On Fri, Apr 25, 2014 at 10:11:15AM +0200, Martin Kosek wrote:
> 
> Does anybody know about other precautions that should be made besides standard
> hardening (SELinux, firewall, log audits)?
> 

I've been running IPA on AWS for a while, replicating within regions as
well as inter-region and also a regular datacentre. 
Not using IPA DNS services, but instead using Route53 (managed by
puppet).

All in all, I have been pretty impressed with the stability of it.


As well as disabling anonymous binds, you should also disallow
plain-text connections.

This is done in /etc/dirsrv/slapd-PROD-TELNIC-NET/dse.ldif
Find nsslapd-minssf, and change this from '0' to '56'

With this enabled, all clients will need to communicate via STARTTLS or
LDAPS.

The only caveat to this is in 3.0, this affects only the regular slapd
instance, and not the CA slapd which replicates over plain-text only.
This is apparently fixed in 3.2.


Cheers,
-- 
Richard Clark
rich...@fohnet.co.uk
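As an added example (not part of the thread), a small Python audit that reads each 389-ds instance's dse.ldif, pulls nsslapd-minssf from the cn=config entry and flags any instance still at the default of 0, so the point above about the CA's own slapd instance being left on plain text can be checked rather than assumed. The instance name slapd-PKI-IPA and the LDIF fragments are constructed sample data.

```python
"""Audit nsslapd-minssf across 389-ds dse.ldif files (added example)."""
import base64
import re
from typing import Dict, Iterator

# SSF the mail recommends. 389-ds treats an unset nsslapd-minssf as 0,
# which means plain-text LDAP binds and searches are accepted.
REQUIRED_MINSSF = 56


def _entries(ldif_text: str) -> Iterator[Dict[str, list]]:
    """Yield one attribute map per LDIF entry, unfolding continuation lines."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)            # RFC 2849 folding
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        attrs: Dict[str, list] = {}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
            if not m:                                        # comments, junk
                continue
            name, sep, value = m.groups()
            if sep == "::":                                  # base64 value
                value = base64.b64decode(value).decode("utf-8", "replace")
            attrs.setdefault(name.lower(), []).append(value)
        if attrs:
            yield attrs


def minssf_of(ldif_text: str) -> int:
    """Effective nsslapd-minssf of the cn=config entry; 0 when absent."""
    for attrs in _entries(ldif_text):
        if attrs.get("dn", [""])[0].lower() == "cn=config":
            return int(attrs.get("nsslapd-minssf", ["0"])[0])
    return 0


def audit_instances(dse_by_instance: Dict[str, str]) -> Dict[str, bool]:
    """Map instance name -> True if plain-text connections are still allowed."""
    return {name: minssf_of(text) < REQUIRED_MINSSF
            for name, text in dse_by_instance.items()}


# Constructed dse.ldif fragments: the hardened IPA instance named in the mail
# and an assumed CA instance (slapd-PKI-IPA) left at the default.
SAMPLE = {
    "slapd-PROD-TELNIC-NET": "dn: cn=config\ncn: config\nnsslapd-minssf: 56\n\n"
                             "dn: cn=encryption,cn=config\nnsSSL3: off\n",
    "slapd-PKI-IPA": "dn: cn=config\ncn: config\nnsslapd-schemacheck: on\n",
}

if __name__ == "__main__":
    for inst, weak in audit_instances(SAMPLE).items():
        print(f"{inst}: {'PLAIN-TEXT ALLOWED' if weak else 'ok'}")
```

In production, feed it the real files with something like `{d.name: (d / "dse.ldif").read_text() for d in Path("/etc/dirsrv").glob("slapd-*")}`; the CA instance shows up as weak on the 3.0 releases the mail describes.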


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
