Bug 1326418 - System ports doc should explain port usage
Summary: System ports doc should explain port usage
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Linux_Domain_Identity_Management_Guide
Version: 7.2
Hardware: All
OS: All
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Marc Muehlfeld
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-04-12 15:36 UTC by Christian Heimes
Modified: 2019-03-06 00:54 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-10 11:54:57 UTC
Target Upstream Version:



Description Christian Heimes 2016-04-12 15:36:36 UTC
Description of problem:

Regularly people ask which firewall ports must be opened for FreeIPA or why (supposedly) insecure ports are required. Admins are mostly concerned about plain HTTP and LDAP ports.


Version-Release number of selected component (if applicable):
ALL

Actual results:
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/prereq-ports-clients.html lists all required ports but doesn't explain the usage.

Expected results:
The documentation should also explain why 80/TCP & 389/TCP are required and why these ports are not a security issue.

FreeIPA requires HTTP port 80/TCP to serve Dogtag's OCSP responder and as CRL distribution point. OCSP responses and CRL files are signed and therefore secured against MitM attacks. The FreeIPA web ui requires HTTPS.

LDAPS on port 636/TCP is deprecated in favor of 389/TCP with StartTLS. Clients upgrade connections on 389/TCP to TLS protection and encryption. 636/TCP is still required.

Comment 3 Christian Heimes 2016-04-13 11:12:42 UTC
Does it also make sense to mention firewalld? firewalld comes with service definitions for FreeIPA, https://github.com/t-woerner/firewalld/tree/master/config/services . Both freeipa service definitions open http, https, kerberos, kpasswd and ntp. freeipa-ldap also opens ldap while freeipa-ldaps opens ldaps. For FreeIPA with DNS, the dns service is required as well. The service files are available in RHEL and Fedora.

To open the firewall ports with firewalld permanently, run:

# firewall-cmd --add-service=freeipa-ldap
# firewall-cmd --add-service=freeipa-ldap --permanent
# firewall-cmd --add-service=freeipa-ldaps
# firewall-cmd --add-service=freeipa-ldaps --permanent
# firewall-cmd --add-service=dns
# firewall-cmd --add-service=dns --permanent

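As an added illustration of what the firewall-cmd calls in the comment above open (example code, not from this bug report, FreeIPA or firewalld): the script reads firewalld service definitions in the XML form firewalld uses for files such as /usr/lib/firewalld/services/NAME.xml and lists the resulting ports, so an admin can see exactly which ports enabling a service exposes and how freeipa-ldap and freeipa-ldaps differ. The XML below is constructed to match the comment's description rather than copied from the real files; the aggregate service name example-ipa-dns (using the <include> element newer firewalld releases accept) and the helper functions are this example's own.

```python
"""Audit what `firewall-cmd --add-service=NAME` would open by reading firewalld
service definitions (XML files such as /usr/lib/firewalld/services/NAME.xml).
Added example; not code from the bug report, FreeIPA or firewalld."""
import xml.etree.ElementTree as ET

# CONSTRUCTED stand-ins for the real definition files, written to match the
# comment: both freeipa-* services open http, https, kerberos, kpasswd and
# ntp; freeipa-ldap adds ldap (389/tcp), freeipa-ldaps adds ldaps (636/tcp).
FREEIPA_COMMON = """
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="464"/>
  <port protocol="udp" port="123"/>
"""
SERVICE_XML = {
    "freeipa-ldap": '<service><short>FreeIPA with LDAP</short>%s'
                    '<port protocol="tcp" port="389"/></service>' % FREEIPA_COMMON,
    "freeipa-ldaps": '<service><short>FreeIPA with LDAPS</short>%s'
                     '<port protocol="tcp" port="636"/></service>' % FREEIPA_COMMON,
    "dns": '<service><short>DNS</short>'
           '<port protocol="tcp" port="53"/><port protocol="udp" port="53"/></service>',
    # Hypothetical aggregate service (not a real firewalld service) that pulls
    # in other definitions through <include>, to show the reference is followed.
    "example-ipa-dns": '<service><short>Example IPA + DNS</short>'
                       '<include service="freeipa-ldap"/><include service="dns"/></service>',
}


def service_ports(name, definitions=SERVICE_XML, _seen=None):
    """Return the set of (port, protocol) pairs service NAME opens, following
    <include> references and guarding against include cycles."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        return set()
    _seen.add(name)
    root = ET.fromstring(definitions[name])
    ports = {(p.get("port"), p.get("protocol")) for p in root.findall("port")}
    for inc in root.findall("include"):
        ports |= service_ports(inc.get("service"), definitions, _seen)
    return ports


def _port_key(pair):
    # firewalld allows ranges such as "5000-5100"; sort on the lower bound.
    return (int(pair[0].split("-")[0]), pair[1])


def opened_ports(services, definitions=SERVICE_XML):
    """Sorted union of everything enabling each service in SERVICES opens."""
    ports = set()
    for service in services:
        ports |= service_ports(service, definitions)
    return sorted(ports, key=_port_key)


def service_diff(a, b, definitions=SERVICE_XML):
    """Ports only service A opens and ports only service B opens."""
    pa, pb = service_ports(a, definitions), service_ports(b, definitions)
    return sorted(pa - pb, key=_port_key), sorted(pb - pa, key=_port_key)


if __name__ == "__main__":
    wanted = ["freeipa-ldap", "freeipa-ldaps", "dns"]
    print("Ports opened by", ", ".join(wanted))
    for port, proto in opened_ports(wanted):
        print("  %s/%s" % (port, proto))
    only_ldap, only_ldaps = service_diff("freeipa-ldap", "freeipa-ldaps")
    print("freeipa-ldap only:", only_ldap, " freeipa-ldaps only:", only_ldaps)
```

On a real host, replacing SERVICE_XML with the contents of the files under /usr/lib/firewalld/services/ (and /etc/firewalld/services/ for local overrides) gives the actual picture for that firewalld version.
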
Comment 4 Alexander Bokovoy 2016-04-20 09:26:21 UTC
Note also that another recommended use of LDAP 389 port is with SASL GSSAPI authentication. In fact, default SSSD configuration for IPA clients is done with this method.

To enforce encryption and signing of packages when using SASL GSSAPI, one needs to set defaults in ldap.conf(5) for all LDAP clients. See 'GSSAPI OPTIONS' section of ldap.conf(5) manual page.  'GSSAPI_SIGN on' / 'GSSAPI_ENCRYPT on' are the specific options to force.

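A check for the ldap.conf defaults the comment above describes, added here as example code (not part of the bug report, FreeIPA or SSSD): it parses an ldap.conf(5)-style file and reports whether GSSAPI_SIGN and GSSAPI_ENCRYPT are both set to on, so the setting can be audited across all LDAP clients instead of assumed. Both configurations below are constructed; the parser assumes keywords and on/off values compare case-insensitively and that a later line overrides an earlier one, and treats only lines starting with # as comments.

```python
"""Report whether an ldap.conf(5) enforces GSSAPI signing and encryption.
Added example; not code from the bug report, FreeIPA or SSSD. Point
gssapi_findings() at the text of /etc/openldap/ldap.conf on a real client."""

# CONSTRUCTED samples (not a real host's file). The weak one signs but leaves
# the encryption line commented out, so GSSAPI_ENCRYPT is not enforced.
WEAK_LDAP_CONF = """\
# ldap.conf -- constructed sample
URI ldap://ipa.example.test
BASE dc=example,dc=test
TLS_CACERT /etc/ipa/ca.crt
SASL_MECH GSSAPI
GSSAPI_SIGN on
# GSSAPI_ENCRYPT on
"""

HARDENED_LDAP_CONF = """\
# ldap.conf -- constructed sample with both GSSAPI protections forced
URI ldap://ipa.example.test
BASE dc=example,dc=test
TLS_CACERT /etc/ipa/ca.crt
SASL_MECH GSSAPI
GSSAPI_SIGN on
GSSAPI_ENCRYPT on
"""

# Keyword -> required value, per the 'GSSAPI OPTIONS' section of ldap.conf(5).
REQUIRED = {"GSSAPI_SIGN": "on", "GSSAPI_ENCRYPT": "on"}


def parse_ldap_conf(text):
    """Return {KEYWORD: value} from ldap.conf-style text.

    Assumptions: keywords are case-insensitive (normalised to upper case),
    lines beginning with '#' are comments, and a later occurrence of a
    keyword overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def gssapi_findings(text):
    """List (keyword, expected, actual) for each GSSAPI protection that is not
    forced on; an empty list means signing and encryption are both enforced."""
    settings = parse_ldap_conf(text)
    findings = []
    for key, expected in REQUIRED.items():
        actual = settings.get(key, "<unset>")
        if actual.lower() != expected:
            findings.append((key, expected, actual))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        problems = gssapi_findings(conf)
        print("%s config: %s" % (label, "OK" if not problems else problems))
```
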
Comment 6 Marc Muehlfeld 2016-05-10 11:20:33 UTC
I added the information to the "Note" in this section.

Comment 9 Aneta Šteflová Petrová 2016-06-10 11:54:57 UTC
Published in an asynchronous update.

