FreeIPA Support

I have tried to set up FreeIPA in various different configurations to work with Caddy, but because of the various TLS interconnections I am yet to figure out a way to set it up. There are 3 possible configurations documented, and I would like to ask the community if it can provide some hints on which one is most likely to work and how to set it up:

  1. Native FreeIPA key management:
  • FreeIPA manages its own local TLS certificates for both HTTP and LDAP. This is easy to install, but hard to configure together with Caddy.
  • Problem: During authentication, FreeIPA checks against its own certificates in order to authenticate. So even in reverse proxy on an HTTP port, authentication fails.
  • Possible solution: Make Caddy use FreeIPA TLS certs. There is a guide on how to achieve this, but I am still stuck at the section of generating the cert files using certutil. This would most likely be the best approach, but I do not know how to debug this. One concern I have is whether I would have to manually repeat these steps when the certificate expires.
  2. Have FreeIPA use an external CA:
  • I am not sure what exactly this does and if it is viable in a reverse-proxy environment, but it might be easier to set up.
  • Problem: I need to sign the CSR with the external CA, but there is no guide on how to do so.
  3. CA-less FreeIPA:
  • Despite the name, I still need to provide it with both HTTP and LDAP cert files.
  • Problem: During the LDAP configuration I get such an error if I were to naively use the same certificates:
    slapd_extract_cert - SERVER CERT NAME: Unknown CA
  • This is most likely an issue with needing to manually generate the key/cert for LDAP, but it would still be difficult to manage and learn how to do so. Another concern is that when the certificates are regenerated/moved I would lose access to the server and reinstalling the certificates becomes problematic.

If anyone has some insight on what I should try I would love to figure it out. Manually installing and configuring LDAP is going over my head, and I would like to use FreeIPA to manage all of these.

I should add to this topic: I have had a quick conversation on the FreeIPA subreddit, and at least some of the developers are against the idea of supporting running a webserver (aside from the one managed by their service) on the same machine that is running the FreeIPA service, due to understandable security concerns. So there will not likely be official support from them.

I think you were on the right track on option 3, but FreeIPA isn’t recognizing the CA which issued the cert for Caddy. You probably just need to tell FreeIPA of the additional CA issuers it needs to trust. Upon some googling, I found this: Using 3rd part certificates for HTTP/LDAP.

I have no experience of FreeIPA, though it has been on my long to-learn list, so take this with a large dose of salt. If you manage to set it up, please report back with how :slight_smile: We’d love to have documentation on that.
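An added example, not from either poster, that reproduces the trust check behind that "Unknown CA" message with openssl on a constructed throwaway PKI: the server cert verifies only against a store that contains the CA which issued it, which is exactly what 389-ds/FreeIPA is complaining about in option 3. The commented `ipa-cacert-manage install` / `ipa-certupdate` lines are FreeIPA's documented way to add an extra CA to its trust store; the certificate names here are made up.

```shell
#!/bin/sh
# Added example (not from the thread): show the chain-of-trust check that fails
# with "Unknown CA" when the LDAP/HTTP cert's issuer is not in FreeIPA's trust store.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed demo PKI: a throwaway "Caddy CA" that issues the IPA host's cert,
# plus an unrelated CA standing in for what the IPA trust store already holds.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Caddy CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ipa.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
}

# chain_ok LEAF_PEM TRUST_PEM: prints "trusted" when LEAF chains to a CA in
# TRUST_PEM, otherwise "unknown-ca" (the same condition slapd reports).
chain_ok() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo unknown-ca
  fi
}

make_demo_pki
# Same cert, two trust stores: only the one holding the issuing CA accepts it.
echo "against unrelated CA : $(chain_ok "$WORK/leaf.pem" "$WORK/other.pem")"
echo "against issuing CA   : $(chain_ok "$WORK/leaf.pem" "$WORK/ca.pem")"

# On a real FreeIPA host the fix is to add the issuing CA to IPA's trust store
# (FreeIPA's own tooling, shown as a reference, not run here):
#   ipa-cacert-manage install "$WORK/ca.pem"
#   ipa-certupdate
# Then re-check what the LDAP instance's NSS database trusts (instance name varies):
#   certutil -L -d /etc/dirsrv/slapd-EXAMPLE-TEST
```

The two `openssl verify` runs are the offline equivalent of the 389-ds check, so the same pair of commands against the real cert and the CA bundle in use tells you whether the issuer is the problem before touching the IPA install.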
