Draft version. Content is hallucinated. Do not use!

FreeIPA Security Best Practices

Essential security hardening techniques and best practices for your FreeIPA deployment

FreeIPA Team

Introduction

Security is paramount in identity management systems. As the central authority for authentication and authorization, your FreeIPA deployment requires careful attention to security best practices. This guide covers essential hardening techniques to protect your infrastructure.

Server Hardening

Operating System Security

Start with a secure foundation:

# Keep system updated
sudo dnf update -y

# Enable SELinux (enforcing mode)
sudo setenforce 1
sudo sed -i 's/SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config

# Configure firewall
sudo firewall-cmd --permanent --add-service=freeipa-ldap
sudo firewall-cmd --permanent --add-service=freeipa-ldaps
sudo firewall-cmd --permanent --add-service=dns
sudo firewall-cmd --permanent --add-service=ntp
sudo firewall-cmd --reload

Minimal Installation

Install only required packages:

  • Avoid installing unnecessary services
  • Remove or disable unused components
  • Audit the installed package set regularly

File System Security

Protect critical files and directories:

# Verify permissions on key files
ls -l /etc/ipa/
ls -l /var/lib/ipa/
ls -l /etc/httpd/conf.d/ipa*.conf

# Keytab files should be mode 600; check ownership before changing anything, since
# service keytabs (e.g. /etc/dirsrv/ds.keytab, owned by dirsrv) must stay with their service user
find /etc -name "*.keytab" -type f -exec chmod 600 {} \;

Password Policies

Strong Global Policy

Configure robust password requirements:

# Set global password policy (no group argument modifies global_policy;
# minlife is in hours, maxlife in days, failinterval and lockouttime in seconds)
ipa pwpolicy-mod --minlife=1 \
  --maxlife=90 \
  --history=10 \
  --minclasses=4 \
  --minlength=14 \
  --maxfail=3 \
  --failinterval=300 \
  --lockouttime=900

Policy rationale:

  • minlife: Prevent rapid password changes to bypass history
  • maxlife: Force periodic password rotation
  • history: Prevent password reuse
  • minclasses: Require diverse character types
  • minlength: Adequate length for entropy
  • maxfail: Lock accounts after failed attempts
  • lockouttime: Balance security and usability

Admin-Specific Policies

Stricter requirements for privileged accounts:

# Create admin group policy (--priority is required; the lowest value wins
# when a user belongs to several groups with policies; 10 is an example value)
ipa pwpolicy-add admins --priority=10 \
  --minlife=1 \
  --maxlife=60 \
  --history=15 \
  --minlength=16 \
  --maxfail=5

Access Control

Disable Default Policies

Remove overly permissive defaults:

# Disable allow_all HBAC rule
ipa hbacrule-disable allow_all

# Create specific rules instead
ipa hbacrule-add admin_access \
  --desc="Admin SSH access"
ipa hbacrule-add-user admin_access --groups=admins
# all_hosts is an example host group: create it first (ipa hostgroup-add all_hosts)
# or apply the rule to every host with: ipa hbacrule-mod admin_access --hostcat=all
ipa hbacrule-add-host admin_access --hostgroups=all_hosts
ipa hbacrule-add-service admin_access --hbacsvcs=sshd

Principle of Least Privilege

Grant minimum necessary permissions:

# Create limited admin roles
ipa role-add user_admin --desc="User Management Only"
ipa role-add-privilege user_admin \
  --privileges="User Administrators"

# Create help desk role (FreeIPA ships a default "helpdesk" role; if it already
# exists, skip role-add and only adjust its privileges)
ipa role-add helpdesk --desc="Password Reset Only"
ipa role-add-privilege helpdesk \
  --privileges="Modify Users and Reset passwords"

Separate Admin Accounts

Never use administrative accounts for routine tasks:

  • Create separate admin accounts (e.g., jsmith and jsmith-admin)
  • Use regular account for daily work
  • Switch to admin account only when needed
  • Monitor admin account usage closely

Network Security

TLS/SSL Configuration

Enforce strong encryption:

# Edit /etc/httpd/conf.d/ssl.conf
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on

LDAPS vs StartTLS

Prefer LDAPS (LDAP wrapped in TLS from the first byte, port 636) over StartTLS, which upgrades a connection that starts in plaintext:

# Test LDAPS connection
ldapsearch -H ldaps://ipa.example.com \
  -x -D "uid=admin,cn=users,cn=accounts,dc=example,dc=com" \
  -W -b "dc=example,dc=com"

Network Segmentation

Isolate FreeIPA servers:

  • Place servers in dedicated network segments
  • Allow access only from the client networks that need it
  • Use VPNs for remote administration
  • Monitor and log all network access

Authentication Security

Two-Factor Authentication

Enable OTP for all users:

# Enable OTP for user
ipa user-mod jsmith --user-auth-type=otp

# Users can self-enroll tokens
ipa otptoken-add --type=totp --owner=jsmith

Smart Card Authentication

For highest security environments:

# Allow certificate (PKINIT) logins alongside password and OTP
ipa config-mod --user-auth-type=otp,password,pkinit

# Server- and client-side setup steps are printed by the advise plugins:
#   ipa-advise config-server-for-smart-card-auth
#   ipa-advise config-client-for-smart-card-auth

# Issue user certificates from a CSR
ipa cert-request user.csr --principal=jsmith@EXAMPLE.COM

Kerberos Hardening

Strengthen Kerberos security:

# Restrict the authorization data (PAC) types the KDC puts into tickets
ipa config-mod --ipakrbauthzdata=MS-PAC

# Set appropriate ticket lifetimes (seconds): 10 h tickets, renewable for 24 h
ipa krbtpolicy-mod --maxlife=36000 --maxrenew=86400

# Pre-authentication is required for every principal by default (config-mod has no
# ipakrbrequirepreauth option); verify it is still set on a service principal
ipa service-show HTTP/ipa.example.com --all | grep -i "pre-auth"

Monitoring and Auditing

Enable Comprehensive Logging

Configure detailed audit logs:

# 389 DS audit logging
ldapmodify -x -D "cn=Directory Manager" -W << EOF
dn: cn=config
changetype: modify
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
EOF

# Log rotation: 389 DS rotates the audit log itself; tune nsslapd-auditlog-maxlogsize,
# nsslapd-auditlog-logrotationtime and nsslapd-auditlog-maxlogsperdir in cn=config
# rather than adding a /etc/logrotate.d/dirsrv entry

Monitor Authentication Failures

Track failed login attempts:

# Failed Kerberos authentications (FreeIPA's kdc.conf logs to a file, not the journal)
grep "PREAUTH_FAILED" /var/log/krb5kdc.log

# Failed web UI / API logins; note that SPNEGO legitimately answers the first request
# with a 401 before success, so look for repeated 401s from the same client
grep ' 401 ' /var/log/httpd/access_log

# LDAP bind failures: err=49 (invalidCredentials) on the RESULT line that follows a BIND
grep "err=49" /var/log/dirsrv/slapd-*/access

Automated Alerting

Set up alerts for security events:

  • Failed login attempts exceeding threshold
  • Administrative actions outside business hours
  • Certificate expiration warnings
  • Unauthorized access attempts
  • Service failures
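The two previous sections (failure monitoring and threshold alerting) combined in one script, added here as an example that is not FreeIPA project code: it attributes failures to principals from KDC and 389 DS log lines and reports who has reached a threshold. All log lines are constructed samples whose format approximates the real logs.

```shell
#!/bin/sh
# Added example, not FreeIPA project code: count authentication failures per
# principal from KDC and 389 DS log lines and flag those at or over a threshold.
set -eu

# Constructed /var/log/krb5kdc.log excerpt (format approximates MIT KDC logging).
KDC_SAMPLE='Jan 15 10:00:01 ipa krb5kdc[1234](info): AS_REQ (2 etypes {18 17}) 192.0.2.10: PREAUTH_FAILED: jsmith@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Jan 15 10:00:03 ipa krb5kdc[1234](info): AS_REQ (2 etypes {18 17}) 192.0.2.10: PREAUTH_FAILED: jsmith@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Preauthentication failed
Jan 15 10:00:05 ipa krb5kdc[1234](info): AS_REQ (2 etypes {18 17}) 192.0.2.11: ISSUE: authtime 1705312805, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Constructed 389 DS access-log excerpt. A BIND is paired with its RESULT through
# conn/op, and err=49 (invalidCredentials) marks a failed simple bind.
DS_SAMPLE='[15/Jan/2024:10:00:02.000 +0000] conn=42 op=0 BIND dn="uid=jsmith,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[15/Jan/2024:10:00:02.100 +0000] conn=42 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001
[15/Jan/2024:10:00:04.000 +0000] conn=43 op=0 BIND dn="uid=bob,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[15/Jan/2024:10:00:04.100 +0000] conn=43 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001'

# kdc_failures: read KDC log lines on stdin, print "<principal> <failures>".
kdc_failures() {
  awk '/PREAUTH_FAILED: / { sub(/.*PREAUTH_FAILED: /, ""); sub(/ for .*/, ""); n[$0]++ }
       END { for (p in n) print p, n[p] }'
}

# ds_bind_failures: read access-log lines on stdin, print "<bind DN> <failures>".
# Fields: $3=conn=N $4=op=N $5=operation. The DN is remembered per conn/op and
# charged only when the matching RESULT line carries err=49.
ds_bind_failures() {
  awk '$5 == "BIND" { key = $3 $4; sub(/.*dn="/, ""); sub(/".*/, ""); dn[key] = $0 }
       $5 == "RESULT" && $6 == "err=49" { key = $3 $4; if (key in dn) n[dn[key]]++ }
       END { for (d in n) print d, n[d] }'
}

# over_threshold N: from "<name> <count>" lines keep the names whose count >= N.
over_threshold() {
  awk -v t="$1" '$2 >= t { print $1 }'
}

# Stand-alone run over both sources. The threshold is 2 so the small sample trips
# it; in production use the password policy's maxfail value.
{ printf '%s\n' "$KDC_SAMPLE" | kdc_failures
  printf '%s\n' "$DS_SAMPLE" | ds_bind_failures; } | over_threshold 2
```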

Backup and Recovery

Regular Backups

Automate backup process:

# Full backup (--online applies to --data; results land in /var/lib/ipa/backup/ as
# one directory per backup)
ipa-backup --data --logs --online

# Schedule daily backups
cat > /etc/cron.daily/ipa-backup << 'EOF'
#!/bin/bash
set -e
BACKUP_DIR="/var/lib/ipa/backup"
ipa-backup --data --logs --online
# each backup is a directory, so prune whole directories older than 30 days
find "$BACKUP_DIR" -mindepth 1 -maxdepth 1 -type d -mtime +30 -exec rm -rf {} +
EOF

chmod +x /etc/cron.daily/ipa-backup

Secure Backup Storage

Protect backup files:

  • Encrypt backups at rest
  • Store off-site copies
  • Test restore procedures regularly
  • Limit access to backup files

Certificate Security

Automated Renewal

Enable certmonger for automatic renewal:

# List tracked certificates
ipa-getcert list

# Certificates set up by ipa-server-install are already tracked; add tracking for an
# additional certificate issued by the IPA CA (the key and cert paths are examples)
ipa-getcert start-tracking \
  -c IPA \
  -k /etc/pki/tls/private/server.key \
  -f /etc/pki/tls/certs/server.crt

Certificate Revocation

Respond quickly to compromises:

# Revoke compromised certificate by serial number; the reason is numeric (1 = keyCompromise)
ipa cert-revoke 12345 --revocation-reason=1

# The CRL is regenerated on the CA's schedule by the CRL generation master;
# confirm which server holds that role
ipa-crlgen-manage status

Monitor Certificate Expiration

Prevent outages:

# Check certificate expiration
ipa cert-find --validnotafter-from=$(date +%Y-%m-%d) \
  --validnotafter-to=$(date -d "+30 days" +%Y-%m-%d)

Replica Security

Replica Authentication

Secure replication traffic:

  • Use dedicated replication credentials
  • Monitor replication agreements
  • Encrypt replication data
  • Isolate replication network traffic

Replica Placement

Strategic replica deployment:

  • Replicas in different physical locations
  • Network isolation between replicas
  • Separate replicas for read vs. write operations
  • Geographic distribution for disaster recovery

Compliance Considerations

GDPR

For EU deployments:

  • Document data retention policies
  • Implement right-to-erasure procedures
  • Maintain audit trails
  • Encrypt personal data

HIPAA

Healthcare environments:

  • Enable detailed audit logging
  • Encrypt data in transit and at rest
  • Implement access controls
  • Regular security assessments

PCI DSS

Payment card industry:

  • Separate admin and user accounts
  • Strong authentication requirements
  • Network segmentation
  • Regular vulnerability scans

Security Checklist

Use this checklist for regular security reviews:

  • All systems updated with latest security patches
  • SELinux enabled and enforcing
  • Firewall configured and active
  • Strong password policies enforced
  • Two-factor authentication enabled
  • HBAC rules reviewed and updated
  • Admin accounts separated from user accounts
  • All certificates current and monitored
  • Backups tested and verified
  • Audit logs reviewed regularly
  • Unnecessary services disabled
  • TLS configuration hardened
  • Network segmentation implemented
  • Intrusion detection active
  • Incident response plan documented

Regular Security Tasks

Daily

  • Monitor authentication failures
  • Review system logs
  • Check service availability

Weekly

  • Review user access changes
  • Analyze audit logs
  • Check backup success

Monthly

  • Audit HBAC and sudo rules
  • Review user account status
  • Test disaster recovery procedures
  • Update documentation

Quarterly

  • Full security assessment
  • Penetration testing
  • Policy review and updates
  • Staff security training

Incident Response

Preparation

Have a plan ready:

  1. Define security incidents
  2. Establish response team
  3. Document procedures
  4. Practice scenarios

Detection

Monitor for indicators:

  • Unusual authentication patterns
  • Failed login spikes
  • Unauthorized access attempts
  • Service disruptions

Response

Act quickly and systematically:

  1. Isolate affected systems
  2. Gather evidence
  3. Contain the incident
  4. Eradicate the threat
  5. Recover services
  6. Document lessons learned

Conclusion

Security is an ongoing process, not a one-time configuration. Regular reviews, updates, and monitoring are essential to maintaining a secure FreeIPA deployment. Implement these best practices as baseline security, and adapt them to your specific requirements and risk tolerance.

Remember: the cost of prevention is always less than the cost of a security breach.

Additional Resources

Stay secure!