According to the wiki, it is no longer necessary to make the IPA LDAP server unreachable by any AD domain controller. To be consistent, the setup tool should support this.
https://www.freeipa.org/page/Active_Directory_trust_setup
""" Previously we recommended that you should make sure that IPA LDAP server is not reachable by AD DC by closing down TCP ports 389 and 636 for AD DC. Our current tests lead to the assumption that this is not necessary anymore. During the early development stage we tried to create a trust between IPA and AD with both IPA and AD tools. It turned out that the AD tools expect an AD like LDAP schema and layout to create a trust. Since the IPA LDAP server does not meet those requirements it is not possible to create a trust between IPA and AD with AD tools only with the 'ipa trust-add' command. By blocking the LDAP ports for the AD DC we tried to force the AD tools to fall back to other means to get the needed information with no success. But we kept the recommendation to block those ports because it was not clear at this time if AD will check the LDAP layout of a trust partner during normal operation as well. Since we have not observed those request the recommendation can be dropped. """
freeipa-tscherf-0004-Removed-recommendation-from-ipa-adtrust-install.patch
master:
ipa-4-1:
Metadata Update from @tscherf: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.1.5