On Mon, 17 Oct 2016, Karl Forner wrote:
On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy <aboko...@redhat.com>

On Mon, 17 Oct 2016, Karl Forner wrote:

Thanks Alexander, unfortunately I could only find outdated documentation.
I just realized that my question is not precise enough.

The documentation I linked is the up-to-date one.

Yes I know. I was explaining...

From your answer, I understand that during the replica setup process,
all I need (because I do not use RHEL) is an SSH port between the master
and the replica.

You did not read carefully what I quoted. SSH port is in addition to the
ports required to be open for normal IPA master.

I did read. I wrote "between the master and the replica". Each server has
its own set of open ports in its own network, used by its clients.

IPA replica is a client of IPA master, there isn't much difference,
except where Kerberos tickets are obtained from as each master/replica
hosts its own KDC with exactly the same keys, so they are able to 'short cut' it
here. However, the rest stands.

What I want to know is what ports are used by the replication process, i.e.
what ports must I open on my firewall to enable the replication.

Exactly the same ports as specified in the documentation.

Maybe all the ports are used for that purpose, but this is not, unless
mistaken, clearly stated in the documentation.

You are mistaken and the mistake most likely comes from your idea that
somehow IPA master/replica are different from other IPA clients. They
are not, they are IPA clients themselves. Replication exchange is built
on LDAP protocol.

In that case, this may be a security problem opening that many ports in the

Nothing prevents you from organizing a proper VPN or other types of tunneling
between the networks.

/ Alexander Bokovoy
