[Freeipa-users] Firewalling IPA 2

Stephen Gallagher sgallagh at redhat.com
Wed Feb 1 12:33:24 UTC 2012


On Wed, 2012-02-01 at 07:56 +0100, Jakub Hrozek wrote:
> On Wed, Feb 01, 2012 at 03:31:15PM +1100, Craig T wrote:
> > Hi,
> >
> > I'd like to restrict which hosts have access to port 389 on the IPA server.
> >
> > How does SSSD connect to the IPA 2.x server for user name queries? I
> > half expected it to need port 389 or 636 open on the server, but my
> > testing is showing this is not the case.

> SSSD uses LDAP + SASL/GSSAPI for identity lookups. Authentication is
> Kerberos with the exception of client side password migration that does
> a one-time TLS bind.
> 
> Both SASL/GSSAPI and the TLS bind use port 389. We don't use ldaps://
> (which would be port 636 by default) in the IPA provider at all.
> 
> As per why your testing looked like port 389 does not need to be open, my
> guess is that SSSD simply returned entries from cache. Does an identity
> lookup (getent passwd admin) work when you remove or expire the caches
> and restart SSSD?

Yeah, I agree with Jakub. SSSD performs caching on the client side so
that if the FreeIPA server is unreachable for a time, it can still
return results locally. If the server is unavailable, the cached results
will never expire, so you can't just wait it out (or use the sss_cache
tool to any great effect).

In terms of your firewall rules, you only want to allow access on port
389 for your hosts. It's also worth noting that because SSSD clients
bind with their host entry, you can also opt to disable anonymous access
to the FreeIPA LDAP server for added security.
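As an added example that is not part of this thread, the shell script below generates the firewall rules described above (TCP/389 accepted only from your enrolled hosts, port 636 left closed because the IPA provider never uses ldaps://) and wraps the cache-expiry check Jakub suggests; the client addresses and the `admin` lookup are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the original thread. Emits iptables rules that
# allow TCP/389 on an IPA server only from enrolled client hosts and reject
# everyone else. Port 636 is deliberately not opened: SSSD's IPA provider
# does not use ldaps://. The client list below is constructed sample data.

# Constructed sample: one enrolled client address or network per line.
CLIENTS='
# sample enrolled hosts (constructed)
192.0.2.10
192.0.2.11
198.51.100.0/24
'

# Print one ACCEPT rule per listed source and a final REJECT so that
# unlisted hosts get an immediate refusal instead of a connect timeout.
ldap_rules() {
    printf '%s\n' "$CLIENTS" | while IFS= read -r src; do
        case "$src" in ''|\#*) continue ;; esac
        printf 'iptables -A INPUT -p tcp --dport 389 -s %s -j ACCEPT\n' "$src"
    done
    printf 'iptables -A INPUT -p tcp --dport 389 -j REJECT --reject-with tcp-reset\n'
}

# Count the ACCEPT rules so the caller can sanity-check them against the host list.
ldap_accept_count() {
    ldap_rules | grep -c -- '-j ACCEPT'
}

# Diagnostic from the thread: with port 389 blocked, a lookup that still
# succeeds may be served from the SSSD cache. Expire the cache, restart SSSD
# and retry; only a lookup that succeeds after that proves 389 is reachable.
sssd_cache_check() {
    sss_cache -E && systemctl restart sssd && getent passwd admin
}

# Review the generated rules before applying them (e.g. ldap_rules | sh).
ldap_rules
```

Run `sssd_cache_check` on a client with the port blocked to confirm the lookup really fails without the server.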