Stas Teitel asked:
I installed FreeIPA, here is my etc/ipa/default.conf file
[global]
host = freeipa.domain.local
basedn = dc=domain,dc=local
realm = domain.LOCAL
domain = domain.local
xmlrpc_uri = https://freeipa.domain.local/ipa/xml
ldap_uri = ldapi://%2fvar%2frun%2fslapd-DOMAIN-LOCAL.socket
The problem is: what am I going to do with that now, if I need access to FreeIPA from the internet?!
For example, I need to set up an LDAP client. It uses a domain name that doesn't exist on the internet and can't be found remotely:
URI ldaps://freeipa.domain.local
BASE dc=domain,dc=local
Any advice or best solution?
Your domain has a serious and unrecoverable mistake: you used a nonexistent domain name ending in .local as the domain name. You should never use .local for domain names, and the reasons for this (and the best practices) are much the same as they are for Active Directory.
We strongly recommend that you do not use a domain name that is not delegated to you, even on a private network. For example, you should not use domain name company.int if you don’t have valid delegation for it in public DNS tree.
If this rule is not respected, the domain name will be resolved differently depending on the network configuration. As a result, network resources will become unavailable. Using domain names that are not delegated to you also makes DNSSEC more difficult to deploy and maintain.
For further information about this issue please see the ICANN FAQ on domain name collisions.
However, unlike Active Directory, it is not possible to rename a FreeIPA domain.
It is not possible to change FreeIPA primary domain and realm after installation. Plan carefully. Do not expect move from lab/staging environment to production environment (e.g. change
At this point, your recovery procedure will look something like this:
- Unjoin all hosts from the domain with
- Destroy the FreeIPA domain controllers.
- Reinstall the FreeIPA domain controllers, using a correctly chosen domain name.
- Rejoin all hosts to the new domain.
There will definitely be more steps to this if you’ve created domain services such as kerberized NFS, HTTP, etc. You’ll have to set all of these up again on the new domain.
Once you’ve correctly set up the FreeIPA domain, using a subdomain of your existing domain name, you can set up NS records in that domain so that the subdomain’s DNS is reachable from the Internet. After that it’s just opening the relevant firewall ports for the services you want to be accessible on the Internet…
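Because the domain and realm cannot be changed after installation, the only cheap fix is to validate the name before running the installer. The following pre-install check is an added example, not code from the original answer or from the FreeIPA project: it parses a default.conf-style [global] section like the one quoted above, flags special-use TLDs that can never be delegated in public DNS, and verifies that basedn matches the domain. The function names and the embedded sample config are constructed for this example.

```python
"""Pre-install sanity check for a FreeIPA domain choice (constructed example)."""
import configparser
import shutil
import subprocess

# Special-use names (RFC 6761, 6762, 7686, 8375): never delegated in public DNS.
SPECIAL_USE = {"local", "localhost", "test", "example", "invalid", "onion", "home.arpa"}

# Constructed sample mirroring the shape of /etc/ipa/default.conf in the question.
SAMPLE_CONF = """\
[global]
host = freeipa.domain.local
basedn = dc=domain,dc=local
realm = domain.LOCAL
domain = domain.local
ldap_uri = ldapi://%2fvar%2frun%2fslapd-DOMAIN-LOCAL.socket
"""

def parse_default_conf(text):
    """Return the [global] section as a dict. Interpolation is disabled because
    ldap_uri contains literal '%' escapes that ConfigParser would otherwise reject."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["global"])

def check_domain(domain):
    """Return findings about the domain name; an empty list means it could be delegated."""
    labels = domain.lower().rstrip(".").split(".")
    findings = []
    if len(labels) < 2:
        findings.append(f"{domain}: single-label domain")
    if labels[-1] in SPECIAL_USE or ".".join(labels[-2:]) in SPECIAL_USE:
        findings.append(f"{domain}: special-use TLD, cannot be delegated in public DNS")
    return findings

def check_config(conf):
    """Findings for a parsed [global] section: domain choice plus basedn consistency."""
    domain = conf["domain"]
    findings = check_domain(domain)
    expected = ",".join(f"dc={label}" for label in domain.lower().rstrip(".").split("."))
    if conf.get("basedn", "").replace(" ", "").lower() != expected:
        findings.append(f"basedn {conf.get('basedn')!r} does not match domain {domain}")
    return findings

def public_ns(domain):
    """Public NS delegation as seen by dig, or None when dig is not installed."""
    if shutil.which("dig") is None:
        return None
    out = subprocess.run(["dig", "+short", "NS", domain], capture_output=True, text=True, timeout=10)
    return [line for line in out.stdout.splitlines() if line]

if __name__ == "__main__":
    for finding in check_config(parse_default_conf(SAMPLE_CONF)):
        print(finding)
```

Run it against a candidate domain before ipa-server-install; an empty result from check_config plus a non-empty public_ns list means the subdomain is delegated to you and can later be reached from the Internet as the answer describes.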
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.