I'm trying to ask this question in a way that's answerable, but part of the issue is knowing the implications of my current situation and if there's an issue or technical debt which'll bite me further on.
I've set up a few IPA servers in a master & replicas setup.
server1: dns A record (and fqdn hostname): srv1.mydomain.com
server2: dns A record (and fqdn hostname): srv2.mydomain.com
server3: dns A record (and fqdn hostname): srv3.mydomain.com
The servers have a CNAME of auth-a, auth-b, auth-c, respectively, and use a self-signed cert as per a normal IPA install.
This worked fine for months for ssh connections, sssd and so on. The issue arrived when trying to hook in applications which only allow one LDAP server to be specified. There are SRV DNS records set up for failover, but in an attempt to get these apps to work I also put in a DNS round-robin record.
The catch is this round robin only works for normal LDAP lookups, not LDAP SSL. I can make SSL work, however, if I disable checking on the SSL cert.
So... the questions!
a) Realistically, how bad is it to disable checking of the cert on an internal service? This LDAP server is going to be queried from the LAN, always. I believe I'm opened up to a possible MITM attack, but I'm not certain of how worried I need to be about that. I mean, right now my other option is not using SSL, and that's scary sauce. To perform the MITM attack they'd already need to be on my network and have control of the DNS, no? Any advice which could quantify that concern into real terms would be helpful.
b) As I understand it, to actually fix this I'd need to give the RR DNS entry as a subject alt name on the self-signed cert of the server(s). That means re-keying the server, right? Which in the case of IPA means rejoining every client to IPA for the new cert. That's a non-starter, I think.
c) Given the current situation and the outcome of (a) and (b), what would you recommend as the best course of action to allow apps which only allow one LDAP server to be specified (and don't use SRV DNS records in any way) to fail over to the other server should one go down, and still allow LDAP over SSL given my certificates?
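An added example, not part of the question, that shows the check an LDAPS client performs when it verifies a certificate: the name it dialled must match a dNSName in the certificate's subject alt names (RFC 6125 rules). Plain LDAP skips this step entirely, which is why the round-robin record works there and fails on port 636. The SAN lists and the round-robin name `ldap.mydomain.com` are constructed assumptions; the post does not state them.

```python
"""Hostname-vs-SAN matching as a verifying LDAPS client applies it.

Constructed scenario mirroring the question: the SAN lists below are made
up, and 'ldap.mydomain.com' is an assumed name for the round-robin record.
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    # RFC 6125 only allows '*' as the entire left-most label.
    return pattern_label == "*" or pattern_label == host_label


def hostname_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """True if hostname is covered by one of the dNSName SAN entries.

    Comparison is case-insensitive, ignores a trailing dot, and a wildcard
    may only occupy the whole left-most label: '*.mydomain.com' covers
    'srv1.mydomain.com' but not 'a.b.mydomain.com' or 'mydomain.com'.
    """
    host = hostname.lower().rstrip(".").split(".")
    for san in san_dns_names:
        pat = san.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if "*" in pat[1:]:  # a wildcard in any non-leading label is invalid
            continue
        if all(_label_matches(p, h) for p, h in zip(pat, host)):
            return True
    return False


def uncovered_names(client_names: list[str], san_dns_names: list[str]) -> list[str]:
    """Names a client might dial that the certificate does not vouch for."""
    return [n for n in client_names if not hostname_matches(n, san_dns_names)]


# Per-server cert as issued by a stock install: only the server's own FQDN.
SRV1_SAN_BEFORE = ["srv1.mydomain.com"]
# Same server after re-issuing with the CNAME and the round-robin name added.
# Clients that trust the issuing CA (rather than pinning the old leaf cert)
# accept any certificate that CA signs for a name they dialled.
SRV1_SAN_AFTER = ["srv1.mydomain.com", "auth-a.mydomain.com", "ldap.mydomain.com"]
# Every name a client in the post's setup might use to reach srv1.
CLIENT_NAMES = ["srv1.mydomain.com", "auth-a.mydomain.com", "ldap.mydomain.com"]

if __name__ == "__main__":
    print("names rejected before re-issue:", uncovered_names(CLIENT_NAMES, SRV1_SAN_BEFORE))
    print("names rejected after re-issue: ", uncovered_names(CLIENT_NAMES, SRV1_SAN_AFTER))
```

Disabling certificate checking removes exactly this name binding, so the question in (a) reduces to whether anyone who can answer DNS or intercept traffic on the LAN can present their own certificate for the round-robin name.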