Port 389 on IPA servers - FreeIPA-users - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

Port 389 on IPA servers

SSSD prompting/2fa

After the server time rollback,...

Ronald Wimmer

Friday, 15 July 2022 Fri, 15 Jul '22

5:49 a.m.

The official RedHat doumentation states

The TCP port 389 is not required to be open on IdM servers for trust, but it is necessary for clients communicating with the IdM server.

Is this still true? Or could LDAPS/Port 636 be used as well? Cheers, Ronald

Reply

Show replies by date

Rob Crittenden

Friday, 15 July Fri, 15 Jul

7:15 a.m.

Ronald Wimmer via FreeIPA-users wrote:

The official RedHat doumentation states > The TCP port 389 is not required to be open on IdM servers for trust, > but it is necessary for clients communicating with the IdM server. Is this still true? Or could LDAPS/Port 636 be used as well?

Used for what? Are you still talking about trust? Yes, port 636 can be used for LDAP traffic. It's been deprecated for years in favor of startTLS but it's one of those things that isn't likely to go away for a while. rob

Reply

Mark Reynolds

9:02 a.m.

On 7/15/22 8:15 AM, Rob Crittenden via FreeIPA-users wrote:

Ronald Wimmer via FreeIPA-users wrote: > The official RedHat doumentation states > >> The TCP port 389 is not required to be open on IdM servers for trust, >> but it is necessary for clients communicating with the IdM server. > Is this still true? Or could LDAPS/Port 636 be used as well? Used for what? Are you still talking about trust? Yes, port 636 can be used for LDAP traffic. It's been deprecated for years in favor of startTLS

Really? LDAPS deprecated? In our opinion startTLS should deprecated in favor of LDAPS. Interesting... :-)

but it's one of those things that isn't likely to go away for a while. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

-- Directory Server Development Team

Reply

Vinícius Ferrão

9:55 a.m.

On 15 Jul 2022, at 11:02, Mark Reynolds via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote: On 7/15/22 8:15 AM, Rob Crittenden via FreeIPA-users wrote: > Ronald Wimmer via FreeIPA-users wrote: >> The official RedHat doumentation states >> >>> The TCP port 389 is not required to be open on IdM servers for trust, >>> but it is necessary for clients communicating with the IdM server. >> Is this still true? Or could LDAPS/Port 636 be used as well? > Used for what? Are you still talking about trust? > > Yes, port 636 can be used for LDAP traffic. It's been deprecated for > years in favor of startTLS Really? LDAPS deprecated? In our opinion startTLS should deprecated in favor of LDAPS. Interesting... :-)

Yes. Everyone is favoring STARTTLS instead of SSL. SMTP done the same.

> but it's one of those things that isn't > likely to go away for a while. > > rob > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure -- Directory Server Development Team _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

Reply

Rob Crittenden

2:52 p.m.

Mark Reynolds via FreeIPA-users wrote:

On 7/15/22 8:15 AM, Rob Crittenden via FreeIPA-users wrote: > Ronald Wimmer via FreeIPA-users wrote: >> The official RedHat doumentation states >> >>> The TCP port 389 is not required to be open on IdM servers for trust, >>> but it is necessary for clients communicating with the IdM server. >> Is this still true? Or could LDAPS/Port 636 be used as well? > Used for what? Are you still talking about trust? > > Yes, port 636 can be used for LDAP traffic. It's been deprecated for > years in favor of startTLS Really? LDAPS deprecated? In our opinion startTLS should deprecated in favor of LDAPS. Interesting... :-)

I always thought it was deprecated in the same way that CN=hostname was deprecated in certs: everyone kept using it anyway. I tend to agree with you. The problem with startTLS is it only takes one badly configured client to send password requests in the clear. rob

> but it's one of those things that isn't > likely to go away for a while. > > rob > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org > To unsubscribe send an email to > freeipa-users-leave(a)lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... > > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure

Reply

Sam Morris

7:20 a.m.

On 15/07/2022 11:49, Ronald Wimmer via FreeIPA-users wrote:

The official RedHat doumentation states > The TCP port 389 is not required to be open on IdM servers for trust, > but it is necessary for clients communicating with the IdM server. Is this still true? Or could LDAPS/Port 636 be used as well?

SASL/GSSAPI/Kerberos is used to encrypt the ldap traffic on port 389. For good measure I configure my IPA servers with nsslapd-minssf so that I know none of the traffic on port 389 is unencrypted (except for the root DSE). (In the past this broke realmd, whichi I don't use; I believe current versions aren't broken by the setting, I wonder if it's worth reconsidering whether to enable nsslapd-minssf in FreeIPA by default again)? -- Sam Morris <https://robots.org.uk/> PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

Reply

650

days inactive

650

days old

freeipa-users@lists.fedorahosted.org

Manage subscription

5 comments

5 participants

tags (0)

participants (5)

Mark Reynolds
Rob Crittenden
Ronald Wimmer
Sam Morris
Vinícius Ferrão