On 10/01/2023 12:08, Ronald Wimmer via FreeIPA-users wrote:
Which ports have to be open (on which side) in order to enable basic IPA functionality between IPA servers and clients? https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#prereq-ports-list states 80 and 443 as well as 389 and 636, despite the use of StartTLS.

So which ports in the list could probably be omitted (if we do not need Kerberos functionality in that particular setup)?

Kerberos is needed for users to be able to log in with their passwords: sssd authenticates users by obtaining a TGT using their credentials.

Kerberos is also needed to look up user/group information: sssd uses the host's identity to authenticate to the IPA LDAP server.

You could try configuring your clients to use the IPA-provided KDC proxy; Kerberos traffic would then go via https.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/using-the-kdc-proxy-in-idm_managing-users-groups-hosts

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
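As an added illustration (not part of Sam's reply or of the IPA documentation) of what the KDC-proxy option means on the client side, the krb5.conf fragment below shows the default realm stanza, which needs TCP/UDP 88 (and 464 for password changes) open towards the IPA server, beside the equivalent stanza pointing at the IPA KDC proxy, where the same Kerberos exchanges are wrapped in HTTPS on port 443. Hostname, realm and domain (ipa.example.test, EXAMPLE.TEST) are constructed placeholders; the proxy must be enabled on the IPA server as described in the linked documentation, and on an IPA-enrolled client sssd's kdcinfo files would otherwise override the kdc entries, hence the sssd.conf setting at the end.

```ini
; --- before: direct Kerberos, ports 88 and 464 must reach the IPA server ---
[realms]
EXAMPLE.TEST = {
    kdc = ipa.example.test:88
    master_kdc = ipa.example.test:88
    admin_server = ipa.example.test:749
    kpasswd_server = ipa.example.test:464
    default_domain = example.test
}

; --- after: Kerberos over HTTPS via the IPA KDC proxy (MS-KKDCP), port 443 only ---
; MIT krb5 accepts https:// URLs in kdc/kpasswd_server entries; the IPA
; proxy listens under /KdcProxy on the server's web server.
[realms]
EXAMPLE.TEST = {
    kdc = https://ipa.example.test/KdcProxy
    master_kdc = https://ipa.example.test/KdcProxy
    kpasswd_server = https://ipa.example.test/KdcProxy
    default_domain = example.test
}

; sssd.conf, [domain/example.test] section: stop sssd from writing
; /var/lib/sss/pubconf/kdcinfo.EXAMPLE.TEST, which would otherwise point
; the Kerberos library back at the server's port 88.
[domain/example.test]
krb5_use_kdcinfo = False
```

After the change, `KRB5_TRACE=/dev/stderr kinit <user>` on the client shows whether the library is sending the AS-REQ to the https URL or still to port 88; only 443 (and, for the LDAP-based identity lookups Sam mentions, 389/636) then needs to be reachable from that client.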
_______________________________________________
FreeIPA-users mailing list -- [email protected]
