On Wed, 2012-05-23 at 19:27 -0400, Dmitri Pal wrote:
> On 05/23/2012 05:40 PM, Jan-Frode Myklebust wrote:
> > We have quite strict firewalls, so I need to specify the IPA network
> > ports accurately. So, we have now opening for:
> >
> >     80/tcp, 88/tcp, 389/tcp, 443/tcp, 464/tcp, 636/tcp
> >     88/udp, 464/udp
> >
> > in to our first IPA server. Now I'm in the process of configuring the
> > first replica. Is there any other ports that needs to be opened between
> > ipa master and replica?
> >
> > We don't serve NTP or DNS from IPA, so I guess these shouldn't be
> > relevant, but I think we want dogtag replicated, so there's maybe some
> > ports for that that needs opening ?
> >
> > Or, to put it another way, which of these ports:
> >
> > http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Preparing_for_an_IPA_Installation.html#prereq-ports
> >
> > needs to be opened between ipa server, which for all clients, which for
> > replica and which for administrative clients ?
> >
> >     HTTP/HTTPS      -- open for all
> >     LDAP/LDAPS      -- open for all
> >     Kerberos        -- open for all
> >     OCSP responder  -- open for all if we use certs
> >
> >     dogtag 9443 (agents)    -- ?
> >     dogtag 9444 (users, SSL)        -- ?
> >     dogtag 9445 (administrators)    -- ?
> >     dogtag 9446 (users, client authentication)      -- ?
> >     dogtag 9701 (Tomcat)    -- ?
> >     dogtag 7389 (internal LDAP database) -- ?
> >
> >
> 
> Dogtag ports are now proxied via HTTP

Exactly. So in your case, between replicas, you would need to open ports
you specified:

> >     80/tcp, 88/tcp, 389/tcp, 443/tcp, 464/tcp, 636/tcp
> >     88/udp, 464/udp

+ the proxy port: 7389/tcp

I suppose you don't need to open 7389/tcp for all clients unless you
want them to be able to run LDAP searches against the dogtag backend LDAP
database.

Martin
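A pre-flight check for the port list settled in this thread, added here as an example; it is not from the thread or from the FreeIPA project. It takes the ports quoted above (the six TCP and two UDP ports, plus 7389/tcp for replicas only, as Martin suggests), tries a TCP connect to each from the would-be replica, and reports what the firewall still blocks before ipa-replica-install is run. The master host name is a placeholder, the service labels are taken from the quoted port table, and `local_listener()` exists only so the script can demonstrate itself offline.

```python
"""Check that this host (a future IPA replica or client) can reach the IPA
master on every port the thread lists. Added example, not project code.
Host name below is a placeholder; the port table comes from the thread."""
import socket
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports quoted in the thread (labels from the quoted port table).
# 7389/tcp is the Dogtag internal LDAP port that Martin adds for
# master<->replica traffic; clients do not need it.
REPLICA_PORTS: List[Tuple[int, str, str]] = [
    (80, "tcp", "HTTP"),
    (88, "tcp", "Kerberos"),
    (389, "tcp", "LDAP"),
    (443, "tcp", "HTTPS"),
    (464, "tcp", "kpasswd"),
    (636, "tcp", "LDAPS"),
    (7389, "tcp", "Dogtag internal LDAP (replicas only)"),
    (88, "udp", "Kerberos"),
    (464, "udp", "kpasswd"),
]


@dataclass
class PortResult:
    port: int
    proto: str
    service: str
    reachable: Optional[bool]  # None: could not be tested (UDP)
    detail: str


def required_ports(role: str) -> List[Tuple[int, str, str]]:
    """Ports a host of the given role must reach on the master.
    'replica' needs the whole list; 'client' drops 7389/tcp as the thread suggests."""
    if role == "replica":
        return list(REPLICA_PORTS)
    if role == "client":
        return [p for p in REPLICA_PORTS if not (p[0] == 7389 and p[1] == "tcp")]
    raise ValueError(f"unknown role {role!r}")


def check_tcp(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """(True, '') if a TCP connect to host:port succeeds, else (False, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, ""
    except OSError as exc:
        return False, str(exc)


def check_ports(host: str, ports, timeout: float = 3.0) -> List[PortResult]:
    """Probe every TCP port; UDP has no handshake, so it is reported as untested
    rather than guessed at from a silent send."""
    results = []
    for port, proto, service in ports:
        if proto == "tcp":
            ok, err = check_tcp(host, port, timeout)
            results.append(PortResult(port, proto, service, ok, err))
        else:
            results.append(PortResult(port, proto, service, None,
                                      "udp: verify with a real Kerberos request"))
    return results


def unreachable(results: List[PortResult]) -> List[PortResult]:
    """Only the ports that were tested and failed; these need firewall changes."""
    return [r for r in results if r.reachable is False]


def local_listener() -> Tuple[socket.socket, int]:
    """Open a listening TCP socket on 127.0.0.1 (ephemeral port) for self-demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def main(argv):
    # Usage: python check_ipa_ports.py ipa-master.example.test [replica|client]
    # Placeholder host; with no arguments the script demonstrates itself locally.
    if len(argv) > 1:
        host, role = argv[1], (argv[2] if len(argv) > 2 else "replica")
        results = check_ports(host, required_ports(role))
    else:
        srv, port = local_listener()
        results = check_ports("127.0.0.1", [(port, "tcp", "self-test listener")])
        srv.close()
    for r in results:
        state = {True: "open", False: "BLOCKED", None: "untested"}[r.reachable]
        print(f"{r.port}/{r.proto:<3} {r.service:<38} {state} {r.detail}")
    return 1 if unreachable(results) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the replica-to-be against the master's name; a non-zero exit means at least one TCP port in the list is still blocked. The two UDP ports cannot be proven open by a connect, so confirm them by pointing a Kerberos client at the master once the TCP ports pass.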

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users