Ports requirement between IPA master and clients


Is access to these ports between IDM and its clients/replicas bi-directional (communication in both directions)?
- 80, 443
- 389, 636
- 88, 464
- 53
- 123

Also, if we do not need DNS and NTP management from IDM, can we just skip ports 53 & 123 during firewall requests? Thanks in advance.

Responses

Hello, the Port Requirements section of the Linux Domain Identity, Authentication, and Policy Guide has the list of ports. It does not explicitly say the ports are for incoming connections to the IdM server, but to me it seems that way from the context (and my testing).

I will raise this issue with the guide maintainer.

Hello Stephen, thank you. I did some telnet tests on my test machines (I checked multiple ports) and I noticed that from the IDM server to the client, the connection is refused; however, from the client to the IDM server, the connection says "connected" (please see below). However, I can see the IPA users from both machines. I can edit users on the client and still see that on the IPA master server and vice versa. So, I am confused whether the communication is bi-directional or not.

Telnet test from the IPA master server to the IPA client server:

telnet srtest.XXX.XX.XXX 636

Trying 156.xxx.xx.xxx... telnet: connect to address 156.xxx.xx.xxx: Connection refused

Telnet test from the IPA client to the IPA master server:

telnet sripa-test.xxx.xx.xxx 636

Trying 156.xxx.xx.xxx... Connected to sripa-test.xxx.xx.xxx.

Hello Shisheer,

Telnet test from the IPA client to the IPA master server:

telnet sripa-test.xxx.xx.xxx 636

Trying yyy.xxx.xx.xxx... Connected to sripa-test.xxx.xx.xxx.

This connection would not make sense. It would mean your ipa-client would be an LDAPS server, where you would expect the directory server part of the IPA server to perform that function.

Regards,

Jan Gerrit

A similar test that should fail: telnet from AD servers to the Kerberos server ports of the IPA clients.
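As an added example (not code from anyone in this thread), the following script runs the same client-to-server TCP connect that telnet performs, for every port in the list above, and reports the UDP-only port separately since a TCP connect cannot prove it open. The server hostname and the service labels are placeholders; the `connect` parameter exists so the check can be exercised without a live IdM server.

```python
import socket
from typing import Callable, Dict, Tuple

# Ports from the thread, mapped to service and transport (constructed
# labels; 88/464/53 are used over both TCP and UDP, 123 is UDP only).
IDM_PORTS: Dict[int, Tuple[str, str]] = {
    80: ("HTTP", "tcp"),
    443: ("HTTPS", "tcp"),
    389: ("LDAP", "tcp"),
    636: ("LDAPS", "tcp"),
    88: ("Kerberos", "tcp+udp"),
    464: ("kpasswd", "tcp+udp"),
    53: ("DNS", "tcp+udp"),
    123: ("NTP", "udp"),
}


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Client -> server TCP connect, the same check telnet performs.
    True if the handshake completes, False on refusal, timeout or filter."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_idm_ports(server: str,
                    connect: Callable[[str, int], bool] = tcp_connect) -> Dict[int, str]:
    """Run the connect from the client side against every IdM server port.
    UDP-only ports cannot be proven open with a TCP connect; say so instead."""
    results: Dict[int, str] = {}
    for port, (name, proto) in IDM_PORTS.items():
        if "tcp" not in proto:
            results[port] = f"{name}: {proto} only, not testable by TCP connect"
            continue
        state = "open" if connect(server, port) else "refused or filtered"
        results[port] = f"{name}: {state}"
    return results


def blocked_ports(results: Dict[int, str]) -> list:
    """Ports whose TCP connect failed; these need a client -> server firewall rule."""
    return sorted(p for p, s in results.items() if s.endswith("refused or filtered"))


if __name__ == "__main__":
    # Placeholder hostname; replace with your IdM server.
    report = check_idm_ports("idm-server.example.test")
    for port in sorted(report):
        print(f"{port:>5}  {report[port]}")
    print("blocked:", blocked_ports(report))
```

Run it on an IdM client, not on the server: the thread's point is that only the client-to-server direction needs to succeed, so the same probe aimed at a client is expected to be refused.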

Stephen,

Thanks for raising this bug.
