In the (apparently) first message to the list in 2014, 
https://www.redhat.com/archives/freeipa-users/2014-January/msg00000.html 
addressed questions about securing IPA and I don't see much other talk about 
it. Now that 4.x is prevalent, I wanted to bring it up again.

I'd like my installation to allow hardened machines (i.e. in the cloud with 
encrypted filesystems) to be a part of the domain. I believe this means that I 
need to expose Kerberos and LDAP to the world, since the machines could live 
anywhere. I don't believe I need to worry about KRB5, but I am concerned about 
389-DS since it seems somewhat difficult to force TLS 
(https://blog.routedlogic.net/?p=119) and 
maybe that's a bad idea under IPA for reasons I thought I'd ask here about. 
Last year's thread also referenced 
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html
and I thought I would check to see if that's still necessary under 4.x.

Setting up the firewall to allow cloud networks in is always an option, but if 
I can get a secure IPA setup going, it would also allow road warriors to kinit 
and use their credentials for configured intranet sites without having to turn 
on the VPN (which can really slow things down from remote parts of the globe).

Cheers, Brian
