[Freeipa-users] Web UI access from outside the home network via port forwarding

Christophe TREFOIS christophe.trefois at uni.lu
Wed Jul 13 16:30:17 UTC 2016


Hi Rob,

On that note, how do you handle password changes / first time logins for users that are external to the organization?

We need to create accounts for external partners, and expose the UI to the outside so that people can login and change their passwords / add their SSH keys.

However, I’m worried about security. Are there any recommendations on how to do this?
Is FreeIPA actually safe enough to do this?

Kind regards,

—
Christophe  

> On 13 Jul 2016, at 17:11, Rob Crittenden <rcritten at redhat.com> wrote:
> 
> Harry Kashouli wrote:
>> I tried uncommenting everything in the ipa-rewrite.conf file, but it
>> still changed the web address. I'll try clearing the cache, in case that
>> was still remembering the links.
>> 
>> I may be attacking my original thought badly, if this is going to be bad
>> for security. I'm wanting to allow users to change their passwords
>> remotely, so I figured giving them public access to the Web UI was the
>> way to go. Is there a better solution?
> 
> Moving back to list.
> 
> Getting the rewrite rules right can be tricky sometimes. You might have an easier time using a proxy instead. Exposing the UI increases the attack surface area so as usual it's a balance of security and convenience that you need to assess.
> 
> A community portal was started last summer but has largely stalled. This is the long-term plan for what you're looking for. The design and a pointer to the current code is at https://www.freeipa.org/page/V4/Community_Portal
> 
> rob
> 
>> 
>> -Harry
>> 
>> On 11 July 2016 at 19:56, Rob Crittenden <rcritten at redhat.com> wrote:
>> 
>>    Harry Kashouli wrote:
>> 
>>        Hi all,
>> 
>>        I have a freeipa server set up, and would like to access the Web UI
>>        remotely (from outside my home network).
>> 
>>        I set up a fresh Fedora 24 server install, and installed
>>        freeipa-server.
>>           - I own a domain, domain.com
>>           - The hostname of my freeipa server is hostname.subdomain.domain.com
>>           - My home network domain is subdomain.domain.com
>> 
>>        I set up a CNAME hostname.domain.com and port forwardings, and I
>>        tested this works with nginx on the same machine; I can
>>        successfully see the nginx test page.
>>        I then assumed I could do the same with the freeipa Web UI, but
>>        when I navigate to http://hostname.domain.com:<external_port>, it
>>        switches to https://hostname.subdomain.domain.com:<internal_port>,
>>        and with the following error: "Server not found"
>> 
>>        What am I doing wrong?
>> 
>> 
>>    Look at ipa-rewrite.conf in the IPA Apache config. It does rewriting
>>    to the real name of the IPA server when it was installed. You can
>>    try tweaking this to allow both names, or to just not do the rewriting.
>> 
>>    You may have issues with Kerberos and SSL due to using a different name.
>> 
>>    You definitely don't want to use IPA over an unsecure channel.
>> 
>>    rob
>> 
>> 
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
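Rob's suggestion of a proxy instead of editing ipa-rewrite.conf, worked through as an added example (not from this thread and not part of FreeIPA): an nginx reverse proxy that presents the external CNAME to browsers but always talks to IPA under its installed name, so the rewrite to the internal hostname never fires. Assumptions: the hostnames from Harry's post, an IPA server listening on 443, a certificate issued for the external name, and the CA bundle path of an IPA-enrolled host; adjust all of them to your environment.

```nginx
# Added example, not from the thread or from the FreeIPA project.
# Hostnames follow the original post (assumed): IPA was installed as
# hostname.subdomain.domain.com, the public CNAME is hostname.domain.com.
server {
    listen 443 ssl;
    server_name hostname.domain.com;

    # Certificate for the EXTERNAL name. IPA's own certificate only covers
    # the installed name, which is the SSL issue Rob mentions.
    ssl_certificate     /etc/nginx/certs/hostname.domain.com.crt;  # placeholder
    ssl_certificate_key /etc/nginx/certs/hostname.domain.com.key;  # placeholder

    # Expose only the paths the Web UI needs; everything else is 404.
    location ~ ^/ipa/(ui|session)(/|$) {
        # Because Referer is overwritten below, IPA's own Referer check no
        # longer sees the real origin, so the proxy enforces it instead:
        # allow an empty Referer (first page load) or the external name only.
        if ($http_referer !~ "^(https://hostname\.domain\.com/|$)") {
            return 403;
        }

        proxy_pass https://hostname.subdomain.domain.com;
        proxy_ssl_server_name on;
        proxy_ssl_name hostname.subdomain.domain.com;
        # Verify the upstream against the IPA CA (path as on an enrolled host).
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ipa/ca.crt;

        # IPA is reached under its installed name, so the rule in
        # ipa-rewrite.conf does not redirect the browser to the internal name.
        proxy_set_header Host hostname.subdomain.domain.com;
        # IPA's JSON-RPC handler rejects calls whose Referer does not start
        # with https://<installed name>/ipa, so the proxy supplies that value.
        proxy_set_header Referer https://hostname.subdomain.domain.com/ipa/ui/;

        # Translate any redirect or cookie IPA emits for the internal name
        # back to the name the browser actually used.
        proxy_redirect https://hostname.subdomain.domain.com/ https://hostname.domain.com/;
        proxy_cookie_domain hostname.subdomain.domain.com hostname.domain.com;
    }
    location / { return 404; }
}

# Never serve IPA over plain HTTP; redirect instead of forwarding.
server {
    listen 80;
    server_name hostname.domain.com;
    return 301 https://$host$request_uri;
}
```

Browser Kerberos single sign-on will not work through the external name (the ticket would be for the installed hostname, the Kerberos issue Rob notes), so external users land on the password login form, which is what the password-change use case needs anyway.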
