[Freeipa-users] Firewalling IPA 2
Jakub Hrozek
jhrozek at redhat.com
Wed Feb 1 06:56:00 UTC 2012
On Wed, Feb 01, 2012 at 03:31:15PM +1100, Craig T wrote:
> Hi,
>
> I'd like to restict which hosts have access to port 389 on the IPA server.
> How does SSSD connect to the IPA 2.x server for user name queries? I half expected it to need port 389 or 636 open on the server, but my testing is showing this is not the case.
>
> cya
>
> Craig
>
SSSD uses LDAP + SASL/GSSAPI for identity lookups. Authentication is
Kerberos with the exception of client side password migration that does
a one-time TLS bind.
Both SASL/GSSAPI and the TLS bind use port 389. We don't use ldaps://
(which would be port 636 by default) in the IPA provider at all.
As per why your testing looked like port 389 does not need to be open, my
guess is that SSSD simply returned entries from cache. Does an identity
lookup (getent passwd admin) work when you remove or expire the caches
and restart SSSD?
More information about the Freeipa-users
mailing list