[Freeipa-users] ipa ports

Dmitri Pal dpal at redhat.com
Wed May 23 23:27:11 UTC 2012


On 05/23/2012 05:40 PM, Jan-Frode Myklebust wrote:
> We have quite strict firewalls, so I need to specify the IPA network
> ports accurately. So, we now have openings for:
>
> 	80/tcp, 88/tcp, 389/tcp, 443/tcp, 464/tcp, 636/tcp
> 	88/udp, 464/udp
>
> in to our first IPA server. Now I'm in the process of configuring the
> first replica. Are there any other ports that need to be opened between
> the IPA master and replica?
>
> We don't serve NTP or DNS from IPA, so I guess these shouldn't be
> relevant, but I think we want dogtag replicated, so there are maybe some
> ports for that that need opening?
>
> Or, to put it another way, which of these ports:
>
> 	http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Preparing_for_an_IPA_Installation.html#prereq-ports
>
> need to be opened between IPA servers, which for all clients, which for
> replicas and which for administrative clients?
>
> 	HTTP/HTTPS	-- open for all
> 	LDAP/LDAPS	-- open for all
> 	Kerberos	-- open for all
> 	OCSP responder  -- open for all if we use certs
>
> 	dogtag 9443 (agents)	-- ?
> 	dogtag 9444 (users, SSL)	-- ?
> 	dogtag 9445 (administrators)	-- ?
> 	dogtag 9446 (users, client authentication)	-- ?
> 	dogtag 9701 (Tomcat)	-- ?
> 	dogtag 7389 (internal LDAP database) -- ?
>
>

Dogtag ports are now proxied via HTTP
https://fedorahosted.org/freeipa/ticket/1334
I guess we need a doc bug to correct the documentation.
Opened: https://bugzilla.redhat.com/show_bug.cgi?id=824666

A replica can check its connectivity to the master it is created from using
the ipa-replica-conncheck utility on the replica.
It seems that this is not documented.
Opened: https://bugzilla.redhat.com/show_bug.cgi?id=824667

>   -jf
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
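The port list in the quoted mail is easy to get subtly wrong in a strict firewall (a typo in one protocol, a rule that never gets reloaded), and the reply points out that the Dogtag ports are not needed because they are proxied through the IPA HTTP(S) port. The script below is an added example, not code from FreeIPA or from either author of the thread: it parses a port list written the way the mail writes it, emits the firewalld commands that open exactly those ports on the server side, and probes the TCP ones from a client host. It assumes a server running firewalld (the `firewall-cmd --permanent --zone=... --add-port=N/proto` and `firewall-cmd --reload` syntax), that UDP Kerberos ports are left to a real kinit or to ipa-replica-conncheck rather than a blind UDP send, and the host name `ipa.example.test` is a placeholder.

```python
"""Firewall port helpers for the IPA port list discussed in the thread.

Added example, not code from FreeIPA or from the thread's authors.
Assumptions: the server runs firewalld, and the Dogtag ports
(9443-9446, 9701, 7389) are omitted because Dogtag is reached through
the IPA HTTPS proxy, as the reply states.
"""
import socket
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Port:
    number: int
    proto: str  # "tcp" or "udp"


# The ports the original mail already opens towards the first IPA server,
# kept as a spec string so the parser below runs on the real input format.
IPA_PORT_SPEC = "80/tcp, 88/tcp, 389/tcp, 443/tcp, 464/tcp, 636/tcp, 88/udp, 464/udp"


def parse_port_spec(spec: str) -> List[Port]:
    """Parse 'N/proto, N/proto' into Port objects, rejecting anything else.

    Strictness matters: a typo such as '464/tpc' must fail loudly instead
    of turning into a rule that silently opens nothing or the wrong thing.
    """
    ports: List[Port] = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate a trailing comma
        parts = item.split("/")
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError(f"bad port entry {item!r}: expected N/tcp or N/udp")
        number, proto = int(parts[0]), parts[1].lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"bad protocol in {item!r}")
        if not 1 <= number <= 65535:
            raise ValueError(f"port out of range in {item!r}")
        ports.append(Port(number, proto))
    return ports


def firewalld_commands(ports: List[Port], zone: str = "public") -> List[str]:
    """Return the firewall-cmd invocations that open exactly these ports.

    --permanent makes the rules survive a reload; the single --reload at
    the end applies them to the running configuration.
    """
    cmds = [
        f"firewall-cmd --permanent --zone={zone} --add-port={p.number}/{p.proto}"
        for p in ports
    ]
    cmds.append("firewall-cmd --reload")
    return cmds


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name lookup failure
        return False


def check_ports(host: str, ports: List[Port], timeout: float = 3.0) -> Dict[Port, Optional[bool]]:
    """Probe every TCP port; UDP entries are reported as None (not probed).

    A bare UDP datagram proves nothing, since no reply is expected unless
    the probe speaks Kerberos, so UDP 88/464 are left to kinit or to
    ipa-replica-conncheck.
    """
    results: Dict[Port, Optional[bool]] = {}
    for p in ports:
        results[p] = check_tcp(host, p.number, timeout) if p.proto == "tcp" else None
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.test"  # placeholder host
    ports = parse_port_spec(IPA_PORT_SPEC)
    print("# firewalld rules to run on the IPA server:")
    for cmd in firewalld_commands(ports):
        print(cmd)
    print(f"# TCP reachability of {target} from this host:")
    for p, ok in check_ports(target, ports).items():
        state = "open" if ok else ("CLOSED/FILTERED" if ok is False else "udp: not probed")
        print(f"{p.number}/{p.proto}: {state}")
```

Run it as `python3 ipa_ports.py ipa.example.test` from a client or prospective replica; any TCP port reported CLOSED/FILTERED is either not listening or blocked by the firewall between the two hosts. The Dogtag ports from the documentation table are deliberately not in `IPA_PORT_SPEC`, because per the reply they are reached through 443; if a future IPA version changes that, the spec string is the one place to edit.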

