Re: [Freeipa-users] IPA port 80

2016-09-01 Thread Sean Hogan
Thank You for the clarification all.
Sean Hogan
From: Rob Crittenden
To: Sean Hogan/Durham/IBM@IBMUS, Peter Fern
Cc: freeipa-users
Date: 09/01/2016 06:47 AM
Subject: Re: [Freeipa-users] IPA port 80
Sean Hogan wrote:
> Thanks Peter,

Re: [Freeipa-users] IPA port 80

2016-09-01 Thread Simo Sorce
On Thu, 2016-09-01 at 09:33 +1000, Peter Fern wrote:
> On 01/09/16 08:35, Simo Sorce wrote:
> > Port 80 is not required, the only thing you'll find there is a redirect
> > to the HTTPS port.
>
> What about CRL/OCSP (and possibly others)? The Apache configs
> explicitly do not redirect to HTTPS ex

Re: [Freeipa-users] IPA port 80

2016-09-01 Thread Rob Crittenden
r Fern ---08/31/2016 04:01:30 PM---You need to serve CRLs and OCSP via HTTP to avoid clients failing to verify the cert of the host ser From: Peter Fern To: freeipa-users Date: 08/31/2016 04:01 PM Subject: Re: [Freeipa-users] IPA port 8

Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Sean Hogan
Note: In RHEL 7, 389 port is used for replication instead of 7389 port.
Sean Hogan
From: Peter Fern
To: freeipa-users
Date: 08/31/2016 04:01 PM
Subject: Re: [Freeipa-users] IPA port 80
Sent by: freeipa-users-boun...@redhat.com
You need to serve CRLs and OCSP

Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Peter Fern
On 01/09/16 08:35, Simo Sorce wrote:
> Port 80 is not required, the only thing you'll find there is a redirect
> to the HTTPS port.
What about CRL/OCSP (and possibly others)? The Apache configs explicitly do not redirect to HTTPS except for the /ipa path for this reason.

Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Sean Hogan
unning DNS and NTP from IPA.
Sean Hogan
From: Simo Sorce
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users
Date: 08/31/2016 03:36 PM
Subject: Re: [Freeipa-users] IPA port 80
On Wed, 2016-08-31 at 14:22 -0700, Sean Hogan wrote:
> Hi all,
>
> Bee

Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Peter Fern
You need to serve CRLs and OCSP via HTTP to avoid clients failing to verify the cert of the host serving the CRL/OCSP when the cert on that host needs to be verified at itself. I'm not sure why you'd particularly care though - reading the Apache configs and you should see that other than a couple

Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Simo Sorce
On Wed, 2016-08-31 at 14:22 -0700, Sean Hogan wrote:
> Hi all,
>
> Been reading a lot about Port 80 for IPA and firewalls but have not found
> a concrete answer. I know the redhat docs indicate port 80 is required
> bidirectional however I need to investigate if it is truly needed.
>
> G

[Freeipa-users] IPA port 80

2016-08-31 Thread Sean Hogan
Hi all, Been reading a lot about Port 80 for IPA and firewalls but have not found a concrete answer. I know the redhat docs indicate port 80 is required bidirectional however I need to investigate if it is truly needed. GUI only responds to 443 so not sure what else would be utilizing port