[Freeipa-users] FreeIPA Replica ports

Simo Sorce simo at redhat.com
Mon Aug 26 19:41:26 UTC 2013


On Mon, 2013-08-26 at 14:08 -0400, Rob Crittenden wrote:
> bwellsnc wrote:
> > I have been over the documentation and all documentation states that
> > replication happens over port 7389.  This is incorrect.  It is happening
> > over 389.  I have a need for replication to operate over 7389 because I
> > have a remote server that is located in a datacenter which I have no
> > vpn/p2p access.  Is there a way to set the replication port in IPA?
> 
> The documentation is a little unclear, I agree. It is trying to say that 
> IF you want a CA on the replica then you'll need port 7389 (and a few 
> others) opened in the firewall.
> 
> Changing the port would require reconfiguring 389-ds to listen on 
> another port (or an additional port) and configure replication over that 
> port. We don't provide the ability to configure ports so you'd need to 
> make code changes.
> 
> If the concern is lack of security, we initially (during 
> ipa-replica-install) use startTLS over 389. Once the server is up we 
> reconfigure the agreement to use GSSAPI, so the data is always 
> encrypted. For the case of the CA, it always uses startTLS on port 7389.

We should also probably note that in newer versions of FreeIPA we have
consolidated all instances in one, so only port 389 is used.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
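As an added illustration (my own code, not from this thread or from FreeIPA), here is the check an admin can run to see what the agreements above actually do: dump them with `ldapsearch -LLL -b cn=config '(objectClass=nsds5replicationagreement)'` and feed the LDIF to this script, which reports the peer, the port the firewall must allow, and whether the hop is protected by startTLS/LDAPS or by a GSSAPI security layer. The sample LDIF is constructed (hostnames are made up; the attribute names are 389-ds's own) and is assumed to contain only agreement entries, as that search filter returns.

```python
# Constructed sample LDIF; attribute names are the real 389-ds ones, hosts are made up.
SAMPLE_LDIF = """\
dn: cn=meTomaster2,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
nsDS5ReplicaHost: master2.example.test
nsDS5ReplicaPort: 389
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindMethod: SASL/GSSAPI

dn: cn=caAgreement,cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
nsDS5ReplicaHost: ca2.example.test
nsDS5ReplicaPort: 7389
nsDS5ReplicaTransportInfo: TLS
nsDS5ReplicaBindMethod: SIMPLE

dn: cn=legacy,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
nsDS5ReplicaHost: old.example.test
nsDS5ReplicaPort: 389
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaBindMethod: SIMPLE
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, lowercased attribute
    names, folded continuation lines (leading space) rejoined to the previous value."""
    entries, entry, last = [], {}, None
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if line.startswith(" ") and last:
            entry[last] += line[1:]
        elif not line.strip():
            if entry:
                entries.append(entry)
            entry, last = {}, None
        else:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            entry[last] = value.strip()
    return entries


def audit_agreements(ldif_text):
    """One (peer host, port, encrypted) tuple per replication agreement."""
    report = []
    for e in parse_ldif(ldif_text):
        transport = e.get("nsds5replicatransportinfo", "LDAP").upper()
        bind = e.get("nsds5replicabindmethod", "SIMPLE").upper()
        # LDAPS/startTLS encrypt on the wire; GSSAPI adds a SASL security layer even on plain 389.
        encrypted = transport in {"SSL", "TLS", "STARTTLS"} or bind == "SASL/GSSAPI"
        report.append((e["nsds5replicahost"], int(e.get("nsds5replicaport", 389)), encrypted))
    return report
```

Any tuple with `encrypted == False` is a plain-LDAP agreement with a simple bind, which is the case to fix before exposing it across an untrusted network.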

