FreeIPA access from internet if dc=domain,dc=local (freeipa.domain.local)

Stas Teitel asked:

I installed FreeIPA, here is my etc/ipa/default.conf file

[global]
host = freeipa.domain.local
basedn = dc=domain,dc=local
realm = domain.LOCAL
domain = domain.local
xmlrpc_uri = https://freeipa.domain.local/ipa/xml
ldap_uri = ldapi://%2fvar%2frun%2fslapd-DOMAIN-LOCAL.socket

The problem is: what am I going to do with that now, if I need access to FreeIPA from the internet?!
For example, I need to set up an LDAP client. It uses a domain name that doesn't exist on the internet and can't be found remotely:

URI ldaps://freeipa.domain.local
BASE dc=domain,dc=local

Any advice or best solution?

My answer:

Your domain has a serious and unrecoverable mistake: You used a nonexistent domain name ending in .local as the domain name. You should never use .local for domain names, and the reasons for this (and the best practices) are much the same as they are for Active Directory.

From FreeIPA Deployment Recommendations:

We strongly recommend that you do not use a domain name that is not delegated to you, even on a private network. For example, you should not use domain name company.int if you don’t have valid delegation for it in public DNS tree.

If this rule is not respected, the domain name will be resolved differently depending on the network configuration. As a result, network resources will become unavailable. Using domain names that are not delegated to you also makes DNSSEC more difficult to deploy and maintain.

For further information about this issue please see the ICANN FAQ on domain name collisions.

However, unlike Active Directory, it is not possible to rename a FreeIPA domain.

It is not possible to change the FreeIPA primary domain and realm after installation. Plan carefully. Do not expect to move from a lab/staging environment to a production environment (e.g. change lab.example.com to prod.example.com).

At this point, your recovery procedure will look something like this:

  1. Unjoin all hosts from the domain with ipa-client-install --uninstall.
  2. Destroy the FreeIPA domain controllers.
  3. Reinstall the FreeIPA domain controllers, using a correctly chosen domain name.
  4. Rejoin all hosts to the new domain.

There will definitely be more steps to this if you’ve created domain services such as kerberized NFS, HTTP, etc. You’ll have to set all of these up again on the new domain.

Once you’ve correctly set up the FreeIPA domain, using a subdomain of your existing domain name, you can set up NS records in that domain so that the subdomain’s DNS is reachable from the Internet. After that it’s just opening the relevant firewall ports for the services you want to be accessible on the Internet…
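The cheapest time to catch this mistake is before ipa-server-install runs. The following pre-install check is an added example (not from the Server Fault answer or the FreeIPA project): it rejects special-use names that can never be delegated in the public DNS (.local, .localhost, .test, .example, .invalid, .onion, home.arpa), rejects single labels, and requires the candidate to be a subdomain of a parent domain you actually own. The parent domain is whatever you pass as the second argument; the NS lookup with dig is optional and only warns, so the function still gives a verdict offline.

```shell
#!/bin/sh
# Pre-install sanity check for a FreeIPA domain name.
# Added example, not code from the original post or from FreeIPA.
# Usage: check_ipa_domain <candidate-domain> <owned-parent-domain>
# Returns 0 when the candidate is acceptable, 1 otherwise.

# Special-use names that cannot be delegated in the public DNS:
# RFC 6761 (localhost, test, example, invalid), RFC 6762 (local),
# RFC 7686 (onion), RFC 8375 (home.arpa).
RESERVED_SUFFIXES="local localhost test example invalid onion home.arpa"

check_ipa_domain() {
    # Normalise: lower-case, strip a trailing dot.
    candidate=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    parent=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')

    # 1. Reject names under a special-use TLD (the .local mistake from the question).
    for suffix in $RESERVED_SUFFIXES; do
        case "$candidate" in
            "$suffix"|*."$suffix")
                echo "REJECT: $candidate ends in special-use name .$suffix (cannot be delegated)"
                return 1 ;;
        esac
    done

    # 2. A bare single label (e.g. "corp") is not a delegatable FQDN either.
    case "$candidate" in
        *.*) ;;
        *)  echo "REJECT: $candidate is a single label, not a fully qualified domain"
            return 1 ;;
    esac

    # 3. Must be a proper subdomain of the parent you control, so you can
    #    publish NS records for it (the delegation the answer describes).
    case "$candidate" in
        *."$parent") ;;
        *)  echo "REJECT: $candidate is not a subdomain of $parent"
            return 1 ;;
    esac

    # 4. Optional online check: is the parent actually delegated in public DNS?
    #    Skipped when dig is absent; a failure here only warns, so the offline
    #    checks above decide the verdict.
    if command -v dig >/dev/null 2>&1; then
        if [ -z "$(dig +short +time=2 +tries=1 NS "$parent." 2>/dev/null)" ]; then
            echo "WARN: no NS records found for $parent in public DNS (not delegated?)"
        fi
    fi

    echo "OK: $candidate is usable as a FreeIPA domain"
    return 0
}

# Example runs with constructed names (the first is the domain from the question):
#   check_ipa_domain freeipa.domain.local domain.local   -> REJECT, exit 1
#   check_ipa_domain ipa.example.com example.com         -> OK, exit 0
```

Run it with the domain you intend to pass to ipa-server-install and the domain whose DNS zone you administer; anything other than OK means the installation would reproduce the problem described in this question, and a REJECT is far cheaper to act on than the uninstall/reinstall/rejoin cycle above.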

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.