
I'm orienting myself around FreeIPA. I have a test setup with a couple of hosts and am experimenting with LDAP. One thing I noticed is that the hosts are able to query the entirety of the LDAP directory in FreeIPA:

kinit -kt /etc/krb5.keytab   # obtain a ticket for the host principal from its keytab
ldapsearch -x                # simple bind; with no -D this is an anonymous search

This will dump all users, groups, hosts and other items in the database. For a production environment, this is bad and could potentially expose this information on a host that has been compromised.

I'm having trouble finding a way to limit the access a host has to this information. How have others fixed this issue?

Jochem
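The `ldapsearch -x` in the question asks for a simple bind, and with no `-D` that is an anonymous bind, so the preceding `kinit` plays no part in it. The script below, added here as an example and not code from the original post or from the FreeIPA project, separates the two cases: it parses the `nsslapd-allow-anonymous-access` setting of 389 Directory Server (the LDAP server underneath FreeIPA), counts how many entries an anonymous search and a GSSAPI search by the host principal return, and emits the LDIF that restricts anonymous access to the root DSE. The server name `ipa.example.test` and base DN `dc=example,dc=test` are assumptions; `live_audit` and `disable_anonymous_binds` need a reachable IPA server and the OpenLDAP client tools, while `demo` runs offline on a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: audit whether a FreeIPA (389-ds)
# server answers anonymous LDAP searches, and the LDIF that turns them off.
# Server name and base DN are illustrative assumptions.
set -eu

IPA_SERVER="${IPA_SERVER:-ipa.example.test}"   # assumed
BASE_DN="${BASE_DN:-dc=example,dc=test}"        # assumed

# Count entries in ldapsearch/LDIF output on stdin (one "dn:" line per entry).
count_entries() {
    grep -c '^dn: ' || true
}

# Print the lowercase nsslapd-allow-anonymous-access value from a search of
# cn=config read on stdin. If the attribute is absent, 389-ds defaults to "on".
anon_access_setting() {
    value=$(awk -F': *' 'tolower($1) == "nsslapd-allow-anonymous-access" { print tolower($2) }')
    printf '%s\n' "${value:-on}"
}

# Succeed (exit 0) when anonymous reads are restricted, fail when they are open.
anon_access_restricted() {
    case "$(anon_access_setting)" in
        off|rootdse) return 0 ;;
        *)           return 1 ;;
    esac
}

# LDIF for cn=config. "rootdse" keeps only the root DSE readable anonymously
# (clients read it to discover supported SASL mechanisms) and denies anonymous
# access to the rest of the tree; "off" denies the root DSE as well.
anon_bind_ldif() {
    cat <<'EOF'
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
EOF
}

# Live audit (needs the OpenLDAP client tools and network access):
#  1. read the current setting as Directory Manager,
#  2. count what an anonymous simple bind (-x with no -D) can list,
#  3. count what the host's own Kerberos identity can list over GSSAPI
#     (run kinit -kt /etc/krb5.keytab first). FreeIPA grants most read
#     permissions to all authenticated principals, so expect (3) to stay
#     large even after (2) drops to zero.
live_audit() {
    ldapsearch -x -LLL -H "ldap://$IPA_SERVER" -D 'cn=Directory Manager' -W \
        -b cn=config -s base nsslapd-allow-anonymous-access | anon_access_setting
    ldapsearch -x -LLL -H "ldap://$IPA_SERVER" -b "$BASE_DN" '(objectClass=*)' 1.1 | count_entries
    ldapsearch -Y GSSAPI -Q -LLL -H "ldap://$IPA_SERVER" -b "$BASE_DN" '(objectClass=*)' 1.1 | count_entries
}

# Apply the hardening as Directory Manager (prompts for the password).
disable_anonymous_binds() {
    anon_bind_ldif | ldapmodify -x -H "ldap://$IPA_SERVER" -D 'cn=Directory Manager' -W
}

# Offline demonstration on a constructed cn=config search result (not real data).
SAMPLE_CONFIG='dn: cn=config
nsslapd-allow-anonymous-access: on'

demo() {
    setting=$(printf '%s\n' "$SAMPLE_CONFIG" | anon_access_setting)
    if printf '%s\n' "$SAMPLE_CONFIG" | anon_access_restricted; then
        echo "anonymous access: $setting (restricted)"
    else
        echo "anonymous access: $setting (OPEN); LDIF to apply with ldapmodify:"
        anon_bind_ldif
    fi
}

demo
```

Restricting anonymous binds closes the `ldapsearch -x` case without affecting enrolled hosts, which authenticate to the IPA LDAP server over GSSAPI with their keytab (SSSD included). It does not narrow what a host principal can read once authenticated; that is governed by FreeIPA's permission and privilege objects (`ipa permission-find` lists them), and the directory itself offers no per-tenant isolation.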
  • What is the point of a directory, if the content is not accessible? – Samson Scharfrichter Nov 20 '20 at 14:25
  • 1
    FreeIPA is _by design_ a POSIX directory, with a list of managed hosts, a list of managed *nix users, a list of managed *nix groups, and access rules to define which user can access which hosts. If one host is compromised, then local queries on users & groups + queries on DNS will provide about the same amount of information. – Samson Scharfrichter Nov 20 '20 at 14:32
  • 1
    For the record, I work for a large "systemic" bank, with a culture of paranoia, and IPA _(the supported RedHat version)_ is used for all *nix servers, especially in Prod. – Samson Scharfrichter Nov 20 '20 at 14:34
  • Well, some content should be accessible, say all content in the host's own hostgroup and all users having access to that hostgroup, i.e. only content that a host needs. However, having the entire directory available is a security risk and would allow a compromised machine to gain a fairly complete overview of the entire network. Don't you think? – Jochem Nov 20 '20 at 14:34
  • 1
    Caveat: _multiple_ IPA directories are a good thing - for Prod, QA, etc (and 1 per DMZ) – Samson Scharfrichter Nov 20 '20 at 14:38
  • So I work at an MSP with several separate environments. So instead of prod, qa etc., it would be Customer1, Customer2 etc. Would it make sense to have separate directories for each of these? – Jochem Nov 20 '20 at 14:42
  • Ah, yes, in case of multi-tenancy, you have to provide some kind of isolation. And FreeIPA has no feature for that AFAIK, so it means one instance per tenant. Plus, possibly, a separate instance just for bastion hosts (aka jump-off hosts) used by your Ops staff. – Samson Scharfrichter Nov 21 '20 at 14:48
  • https://www.freeipa.org/page/V3/Multitenancy >> _"These are the changes necessary to the FreeIPA server to support a cloud deployment and multi-tenancy"_ >> ouch, it won't happen soon... – Samson Scharfrichter Nov 21 '20 at 15:56
