Bug 765972

Summary: Mimic firewall behavior
Product: [Fedora] Fedora
Reporter: Dmitri Pal <dpal>
Component: 389-ds-base
Assignee: Rich Megginson <rmeggins>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 15
CC: edewata, nhosoi, nkinder, rmeggins, sbose, shaines
Target Milestone: ---
Keywords: screened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-12-13 11:53:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Dmitri Pal 2011-12-09 19:36:00 UTC
For the cross-realm trust use case, AD needs to be able to connect to IPA on some ports but not on others. Usually AD connects on the CLDAP port, which runs as a plugin inside DS. This plugin could record the IP of the AD inside some predefined area that would constitute the blacklist of clients.
The bind logic then should consult this list and ignore requests coming from these IP addresses.

The list should not be replicated. The list should also have a timestamp which is updated every time a request comes in for a blacklisted client. This timestamp would help later to identify when a client last tried to access DS and to clean this list if the client was decommissioned.
Alternatively, the entry can be removed after some period of time if there is already a mechanism to perform such internal cleanup in the DS.

This functionality would be nice to have to avoid the complexity of setting up trust relationships and to reduce the burden of setting per-port firewall rules between the AD and IPA environments.

Related IPA ticket is https://fedorahosted.org/freeipa/ticket/1830

Target release: IPA 3.1.
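The mechanism the description sketches (a local, non-replicated blacklist that the CLDAP handler fills, that the bind logic consults, and that carries a last-seen timestamp used for idle cleanup), modelled here in Python as an added illustration. This is a hypothetical model written for this page, not 389-ds plugin code; the addresses and timings in the scenario are constructed.

```python
import ipaddress
import time


class ClientBlacklist:
    """Local (non-replicated) list of client IPs whose bind requests the
    directory server ignores, each with the time of its last request."""

    def __init__(self):
        self._last_seen = {}  # ip -> unix time of the last request from it

    def record(self, ip, now=None):
        """Called from the CLDAP handler: remember the peer that used the
        CLDAP port (in the report, the AD domain controller)."""
        addr = str(ipaddress.ip_address(ip))  # normalise, reject garbage
        self._last_seen[addr] = now if now is not None else time.time()

    def should_ignore_bind(self, ip, now=None):
        """Consulted by the bind logic. True means drop the request; a hit
        also refreshes the client's last-seen timestamp."""
        addr = str(ipaddress.ip_address(ip))
        if addr not in self._last_seen:
            return False
        self._last_seen[addr] = now if now is not None else time.time()
        return True

    def expire(self, max_idle, now=None):
        """Housekeeping: drop clients silent for more than max_idle seconds
        (the decommissioned-client cleanup). Returns the removed addresses."""
        now = now if now is not None else time.time()
        stale = [a for a, t in self._last_seen.items() if now - t > max_idle]
        for a in stale:
            del self._last_seen[a]
        return stale

    def last_seen(self, ip):
        return self._last_seen.get(str(ipaddress.ip_address(ip)))


def simulate():
    """Constructed scenario: an AD DC at 192.0.2.10 hits CLDAP at t=0 and
    binds at t=100 (ignored, timestamp refreshed); an IPA client at
    198.51.100.5 binds (allowed); the DC is purged after a day of silence."""
    bl = ClientBlacklist()
    bl.record("192.0.2.10", now=0)
    dc_ignored = bl.should_ignore_bind("192.0.2.10", now=100)
    other_ignored = bl.should_ignore_bind("198.51.100.5", now=100)
    seen = bl.last_seen("192.0.2.10")
    removed = bl.expire(max_idle=86400, now=100 + 86400 + 1)
    return dc_ignored, other_ignored, seen, removed
```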

Comment 1 Scott Haines 2011-12-12 22:44:16 UTC
Just verifying -- Is this still needed?

Comment 2 Dmitri Pal 2011-12-12 22:56:35 UTC
(In reply to comment #1)
> Just verifying -- Is this still needed?

Unclear, Sumit is testing. Please check with him directly.

Comment 3 Sumit Bose 2011-12-13 11:53:16 UTC
Recent tests show that it is not necessary to block the TCP LDAP port to make AD play nice with IPA. I will close this ticket as NOTABUG. Sorry for the noise.