Thank you! This is at last crystal clear for me! Thank you also for the VPN/tunneling suggestion, I'll look into it.
On Mon, Oct 17, 2016 at 12:12 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:

> On Mon, 17 Oct 2016, Karl Forner wrote:
>
>> On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy <aboko...@redhat.com>
>> wrote:
>>
>>> On Mon, 17 Oct 2016, Karl Forner wrote:
>>>
>>>> Thanks Alexander, unfortunately I could only find outdated documentation.
>>>> I just realized that my question is not precise enough.
>>>>
>>> The documentation I linked is the up-to-date one.
>>>
>> Yes I know. I was explaining...
>>
>>>> From your answer, I understand that during the replica setup process,
>>>> all I need (because I do not use RHEL) is an SSH port between the master
>>>> and the replica.
>>>>
>>> You did not read carefully what I quoted. The SSH port is in addition to the
>>> ports required to be open for a normal IPA master.
>>>
>> I did read. I wrote "between the master and the replica". Each server has
>> its own set of open ports in its own network, used by its clients.
>>
> An IPA replica is a client of the IPA master; there isn't much difference,
> except where Kerberos tickets are obtained from, as each master/replica
> host owns a KDC with exactly the same keys, so they are able to 'short cut' it
> here. However, the rest stands.
>
>> What I want to know is what ports are used by the replication process, i.e.
>> what ports must I open on my firewall to enable the replication.
>>
> Exactly the same ports as specified in the documentation.
>
>> Maybe all the ports are used for that purpose, but this is not, unless I am
>> mistaken, clearly stated in the documentation.
>>
> You are mistaken, and the mistake most likely comes from your idea that
> somehow IPA master/replica are different from other IPA clients. They
> are not; they are IPA clients themselves. The replication exchange is built
> on the LDAP protocol.
>
>> In that case, this may be a security problem, opening that many ports in the
>> firewall.
>>
> Nothing prevents you from organizing a proper VPN or other types of
> tunneling between the networks.
>
> --
> / Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project