Thank you! This is at last crystal clear for me!
Thank you also for the VPN/tunneling suggestion, I'll look into it.



On Mon, Oct 17, 2016 at 12:12 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Mon, 17 Oct 2016, Karl Forner wrote:
>> On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy <aboko...@redhat.com>
>> wrote:
>>
>>> On Mon, 17 Oct 2016, Karl Forner wrote:
>>>> Thanks Alexander, unfortunately I could only find outdated documentation.
>>>> I just realized that my question is not precise enough.
>>>
>>> The documentation I linked is the up-to-date one.
>>
>> Yes I know. I was explaining...
>>
>>>> From your answer, I understand that during the replica setup process,
>>>> all I need (because I do not use RHEL) is a ssh port between the master
>>>> and the replica.
>>>
>>> You did not read carefully what I quoted. SSH port is in addition to the
>>> ports required to be open for normal IPA master.
>>
>> I did read. I wrote "between the master and the replica". Each server has
>> its own set of open ports in its own network, used by its clients.
>
> IPA replica is a client of IPA master, there isn't much difference,
> except where Kerberos tickets are obtained from as each master/replica
> hosts its own KDC with exactly the same keys, so they are able to 'short cut' it
> here.  However, the rest stands.
>
>> What I want to know is what ports are used by the replication process, i.e.
>> what ports must I open on my firewall to enable the replication.
>
> Exactly the same ports as specified in the documentation.
>
>> Maybe all the ports are used for that purpose, but this is not, unless
>> mistaken, clearly stated in the documentation.
>
> You are mistaken and the mistake most likely comes from your idea that
> somehow IPA master/replica are different from other IPA clients. They
> are not, they are IPA clients themselves. Replication exchange is built
> on LDAP protocol.
>
>> In that case, this may be a security problem opening that many ports in the
>> firewall.
>
> Nothing prevents you from organizing a proper VPN or other types of
> tunneling
> between the networks.
>
> --
> / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
