Bug 765972 - Mimic firewall behavior
Product: Fedora
Classification: Fedora
Component: 389-ds-base
Assigned To: Rich Megginson
Fedora Extras Quality Assurance
Reported: 2011-12-09 14:36 EST by Dmitri Pal
Modified: 2012-01-10 15:56 EST (History)
Doc Type: Bug Fix
Last Closed: 2011-12-13 06:53:16 EST
Description Dmitri Pal 2011-12-09 14:36:00 EST
For the cross-realm trust use case, AD needs to be able to connect to IPA on some ports but not on others. Usually AD connects on the CLDAP port, which runs as a plugin inside DS. This plugin could record the IP of the AD inside some predefined area that would constitute the blacklist of clients.
The bind logic should then consult this list and ignore requests coming from those IP addresses.

The list should not be replicated. The list should also have a timestamp which is updated every time a request comes in for a blacklisted client. This timestamp would help later to identify when the client last tried to access DS and to clean this list if the client was decommissioned.
Alternatively, the entry can be removed after some period of time if there is already a mechanism to perform such internal cleanup in the DS.

This functionality would be nice to have to avoid the complexity of setting up trust relationships and reduce the burden of setting per-port firewall rules between the AD and IPA environments.

Related IPA ticket is 
Target release IPA 3.1.
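A sketch of the blacklist-with-timestamps mechanism the description proposes, added here as an illustration; it is not code from 389-ds-base or IPA. The class and method names, the idle timeout and the 192.0.2.x addresses are constructed for the example.

```python
import time


class ClientBlocklist:
    """Local (non-replicated) list of client IPs seen by the CLDAP plugin.

    The bind path consults it to ignore LDAP binds from those clients, and
    every consult refreshes a last-seen timestamp so that decommissioned
    clients can later be pruned. Hypothetical sketch, not a DS plugin API.
    """

    def __init__(self, max_idle_seconds):
        self._last_seen = {}          # ip -> last request time (epoch seconds)
        self._max_idle = max_idle_seconds

    def record_cldap_client(self, ip, now=None):
        """Called by the CLDAP plugin when an AD client talks to it."""
        self._last_seen[ip] = time.time() if now is None else now

    def should_reject_bind(self, ip, now=None):
        """Called by the bind logic. True means ignore the request.

        The timestamp is refreshed on every blocked request, as the
        description asks, so last_seen() reflects the client's last attempt.
        """
        if ip not in self._last_seen:
            return False
        self._last_seen[ip] = time.time() if now is None else now
        return True

    def prune(self, now=None):
        """Drop clients idle longer than max_idle (decommissioned AD hosts).

        Returns the removed IPs so the caller can log the cleanup.
        """
        now = time.time() if now is None else now
        stale = [ip for ip, t in self._last_seen.items() if now - t > self._max_idle]
        for ip in stale:
            del self._last_seen[ip]
        return stale

    def last_seen(self, ip):
        return self._last_seen.get(ip)
```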
Comment 1 Scott Haines 2011-12-12 17:44:16 EST
Just verifying -- Is this still needed?
Comment 2 Dmitri Pal 2011-12-12 17:56:35 EST
(In reply to comment #1)
> Just verifying -- Is this still needed?

Unclear, Sumit is testing. Please check with him directly.
Comment 3 Sumit Bose 2011-12-13 06:53:16 EST
Recent tests show that it is not necessary to block the TCP LDAP port to make AD play nice with IPA. I will close this ticket as NOTABUG. Sorry for the noise.
