On Tue, 29 Mar 2016, Simo Sorce wrote:
On Tue, 2016-03-29 at 08:51 -0600, Master P. wrote:
Hello,

I am using FreeIPA on the cloud and am worried about MITM attacks.  I'm
assuming all network traffic can be easily read and possibly manipulated by
an attacker.

When following
https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html,
some of the listed ports for FreeIPA (80 and 389) are unencrypted ports.

The only thing port 80 does is redirect to 443.
There is also a CA certificate access on port 80 in case LDAP-based
access didn't work.

Port 389 is the only use LDAP port and clients will use the STARTTLS
command to transition to to a TLS encrypted connection or use GSSAPI and
confidentiality to encrypt the traffic.
Also, any LDAP BIND with password will be refused without STARTTLS
command.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to