[Freeipa-users] Blocking 389 and 636 for AD trusts

[Sumit Bose]

On Mon, Aug 12, 2013 at 11:24:03AM -0400, Brian Lee wrote:
> Hello everyone,
> 
> I understand this is well documented that we need to block AD from
> establishing communication to the LDAP ports, but I've never heard an
> explanation on why this is needed.
> 
> Additionally, In our environment, we have a 100+ AD servers. Do I need to
> add an iptables rule for each AD server, on each IPA server or only the
> ones configured for DNS forwarding?
> 
> Thanks as always

Thank you for bringing up this topic. I've discussed this with
Alexander and we think that this recommendation can be dropped.

I have updated http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup.
The new version now says:

"""
Previously we recommended that you should make sure that IPA LDAP server
is not reachable by AD DC by closing down TCP ports 389 and 636 for AD
DC. Our current tests lead to the assumption that this is not necessary
anymore. During the early development stage we tried to create a trust
between IPA and AD with both IPA and AD tools. It turned out that the AD
tools expect an AD like LDAP schema and layout to create a trust. Since
the IPA LDAP server does not meet those requirements it is not possible
to create a trust between IPA and AD with AD tools only with the 'ipa
trust-add' command. By blocking the LDAP ports for the AD DC we tried to
force the AD tools to fall back to other means to get the needed
information with no success. But we kept the recommendation to block
those ports because it was not clear at this time if AD will check the
LDAP layout of a trust partner during normal operation as well. Since we
have not observed those request the recommendation can be dropped.
"""

HTH

bye,
Sumit

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users