Identity Services

From Dark Peak

The identity server lives at and comprises various bits of low-level infrastructure and the FreeIPA management interface that provide comprehensive identity and authentication facilities for Dark Peak Data members and the services we host.

This page documents various details about how we have set up FreeIPA, PKI, LDAP, KDC and DNS.

Standard Operating Procedures

Documentation for common administrative procedures involving the identity services:

Operational Details

As the infrastructure "linchpin" that all other services depend on, the identity server is deployed by kickstart script onto its own dedicated VM. The kickstart scripts are kept in a git repository.

The following services are exposed by the identity server:

  • FreeIPA Management Interface (httpd)
  • PKI Certificate Server (httpd/tomcat)
  • LDAP Directory Server (ns-slapd)
  • MIT Kerberos KDC (krb5kdc/kadmin)
  • DNS (named)

The LDAP directory serves as the back-end storage for the DNS, Kerberos and PKI systems, so that everything can be managed through the FreeIPA management interface. For any potential high-availability setup it is therefore probably only necessary to replicate the LDAP directory, and similarly for disaster recovery it is probably only necessary to back up the LDAP directory.

TODO: Figure out and document backup mechanism here.

The following ports must be open on the identity server:

  • 53 - DNS (TCP and UDP)
  • 80/443 - HTTP/HTTPS (TCP only)
  • 88/464 - Kerberos (TCP and UDP)
  • 389/636 - LDAP/LDAPS (TCP only)
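A quick way to check that the identity server exposes exactly this set of ports and nothing else is to compare the kernel's listening sockets against the list above. The script below is an added example, not part of the Dark Peak kickstart repository; it assumes input in the format of `ss -lntu` from iproute2 (header line, then one socket per line with the local address in the fifth column) and uses a constructed sample table rather than a live host.

```shell
#!/bin/sh
# Added example (not Dark Peak's own code): audit listening sockets against
# the identity server's required port list. Feed it `ss -lntu` output on stdin.

# Required "proto port" pairs, taken from the port list on this page.
REQUIRED="tcp 53
udp 53
tcp 80
tcp 443
tcp 88
udp 88
tcp 464
udp 464
tcp 389
tcp 636"

# Constructed sample of `ss -lntu` output: 464 is not listening on either
# protocol, and two ports outside the list (22 and 8443) are open.
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:53         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:53         0.0.0.0:*
tcp   LISTEN 0      128    *:80               *:*
tcp   LISTEN 0      128    *:443              *:*
tcp   LISTEN 0      128    [::]:88            [::]:*
udp   UNCONN 0      0      0.0.0.0:88         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:389        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:636        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8443       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:22       0.0.0.0:*'

# Reduce ss output on stdin to unique "proto port" pairs. The header and any
# non-tcp/udp rows are skipped; the port is the text after the last ':' in
# the local address, which also handles IPv6 forms such as [::]:88.
listening_pairs() {
    awk '$1 == "tcp" || $1 == "udp" { n = split($5, a, ":"); print $1, a[n] }' | sort -u
}

# Print required pairs that are not listening (one per line, REQUIRED order).
missing_ports() {
    listening=$(listening_pairs)
    printf '%s\n' "$REQUIRED" | while read -r proto port; do
        printf '%s\n' "$listening" | grep -qx "$proto $port" || echo "$proto $port"
    done
}

# Print listening pairs that are not in the required list (sorted).
unexpected_ports() {
    listening_pairs | while read -r proto port; do
        printf '%s\n' "$REQUIRED" | grep -qx "$proto $port" || echo "$proto $port"
    done
}

# Stand-alone run against the constructed sample; on a real host replace the
# printf with `ss -lntu`.
echo "Missing required ports:"
printf '%s\n' "$SAMPLE" | missing_ports
echo "Listening ports not in the required list:"
printf '%s\n' "$SAMPLE" | unexpected_ports
```

Anything reported as unexpected is not necessarily wrong (8443, for example, is where the PKI tomcat instance is commonly reached internally), but it should be either bound to localhost only or deliberately added to the firewall policy, rather than left open by accident.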