Category Archives: FreeIPA

IPTables rules for FreeIPA

Posted on by
7

I end up editing this so much, figure I’d post it here for all to use.  This is the standard IPtables config file augmented with those rules required to let through the protocols supported by FreeIPA

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

#TCP ports for FreeIPA
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443  -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88  -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464  -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 53  -j ACCEPT

#UDP ports for FreeIPA
-A INPUT -m state --state NEW -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 464 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

DNS Managers in FreeIPA

Posted on by
3

The Domain Name System (DNS) is an essential part of systems management. If you need to manage multiple physical hosts you’d really benefit by a degree of control of some subset of DNS. With Virtual machines, the sheer number of hosts created demand a responsive DNS. Kerberos, X509 and other security mechanisms require a proper DNS configuration. Yet, for many organizations, DNS is locked down by IT to a very static set of records. Earlier articles discussed User Groups, Host Groups, and Netgroups. The final installment in this series discsusses how to delegate DNS Zone management in FreeIPA.

Continue reading

Netgroup Managers in FreeIPA

Posted on by
Reply

The last two articles described how to delegate management of user groups and host groups. The other way to manage both hosts and users in FreeIPA is with Netgroups. Although Netgroups are a concept from NIS, FreeIPA takes them to the next level, and makes them into containers capable of managing both users and groups. This article shows how to delegate the control of a netgroup to a specified user.

Continue reading

A second Kerberos Realm

Posted on by
2

With the release of KRB5 1.10 A Kerberos workstation can finally have two different TGTs from two different KDCs active at the same time. Until this technology makes it into the major distributions, we are stuck with the limitation of the browser only knowing about one TGT/KDC/Realm at a time.  If you find yourself needing to talk to a second KDC without disrupting your primary,  here are the steps you can take.

Continue reading

Cloud Identity Management

Posted on by
Reply

Openstack Keystone is the Identity Management (IdM) gateway for the rest of the Openstack infrastructure.  While it is fairly new code, and not feature complete as of yet,  it does show some interesting aspects of cloud identity management and the issues it involves.  That, of course, begets the question of what is required in a cloud Identity Management gateway.

Continue reading

Certificates for Web SSO

Posted on by
7

Kerberos is a single sign on solution. AFAICT, it is the only one that solves the problem completely: You confirm that you are who you say you are, and the remote side confirms that it is who you think it is. It doesn’t work over he public internet only due to the fact that most corporate firewalls block the ports it needs.  So  we want to be able to do Kerberos, or its equivalent from the browser.

Continue reading