Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Karl Forner
Thank you ! This is at last crystal clear for me !
Thank you also for the VPN/tunneling suggestion, I'll look into it.



On Mon, Oct 17, 2016 at 12:12 PM, Alexander Bokovoy wrote:

> On ma, 17 loka 2016, Karl Forner wrote:
>
>> On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy wrote:
>>
>>> On ma, 17 loka 2016, Karl Forner wrote:
>>>
>>>> Thanks Alexander, unfortunately I could only find outdated documentation.
>>>> I just realized that my question is not precise enough.
>>>>
>>> The documentation I linked is the up-to-date one.
>>>
>> Yes I know. I was explaining...
>>
>>>> From your answer, I understand that during the replica setup process,
>>>> all I need (because I do not use RHEL) is a ssh port between the master
>>>> and the replica.
>>>>
>>> You did not read carefully what I quoted. SSH port is in addition to the
>>> ports required to be open for normal IPA master.
>>>
>> I did read.  I wrote "between the master and the replica". Each server has
>> its own set of open ports in its own network, used by its clients.
>>
> IPA replica is a client of IPA master, there isn't much difference,
> except where Kerberos tickets are obtained from as each master/replica
> host own KDC with exactly same keys, so they are able to 'short cut' it
> here.  However, the rest stands.
>
>> What I want to know is what ports are used by the replication process, i.e.
>> what ports must I open on my firewall to enable the replication.
>>
> Exactly the same ports as specified in the documentation.
>
>> Maybe all the ports are used for that purpose, but this is not, unless
>> mistaken, clearly stated in the documentation.
>>
> You are mistaken and the mistake most likely comes from your idea that
> somehow IPA master/replica are different from other IPA clients. They
> are not, they are IPA clients themselves. Replication exchange is built
> on LDAP protocol.
>
>> In that case, this may be a security problem opening that many ports in the
>> firewall.
>>
> Nothing prevents you from organizing a proper VPN or other types of tunneling
> between the networks.
>
> --
> / Alexander Bokovoy
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
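Karl's worry about the number of open ports, together with Alexander's answer (the replica needs the same ports as any IPA client, and replication runs over LDAP), points to the usual mitigation short of a full VPN: open those ports on the replica only to the master's address. The bash function below is an added example, not code from this thread or from the FreeIPA project; it assumes the baseline port list of the guide's Section 2.1.4 that the thread links to, uses a constructed master address, and only prints the firewall-cmd commands so they can be reviewed before being applied.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or FreeIPA): print firewall-cmd rich
# rules that expose a replica's IdM ports only to its master's address.
# Baseline ports are assumed from RHEL 7 IdM guide Section 2.1.4, which the
# thread references; TCP 22 is added only for the setup phase and TCP 7389
# only for a RHEL 6 CA peer, exactly as the quoted documentation states.

# One firewalld rich rule accepting a single port from a single source
emit_rule() {
    printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"%s\" accept'\n" "$1" "$2" "$3"
}

# Usage: ipa_peer_rules PEER_IP [setup] [rhel6-ca]
ipa_peer_rules() {
    local peer="$1"; shift
    local setup=0 rhel6ca=0 flag p
    for flag in "$@"; do
        case "$flag" in
            setup)    setup=1 ;;
            rhel6-ca) rhel6ca=1 ;;
            *) echo "ipa_peer_rules: unknown flag '$flag'" >&2; return 2 ;;
        esac
    done

    # Section 2.1.4 baseline: HTTP/HTTPS, LDAP/LDAPS, Kerberos, DNS over TCP
    local tcp_ports="80 443 389 636 88 464 53"
    # Kerberos, DNS and NTP over UDP
    local udp_ports="88 464 53 123"
    # SSH: only while the replica setup connects to the master
    [ "$setup" = 1 ] && tcp_ports="$tcp_ports 22"
    # RHEL 6 CA replication port: during and after replica configuration
    [ "$rhel6ca" = 1 ] && tcp_ports="$tcp_ports 7389"

    for p in $tcp_ports; do emit_rule "$peer" "$p" tcp; done
    for p in $udp_ports; do emit_rule "$peer" "$p" udp; done
}

# Number of rules an invocation produces, useful when reviewing the policy
ipa_rule_count() {
    ipa_peer_rules "$@" | wc -l | tr -d ' '
}

# Constructed master address; a real deployment substitutes its own
ipa_peer_rules 10.0.0.5 setup
```

Clients in the replica's own network still need their own rules; this covers only the master-to-replica link.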

Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Alexander Bokovoy

On ma, 17 loka 2016, Karl Forner wrote:

> On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy wrote:
>
>> On ma, 17 loka 2016, Karl Forner wrote:
>>
>>> Thanks Alexander, unfortunately I could only find outdated documentation.
>>> I just realized that my question is not precise enough.
>>>
>> The documentation I linked is the up-to-date one.
>>
> Yes I know. I was explaining...
>
>>> From your answer, I understand that during the replica setup process,
>>> all I need (because I do not use RHEL) is a ssh port between the master
>>> and the replica.
>>>
>> You did not read carefully what I quoted. SSH port is in addition to the
>> ports required to be open for normal IPA master.
>>
> I did read.  I wrote "between the master and the replica". Each server has
> its own set of open ports in its own network, used by its clients.

IPA replica is a client of IPA master, there isn't much difference,
except where Kerberos tickets are obtained from as each master/replica
host own KDC with exactly same keys, so they are able to 'short cut' it
here.  However, the rest stands.

> What I want to know is what ports are used by the replication process, i.e.
> what ports must I open on my firewall to enable the replication.

Exactly the same ports as specified in the documentation.

> Maybe all the ports are used for that purpose, but this is not, unless
> mistaken, clearly stated in the documentation.

You are mistaken and the mistake most likely comes from your idea that
somehow IPA master/replica are different from other IPA clients. They
are not, they are IPA clients themselves. Replication exchange is built
on LDAP protocol.

> In that case, this may be a security problem opening that many ports in the
> firewall.

Nothing prevents you from organizing a proper VPN or other types of tunneling
between the networks.

--
/ Alexander Bokovoy



Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Karl Forner
On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy wrote:

> On ma, 17 loka 2016, Karl Forner wrote:
>
>> Thanks Alexander, unfortunately I could only find outdated documentation.
>> I just realized that my question is not precise enough.
>>
> The documentation I linked is the up-to-date one.
>

Yes I know. I was explaining...


>
>
>> From your answer, I understand that during the replica setup process,
>> all I need (because I do not use RHEL) is a ssh port between the master
>> and the replica.
>>
> You did not read carefully what I quoted. SSH port is in addition to the
> ports required to be open for normal IPA master.
>

I did read.  I wrote "between the master and the replica". Each server has
its own set of open ports in its own network, used by its clients.
What I want to know is what ports are used by the replication process, i.e.
what ports must I open on my firewall to enable the replication.
Maybe all the ports are used for that purpose, but this is not, unless
mistaken, clearly stated in the documentation.
In that case, this may be a security problem opening that many ports in the
firewall.

Thanks for your patience.
Karl

Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Alexander Bokovoy

On ma, 17 loka 2016, Karl Forner wrote:

> Thanks Alexander, unfortunately I could only find outdated documentation.
> I just realized that my question is not precise enough.

The documentation I linked is the up-to-date one.

> Suppose I have a master running in its LAN, with all required ports open.
> Now I want to setup a replica running in a docker in a AWS EC2 instance.

It does not matter.

> From your answer, I understand that during the replica setup process,
> all I need (because I do not use RHEL) is a ssh port between the master
> and the replica.

You did not read carefully what I quoted. SSH port is in addition to the
ports required to be open for normal IPA master.

Just follow documentation.

> What about the after-setup replica synchronization ?
> Does it also only use ssh ?

No, it is not. Please read the documentation, it has all the details,
really.

--
/ Alexander Bokovoy



Re: [Freeipa-users] network ports requirements for a replica

2016-10-17 Thread Karl Forner
Thanks Alexander, unfortunately I could only find outdated documentation.
I just realized that my question is not precise enough.

Suppose I have a master running in its LAN, with all required ports open.
Now I want to setup a replica running in a docker in a AWS EC2 instance.

From your answer, I understand that during the replica setup process, all I
need (because I do not use RHEL) is a ssh port between the master and the
replica.
What about the after-setup replica synchronization ? Does it also only use
ssh ?

Regards,
Karl


On Wed, Oct 12, 2016 at 7:25 PM, Alexander Bokovoy wrote:

> On ke, 12 loka 2016, Karl Forner wrote:
>
>> Hello,
>>
>> A very simple question, but I could not find the answer. I'd like to setup
>> a replica on another network than my master. Is it possible to setup the
>> replication using only https, or other ports must be available ?
>>
> This is all documented, did you read the guide?
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterp
> rise_Linux/7/html/Linux_Domain_Identity_Authentication_and_
> Policy_Guide/prepping-replica.html
>
> 
> The replica requires additional ports to be open
>In addition to the standard IdM server port requirements described
> in Section 2.1.4, “Port Requirements”, make sure the following port
> requirements are complied as well:
>
>During the replica setup process, keep the TCP port 22 open.
> This port is required in order to use SSH to connect to the master
> server.
>If one of the servers is running Red Hat Enterprise Linux 6 and
> has a CA installed, keep also TCP port 7389 open during and after the
> replica configuration. In a purely Red Hat Enterprise Linux 7
> environment, port 7389 is not required. 
>
> Section 2.1.4:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterp
> rise_Linux/7/html/Linux_Domain_Identity_Authentication_and_
> Policy_Guide/installing-ipa.html#prereq-ports
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] network ports requirements for a replica

2016-10-12 Thread Alexander Bokovoy

On ke, 12 loka 2016, Karl Forner wrote:

> Hello,
>
> A very simple question, but I could not find the answer. I'd like to setup
> a replica on another network than my master. Is it possible to setup the
> replication using only https, or other ports must be available ?

This is all documented, did you read the guide?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prepping-replica.html


The replica requires additional ports to be open
   In addition to the standard IdM server port requirements described
in Section 2.1.4, “Port Requirements”, make sure the following port
requirements are complied as well:

   During the replica setup process, keep the TCP port 22 open.
This port is required in order to use SSH to connect to the master
server.
   If one of the servers is running Red Hat Enterprise Linux 6 and
has a CA installed, keep also TCP port 7389 open during and after the
replica configuration. In a purely Red Hat Enterprise Linux 7
environment, port 7389 is not required. 



Section 2.1.4:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prereq-ports

--
/ Alexander Bokovoy
