On 15/07/2022 11:49, Ronald Wimmer via FreeIPA-users wrote:
The official RedHat documentation states

The TCP port 389 is not required to be open on IdM servers for trust, but it is necessary for clients communicating with the IdM server.

Is this still true? Or could LDAPS/Port 636 be used as well?

SASL/GSSAPI/Kerberos is used to encrypt the ldap traffic on port 389.

For good measure I configure my IPA servers with nsslapd-minssf so that I know none of the traffic on port 389 is unencrypted (except for the root DSE).

(In the past this broke realmd, which I don't use; I believe current versions aren't broken by the setting. I wonder if it's worth reconsidering whether to enable nsslapd-minssf in FreeIPA by default again?)

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
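As an added example (not code from this thread, from FreeIPA or from 389-ds), the script below applies the reply's point to a 389-ds style access log: it classifies each connection by whether a SASL/GSSAPI security layer or TLS was negotiated, reports any operation other than a root DSE read that ran in the clear, and recognises the confidentialityRequired result (LDAP err=13) that an nsslapd-minssf rejection produces. The log lines are constructed for the demo and follow the conn=/op= layout of the 389-ds access log (an assumption about the exact field order); the sample deliberately mixes an enforced rejection with an unprotected search so both outcomes are visible. Function and constant names are my own.

```python
"""Audit a 389-ds style access log for LDAP operations that ran without a
security layer (no TLS, no SASL/GSSAPI) on the plain LDAP port.

Added example, not from the mailing-list thread or from the FreeIPA/389-ds
projects. The log format (conn=/op= fields, "SSL connection from",
"method=sasl ... mech=GSSAPI", "RESULT err=N") is assumed to follow the
389-ds access log; SAMPLE_LOG is constructed for this demo.
"""
import re
from collections import defaultdict

CONFIDENTIALITY_REQUIRED = 13  # LDAP resultCode confidentialityRequired (RFC 4511)

CONN_RE = re.compile(r"\bconn=(\d+)")
# LDAPS or StartTLS: the server logs an SSL/TLS line for the connection.
TLS_RE = re.compile(r"\bconn=\d+ (?:fd=\d+ slot=\d+ )?(?:SSL connection from|SSL \d+-bit|TLS1\.\d)")
GSSAPI_BIND_RE = re.compile(r"\bop=(\d+) BIND .*method=sasl .*mech=GSSAPI")
SIMPLE_BIND_RE = re.compile(r'\bop=\d+ BIND dn="([^"]*)" method=128')
RESULT_RE = re.compile(r"\bop=(\d+) RESULT err=(\d+)")
SRCH_RE = re.compile(r'\bop=\d+ SRCH base="([^"]*)" scope=(\d)')
WRITE_RE = re.compile(r"\bop=\d+ (MOD|ADD|DEL|MODRDN) ")


def audit(lines):
    """Return {conn_id: {"layer": ..., "findings": [...]}} for the given log lines."""
    conns = defaultdict(lambda: {"layer": "cleartext", "gssapi_op": None, "findings": []})
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        c = conns[m.group(1)]
        if TLS_RE.search(line):
            c["layer"] = "tls"
            continue
        gm = GSSAPI_BIND_RE.search(line)
        if gm:
            # GSSAPI needs several round trips; remember the latest bind op.
            c["gssapi_op"] = gm.group(1)
            continue
        rm = RESULT_RE.search(line)
        if rm:
            op, err = rm.group(1), int(rm.group(2))
            if op == c["gssapi_op"] and err == 0:
                c["layer"] = "gssapi"  # SASL security layer now protects the connection
            elif err == CONFIDENTIALITY_REQUIRED:
                c["findings"].append("server refused op %s: nsslapd-minssf enforced" % op)
            continue
        if c["layer"] != "cleartext":
            continue
        sm = SRCH_RE.search(line)
        if sm:
            base, scope = sm.groups()
            if base == "" and scope == "0":
                continue  # root DSE read: expected in the clear even with minssf set
            c["findings"].append('cleartext search of "%s"' % base)
            continue
        bm = SIMPLE_BIND_RE.search(line)
        if bm:
            # The server may reject this (err=13), but the password already went on the wire.
            c["findings"].append('cleartext simple bind as "%s" (password on the wire)' % bm.group(1))
            continue
        wm = WRITE_RE.search(line)
        if wm:
            c["findings"].append("cleartext %s" % wm.group(1))
    return dict(conns)


# Constructed sample: conn 12 = GSSAPI client, 13 = LDAPS, 14 = simple bind
# rejected by minssf, 15 = anonymous cleartext search that was NOT rejected.
SAMPLE_LOG = """\
[15/Jul/2022:11:49:01 +0200] conn=12 fd=68 slot=68 connection from 192.0.2.10 to 192.0.2.1
[15/Jul/2022:11:49:01 +0200] conn=12 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedSASLMechanisms"
[15/Jul/2022:11:49:01 +0200] conn=12 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[15/Jul/2022:11:49:01 +0200] conn=12 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[15/Jul/2022:11:49:01 +0200] conn=12 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[15/Jul/2022:11:49:01 +0200] conn=12 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[15/Jul/2022:11:49:01 +0200] conn=12 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test"
[15/Jul/2022:11:49:02 +0200] conn=12 op=3 SRCH base="cn=users,cn=accounts,dc=example,dc=test" scope=2 filter="(uid=alice)" attrs=ALL
[15/Jul/2022:11:49:02 +0200] conn=12 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[15/Jul/2022:11:49:05 +0200] conn=13 fd=69 slot=69 SSL connection from 192.0.2.11 to 192.0.2.1
[15/Jul/2022:11:49:05 +0200] conn=13 TLS1.3 256-bit AES-GCM
[15/Jul/2022:11:49:05 +0200] conn=13 op=0 BIND dn="uid=bob,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[15/Jul/2022:11:49:05 +0200] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[15/Jul/2022:11:49:09 +0200] conn=14 fd=70 slot=70 connection from 192.0.2.12 to 192.0.2.1
[15/Jul/2022:11:49:09 +0200] conn=14 op=0 BIND dn="uid=carol,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[15/Jul/2022:11:49:09 +0200] conn=14 op=0 RESULT err=13 tag=97 nentries=0 etime=0
[15/Jul/2022:11:49:12 +0200] conn=15 fd=71 slot=71 connection from 192.0.2.13 to 192.0.2.1
[15/Jul/2022:11:49:12 +0200] conn=15 op=0 SRCH base="dc=example,dc=test" scope=2 filter="(uid=*)" attrs=ALL
[15/Jul/2022:11:49:12 +0200] conn=15 op=0 RESULT err=0 tag=101 nentries=42 etime=0
"""

if __name__ == "__main__":
    for conn_id, info in sorted(audit(SAMPLE_LOG.splitlines()), key=int) if False else sorted(audit(SAMPLE_LOG.splitlines()).items(), key=lambda kv: int(kv[0])):
        print("conn=%s layer=%s" % (conn_id, info["layer"]))
        for f in info["findings"]:
            print("  -", f)
```

Two things the output makes visible: conn 14 is flagged even though the server refused the bind with err=13, because nsslapd-minssf stops the server from accepting a cleartext credential but cannot stop a misconfigured client from sending it; and conn 15, an unprotected search that succeeded, is what you would expect to see on a server where minssf is not set. A root DSE read on a cleartext connection is deliberately not reported, matching the "except for the root DSE" exception.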