On 15/07/2022 11:49, Ronald Wimmer via FreeIPA-users wrote:
> The official RedHat documentation states
> > The TCP port 389 is not required to be open on IdM servers for trust,
> > but it is necessary for clients communicating with the IdM server.
> Is this still true? Or could LDAPS/Port 636 be used as well?
SASL/GSSAPI/Kerberos is used to encrypt the ldap traffic on port 389.
For good measure I configure my IPA servers with nsslapd-minssf so that
I know none of the traffic on port 389 is unencrypted (except for the
root DSE).
(In the past this broke realmd, which I don't use; I believe current
versions aren't broken by the setting. I wonder if it's worth
reconsidering whether to enable nsslapd-minssf in FreeIPA by default again?)
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
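An added example, not part of the thread and not Sam's or the FreeIPA project's code, of the check behind the reply above: confirming that a 389-ds based IPA server enforces a minimum SASL security strength factor (nsslapd-minssf) on the plain LDAP port, so that only GSSAPI-protected sessions get through, and interpreting the result of a cleartext probe. The LDIF and the ldapsearch error text are constructed samples; on a real server the same text comes from the ldapsearch commands shown in the comments. The hostname and base DN are placeholders, the 56 threshold is the conventional SASL SSF value for "encrypted" (adjust to local policy), and nsslapd-minssf-exclude-rootdse is the 389-ds attribute that implements the root DSE exception the reply mentions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): helpers for auditing whether a
# 389-ds / FreeIPA server refuses unencrypted traffic on port 389.
#
# On a real server the config LDIF comes from an authenticated read of cn=config:
#   ldapsearch -Y GSSAPI -b cn=config -s base nsslapd-minssf nsslapd-minssf-exclude-rootdse
# and the probe output from an anonymous simple bind on the plain port (placeholder names):
#   ldapsearch -x -H ldap://ipa.example.test -b dc=example,dc=test -s base 2>&1

# Print the nsslapd-minssf value from cn=config LDIF on stdin.
# Prints 0 when the attribute is absent, which is the default: nothing enforced.
minssf_from_ldif() {
    awk 'BEGIN { v = 0 }
         tolower($1) == "nsslapd-minssf:" { v = $2 }
         END { print v }'
}

# Print "on" or "off" for nsslapd-minssf-exclude-rootdse (default "off" when absent).
# "on" means anonymous reads of the root DSE are still allowed, which is what clients
# need to discover supported SASL mechanisms before they can bind with GSSAPI.
rootdse_excluded_from_ldif() {
    awk 'BEGIN { v = "off" }
         tolower($1) == "nsslapd-minssf-exclude-rootdse:" { v = tolower($2) }
         END { print v }'
}

# Map an SSF value to a verdict: 0 permits cleartext, 1 means integrity protection only,
# and 56 or more (assumed threshold) means the session must be encrypted.
minssf_verdict() {
    if [ "$1" -ge 56 ]; then
        echo "enforced"
    elif [ "$1" -ge 1 ]; then
        echo "integrity-only"
    else
        echo "unenforced"
    fi
}

# Classify the output of an anonymous cleartext probe. LDAP result code 13
# (confidentialityRequired) is what the server returns when minssf is not met;
# a successful result means the plain port accepted an unprotected operation.
classify_probe() {
    case "$1" in
        *"Confidentiality required"*|*"Minimum SSF"*) echo "refused-cleartext" ;;
        *"Can't contact LDAP server"*)                echo "unreachable" ;;
        *"result: 0 Success"*)                         echo "accepted-cleartext" ;;
        *)                                             echo "unknown" ;;
    esac
}

# Constructed sample inputs (not captured from a real deployment).
SAMPLE_CONFIG_LDIF='dn: cn=config
cn: config
nsslapd-minssf: 56
nsslapd-minssf-exclude-rootdse: on
'
SAMPLE_PROBE_ERR='ldap_bind: Confidentiality required (13)
        additional info: Minimum SSF not met.'

# Run with --demo to see the verdict for the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    ssf=$(printf '%s' "$SAMPLE_CONFIG_LDIF" | minssf_from_ldif)
    excl=$(printf '%s' "$SAMPLE_CONFIG_LDIF" | rootdse_excluded_from_ldif)
    echo "nsslapd-minssf=$ssf verdict=$(minssf_verdict "$ssf") rootdse-excluded=$excl"
    echo "cleartext probe: $(classify_probe "$SAMPLE_PROBE_ERR")"
fi
```

The two checks complement each other: the cn=config read shows what the server is configured to enforce, while the anonymous probe shows what the port actually does, which is the thing a client on a non-trusted network would observe. A "refused-cleartext" probe together with an "on" root DSE exclusion is the combination the reply describes.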