FreeIPA SSL LDAP and round robin DNS


I'm trying to ask this question in a way that's answerable, but part of the issue is knowing the implications of my current situation and if there's an issue or technical debt which'll bite me further on.

I've set up a few IPA servers in a master & replicas setup.

server1: dns A record (and fqdn hostname): srv1.mydomain.com

server2: dns A record (and fqdn hostname): srv2.mydomain.com

server3: dns A record (and fqdn hostname): srv3.mydomain.com

The servers have a CNAME of auth-a, auth-b, auth-c, respectively and use a self-signed cert as per a normal IPA install.

This worked fine for months for ssh connections, and sssd and so on. The issue arrived when trying to hook in applications which only allow one ldap server to be specified. There are SRV dns records set up for failover, but in an attempt to get these apps to work I also put in a dns round robin record.

The catch is this round robin only works for normal ldap lookups, not ldap ssl. I can make ssl work however if I disable checking on the ssl cert.

So… the questions!

a) Realistically, how bad is it to disable checking of the cert on an internal service? This ldap server is going to be queried from the LAN, always. I believe I'm opened up to a possible MITM attack, but I'm not certain of how worried I need to be of that. I mean, right now my other option is not using ssl, and that's scary sauce. To perform the MITM attack they'd already need to be on my network and have control of the DNS, no? Any advice which could quantify that concern into real terms would be helpful.

b) As I understand it, to actually fix this I'd need to give the RR dns entry as a subject alt name on the self-signed cert of the server(s). That means re-keying the server, right? Which in the case of IPA means rejoining every client to IPA for the new cert. That's a non-starter I think.

c) Given the current situation and outcome of (a) and (b), what would you recommend as the best course of action to allow apps which only allow one ldap server to be specified (and don't use SRV dns records in any way) to fail over to the other server should one go down, and still allow ldap over ssl giving my certificates?

Best Answer

You should issue new certificates with subjectAlternativeNames and point the DNS record for that name at a load balancer.

  • A) Turning off certificate checking does open you up to MITM. The advantage is that an encrypted channel can't be passively eavesdropped. It's more work to MITM an encrypted channel, but it's not much more. If you're not high value and don't operate across wireless or the open internet (as opposed to a VPN link), then turning off the certificate checking isn't very risky, but don't do it. Doing things the right way is just about as easy.
  • B) Yes, the servers will need a subjectAlternativeName or (and don't do this) a wildcard subjectName. However, FreeIPA does its own Public Key Infrastructure (PKI), which is to say you have your own self-signed Certificate Authority (CA), rather than a collection of self-signed certificates. This means that you only need to generate and replace the certificates for the FreeIPA servers (the ones used by LDAP). The CA certificate used for signing (that's the cert that's deployed across all your machines) stays the same, so there's no need to touch any other machines. Also, you don't need the servers' private keys, just the public certificates.
  • C) See the top; A and B are the justification.
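To make the answer's points B and C concrete, here is an added example (not code from the question, the answer, or the FreeIPA project) that builds a throwaway CA standing in for the IPA CA, issues one LDAP server certificate the way they exist today (subjectAltName carrying only the server's own FQDN) and one re-issued with the round-robin name added as a SAN, and then runs OpenSSL's hostname verification against each, which is the check an LDAPS client performs when certificate checking is enabled. The CA, the `mydomain.com` names, and `auth.mydomain.com` as the round-robin record are placeholders assumed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the question or answer): re-issue an LDAP server
# certificate with the round-robin name as a subjectAltName and show which
# hostnames a verifying client will accept.
# Assumptions: the CA made here is a throwaway stand-in for the FreeIPA CA,
# and "auth.mydomain.com" is a placeholder for the round-robin DNS record.
set -eu

WORK="${WORK:-$(mktemp -d)}"
RR_NAME="auth.mydomain.com"          # placeholder round-robin DNS name

# Minimal OpenSSL config: no prompting, plus a v3_ca section for the CA cert.
cat >"$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca: self-signed CA standing in for the IPA CA that clients already trust.
# Because only this CA cert is in the clients' trust stores, re-issuing server
# certs under it does not require touching the clients.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 \
        -config "$WORK/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Stand-in IPA CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# issue_ldap_cert NAME SANLIST: generate a key and CSR for NAME.mydomain.com and
# sign it with the CA, attaching SANLIST (e.g. "DNS:srv1.mydomain.com,DNS:auth.mydomain.com").
# Only the CA key signs; the server's private key stays in $WORK/NAME.key.
issue_ldap_cert() {
    name="$1"; sans="$2"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
        -subj "/CN=$name.mydomain.com" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    printf 'subjectAltName = %s\nextendedKeyUsage = serverAuth\n' "$sans" \
        >"$WORK/$name.ext"
    openssl x509 -req -days 2 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# check_hostname CERT HOST: exit 0 if CERT chains to the CA and its SANs match
# HOST (what a client with certificate checking enabled does), else non-zero.
check_hostname() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# san_list CERT: print the DNS names carried in the certificate's subjectAltName.
san_list() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

main() {
    make_ca
    # Current situation: each server's cert names only its own FQDN.
    issue_ldap_cert srv1 "DNS:srv1.mydomain.com"
    # The answer's fix: the same kind of cert, re-issued with the RR name as a SAN.
    issue_ldap_cert srv2 "DNS:srv2.mydomain.com,DNS:$RR_NAME"
    for c in srv1 srv2; do
        echo "$c: $(san_list "$WORK/$c.pem")"
        if check_hostname "$WORK/$c.pem" "$RR_NAME"; then
            echo "  client connecting to $RR_NAME: OK"
        else
            echo "  client connecting to $RR_NAME: hostname mismatch"
        fi
    done
}
main
```

Running it prints a hostname mismatch for the `srv1` cert and OK for the `srv2` cert when the client connects to the round-robin name, while both still verify for their own FQDN. This is the whole of point B: the trust anchor (the CA) is unchanged, so only the server certificates are replaced, and the servers' private keys are never needed by whoever operates the CA. In a real deployment the same re-issuance goes through the IPA CA rather than this stand-in, and the round-robin or load-balancer name is listed as a SAN on every server's certificate so that whichever replica answers, the name the client dialled is on the certificate it receives.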