[Freeipa-users] network ports requirements for a replica

Alexander Bokovoy abokovoy at redhat.com
Mon Oct 17 10:12:00 UTC 2016


On Mon, 17 Oct 2016, Karl Forner wrote:
>On Mon, Oct 17, 2016 at 10:33 AM, Alexander Bokovoy <abokovoy at redhat.com>
>wrote:
>
>> On Mon, 17 Oct 2016, Karl Forner wrote:
>>
>>> Thanks Alexander, unfortunately I could only find outdated documentation.
>>> I just realized that my question is not precise enough.
>>>
>> The documentation I linked is the up-to-date one.
>>
>
>Yes I know. I was explaining...
>
>
>>
>>
>>> From your answer, I understand that during the replica setup process,
>>> all I need (because I do not use RHEL) is an SSH port between the master
>>> and the replica.
>>>
>> You did not read carefully what I quoted. SSH port is in addition to the
>> ports required to be open for normal IPA master.
>>
>
>I did read.  I wrote "between the master and the replica". Each server has
>its own set of open ports in its own network, used by its clients.
An IPA replica is a client of the IPA master; there isn't much difference,
except in where Kerberos tickets are obtained from, as each master/replica
hosts its own KDC with exactly the same keys, so they are able to 'short cut' it
here. However, the rest stands.

>What I want to know is what ports are used by the replication process, i.e.
>what ports must I open on my firewall to enable the replication.
Exactly the same ports as specified in the documentation.

>Maybe all the ports are used for that purpose, but this is not, unless
>mistaken, clearly stated in the documentation.
You are mistaken, and the mistake most likely comes from your idea that
somehow IPA masters/replicas are different from other IPA clients. They
are not; they are IPA clients themselves. Replication exchange is built
on the LDAP protocol.

>In that case, this may be a security problem opening that many ports in the
>firewall.
Nothing prevents you from organizing a proper VPN or other types of tunneling
between the networks.

-- 
/ Alexander Bokovoy
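As an added example (not code from this thread, from FreeIPA itself or from its documentation): a pre-flight checker an operator could run on the replica-to-be, pointed at the master, before starting ipa-replica-install. It probes the TCP ports an IPA client, and therefore a replica, needs on the master, plus SSH for the installation itself as the reply above states. The port list follows the FreeIPA documented requirements (TCP 80, 443, 389, 636, 88, 464, and 53 when the master runs the integrated DNS; UDP 88, 464, 53, 123); the service descriptions, function names, and the `local_listener` self-test helper are this example's own. UDP ports are listed but not probed, because a connect() on UDP proves nothing.

```python
#!/usr/bin/env python3
"""Pre-flight connectivity check for a prospective FreeIPA replica.

Run on the replica host against the master: reports which of the IPA
service ports an IPA client (and so a replica) needs do NOT answer TCP
connections, before ipa-replica-install fails half-way through.
Added example; not part of FreeIPA.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# TCP ports every IPA client needs on the master, per the FreeIPA documented
# port requirements (the descriptions are this example's own wording).
IPA_TCP_PORTS = {
    80: "HTTP (redirects to HTTPS)",
    443: "HTTPS (Web UI and JSON-RPC API)",
    389: "LDAP (directory access; replication runs over this protocol)",
    636: "LDAPS",
    88: "Kerberos KDC",
    464: "Kerberos kpasswd",
    53: "DNS (only if the master runs the integrated DNS server)",
}
# Needed only while the replica is being installed, as the thread above says.
SETUP_ONLY_TCP_PORTS = {22: "SSH (replica installation only)"}
# UDP services cannot be verified with a plain connect(); listed so the
# operator checks them by other means (e.g. a kinit against the master).
IPA_UDP_PORTS = {88: "Kerberos KDC", 464: "kpasswd", 53: "DNS", 123: "NTP"}


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name resolution failed
        return False


def check_ports(host, ports, timeout=2.0):
    """Probe the given ports concurrently; return {port: reachable}."""
    ports = list(ports)
    if not ports:
        return {}
    with ThreadPoolExecutor(max_workers=min(16, len(ports))) as pool:
        results = pool.map(lambda p: (p, tcp_port_open(host, p, timeout)), ports)
    return dict(results)


def missing_ports(host, include_setup=True, timeout=2.0):
    """Sorted list of required TCP ports on `host` that did not answer."""
    required = dict(IPA_TCP_PORTS)
    if include_setup:
        required.update(SETUP_ONLY_TCP_PORTS)
    status = check_ports(host, required, timeout)
    return sorted(p for p, ok in status.items() if not ok)


def local_listener():
    """Self-test aid: listen on an ephemeral 127.0.0.1 port.

    Returns (socket, port); closing the socket makes the port refuse again.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} MASTER_HOSTNAME", file=sys.stderr)
        return 2
    master = argv[1]
    labels = {**IPA_TCP_PORTS, **SETUP_ONLY_TCP_PORTS}
    missing = missing_ports(master)
    for port in sorted(labels):
        state = "BLOCKED" if port in missing else "open   "
        print(f"{state}  tcp/{port:<4} {labels[port]}")
    print("not tested (UDP): "
          + ", ".join(f"udp/{p} {d}" for p, d in IPA_UDP_PORTS.items()))
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the replica as `python3 ipa_replica_ports.py ipa1.example.com` (hypothetical hostname); it exits non-zero if any required TCP port is blocked. A "BLOCKED" on tcp/53 is only a problem if the master serves DNS, and tcp/22 is only needed for the duration of the install. If the two networks are joined with a VPN or other tunnel, as suggested in the reply, the same check run against the tunnel endpoint confirms that all of the IPA traffic, not just LDAP, is being carried by it.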
