On Thu, 2017-10-26 at 14:11 -0700, Sean Hogan via FreeIPA-users wrote:
> Hello IPA,
>
> Hopefully a quick question.
>
> RHEL 7.3 IPA 4.4
>
> I have been digging around RHEL docs
> https://access.redhat.com/solutions/357673 for firewall ports and it
> says 389 is required for replication of IPA servers and clients to IPA
> servers.
>
> FreeIPA docs say this:
> SSL/startTLS: When possible, configure your LDAP client to
> communicate over SSL/TLS. You can either use port 389 and enable
> startTLS in the client or configure to use the ldaps port, 636. The
> IPA CA certificate can be found in /etc/ipa/ca.crt on all enrolled
> hosts.
>
> Question is this... can IPA be configured without port 389 at all
> for clients to comm with IPA servers?
Nope, sorry. Most clients use SASL/GSSAPI to secure the connection, and
that is done over port 389.

> I realize the startTLS using 389 encrypts the comms, but for our
> VLAN firewall rules 389 is not something we really want to open. It
> is easier to open IPA server IP to IPA server IP port 389
> bi-direction if needed for replication, but for clients it would be the
> whole subnet to IPA server 389.
> I also noticed somewhere that direct 636 instead of 389 with startTLS
> for clients is deprecated, but I think that was in Directory Server
> docs.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
_______________________________________________
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org