
I'd like to implement LDAP using FreeIPA for centralized authentication and, for security's sake, Kerberos.

The problem is that my servers (Ubuntu) are running in a public cloud with no private interface provided. So my only choice is to use public IPs, but I'm not sure whether it is a good idea to implement this with public IPs for both the server and the clients.

Apart from that, I'm worried about external services. How can external services access the REALM?

I'm also wondering about users. We have two types of users:

  1. external users with various public IPs
  2. external users that use one public IP but use NAT to assign private IPs

I have little experience with LDAP, and that was implemented only on a private network. Please share your suggestions. I'd really appreciate it.

BTH.S3

1 Answer


Yes, you can allow access to Kerberos and LDAP directly over the internet. Carefully.

Kerberos was designed to run over untrusted networks.

Only run LDAP over TLS; disable the unencrypted service. Limit what an anonymous user can query. Check how sensitive the data in LDAP is: would there be a compliance or legal problem if some PII leaked?

Knowing a user's IP address by itself is not authentication. (Although the trustworthiness of IP addresses can be useful as threat intelligence.) Auth is implemented with strong cryptography in these applications.

As these services will be provided via the internet, make an effort to secure them. Harden the services; do not run anything else on this host. Monitor, and review failed logins and firewall hits to get an idea of how many probes take a try. Consider consulting with a red team to try a mock attack on your defenses.


NATs are no fun. Consider implementing IPv6, offering dual stack like internet services should.

It is easier to allow-list large contiguous IPv6 net blocks, if you wish to do so. The space is so large that it is infeasible to brute-force scan, so there is less noise, due to slightly more work for attackers to find you. And it reinforces that NAT is not security: change a firewall rule and your directory is no longer accessible from the internet, despite having a "public" IP address.

John Mahowald