On Mon, Aug 12, 2013 at 11:24:03AM -0400, Brian Lee wrote:
> Hello everyone,
>
> I understand this is well documented that we need to block AD from
> establishing communication to the LDAP ports, but I've never heard an
> explanation on why this is needed.
>
> Additionally, in our environment, we have 100+ AD servers. Do I need to
> add an iptables rule for each AD server, on each IPA server or only the
> ones configured for DNS forwarding?
>
> Thanks as always
Thank you for bringing up this topic. I've discussed this with Alexander and we think that this recommendation can be dropped. I have updated http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup. The new version now says:

"""
Previously we recommended that you should make sure that the IPA LDAP server is not reachable by the AD DC by closing down TCP ports 389 and 636 for the AD DC. Our current tests lead to the assumption that this is not necessary anymore.

During the early development stage we tried to create a trust between IPA and AD with both IPA and AD tools. It turned out that the AD tools expect an AD-like LDAP schema and layout to create a trust. Since the IPA LDAP server does not meet those requirements, it is not possible to create a trust between IPA and AD with AD tools, only with the 'ipa trust-add' command. By blocking the LDAP ports for the AD DC we tried to force the AD tools to fall back to other means to get the needed information, with no success. But we kept the recommendation to block those ports because it was not clear at the time whether AD would check the LDAP layout of a trust partner during normal operation as well. Since we have not observed those requests, the recommendation can be dropped.
"""

HTH

bye,
Sumit

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
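Since the guidance above now says the per-AD-DC block on TCP 389/636 is no longer needed, an administrator who followed the old recommendation on many IPA servers may want to find the leftover rules before removing them. The following audit helper is an added example, not code from the thread or from the FreeIPA project; it filters `iptables-save`-style output for DROP/REJECT rules on the LDAP ports. The ruleset embedded in it is constructed sample data with documentation-range addresses, not output from anyone's servers.

```shell
#!/bin/sh
# Added audit helper (not part of the original thread): list iptables rules
# that still block the IPA LDAP ports (TCP 389 and 636) so that obsolete
# per-AD-DC blocks can be reviewed and removed.
# Input: `iptables-save` or `iptables -S` style rule lines on stdin.

find_ldap_block_rules() {
    # Keep rules whose destination port is 389, 636 or a multiport
    # combination of the two, and whose target is DROP or REJECT.
    grep -E -- '--dport(s)? (389|636|389,636|636,389)( |$)' |
        grep -E -- '-j (DROP|REJECT)'
}

# Constructed sample ruleset (assumption: not real output from any host).
# Two single-port DROPs and one multiport REJECT should be reported; the
# ACCEPT rules must not be.
SAMPLE_RULES='-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 389 -j DROP
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 636 -j DROP
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -s 192.0.2.11/32 -p tcp -m multiport --dports 389,636 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Run the filter over the constructed sample and return the match count.
count_ldap_block_rules() {
    printf '%s\n' "$SAMPLE_RULES" | find_ldap_block_rules | wc -l | tr -d ' '
}

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | find_ldap_block_rules
```

On a real IPA server the same filter is applied as `sudo iptables-save | find_ldap_block_rules`; each line it prints can then be turned into a matching `iptables -D` call once you have confirmed it is one of the old AD DC blocks rather than a rule added for some other reason.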