Great news! Thanks for the update.
On Wed, Aug 14, 2013 at 4:50 AM, Sumit Bose <sb...@redhat.com> wrote:
> On Mon, Aug 12, 2013 at 11:24:03AM -0400, Brian Lee wrote:
> > Hello everyone,
> >
> > I understand this is well documented that we need to block AD from establishing communication to the LDAP ports, but I've never heard an explanation on why this is needed.
> >
> > Additionally, in our environment we have 100+ AD servers. Do I need to add an iptables rule for each AD server, on each IPA server, or only the ones configured for DNS forwarding?
> >
> > Thanks as always
>
> Thank you for bringing up this topic. I've discussed this with Alexander and we think that this recommendation can be dropped.
>
> I have updated http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup. The new version now says:
>
> """
> Previously we recommended that you should make sure that the IPA LDAP server is not reachable by the AD DC by closing down TCP ports 389 and 636 for the AD DC. Our current tests lead to the assumption that this is not necessary anymore. During the early development stage we tried to create a trust between IPA and AD with both IPA and AD tools. It turned out that the AD tools expect an AD-like LDAP schema and layout to create a trust. Since the IPA LDAP server does not meet those requirements, it is not possible to create a trust between IPA and AD with AD tools, only with the 'ipa trust-add' command. By blocking the LDAP ports for the AD DC we tried to force the AD tools to fall back to other means to get the needed information, with no success. But we kept the recommendation to block those ports because it was not clear at this time if AD will check the LDAP layout of a trust partner during normal operation as well. Since we have not observed those requests, the recommendation can be dropped.
> """
>
> HTH
>
> bye,
> Sumit
_______________________________________________
Freeipa-users mailing list
Freeipafirstname.lastname@example.org
https://www.redhat.com/mailman/listinfo/freeipa-users
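The reasoning in Sumit's reply rests on an observation: no LDAP requests from the AD DCs were seen during normal trust operation. An administrator who wants to confirm the same thing in their own environment before removing a firewall rule can do so from the directory server's access log rather than from the firewall. The script below is an added example, not part of the thread or of FreeIPA itself; the log lines are constructed to follow the 389 Directory Server "connection from" access-log format, and the AD DC address list is a hypothetical placeholder for the reader's own DCs.

```python
import re
from collections import Counter

# Constructed sample of 389 Directory Server access-log lines (not taken
# from any real server). A "connection from" line is written whenever a
# client opens a TCP connection to the LDAP (389) or LDAPS (636) listener;
# LDAPS connections carry an "SSL " prefix.
SAMPLE_ACCESS_LOG = """\
[14/Aug/2013:09:01:12 -0400] conn=1201 fd=64 slot=64 connection from 192.0.2.25 to 192.0.2.10
[14/Aug/2013:09:01:12 -0400] conn=1201 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[14/Aug/2013:09:01:13 -0400] conn=1202 fd=65 slot=65 SSL connection from 198.51.100.7 to 192.0.2.10
[14/Aug/2013:09:01:14 -0400] conn=1203 fd=66 slot=66 connection from 192.0.2.31 to 192.0.2.10
[14/Aug/2013:09:01:15 -0400] conn=1202 op=0 UNBIND
"""

# Hypothetical addresses of the AD domain controllers in this environment;
# replace with the real DC list (for 100+ DCs, load it from a file).
AD_DC_ADDRESSES = {"198.51.100.7", "198.51.100.8"}

# Matches only new-connection lines; BIND/UNBIND/SRCH lines are ignored.
CONN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ "
    r"(?P<ssl>SSL )?connection from (?P<src>[0-9a-fA-F.:]+) to (?P<dst>[0-9a-fA-F.:]+)$"
)


def parse_connections(log_text):
    """Yield (timestamp, conn_id, src, dst, is_ssl) for every new-connection line."""
    for line in log_text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            yield (m.group("ts"), int(m.group("conn")), m.group("src"),
                   m.group("dst"), m.group("ssl") is not None)


def connections_from_ad(log_text, ad_addresses):
    """Return a Counter mapping each AD DC address to its number of LDAP/LDAPS connections."""
    counts = Counter()
    for _ts, _conn, src, _dst, _ssl in parse_connections(log_text):
        if src in ad_addresses:
            counts[src] += 1
    return counts


def ad_dcs_seen(log_text, ad_addresses):
    """True if any listed AD DC opened a connection to the directory server."""
    return bool(connections_from_ad(log_text, ad_addresses))


if __name__ == "__main__":
    hits = connections_from_ad(SAMPLE_ACCESS_LOG, AD_DC_ADDRESSES)
    if hits:
        for src, n in sorted(hits.items()):
            print(f"AD DC {src} opened {n} LDAP connection(s)")
    else:
        print("no LDAP connections from AD DCs observed")
```

Run against the real `/var/log/dirsrv/slapd-<INSTANCE>/access` file (path depends on the IPA instance name) over a period that includes trust creation and normal user logins; a consistently empty result supports the updated guidance, while hits from a DC tell you which connections to look at before deciding whether the ports still need to be closed.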