FreeIPA access from internet if dc=domain,dc=local (freeipa.domain.local)

domain-name-system ldap openldap freeipa

Your domain has a serious and unrecoverable mistake: You used a nonexistent domain name ending in .local as the domain name. You should never use .local for domain names, and the reasons for this (and the best practices) are much the same as they are for Active Directory.

From FreeIPA Deployment Recommendations:

We strongly recommend that you do not use a domain name that is not delegated to you, even on a private network. For example, you should not use domain name company.int if you don't have valid delegation for it in public DNS tree.

If this rule is not respected, the domain name will be resolved differently depending on the network configuration. As a result, network resources will become unavailable. Using domain names that are not delegated to you also makes DNSSEC more difficult to deploy and maintain.

For further information about this issue please see the ICANN FAQ on domain name collisions.

However, unlike Active Directory, it is not possible to rename a FreeIPA domain.

It is not possible to change FreeIPA primary domain and realm after installation. Plan carefully. Do not expect move from lab/staging environment to production environment (e.g. change lab.example.com to prod.example.com)

At this point, your recovery procedure will look something like this:

  1. Unjoin all hosts from the domain with ipa-client-install --uninstall.
  2. Destroy the FreeIPA domain controllers.
  3. Reinstall the FreeIPA domain controllers, using a correctly chosen domain name.
  4. Rejoin all hosts to the new domain.

There will definitely be more steps to this if you've created domain services such as kerberized NFS, HTTP, etc. You'll have to set all of these up again on the new domain.

Once you've correctly set up the FreeIPA domain, using a subdomain of your existing domain name, you can set up NS records in that domain so that the subdomain's DNS is reachable from the Internet. After that it's just opening the relevant firewall ports for the services you want to be accessible on the Internet...

Related

Redoing AD: How to completely remove old domain from the network without re-installing Windows?
Scheduling tasks|jobs across servers from central location. (Windows Server)
domain controller naming group policy [closed]
Email account terminology
wds pc name based on previous ad pc name
My AD domain and DNS domain names are the same. Can this be resolved with SRV secords?
802.1x wired auth after domain change
Hotmail/Outlook.com DKIM failure when signing with different domain - header.d ignored
How can I block all traffic to PlayStation network?
How do I not lose my Rackspace emails when I use WordPress DNS?
enabling php in apache
how to generate a small RSA key