Rich Megginson wrote:
On 05/18/2015 08:26 AM, Martin Kosek wrote:
Adding freeipa-users list back, to keep others in the loop.

On 05/18/2015 12:32 PM, Brian Topping wrote:
Thanks for taking the time to write that, Martin. It's good to have a
reference to build from.

Result of "ida-client-install" outside the firewall with port 636
accessible:
Ah, I mostly just use 636 as a convenience port to show the supported
cryptos,
389 is really the port we should be using by default.

Of course, 389 port + STARTTLS environment turned on, to make sure
passwords do
not go in clean over the wire.

Please make sure the following ports are opened in the firewall
settings:
      TCP: 80, 88, 389
      UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working
properly after enrollment:
      TCP: 464
      UDP: 464, 123 (if NTP enabled)
No mention of 636, confirmed by tcpdump that it's not trying. Also no
option on command line to specify 636.

Opening up 389 means that some misconfigured client could expose
passwords.

Not necessarily.
https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/SecureConnections.html#requiring-secure-connections


It's possible to remove null ciphers, but then there's really no
reason not to use 636.

Seems like ipa-client-install should try 636 by default, then fall
back to 389 in it's various forms, no?
I think the general direction here was the opposite. To work on the
port 389 as
the common denominator, offering both password-less traffic and encrypted
traffic. I am not sure if there were other reasons too, I would let
Rob or
Ludwig reply here if they know.

ldaps / port 636 is deprecated in favor of StartTLS. For OpenLDAP's take on it see http://www.openldap.org/faq/data/cache/605.html

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to