This guide provides security hardening techniques for FreeIPA installations. Following these practices will help protect your identity management infrastructure and ensure compliance with security standards.
FreeIPA combines multiple identity management components (LDAP, Kerberos, DNS, CA) into a single solution. Securing such a critical system requires attention to multiple layers: network security, authentication, encryption, access controls, and monitoring. This guide covers best practices for each aspect.
Configure firewall rules to restrict access to only necessary services:
# For firewalld
sudo firewall-cmd --permanent --add-service=freeipa-ldap
sudo firewall-cmd --permanent --add-service=freeipa-ldaps
sudo firewall-cmd --permanent --add-service=kerberos
sudo firewall-cmd --permanent --add-service=dns
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --reload
# Or, where possible, restrict the web interface to a management subnet with rich rules instead of opening it to everyone
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' port protocol='tcp' port='80' accept"
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' port protocol='tcp' port='443' accept"
# Permanent rules only take effect after a reload
sudo firewall-cmd --reload
Configure robust password policies:
# Set password complexity requirements on the built-in global policy
# (global_policy already exists and applies to every user not covered by a group policy;
# maxlife is in days, minlife in hours, and there is no maximum-length option)
ipa pwpolicy-mod global_policy \
--maxlife=90 \
--minlife=1 \
--history=5 \
--minclasses=3 \
--minlength=12
# Configure account lockout: 5 failures within 60 seconds lock the account for 900 seconds
# (lockout settings belong to the password policy, not to ipa config)
ipa pwpolicy-mod global_policy \
--maxfail=5 \
--failinterval=60 \
--lockouttime=900
# Monitor for brute force attempts (failed binds are logged as err=49 in the directory server access log)
tail -f /var/log/dirsrv/slapd-REALM/access | grep "err=49"
Enable and enforce 2FA for administrative accounts:
# Enrol a TOTP token for the admin account first, otherwise requiring OTP locks the account out
ipa otptoken-add --type=totp --owner=admin --desc="admin token"
# Require OTP for the admin account (password-only logins are then refused)
ipa user-mod admin --user-auth-type=otp
# Or make OTP the default authentication type for all users once everyone has a token
ipa config-mod --user-auth-type=otp
Ensure all communication is encrypted:
# Verify TLS on the LDAP port: -ZZ makes ldapsearch fail unless StartTLS succeeds
ldapsearch -x -ZZ -H ldap://ipa.example.com -b "" -s base
# List the certificates certmonger tracks on this server, with their expiry dates
sudo getcert list
# Find certificates issued by the IPA CA that expire within the next 30 days
ipa cert-find --validnotafter-to="$(date -d '+30 days' +%Y-%m-%d)"
# Renew certificates as needed: certmonger renews tracked certificates automatically,
# and can be told to renew one now (<request-id> is taken from getcert list);
# ipa-certupdate only refreshes the local CA certificate stores
sudo getcert resubmit -i <request-id>
sudo ipa-certupdate
With FreeIPA 4.13.x, Random Serial Numbers (RSN) are enabled by default:
# Verify RSN is enabled: the CA's certificate and request id generators are set to "random"
sudo grep -E '^dbs\.(cert|request)_id_generator=' /etc/pki/pki-tomcat/ca/CS.cfg
# Configure certificate profiles for security
ipa certprofile-find
ipa certprofile-mod --desc="Secure profile with extended validation" SECURE
Enable DNSSEC and DNS over TLS (4.13.x+):
# Enable DNSSEC: designate this server as the DNSSEC key master, then enable signing per zone
sudo ipa-dns-install --dnssec-master
ipa dnszone-mod example.com --dnssec=true
# Configure DNS over TLS (requires 4.13.x+)
ipa dnsconfig-mod --forwarder="dot://8.8.8.8:853"
Create role-based access controls instead of using admin accounts:
# Create limited admin roles
ipa role-add "User Admins" --desc="Manage users but not groups"
ipa role-add "Group Admins" --desc="Manage groups but not users"
ipa role-add "Host Admins" --desc="Manage hosts but not users"
# Assign specific privileges
ipa role-add-privilege "User Admins" --privileges="User Administrators"
ipa role-add-privilege "Group Admins" --privileges="Group Administrators"
# Create dedicated admin accounts with limited privileges (the user must exist before it can be added to a role)
ipa user-add limited_admin --first="Limited" --last="Admin" --password
# Assign roles to users
ipa role-add-member "User Admins" --users=limited_admin
# Disable the default admin account if possible: FreeIPA refuses to delete it and will not
# disable it while it is the last enabled member of the admins group, so add another admin first
ipa user-disable admin
# Or rename the admin account
ipa user-mod admin --rename admin_backup
FreeIPA 4.13.x introduces LDAP system accounts:
# Create system accounts with specific purposes
ipa sysaccount-add --desc="Backup service account" backup_svc
ipa sysaccount-add --desc="Monitoring service account" monitoring_svc
# Disable system accounts when not needed
ipa sysaccount-disable backup_svc
# Run the server health check (only failures are reported unless --all is given)
sudo ipa-healthcheck
# Verify configuration
ipa config-show
# Check for security misconfigurations in one area (--source selects a check module, --check a single check)
sudo ipa-healthcheck --source ipahealthcheck.dogtag.ca
Configure secure Kerberos settings:
# FreeIPA armors pre-authentication with FAST automatically for OTP users; clients obtain the
# armor ticket through anonymous PKINIT, so verify that anonymous PKINIT works
kinit -n
klist
# Configure Kerberos lockout policy (failed pre-authentications count against the password policy, not ipa config)
ipa pwpolicy-mod global_policy --maxfail=3 --failinterval=60 --lockouttime=600
Configure secure HTTP headers and SSL settings:
# Check Apache configuration
sudo httpd -S
# Verify SSL/TLS configuration (</dev/null closes the session instead of waiting for input)
openssl s_client -connect ipa.example.com:443 -servername ipa.example.com </dev/null
FreeIPA generates logs for security monitoring:
/var/log/httpd/error_log - Apache errors
/var/log/dirsrv/slapd-REALM/access - Directory Server access
/var/log/dirsrv/slapd-REALM/errors - Directory Server errors
/var/log/krb5kdc.log - Kerberos KDC logs
/var/log/pki/pki-tomcat/ca/ - CA logs
Regularly run health checks:
# Run health check
ipa-healthcheck --all
# Check specific areas (--source selects a check module)
ipa-healthcheck --source ipahealthcheck.ipa.certs
ipa-healthcheck --source ipahealthcheck.dogtag.ca
ipa-healthcheck --source ipahealthcheck.ds.replication
Monitor for suspicious activities:
# Check for failed Kerberos pre-authentications and lockouts
grep -iE "PREAUTH_FAILED|LOCKED|failed" /var/log/krb5kdc.log
# Follow the directory server journal (the unit is per instance, named after the realm, e.g. dirsrv@EXAMPLE-COM)
journalctl -u dirsrv@REALM -f
# Failed LDAP binds appear as err=49 (invalid credentials) in the access log
grep "RESULT err=49" /var/log/dirsrv/slapd-REALM/access
# Monitor admin activities (binds and operations performed as the admin user)
grep 'dn="uid=admin,' /var/log/dirsrv/slapd-REALM/access
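Counting failed binds by hand does not scale, and a single err=49 line tells you little. The following script is an added example (not part of the original guide) that reads 389-ds access log lines, joins the connection, BIND and RESULT records by their conn= identifier, and reports every source IP / bind DN pair with at least a chosen number of failed binds. The log lines it ships with are constructed samples in the access log format; the function name and the threshold argument are my own.

```sh
#!/bin/sh
# Added example: summarise failed LDAP binds (err=49) per source IP and bind DN from
# 389-ds access log lines, so repeated guessing against one account stands out.
# SAMPLE_ACCESS_LOG holds constructed lines in the access log format, not real data.
SAMPLE_ACCESS_LOG='[01/Jan/2025:10:00:00.000000000 +0000] conn=12 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[01/Jan/2025:10:00:01.000000000 +0000] conn=12 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[01/Jan/2025:10:00:01.001000000 +0000] conn=12 op=0 RESULT err=49 tag=97 nentries=0 wtime=0.000 optime=0.001 etime=0.001
[01/Jan/2025:10:00:02.000000000 +0000] conn=12 op=1 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[01/Jan/2025:10:00:02.001000000 +0000] conn=12 op=1 RESULT err=49 tag=97 nentries=0 wtime=0.000 optime=0.001 etime=0.001
[01/Jan/2025:10:00:03.000000000 +0000] conn=12 op=2 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[01/Jan/2025:10:00:03.001000000 +0000] conn=12 op=2 RESULT err=49 tag=97 nentries=0 wtime=0.000 optime=0.001 etime=0.001
[01/Jan/2025:10:00:04.000000000 +0000] conn=12 op=3 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[01/Jan/2025:10:00:04.001000000 +0000] conn=12 op=3 RESULT err=49 tag=97 nentries=0 wtime=0.000 optime=0.001 etime=0.001
[01/Jan/2025:10:00:05.000000000 +0000] conn=12 op=4 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[01/Jan/2025:10:00:05.001000000 +0000] conn=12 op=4 RESULT err=0 tag=97 nentries=0 wtime=0.000 optime=0.001 etime=0.001 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[01/Jan/2025:10:00:06.000000000 +0000] conn=13 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[01/Jan/2025:10:00:07.000000000 +0000] conn=13 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[01/Jan/2025:10:00:07.001000000 +0000] conn=13 op=0 RESULT err=49 tag=97 nentries=0 wtime=0.000 optime=0.001 etime=0.001'

# Usage: failed_binds_by_source THRESHOLD < access_log
# Prints "count source_ip bind_dn" for every (ip, dn) pair with at least THRESHOLD
# failed binds, highest count first. Connection lines map conn=N to the client IP,
# BIND lines record the DN a connection last tried, RESULT err=49 lines are the failures.
failed_binds_by_source() {
    awk -v threshold="$1" '
        / connection from / {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^conn=/) conn = $i
                if ($i == "from") src = $(i + 1)
            }
            ip[conn] = src
        }
        / BIND dn=/ {
            match($0, /conn=[0-9]+/); conn = substr($0, RSTART, RLENGTH)
            match($0, /dn="[^"]*"/); dn[conn] = substr($0, RSTART + 4, RLENGTH - 5)
        }
        / RESULT err=49 / {
            match($0, /conn=[0-9]+/); conn = substr($0, RSTART, RLENGTH)
            fails[ip[conn] " " dn[conn]]++
        }
        END {
            for (key in fails)
                if (fails[key] >= threshold) print fails[key], key
        }
    ' | sort -rn
}

# Run over the constructed sample; against a live server feed the real log instead:
#   failed_binds_by_source 5 < /var/log/dirsrv/slapd-REALM/access
printf '%s\n' "$SAMPLE_ACCESS_LOG" | failed_binds_by_source 3
```

On the sample, a threshold of 3 reports only the four admin failures from 192.0.2.10; the single failure for alice stays below it, and the successful bind (err=0) is not counted. The threshold is worth aligning with the password policy's --maxfail so the report shows accounts that are about to be, or already are, locked out.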
# Create an encrypted backup of the data (--gpg encrypts with root's GPG key; --online avoids stopping services)
sudo ipa-backup --data --online --gpg
# Verify backup integrity: ipa-backup has no verify option, so inspect the backup's header
# and record checksums of the backup files out of band
sudo cat /var/lib/ipa/backup/.../header
# Store backups securely: the backup directory must stay readable by root only
sudo chmod -R go-rwx /var/lib/ipa/backup/
sudo chown -R root:root /var/lib/ipa/backup/
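Because ipa-backup cannot verify its own output, integrity has to be checked out of band. The script below is an added example (not part of the original guide or of FreeIPA) that writes a SHA-256 manifest into a backup directory right after the backup is taken and later checks the directory against it, failing if any file was altered or removed. The function names are my own, the directory layout it demonstrates on is constructed, and it relies on GNU sha256sum; the manifest is meant to be copied off the server, since an attacker who can rewrite the backup can rewrite a manifest stored beside it.

```sh
#!/bin/sh
# Added example: record and verify a checksum manifest for a backup directory.
# Pass the directory ipa-backup reported, e.g. /var/lib/ipa/backup/ipa-data-<timestamp>.

# Write SHA256SUMS covering every file in the directory (sorted, so the manifest is stable).
# File names in IPA backups contain no whitespace, which plain xargs assumes.
record_backup_manifest() {
    backup_dir="$1"
    ( cd "$backup_dir" || exit 1
      find . -type f ! -name SHA256SUMS | LC_ALL=C sort | xargs sha256sum > SHA256SUMS )
}

# Check the directory against its manifest: exit status 0 if every listed file is
# present and unchanged, non-zero if any file differs or is missing.
verify_backup_manifest() {
    backup_dir="$1"
    ( cd "$backup_dir" || exit 1
      sha256sum --status -c SHA256SUMS )
}

# Demonstration on a constructed directory (not a real IPA backup).
demo_backup_manifest() {
    tmp=$(mktemp -d)
    printf 'ipa-data\n' > "$tmp/header"
    printf 'constructed backup payload\n' > "$tmp/ipa-data.tar"
    record_backup_manifest "$tmp"
    verify_backup_manifest "$tmp" && echo "backup intact"
    printf 'tampered\n' >> "$tmp/ipa-data.tar"
    verify_backup_manifest "$tmp" || echo "backup modified"
    rm -rf "$tmp"
}

demo_backup_manifest
```

Run record_backup_manifest immediately after ipa-backup finishes, copy SHA256SUMS to the backup store or a ticketing system, and run verify_backup_manifest before every restore test.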
Document and test recovery procedures regularly:
# Test backup restoration on an isolated server (ipa-restore replaces the running installation with the backup contents)
sudo ipa-restore /path/to/backup
# Verify restored configuration after recovery
ipa-healthcheck --all
FreeIPA supports FIPS 140-2 mode:
# Check FIPS status at the OS level (FreeIPA detects it automatically)
fips-mode-setup --check
cat /proc/sys/crypto/fips_enabled
# Enable FIPS mode at the OS level and reboot before installing FreeIPA;
# an existing installation cannot be switched into FIPS mode afterwards
sudo fips-mode-setup --enable
With FreeIPA 4.13.x, consider these additional security capabilities:
Keep FreeIPA updated with security patches:
# Check for available updates
dnf check-update | grep ipa
# Update IPA (always test in staging first)
sudo dnf update ipa-server ipa-client
# Verify functionality after updates
ipa-healthcheck --all
ipactl status
FreeIPA can help meet various compliance requirements:
Configure FreeIPA to meet audit requirements:
# Enable SID generation (needed for PAC-aware features such as trusts; this is not a logging setting)
ipa config-mod --enable-sid
# Configure audit logging: enable the directory server audit log, which records every write with the bound DN
sudo dsconf slapd-REALM config replace nsslapd-auditlog-logging-enabled=on
# Audit entries go to /var/log/dirsrv/slapd-REALM/audit; access and KDC logging are on by default
Perform regular security assessments:
# Test certificate validity
openssl x509 -in /etc/ipa/ca.crt -text -noout
# Test Kerberos authentication
kinit admin
klist
# Test LDAP connectivity with TLS
ldapsearch -x -H ldaps://ipa.example.com -b "dc=example,dc=com" -s base -D "cn=Directory Manager" -W "(objectclass=*)"