On Thu, 2017-10-26 at 14:11 -0700, Sean Hogan via FreeIPA-users wrote:
> Hello IPA,
>   Hopefully a quick question.
> RHEL 7.3 IPA 4.4
>  I have been digging around RHEL docs
> https://access.redhat.com/solutions/357673 for firewall ports and it
> says
> 389 is required for replication of IPA servers and clients to IPA
> servers.
>   FreeIPA docs say this:
> SSL/startTLS  When possible, configure your LDAP client to
> communicate over
> SSL/TLS. You can either use port 389 and enable startTLS in the
> client or
> configure to use the ldaps port, 636. The IPA CA certificate can be
> found
> in /etc/ipa/ca.crt on all enrolled hosts.
>   Question is this... can IPA be configured without Port 389 at all
> for clients to comm with IPA servers?

Nope, sorry.
Most clients use SASL/GSSAPI to secure the connection, and that is done
over port 389.

>   I realize the starttls using 389 encrypts the comms but for our
> vlan firewall rules 389 is not something we really want to open.  It
> is easier to open IPA server IP to IPA server IP port 389 bi-
> direction if needed for replication but for clients it would be the
> whole subnet to IPA server 389.
> I also noticed somewhere that direct 636 instead of 389 with starttls
> for clients is deprecated but I think that was in Directory Server
> docs.

Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to