Hello IPA,

  Hopefully a quick question.

RHEL 7.3 IPA 4.4

I have been digging around the RHEL docs
(https://access.redhat.com/solutions/357673) for firewall ports, and they say
389 is required for replication of IPA servers and for clients to IPA servers.

The FreeIPA docs say this:
SSL/startTLS: When possible, configure your LDAP client to communicate over
SSL/TLS. You can either use port 389 and enable startTLS in the client or
configure it to use the ldaps port, 636. The IPA CA certificate can be found
in /etc/ipa/ca.crt on all enrolled hosts.

The question is this: can IPA be configured without port 389 at all for
clients to communicate with IPA servers?

I realize that startTLS on 389 encrypts the comms, but for our VLAN
firewall rules 389 is not something we really want to open. It is easier
to open IPA server IP to IPA server IP on port 389 bidirectionally if needed for
replication, but for clients it would be the whole subnet to the IPA servers on 389.
I also noticed somewhere that direct 636 instead of 389 with startTLS for
clients is deprecated, but I think that was in the Directory Server docs.

Sean Hogan
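Added example, not from the original post or from the FreeIPA project: a small POSIX shell script that exercises both client paths the quoted FreeIPA doc describes (startTLS on 389 and ldaps on 636, both validated against /etc/ipa/ca.crt) and works out which TCP port a configured LDAP URI will actually need through the firewall. The host name ipa1.example.test is a placeholder, the CA_FILE override is an assumption, and the script relies on ldapsearch from the openldap-clients package; nothing here is IPA's own tooling.

```shell
#!/bin/sh
# Added example, not from the original post or the FreeIPA project.
# Checks how an enrolled client reaches an IPA server's LDAP service using the
# IPA CA from /etc/ipa/ca.crt, and works out which TCP port a configured
# LDAP URI will need through the firewall.
# Assumes: openldap-clients (ldapsearch) is installed; the server name passed
# on the command line is a placeholder you replace with your own.

CA_FILE="${CA_FILE:-/etc/ipa/ca.crt}"

# Port a client will open for a given LDAP URI: an explicit port wins,
# otherwise ldaps:// means 636 and ldap:// (plain or STARTTLS) means 389.
# Returns 1 for schemes that use no TCP port at all (ldapi://).
ldap_uri_port() {
    uri="$1"
    scheme="${uri%%://*}"
    rest="${uri#*://}"
    hostport="${rest%%/*}"
    case "$hostport" in
        *:*) printf '%s\n' "${hostport##*:}" ;;
        *)   case "$scheme" in
                 ldaps) printf '%s\n' 636 ;;
                 ldap)  printf '%s\n' 389 ;;
                 *)     return 1 ;;
             esac ;;
    esac
}

# Port implied by the URI line in the system-wide OpenLDAP client config
# (/etc/openldap/ldap.conf on RHEL); fails if the file or URI line is absent.
configured_ldap_port() {
    conf="${1:-/etc/openldap/ldap.conf}"
    [ -r "$conf" ] || return 1
    uri=$(awk '$1 == "URI" { print $2; exit }' "$conf")
    [ -n "$uri" ] && ldap_uri_port "$uri"
}

# LDAPS probe: TLS from the first byte on 636, server cert checked against the
# IPA CA. An anonymous read of the root DSE is enough to prove the handshake
# and the trust chain; LDAPTLS_CACERT is the environment form of TLS_CACERT.
probe_ldaps() {
    LDAPTLS_CACERT="$CA_FILE" ldapsearch -x -H "ldaps://$1" -b "" -s base >/dev/null 2>&1
}

# STARTTLS probe: plain connection to 389 upgraded to TLS; -ZZ makes ldapsearch
# fail rather than silently continue in the clear if STARTTLS is refused.
probe_starttls() {
    LDAPTLS_CACERT="$CA_FILE" ldapsearch -x -ZZ -H "ldap://$1" -b "" -s base >/dev/null 2>&1
}

# Usage: sh ipa_ldap_port_check.sh ipa1.example.test   (placeholder host)
if [ -n "$1" ]; then
    if probe_ldaps "$1"; then
        echo "ldaps://$1 (636/tcp) works with $CA_FILE"
    else
        echo "ldaps://$1 (636/tcp) failed"
    fi
    if probe_starttls "$1"; then
        echo "STARTTLS on ldap://$1 (389/tcp) works with $CA_FILE"
    else
        echo "STARTTLS on ldap://$1 (389/tcp) failed"
    fi
    port=$(configured_ldap_port) && echo "/etc/openldap/ldap.conf URI currently needs ${port}/tcp"
fi
```

Run it on an enrolled client against one of your IPA servers; whichever probe succeeds tells you which port that client's LDAP traffic needs through the VLAN firewall, and `configured_ldap_port` tells you what the current `URI` line in ldap.conf implies. The `-ZZ` flag matters for the 389 path: with plain `-Z`, ldapsearch would carry on in cleartext if the server refused STARTTLS, which is exactly the condition a firewall-only view of port 389 cannot see.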

