On Wed, 2020-09-30 at 16:04 +1000, Fraser Tweedale wrote:
> On Tue, Sep 29, 2020 at 09:44:16AM -0400, Simo Sorce via FreeIPA-users wrote:
> > On Tue, 2020-09-29 at 14:01 +0200, Christian Heimes via FreeIPA-users
> > wrote:
> > > On 28/09/2020 08.01, Fraser Tweedale via FreeIPA-users wrote:
> > > > On Thu, Sep 24, 2020 at 02:15:11PM -0000, Willie Lima via FreeIPA-users 
> > > > wrote:
> > > > > Hi guys,
> > > > > 
> > > > > I have 12 freeipa servers deployed with integrated DNS and CA
> > > > > (realm and domain int.example.com).
> > > > > 
> > > > > I would like to make a DNS round-robin, for instance: request
> > > > > ldap.int.example.com and forward for one of the servers and also
> > > > > an external domain ldap.example.com
> > > > > 
> > > > > The problem is with the certificate, the TLS handshake fails
> > > > > because there's no alternative name with ldap.int.example.com or
> > > > > ldap.example.com.
> > > > > 
> > > > > I read the redhat documentation about certificate manipulation,
> > > > > but I got very confused in fact how it works.
> > > > > 
> > > > > How can I do that? Is there another recommendation?
> > > > > 
> > > > Hello Willie,
> > > > 
> > > > It is not supported.  With some effort you could create the
> > > > necessary objects and relationship in FreeIPA to permit issuance of
> > > > such a certificate, then you could modify the certmonger tracking
> > > > request (on every server) to request a certificate with those SANs.
> > > > But the tracking request modifications would eventually be lost
> > > > during ipa-server-upgrade (FreeIPA will see that the tracking
> > > > request doesn't match expectations and replace it).
> > > > 
> > > > A possible alternative approach (I haven't tested it yet) is if you
> > > > discover the LDAP servers via SRV records, i.e.
> > > > _ldaps._tcp.int.example.com.  This would give "round robin"
> > > > (actually service weighting but you get the idea) to all the LDAP
> > > > servers in the topology.  I'd have to check if openldap client
> > > > performs certificate validation properly in this scenario though.
> > > 
> > > OpenLDAP does not support SRV lookup. The python-ldap feature request
> > > https://github.com/python-ldap/python-ldap/issues/178 contains more
> > > information on the topic. I have recently implemented a new feature that
> > > would allow you to implement SRV lookup more efficiently.
> > > 
> > > TLS hostname verification is not an issue. A client does not directly
> > > use the SRV address. Instead you perform an SRV lookup which gives you a
> > > list of hostnames with weights and priorities. An LDAP client connects
> > > to the hostnames and uses the hostname to verify the identity of the
> > > certificate.
> > 
> > This is cool but also problematic wrt security unless DNSSEC is used,
> > as it is relatively easy to spoof a SRV record reply to point the
> > client to an attacker controlled server.
> > 
> > Simo.
> > 
> 
> SRVName in the certificate mitigates this security issue, if the
> client validates SRVName per RFC 6125.  But FreeIPA does not yet
> support issuing certs with SRVName.  I have an experimental branch
> but there are some issues to resolve.

Would be really cool to support indeed, as that definitely resolves the
issue as long as the CA properly verifies ownership of the SRVName
before granting it in certs.
Any thoughts on how we could support this with ACME?
I guess we'd need an additional test?

Simo.
-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
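As an added example (not code from this thread or from FreeIPA), the SRV target selection and the RFC 6125 reference-identity check the discussion describes, in Python with constructed SRV answers and SAN sets; the host names, the `order_srv`, `srv_id`, `verify_identity` and `discover_and_verify` functions and the SAN representation are assumptions of this example.

```python
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

def order_srv(records, seed=0):
    """RFC 2782 selection: lowest priority first; within one priority a
    weighted-random order, so heavier targets are chosen more often."""
    rng, ordered = random.Random(seed), []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            pick, acc = rng.randint(0, sum(r.weight for r in pool)), 0
            for r in pool:
                acc += r.weight
                if acc >= pick:
                    ordered.append(pool.pop(pool.index(r)))
                    break
    return ordered

def srv_id(service, source_domain):
    """SRV-ID as carried in an SRVName SAN (RFC 4985): _<service>.<source domain>."""
    return f"_{service}.{source_domain}".lower().rstrip(".")

def verify_identity(sans, expected_srv_id, target_host, srv_lookup_secure):
    """RFC 6125 reference-identity check for an SRV-discovered server. `sans`
    is a list of ('DNS'|'SRV', value) pairs standing in for the SAN extension.
    The SRV-ID is bound to the source domain the client asked for, so a forged
    SRV answer cannot satisfy it; the target's DNS-ID only counts as a reference
    identity when the SRV lookup itself was DNSSEC-validated."""
    srv_ids = {v.lower().rstrip(".") for t, v in sans if t == "SRV"}
    dns_ids = {v.lower().rstrip(".") for t, v in sans if t == "DNS"}
    if expected_srv_id in srv_ids:
        return True
    return bool(srv_lookup_secure and target_host.lower().rstrip(".") in dns_ids)

def discover_and_verify(records, source_domain, certs_by_host, srv_lookup_secure=False):
    """Take the first SRV target and check the certificate that host presents.
    certs_by_host is constructed data; a real client would do the TLS handshake."""
    target = order_srv(records)[0].target.rstrip(".")
    ok = verify_identity(certs_by_host[target], srv_id("ldap", source_domain),
                         target, srv_lookup_secure)
    return target, ok

# Constructed SRV answers and SAN sets (not real hosts or certificates).
GENUINE = [SRV(0, 50, 636, "ipa1.int.example.com."), SRV(0, 50, 636, "ipa2.int.example.com.")]
SPOOFED = [SRV(0, 100, 636, "rogue-ldap.example.net.")]  # forged answer, no DNSSEC
CERTS = {"ipa1.int.example.com": [("DNS", "ipa1.int.example.com"), ("SRV", "_ldap.int.example.com")],
         "ipa2.int.example.com": [("DNS", "ipa2.int.example.com"), ("SRV", "_ldap.int.example.com")],
         "rogue-ldap.example.net": [("DNS", "rogue-ldap.example.net")]}  # valid cert, own name only
```

With a genuine answer the SRV-ID check passes for either server; with the forged answer the rogue host's otherwise valid certificate is rejected unless the client wrongly treats an unsigned SRV lookup as trustworthy.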



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org