On Fri, Apr 25, 2014 at 10:11:15AM +0200, Martin Kosek wrote:
> Does anybody know about other precautions that should be made besides standard
> hardening (SELinux, firewall, log audits)?

I've been running IPA on AWS for a while, replicating within regions as
well as inter-region and also a regular datacentre.
Not using IPA DNS services, but instead using Route53 (managed by

All in all, I have been pretty impressed with the stability of it.

As well as disabling anonymous binds, you should also disallow
plain-text connections.

This is done in /etc/dirsrv/slapd-PROD-TELNIC-NET/dse.ldif.
Find nsslapd-minssf, and change this from '0' to '56'.

With this enabled, all clients will need to communicate via STARTTLS or

The only caveat to this is in 3.0, this affects only the regular slapd
instance, and not the CA slapd which replicates over plain-text only.
This is apparently fixed in 3.2.

Richard Clark
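The setting Richard describes, as an added example that is not part of his post or of FreeIPA itself: a small Python audit that reads a dse.ldif, unfolds LDIF continuation lines, finds the cn=config entry and reports whether nsslapd-minssf is at least 56 (the value recommended above). The LDIF fragments are constructed stand-ins for the real file, the function names are my own, and the threshold constant is taken from the post. Because the check works on file contents, it can be pointed at each instance's dse.ldif separately, which matters for the 3.0 caveat about the CA's own slapd.

```python
"""Audit a 389-ds / FreeIPA dse.ldif for the nsslapd-minssf setting.

Constructed example, not code from the mailing-list post. It parses the
cn=config entry of a dse.ldif (handling LDIF line continuation) and
reports whether the minimum security strength factor is high enough to
refuse plain-text LDAP sessions.
"""

# Minimum SSF recommended in the post; 389-ds treats an SSF of 0 as
# "plain text allowed", so anything below this lets cleartext binds through.
RECOMMENDED_MINSSF = 56


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space
    continues the previous attribute value (RFC 2849 folding)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Return one dict per LDIF entry, mapping lower-cased attribute
    name -> list of values. Entries are separated by blank lines.
    Base64 ("::") values are not decoded; the attribute we need is plain."""
    entries, current = [], {}
    for line in unfold_ldif(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def minssf_setting(text):
    """Return the effective nsslapd-minssf of the cn=config entry.
    389-ds defaults the attribute to 0 when it is absent."""
    for entry in parse_entries(text):
        if [d.lower() for d in entry.get("dn", [])] == ["cn=config"]:
            values = entry.get("nsslapd-minssf")
            return int(values[0]) if values else 0
    raise ValueError("no cn=config entry found")


def audit(text, required=RECOMMENDED_MINSSF):
    """Return (ok, message) for the contents of one dse.ldif."""
    ssf = minssf_setting(text)
    if ssf >= required:
        return True, f"nsslapd-minssf is {ssf}: plain-text binds are refused"
    return False, f"nsslapd-minssf is {ssf}: raise it to {required} or higher"


# Constructed fragments standing in for the relevant part of a dse.ldif.
WEAK_DSE = """\
dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
nsslapd-minssf: 0
nsslapd-security: on

dn: cn=encryption,cn=config
objectClass: top
cn: encryption
"""

HARDENED_DSE = WEAK_DSE.replace("nsslapd-minssf: 0", "nsslapd-minssf: 56")

if __name__ == "__main__":
    # Run the audit over both constructed files; a real run would read
    # /etc/dirsrv/slapd-<INSTANCE>/dse.ldif for every instance on the host.
    for label, text in (("weak", WEAK_DSE), ("hardened", HARDENED_DSE)):
        ok, msg = audit(text)
        print(f"{label:9s} {'OK  ' if ok else 'FAIL'} {msg}")
```

Two practical notes on applying the change itself: the server rewrites dse.ldif when it shuts down, so edit the file only while the instance is stopped (or set nsslapd-minssf on cn=config over LDAP with ldapmodify against the running server instead); and after the restart, an unencrypted simple bind should be refused with a confidentiality-required error, which is the quickest confirmation that the setting took effect.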