#1830 Find a better way to block AD to access IPA LDAP server
Closed: Invalid. Opened 12 years ago by sbose.

In a trust environment, AD servers expect other LDAP servers to have the same directory tree layout as AD has, and look for specific objects and attributes to e.g. determine the functional domain level. When AD tries to access the IPA LDAP server during an operation, it will in general fail because the requested information cannot be found. To prevent AD from using LDAP operations and make it use RPC calls instead, we currently rely on firewall rules to block the LDAP ports for AD servers.

This is cumbersome and error-prone since all AD servers have to be added manually to the rules.

It would be nice if it were possible to determine at connection time whether the connection is coming from an AD server and, if yes, terminate the connection immediately.

Before this is implemented (if it is even possible), we have to check whether AD handles this kind of termination in the same way as it does a firewall reject.

Simo had the idea that the CLDAP plugin (https://fedorahosted.org/freeipa/ticket/1950) can add the IP address of the system connecting to the CLDAP service to a blacklist. Another plugin, which works at the earliest possible stage of a connection that 389-ds can handle, will use this blacklist to deny access to these systems.

Recent tests show that it is not necessary to block the TCP LDAP port to make AD play nice with IPA. I will close this ticket as 'worksforme'. Sorry for the noise.

Metadata Update from @sbose:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0 Trust Effort Backlog

7 years ago
