[Freeipa-users] Securing IPA Redux

Rob Crittenden rcritten at redhat.com
Mon May 18 17:53:22 UTC 2015


Rich Megginson wrote:
> On 05/18/2015 08:26 AM, Martin Kosek wrote:
>> Adding freeipa-users list back, to keep others in the loop.
>>
>> On 05/18/2015 12:32 PM, Brian Topping wrote:
>>> Thanks for taking the time to write that, Martin. It's good to have a
>>> reference to build from.
>>>
>>> Result of "ipa-client-install" outside the firewall with port 636
>>> accessible:
>> Ah, I mostly just use 636 as a convenience port to show the supported
>> cryptos, 389 is really the port we should be using by default.
>>
>> Of course, 389 port + STARTTLS environment turned on, to make sure
>> passwords do not go in clean over the wire.
>>
>>>> Please make sure the following ports are opened in the firewall
>>>> settings:
>>>>       TCP: 80, 88, 389
>>>>       UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
>>>> Also note that following ports are necessary for ipa-client working
>>>> properly after enrollment:
>>>>       TCP: 464
>>>>       UDP: 464, 123 (if NTP enabled)
>>> No mention of 636, confirmed by tcpdump that it's not trying. Also no
>>> option on command line to specify 636.
>>>
>>> Opening up 389 means that some misconfigured client could expose
>>> passwords.
>
> Not necessarily.
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/SecureConnections.html#requiring-secure-connections
>
>
>>> It's possible to remove null ciphers, but then there's really no
>>> reason not to use 636.
>>>
>>> Seems like ipa-client-install should try 636 by default, then fall
>>> back to 389 in its various forms, no?
>> I think the general direction here was the opposite. To work on the
>> port 389 as the common denominator, offering both password-less traffic
>> and encrypted traffic. I am not sure if there were other reasons too,
>> I would let Rob or Ludwig reply here if they know.

ldaps / port 636 is deprecated in favor of StartTLS. For OpenLDAP's take 
on it see http://www.openldap.org/faq/data/cache/605.html

rob
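The "389 + STARTTLS" exchange discussed in this thread, hand-built so a defender can confirm that a directory server really upgrades the connection to TLS on port 389 before any bind is sent. This is an added example, not code from the thread or from FreeIPA; the host, port and CA file passed to starttls_connect are placeholders.

```python
"""Hand-built LDAPv3 StartTLS check (RFC 4511 s.4.14); added example, not FreeIPA code."""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 s.4.14.1

def ber_len(n):
    """BER length octets: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def ber(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    ext = ber(0x77, ber(0x80, STARTTLS_OID))
    return ber(0x30, ber(0x02, bytes([msg_id])) + ext)  # msg_id kept below 128

def _tlv(buf, pos):
    # Read one BER TLV at pos; return (tag, value, next_pos).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_extended_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from an ExtendedResponse."""
    tag, body, _ = _tlv(data, 0)
    _, mid, pos = _tlv(body, 0)
    op, resp, _ = _tlv(body, pos)
    if tag != 0x30 or op != 0x78:  # LDAPMessage SEQUENCE holding [APPLICATION 24]
        raise ValueError("not an ExtendedResponse")
    _, code, pos = _tlv(resp, 0)
    _, _matched_dn, pos = _tlv(resp, pos)
    _, diag, _ = _tlv(resp, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def starttls_connect(host, port=389, cafile=None):
    """TLS-protect an LDAP session via StartTLS; host and cafile are placeholders."""
    sock = socket.create_connection((host, port), timeout=10)
    sock.sendall(starttls_request(1))
    _mid, code, diag = parse_extended_response(sock.recv(4096))
    if code != 0:  # e.g. 1 operationsError / 52 unavailable: no TLS offered on this port
        sock.close()
        raise RuntimeError("StartTLS refused: resultCode=%d %s" % (code, diag))
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the server certificate
    return ctx.wrap_socket(sock, server_hostname=host)
```

Only after starttls_connect returns should a client send a simple bind, which is the ordering that keeps passwords off the wire on 389 without a separate ldaps port.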