Ok.. no worries. Thanks Simo

From: Simo Sorce via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Sean Hogan <schogan@us.ibm.com>, Simo Sorce <simo@redhat.com>
Date: 10/26/2017 02:17 PM
Subject: [Freeipa-users] Re: Port 389

On Thu, 2017-10-26 at 14:11 -0700, Sean Hogan via FreeIPA-users wrote:
> Hello IPA,
>
>   Hopefully a quick question.
>
> RHEL 7.3 IPA 4.4
>
>  I have been digging around RHEL docs
> https://access.redhat.com/solutions/357673 for firewall ports and it
> says
> 389 is required for replication of IPA servers and clients to IPA
> servers.
>
>   FreeIPA docs say this:
> SSL/startTLS  When possible, configure your LDAP client to
> communicate over
> SSL/TLS. You can either use port 389 and enable startTLS in the
> client or
> configure to use the ldaps port, 636. The IPA CA certificate can be
> found
> in /etc/ipa/ca.crt on all enrolled hosts.
>
>   Question is this... can IPA be configured without Port 389 at all
> for clients to comm with IPA servers?

Nope, sorry.
Most clients use SASL/GSSAPI to secure the connection, and that is done
over port 389.

>
>   I realize the starttls using 389 encrypts the comms but for our
> vlan firewall rules 389 is not something we really want to open.  It
> is easier to open IPA server IP to IPA server IP port 389 bi-direction
> if needed for replication but for clients it would be the
> whole subnet to IPA server 389.
> I also noticed somewhere that direct 636 instead of 389 with starttls
> for clients is deprecated but I think that was in Directory Server
> docs.

--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
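The practical consequence of Simo's answer is that port 389 must stay open to clients, and that what matters for the firewall review is not the port number but whether each session on it is protected: a SASL/GSSAPI bind wraps the session with Kerberos, StartTLS upgrades it to TLS, and only a simple bind on a plain 389 connection actually sends credentials in the clear. The script below is an added example, not part of this thread or of FreeIPA; it walks a directory-server access log, tracks per connection whether TLS was established before each bind and which bind method was used, and reports the source addresses that performed unprotected binds. The log lines are constructed for the example and are modelled on the 389 Directory Server access log layout (an assumption; real logs carry additional fields), and the IP addresses and DNs are made up.

```python
"""Classify LDAP connections in a 389 DS style access log by how they were
protected (SASL/GSSAPI, TLS, or a cleartext simple bind on port 389).
Added example; the sample log is constructed and its layout is an assumption."""
import re

# Constructed sample log: four connections with different protection levels.
SAMPLE_LOG = """\
[26/Oct/2017:14:11:02 -0700] conn=101 fd=64 slot=64 connection from 10.20.1.15 to 10.20.0.10
[26/Oct/2017:14:11:02 -0700] conn=101 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Oct/2017:14:11:02 -0700] conn=101 op=0 RESULT err=14 tag=97 nentries=0 etime=0 , SASL bind in progress
[26/Oct/2017:14:11:02 -0700] conn=101 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[26/Oct/2017:14:11:02 -0700] conn=101 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=host1.example.test,cn=computers,cn=accounts,dc=example,dc=test"
[26/Oct/2017:14:11:03 -0700] conn=102 fd=65 slot=65 connection from 10.20.1.16 to 10.20.0.10
[26/Oct/2017:14:11:03 -0700] conn=102 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[26/Oct/2017:14:11:03 -0700] conn=102 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[26/Oct/2017:14:11:03 -0700] conn=102 SSL 256-bit AES
[26/Oct/2017:14:11:03 -0700] conn=102 op=1 BIND dn="uid=svc-app,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[26/Oct/2017:14:11:03 -0700] conn=102 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=svc-app,cn=users,cn=accounts,dc=example,dc=test"
[26/Oct/2017:14:11:04 -0700] conn=103 fd=66 slot=66 SSL connection from 10.20.1.17 to 10.20.0.10
[26/Oct/2017:14:11:04 -0700] conn=103 SSL 256-bit AES
[26/Oct/2017:14:11:04 -0700] conn=103 op=0 BIND dn="uid=svc-mon,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[26/Oct/2017:14:11:05 -0700] conn=104 fd=67 slot=67 connection from 10.20.1.18 to 10.20.0.10
[26/Oct/2017:14:11:05 -0700] conn=104 op=0 BIND dn="uid=legacy,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[26/Oct/2017:14:11:05 -0700] conn=104 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

CONN_RE = re.compile(r"conn=(\d+)")
SRC_RE = re.compile(r"connection from (\S+) to ")
# A "conn=N SSL <bits>-bit <cipher>" line marks TLS as established (LDAPS or StartTLS).
TLS_RE = re.compile(r"conn=\d+ SSL \d+-bit")
BIND_RE = re.compile(r'BIND dn="[^"]*" method=(\w+) version=\d+(?: mech=(\S+))?')

# Kerberos-based SASL mechanisms that protect the session without TLS.
PROTECTED_SASL = {"GSSAPI", "GSS-SPNEGO"}


def _unprotected(bind):
    """A bind is unprotected if TLS was not active and it is not a Kerberos SASL bind."""
    if bind["tls"]:
        return False
    return not (bind["method"] == "sasl" and bind["mech"] in PROTECTED_SASL)


def _label(binds):
    if not binds:
        return "unbound"
    if any(_unprotected(b) for b in binds):
        return "cleartext"
    if any(b["method"] == "sasl" and b["mech"] in PROTECTED_SASL for b in binds):
        return "gssapi"
    return "tls"


def classify_connections(log_text):
    """Return {conn_id: {"src": ip, "label": ...}} for every connection in the log."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        c = conns.setdefault(m.group(1), {"src": None, "tls": False, "binds": []})
        s = SRC_RE.search(line)
        if s:
            c["src"] = s.group(1)
        if TLS_RE.search(line):
            c["tls"] = True  # every later bind on this connection is TLS-protected
        b = BIND_RE.search(line)
        if b:
            # Record the TLS state at bind time, not at the end of the connection.
            c["binds"].append({"method": b.group(1), "mech": b.group(2), "tls": c["tls"]})
    return {cid: {"src": c["src"], "label": _label(c["binds"])} for cid, c in conns.items()}


def cleartext_sources(log_text):
    """Sorted list of client addresses that sent an unprotected bind."""
    report = classify_connections(log_text)
    return sorted({r["src"] for r in report.values() if r["label"] == "cleartext" and r["src"]})


if __name__ == "__main__":
    for cid, info in classify_connections(SAMPLE_LOG).items():
        print(f"conn={cid} src={info['src']} protection={info['label']}")
    print("clients with cleartext binds:", cleartext_sources(SAMPLE_LOG))
```

Run against a real access log, the report tells you which clients rely on GSSAPI (IPA-enrolled hosts via SSSD), which use TLS, and which still perform plain simple binds; only the last group is what a rule that exposes 389 to a whole subnet actually puts at risk, and those clients are the ones to move to StartTLS, to LDAPS on 636, or to Kerberos before the rule is finalised.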

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org