On 11/22/2011 03:35 PM, Steven Jones wrote:
> Now the ipa-client-install script is on 443 and I have no firewall engineer 
> today....and maybe not until Monday....

Feel free to add more to it.
https://bugzilla.redhat.com/show_bug.cgi?id=756163
> :(
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Steven Jones [steven.jo...@vuw.ac.nz]
> Sent: Wednesday, 23 November 2011 9:24 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Improvement to documentaion needed for 
> firewalling pls.
>
> Hi,
>
> I don't find out until I run the script.....it's a bit late.  I then have to 
> raise more change controls and wait.  Also for any application deployment I 
> have to do a [security] design and say what is opened, why and if any 
> sensitive data is transmitted, so I really need this info before I touch a 
> server at all.  For instance a user id and password is classed as sensitive, 
> so it has to be encrypted.....by some acceptable standard method and it has 
> to be adequately encrypted....   So the security portion of the design can 
> take weeks to get signed off.....if I've missed anything serious I may have 
> to re-write and submit.. We end up doing this frequently.....sometimes we 
> even reject a vendor's product because we find it has a fundamental security 
> flaw....like it's transmitting plain text passwords or even storing/caching 
> them locally in plain text....not that uncommon....
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
> behalf of Dmitri Pal [d...@redhat.com]
> Sent: Wednesday, 23 November 2011 9:04 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Improvement to documentaion needed for 
> firewalling pls.
>
> On 11/22/2011 02:58 PM, Steven Jones wrote:
>> Hi,
>>
>> 2.1.3.4 page 10 lists ports but not what happens with them...
>>
>> For instance I am now in a very secure environment and find when I do an 
>> ipa-client-install the client connects to port 80 and retrieves a 
>> ca.crt........now I have to wait 3 days to get port 80 opened up...to the 
>> IPA server(s).
>>
>> If I had better docs then I can make the request beforehand....
>>
>> This of course is the first failure.....if say I find that the 
>> ipa-client-install script uses 443 next I will have to wait another 3 
>> days......if I find there are 4 undocumented port calls to get a client 
>> install to work......well it's a week to 2 weeks wait....
>>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
> When you install IPA the output of the installation lists all the ports
> that you need to open and for what service: DNS, Kerberos, LDAP etc.
> Is this not enough? What level of detail are you looking for?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

