On Thu, 2017-10-26 at 14:11 -0700, Sean Hogan via FreeIPA-users wrote:
> Hello IPA,
> Hopefully a quick question.
> RHEL 7.3 IPA 4.4
> I have been digging around RHEL docs
> https://access.redhat.com/solutions/357673 for firewall ports and it
> 389 is required for replication of IPA servers and clients to IPA
> FreeIPA docs say this:
> SSL/startTLS: When possible, configure your LDAP client to communicate
> over SSL/TLS. You can either use port 389 and enable startTLS in the
> client or configure to use the ldaps port, 636. The IPA CA certificate
> can be in /etc/ipa/ca.crt on all enrolled hosts.
> Question is this... can IPA be configured without Port 389 at all
> for clients to comm with IPA servers?
Most clients use SASL/GSSAPI to secure the connection, and that is done
over port 389.
> I realize the starttls using 389 encrypts the comms but for our
> vlan firewall rules 389 is not something we really want to open. It
> is easier to open IPA server IP to IPA server IP port 389
> bi-directional if needed for replication but for clients it would be
> the whole subnet to IPA server 389.
> I also noticed somewhere that direct 636 instead of 389 with starttls
> for clients is deprecated but I think that was in Directory Server
Sr. Principal Software Engineer
Red Hat, Inc
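To see from an enrolled client which of the two documented transports a given IPA server actually accepts, here is an added Python probe; it is not from the thread or from FreeIPA, the server host name is an assumption, and /etc/ipa/ca.crt is the CA path quoted above.

```python
# Added example: probe an IPA server for LDAPS (636) and StartTLS (389); host name is an assumption.
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def der_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def starttls_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    name = b"\x80" + der_len(len(STARTTLS_OID)) + STARTTLS_OID
    ext_req = b"\x77" + der_len(len(name)) + name
    mid = b"\x02\x01" + bytes([msg_id])
    return b"\x30" + der_len(len(mid) + len(ext_req)) + mid + ext_req

def read_tlv(buf: bytes, pos: int):
    """Decode one BER TLV at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 128:
        return tag, pos + 2, pos + 2 + first
    nbytes = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
    return tag, pos + 2 + nbytes, pos + 2 + nbytes + length

def starttls_result_code(resp: bytes) -> int:
    """resultCode of LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] { ... } }."""
    _, p, _ = read_tlv(resp, 0)    # outer SEQUENCE
    _, _, p = read_tlv(resp, p)    # messageID, skipped
    tag, p, _ = read_tlv(resp, p)  # ExtendedResponse
    if tag != 0x78:
        raise ValueError("unexpected LDAP op tag 0x%02x" % tag)
    _, v0, v1 = read_tlv(resp, p)  # resultCode ENUMERATED
    return int.from_bytes(resp[v0:v1], "big")

def probe(host: str, port: int, cafile: str = "/etc/ipa/ca.crt") -> str:
    """636: TLS from the first byte; 389: StartTLS extended op first. Returns TLS version."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify against the IPA CA
    with socket.create_connection((host, port), timeout=5) as sock:
        if port == 389:
            sock.sendall(starttls_request())
            code = starttls_result_code(sock.recv(4096))  # reply is a few bytes
            if code != 0:
                return "StartTLS refused, resultCode %d" % code
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```

Run probe("ipa.example.test", 636) and probe("ipa.example.test", 389) against your own server; the SASL/GSSAPI binds mentioned in the reply also travel over 389 and are not exercised by this probe.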