Bug 1326418

Summary: System ports doc should explain port usage
Product: Red Hat Enterprise Linux 7
Component: doc-Linux_Domain_Identity_Management_Guide
Version: 7.2
Hardware: All
OS: All
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Status: CLOSED CURRENTRELEASE
Reporter: Christian Heimes <cheimes>
Assignee: Marc Muehlfeld <mmuehlfe>
QA Contact: Namita Soman <nsoman>
CC: abokovoy, apetrova, cheimes, mmuehlfe, rhel-docs
Keywords: Documentation
Type: Bug
Doc Type: Bug Fix
Last Closed: 2016-06-10 11:54:57 UTC

Description Christian Heimes 2016-04-12 15:36:36 UTC
Description of problem:

Regularly people ask which firewall ports must be opened for FreeIPA or why (supposedly) insecure ports are required. Admins are mostly concerned about plain HTTP and LDAP ports.


Version-Release number of selected component (if applicable):
ALL

Actual results:
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/prereq-ports-clients.html lists all required ports but doesn't explain the usage.

Expected results:
The documentation should also explain why 80/TCP & 389/TCP are required and why these ports are not a security issue.

FreeIPA requires HTTP port 80/TCP to serve Dogtag's OCSP responder and as CRL distribution point. OCSP responses and CRL files are signed and therefore secured against MitM attacks. The FreeIPA web ui requires HTTPS.

LDAPS on port 636/TCP is deprecated in favor of 389/TCP with StartTLS. Clients upgrade connections on 389/TCP to TLS protection and encryption. 636/TCP is still required.

Comment 3 Christian Heimes 2016-04-13 11:12:42 UTC
Does it also make sense to mention firewalld? firewalld comes with service definitions for FreeIPA, https://github.com/t-woerner/firewalld/tree/master/config/services . Both freeipa service definitions open http, https, kerberos, kpasswd and ntp. freeipa-ldap also opens ldap while freeipa-ldaps opens ldaps. For FreeIPA with DNS, the dns service is required as well. The service files are available in RHEL and Fedora.

To open the firewall ports with firewalld permanently, run:

# firewall-cmd --add-service=freeipa-ldap
# firewall-cmd --add-service=freeipa-ldap --permanent
# firewall-cmd --add-service=freeipa-ldaps
# firewall-cmd --add-service=freeipa-ldaps --permanent
# firewall-cmd --add-service=dns
# firewall-cmd --add-service=dns --permanent

Comment 4 Alexander Bokovoy 2016-04-20 09:26:21 UTC
Note also that another recommended use of the LDAP 389 port is with SASL GSSAPI authentication. In fact, the default SSSD configuration for IPA clients is done with this method.

To enforce encryption and signing of packages when using SASL GSSAPI, one needs to set defaults in ldap.conf(5) for all LDAP clients. See the 'GSSAPI OPTIONS' section of the ldap.conf(5) manual page. 'GSSAPI_SIGN on' / 'GSSAPI_ENCRYPT on' are the specific options to force.
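
An added example, not part of this bug report or of FreeIPA, that checks a client's ldap.conf for the two options from ldap.conf(5) named in comment 4 and contrasts a default-style file with a hardened one. The function names, the two sample files and the hostname ipa.example.test are constructed for the example.

```shell
#!/bin/sh
# Added example (not FreeIPA code): audit an ldap.conf for the GSSAPI options
# from ldap.conf(5) named in comment 4. Function names and sample configs are
# constructed for this example.

# Print the effective value of one ldap.conf option: keywords are
# case-insensitive, '#' starts a comment, the last occurrence wins.
ldap_conf_get() {
    # $1 = config file, $2 = option name
    awk -v key="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" '
        { sub(/#.*/, "") }
        NF >= 2 && toupper($1) == key { val = $2 }
        END { if (val != "") print val }
    ' "$1"
}

# Return 0 only when both signing and encryption are forced on.
ldap_conf_gssapi_hardened() {
    sign=$(ldap_conf_get "$1" GSSAPI_SIGN | tr '[:upper:]' '[:lower:]')
    enc=$(ldap_conf_get "$1" GSSAPI_ENCRYPT | tr '[:upper:]' '[:lower:]')
    [ "$sign" = "on" ] && [ "$enc" = "on" ]
}

# Constructed sample: a client that relies on library defaults for GSSAPI
# protection. ipa.example.test is a placeholder hostname.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
URI ldap://ipa.example.test
BASE dc=example,dc=test
SASL_MECH GSSAPI
EOF

# Constructed sample: the same file with both options forced, as comment 4
# recommends.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
URI ldap://ipa.example.test
BASE dc=example,dc=test
SASL_MECH GSSAPI
# force integrity and confidentiality protection (ldap.conf(5), GSSAPI OPTIONS)
GSSAPI_SIGN on
GSSAPI_ENCRYPT on
EOF
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    if ldap_conf_gssapi_hardened "$f"; then echo "$f: hardened"
    else echo "$f: NOT hardened, set GSSAPI_SIGN on and GSSAPI_ENCRYPT on"; fi
done
```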

Comment 6 Marc Muehlfeld 2016-05-10 11:20:33 UTC
I added the information to the "Note" in this section.

Comment 9 Aneta Šteflová Petrová 2016-06-10 11:54:57 UTC
Published in an asynchronous update.