[Freeipa-users] freeipa unsecured ports & MITM
Alexander Bokovoy
abokovoy at redhat.com
Tue Mar 29 15:48:12 UTC 2016
On Tue, 29 Mar 2016, Simo Sorce wrote:
>On Tue, 2016-03-29 at 08:51 -0600, Master P. wrote:
>> Hello,
>>
>> I am using FreeIPA on the cloud and am worried about MITM attacks. I'm
>> assuming all network traffic can be easily read and possibly manipulated by
>> an attacker.
>>
>> When following
>> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html,
>> some of the listed ports for FreeIPA (80 and 389) are unencrypted ports.
>
>The only thing port 80 does is redirect to 443.
There is also a CA certificate access on port 80 in case LDAP-based
access didn't work.
>Port 389 is the only use LDAP port and clients will use the STARTTLS
>command to transition to to a TLS encrypted connection or use GSSAPI and
>confidentiality to encrypt the traffic.
Also, any LDAP BIND with password will be refused without STARTTLS
command.
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list