
Bug 1326418

Summary: System ports doc should explain port usage
Product: Red Hat Enterprise Linux 7
Reporter: Christian Heimes <cheimes>
Component: doc-Linux_Domain_Identity_Management_Guide
Assignee: Marc Muehlfeld <mmuehlfe>
Status: CLOSED CURRENTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: low
Priority: unspecified
Version: 7.2
CC: abokovoy, apetrova, cheimes, mmuehlfe, rhel-docs
Target Milestone: rc
Keywords: Documentation
Target Release: ---
Hardware: All
OS: All
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-06-10 11:54:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Christian Heimes 2016-04-12 15:36:36 UTC
Description of problem:

Regularly people ask which firewall ports must be opened for FreeIPA or why (supposedly) insecure ports are required. Admins are mostly concerned about plain HTTP and LDAP ports.


Version-Release number of selected component (if applicable):
ALL

Actual results:
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/prereq-ports-clients.html lists all required ports but doesn't explain the usage.

Expected results:
The documentation should also explain why 80/TCP & 389/TCP are required and why these ports are not a security issue.

FreeIPA requires HTTP port 80/TCP to serve Dogtag's OCSP responder and as CRL distribution point. OCSP responses and CRL files are signed and therefore secured against MitM attacks. The FreeIPA web UI requires HTTPS.

LDAPS on port 636/TCP is deprecated in favor of 389/TCP with StartTLS. Clients upgrade connections on 389/TCP to TLS protection and encryption. 636/TCP is still required.

Comment 3 Christian Heimes 2016-04-13 11:12:42 UTC
Does it also make sense to mention firewalld? firewalld comes with service definitions for FreeIPA, https://github.com/t-woerner/firewalld/tree/master/config/services . Both freeipa service definitions open http, https, kerberos, kpasswd and ntp. freeipa-ldap also opens ldap while freeipa-ldaps opens ldaps. For FreeIPA with DNS, the dns service is required as well. The service files are available in RHEL and Fedora.

To open the firewall ports with firewalld permanently, run:

# firewall-cmd --add-service=freeipa-ldap
# firewall-cmd --add-service=freeipa-ldap --permanent
# firewall-cmd --add-service=freeipa-ldaps
# firewall-cmd --add-service=freeipa-ldaps --permanent
# firewall-cmd --add-service=dns
# firewall-cmd --add-service=dns --permanent
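
As an added example (not part of the bug report or of firewalld itself), the following script audits whether the firewalld services named above are present in both the runtime and the permanent configuration of the active zone, since a service added only at runtime is lost at the next firewalld reload. The service names are the ones from the comment above; the function names and the `firewall-cmd --list-services` invocations are my own assumptions about how one would wire this up.

```shell
#!/bin/sh
# Audit firewalld for the services a FreeIPA server with LDAP, LDAPS and DNS
# needs. Service names taken from the comment above; everything else is an
# added, assumed helper.
IPA_REQUIRED_SERVICES="freeipa-ldap freeipa-ldaps dns"

# ipa_missing_services ACTIVE_LIST REQUIRED_LIST
# Prints the required services (space separated) that are absent from
# ACTIVE_LIST. Pure string processing, so it is testable without firewalld.
ipa_missing_services() {
    active=" $1 "
    missing=""
    for svc in $2; do
        case "$active" in
            *" $svc "*) ;;   # already enabled
            *) missing="${missing:+$missing }$svc" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# ipa_firewall_audit
# Compares the live runtime set and the permanent set separately and reports
# what is still missing in each. Returns 0 only when nothing is missing.
ipa_firewall_audit() {
    runtime=$(firewall-cmd --list-services) || return 1
    permanent=$(firewall-cmd --permanent --list-services) || return 1
    miss_rt=$(ipa_missing_services "$runtime" "$IPA_REQUIRED_SERVICES")
    miss_perm=$(ipa_missing_services "$permanent" "$IPA_REQUIRED_SERVICES")
    [ -n "$miss_rt" ] && echo "missing at runtime:  $miss_rt"
    [ -n "$miss_perm" ] && echo "missing permanently: $miss_perm"
    [ -z "$miss_rt$miss_perm" ]
}
```

Run `ipa_firewall_audit` as root on the IPA server; a non-zero exit with a "missing permanently" line means the `--permanent` variants of the commands above still need to be applied.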

Comment 4 Alexander Bokovoy 2016-04-20 09:26:21 UTC
Note also that another recommended use of LDAP 389 port is with SASL GSSAPI authentication. In fact, default SSSD configuration for IPA clients is done with this method.

To enforce encryption and signing of packages when using SASL GSSAPI, one needs to set defaults in ldap.conf(5) for all LDAP clients. See the 'GSSAPI OPTIONS' section of the ldap.conf(5) manual page. 'GSSAPI_SIGN on' / 'GSSAPI_ENCRYPT on' are the specific options to force.

Comment 6 Marc Muehlfeld 2016-05-10 11:20:33 UTC
I added the information to the "Note" in this section.

Comment 9 Aneta Šteflová Petrová 2016-06-10 11:54:57 UTC
Published in an asynchronous update.