[Freeipa-users] Firewalling IPA 2

Simo Sorce simo at redhat.com
Wed Feb 1 14:06:14 UTC 2012


On Wed, 2012-02-01 at 07:33 -0500, Stephen Gallagher wrote:
> On Wed, 2012-02-01 at 07:56 +0100, Jakub Hrozek wrote:
> > On Wed, Feb 01, 2012 at 03:31:15PM +1100, Craig T wrote:
> > > Hi,
> > > 
> > > I'd like to restrict which hosts have access to port 389 on the IPA server.
> > > 
> > > How does SSSD connect to the IPA 2.x server for user name queries? I
> > > half expected it to need port 389 or 636 open on the server, but my
> > > testing is showing this is not the case.
> 
> > SSSD uses LDAP + SASL/GSSAPI for identity lookups. Authentication is
> > Kerberos with the exception of client side password migration that does
> > a one-time TLS bind.
> > 
> > Both SASL/GSSAPI and the TLS bind use port 389. We don't use ldaps://
> > (which would be port 636 by default) in the IPA provider at all.
> > 
> > As per why your testing looked like port 389 does not need to be open, my
> > guess is that SSSD simply returned entries from cache. Does an identity
> > lookup (getent passwd admin) work when you remove or expire the caches
> > and restart SSSD?
> 
> Yeah, I agree with Jakub. SSSD performs caching on the client side so
> that if the FreeIPA server is unreachable for a time, it can still
> return results locally. If the server is unavailable, the cached results
> will never expire, so you can't just wait it out (or use the sss_cache
> tool to any great effect).
> 
> In terms of your firewall rules, you only want to allow access on port
> 389 for your hosts. It's also worth noting that because SSSD clients
> bind with their host entry, you can also opt to disable anonymous access
> to the FreeIPA LDAP server for added security.

When FreeIPA is installed, it tells you the list of ports you should leave
open: LDAP, Kerberos, and possibly others like DNS, NTP, etc. should all be
made available to clients.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
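Putting the two pieces of advice together (open the ports ipa-server-install lists, but only to your own client hosts, and verify with a cold SSSD cache rather than a warm one), here is an added example that is not from the thread or the FreeIPA project. The port list is the one ipa-server-install prints at the end of setup; the client networks (192.0.2.0/24, 198.51.100.0/24), the IPA_DNS/IPA_NTP switches and the sssd_cold_lookup helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: emit iptables rules
# that expose the FreeIPA service ports only to enrolled-client networks, plus
# a helper for the cold-cache lookup test Jakub suggests.

# Print "proto port" pairs a FreeIPA server accepts from clients, as listed by
# ipa-server-install: HTTP/HTTPS, LDAP/LDAPS, Kerberos, kpasswd, and the
# optional DNS and NTP services. Set IPA_DNS=0 / IPA_NTP=0 to leave those out.
# (636 is listed even though the SSSD IPA provider only ever talks to 389.)
ipa_ports() {
    printf '%s\n' 'tcp 80' 'tcp 443' 'tcp 389' 'tcp 636' \
                  'tcp 88' 'tcp 464' 'udp 88' 'udp 464'
    if [ "${IPA_DNS:-1}" = 1 ]; then printf '%s\n' 'tcp 53' 'udp 53'; fi
    if [ "${IPA_NTP:-1}" = 1 ]; then printf '%s\n' 'udp 123'; fi
}

# ipa_client_rules NET [NET...]: one ACCEPT per (network, proto, port) for new
# connections, then an explicit DROP for those ports from anywhere else, so a
# host outside the listed networks gets nothing, whatever the chain policy is.
# ESTABLISHED/RELATED traffic is assumed to be accepted earlier in the chain.
ipa_client_rules() {
    for net in "$@"; do
        ipa_ports | while read -r proto port; do
            printf 'iptables -A INPUT -s %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
                "$net" "$proto" "$port"
        done
    done
    ipa_ports | while read -r proto port; do
        printf 'iptables -A INPUT -p %s --dport %s -j DROP\n' "$proto" "$port"
    done
}

# sssd_cold_lookup USER: the lookup that actually exercises port 389. Because
# SSSD serves expired entries while the server is unreachable (Stephen's
# point), the cache database is removed rather than just expired. Assumed
# cache path: /var/lib/sss/db/cache_*.ldb. Must run as root; not invoked here.
sssd_cold_lookup() {
    systemctl stop sssd &&
        rm -f /var/lib/sss/db/cache_*.ldb &&
        systemctl start sssd &&
        getent passwd "$1"
}

# Usage: print the rule set for two assumed client networks.
ipa_client_rules 192.0.2.0/24 198.51.100.0/24
```

Run the script once to review the rules, then feed them to the shell (or translate them into your firewall tool of choice) on the IPA server; a client outside the listed networks should then fail `sssd_cold_lookup admin`, while a client inside them should still resolve the user.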



