#4977 ipa-adtrust-install still gives recommendation to make the IPA LDAP server not reachable for any AD domain controller.
Closed: Fixed None Opened 8 years ago by tscherf.

According to the wiki it's no longer necessary to make the IPA LDAP server not reachable by any AD domain controller. To be consistent, the setup tool should support this.

https://www.freeipa.org/page/Active_Directory_trust_setup

"""
Previously we recommended that you should make sure that the IPA LDAP server is not reachable by the AD DC by closing down TCP ports 389 and 636 for the AD DC. Our current tests lead to the assumption that this is not necessary anymore. During the early development stage we tried to create a trust between IPA and AD with both IPA and AD tools. It turned out that the AD tools expect an AD-like LDAP schema and layout to create a trust. Since the IPA LDAP server does not meet those requirements, it is not possible to create a trust between IPA and AD with AD tools, only with the 'ipa trust-add' command. By blocking the LDAP ports for the AD DC we tried to force the AD tools to fall back to other means to get the needed information, with no success. But we kept the recommendation to block those ports because it was not clear at this time whether AD would check the LDAP layout of a trust partner during normal operation as well. Since we have not observed those requests, the recommendation can be dropped.
"""


freeipa-tscherf-0004-Removed-recommendation-from-ipa-adtrust-install.patch

master:

  • 22d3a93 Removed recommendation from ipa-adtrust-install

ipa-4-1:

  • f838e80 Removed recommendation from ipa-adtrust-install

Metadata Update from @tscherf:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.1.5

7 years ago

