[Freeipa-users] Blocking 389 and 636 for AD trusts

Brian Lee brian_lee1 at jabil.com
Wed Aug 14 10:47:38 UTC 2013


Great news! Thanks for the update.


On Wed, Aug 14, 2013 at 4:50 AM, Sumit Bose <sbose at redhat.com> wrote:

> On Mon, Aug 12, 2013 at 11:24:03AM -0400, Brian Lee wrote:
> > Hello everyone,
> >
> > I understand this is well documented that we need to block AD from
> > establishing communication to the LDAP ports, but I've never heard an
> > explanation on why this is needed.
> >
> > Additionally, in our environment we have 100+ AD servers. Do I need to
> > add an iptables rule for each AD server, on each IPA server, or only the
> > ones configured for DNS forwarding?
> >
> > Thanks as always
>
> Thank you for bringing up this topic. I've discussed this with
> Alexander and we think that this recommendation can be dropped.
>
> I have updated http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup.
> The new version now says:
>
> """
> Previously we recommended that you should make sure that the IPA LDAP
> server is not reachable by the AD DC by closing down TCP ports 389 and
> 636 for the AD DC. Our current tests lead to the assumption that this is
> not necessary anymore. During the early development stage we tried to
> create a trust between IPA and AD with both IPA and AD tools. It turned
> out that the AD tools expect an AD-like LDAP schema and layout to create
> a trust. Since the IPA LDAP server does not meet those requirements, it
> is not possible to create a trust between IPA and AD with AD tools, only
> with the 'ipa trust-add' command. By blocking the LDAP ports for the AD
> DC we tried to force the AD tools to fall back to other means to get the
> needed information, with no success. But we kept the recommendation to
> block those ports because it was not clear at this time if AD will check
> the LDAP layout of a trust partner during normal operation as well.
> Since we have not observed those requests, the recommendation can be
> dropped.
> """
>
> HTH
>
> bye,
> Sumit
>
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
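Since the thread concludes that the old advice to block TCP 389/636 from AD DCs can be dropped, an administrator who followed it will want to find those rules again. The script below is an added example, not code from the thread or from FreeIPA: it filters `iptables -S` style output for DROP/REJECT rules on TCP 389 or 636 (single ports, multiport lists and ranges). The sample ruleset and the 10.0.0.x addresses standing in for AD DCs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report iptables rules that drop or reject TCP 389/636,
# i.e. the now-unneeded "block the IPA LDAP ports for the AD DC" rules.
# Reads "iptables -S" formatted rules on stdin, prints the matching ones.

find_ldap_block_rules() {
    awk '
    /^-A / {
        tcp = 0; ports = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p" || $i == "--protocol") tcp = ($(i+1) == "tcp")
            if ($i == "--dport" || $i == "--dports") ports = $(i+1)
            if ($i == "-j") target = $(i+1)
        }
        # Only TCP rules with a blocking target are of interest.
        if (!tcp || (target != "DROP" && target != "REJECT")) next
        # Ports may be "389", "389,636" (multiport) or a range "389:636".
        n = split(ports, p, ",")
        for (k = 1; k <= n; k++) {
            m = split(p[k], r, ":")
            lo = r[1] + 0; hi = (m > 1) ? r[2] + 0 : lo
            if ((lo <= 389 && 389 <= hi) || (lo <= 636 && 636 <= hi)) {
                print; next
            }
        }
    }'
}

# Constructed sample ruleset; the 10.0.0.x hosts are assumed AD DCs and are
# not taken from the thread.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 10.0.0.10/32 -p tcp -m tcp --dport 389 -j DROP
-A INPUT -s 10.0.0.10/32 -p tcp -m tcp --dport 636 -j DROP
-A INPUT -s 10.0.0.11/32 -p tcp -m multiport --dports 389,636 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.12/32 -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p udp -m udp --dport 389 -j DROP'

# Number of blocking LDAP rules found in the sample (expected: 3).
count_ldap_block_rules() {
    printf '%s\n' "$SAMPLE_RULES" | find_ldap_block_rules | wc -l | tr -d ' '
}

# On a live IPA server: iptables -S INPUT | find_ldap_block_rules
printf '%s\n' "$SAMPLE_RULES" | find_ldap_block_rules
```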