[Freeipa-users] Hardening freeipa on the internet

Richard Clark richard at fohnet.co.uk
Fri May 9 14:50:52 UTC 2014


On Fri, Apr 25, 2014 at 10:11:15AM +0200, Martin Kosek wrote:
> 
> Does anybody know about other precautions that should be made besides standard
> hardening (SELinux, firewall, log audits)?
> 

I've been running IPA on AWS for a while, replicating within regions as
well as inter-region, and also to a regular datacentre.
Not using IPA DNS services, but instead using Route53 (managed by
puppet).

All in all, I have been pretty impressed with the stability of it.


As well as disabling anonymous binds, you should also disallow
plain-text connections.

This is done in /etc/dirsrv/slapd-PROD-TELNIC-NET/dse.ldif
Find nsslapd-minssf, and change this from '0' to '56'

With this enabled, all clients will need to communicate via STARTTLS or
LDAPS.

The only caveat to this is in 3.0, this affects only the regular slapd
instance, and not the CA slapd which replicates over plain-text only.
This is apparently fixed in 3.2.


Cheers,
-- 
Richard Clark
richard at fohnet.co.uk
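The two settings the post names (nsslapd-minssf and anonymous binds) can be checked from a copy of dse.ldif before restarting the directory server. The following audit script is an added example, not code from the post or from the FreeIPA project; the LDIF sample inside it is constructed, and the threshold of 56 is the value the post recommends.

```python
"""Audit a 389-ds/FreeIPA dse.ldif for plain-text and anonymous LDAP access.
Checks nsslapd-minssf (0 = plaintext allowed) and nsslapd-allow-anonymous-access."""
import re

# Constructed sample for the example; attribute names are real 389-ds
# cn=config attributes, the instance and host values are illustrative.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
objectClass: top
objectClass: nsslapdConfig
nsslapd-minssf: 0
nsslapd-allow-anonymous-access: on
nsslapd-localhost: ipa.example
 .test
nsslapd-security: on

dn: cn=encryption,cn=config
cn: encryption
nsSSL3: off
"""

MIN_SSF_REQUIRED = 56  # value recommended in the post


def parse_ldif(text):
    """Return {dn: {attr: [values]}}, unfolding continuation lines (RFC 2849)."""
    entries = {}
    unfolded = re.sub(r"\n ", "", text)  # a line starting with a space continues the previous one
    for block in unfolded.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        dn = attrs.pop("dn", [None])[0]
        if dn:
            entries[dn.lower()] = attrs
    return entries


def audit_dse(text, min_ssf=MIN_SSF_REQUIRED):
    """Return a list of findings; an empty list means both checks pass."""
    cfg = parse_ldif(text).get("cn=config", {})
    findings = []
    ssf = int(cfg.get("nsslapd-minssf", ["0"])[0])  # missing attribute behaves as 0
    if ssf < min_ssf:
        findings.append(f"nsslapd-minssf is {ssf}: plain-text binds accepted, set to {min_ssf}")
    anon = cfg.get("nsslapd-allow-anonymous-access", ["on"])[0].lower()
    if anon != "off":
        findings.append(f"nsslapd-allow-anonymous-access is '{anon}': anonymous binds allowed")
    return findings
```

Run it against a real dse.ldif with `audit_dse(open(path).read())`; note that, as the post says, on 3.0 this covers only the main slapd instance and not the CA instance.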