For the cross-realm trust use case, AD needs to be able to connect to IPA on some ports but not on others. Usually AD connects on the CLDAP port, which runs as a plugin inside DS. This plugin could record the IP of the AD inside some predefined area that would constitute the blacklist of clients. The bind logic should then consult this list and ignore requests coming from those IP addresses. The list should not be replicated. The list should also carry a timestamp that is updated every time a request comes in from a blacklisted client. This timestamp would help later to identify when the client last tried to access DS and to clean this list if the client was decommissioned. Alternatively, the entry can be removed after some period of time if there is already a mechanism to perform such internal cleanup in the DS. This functionality would be nice to have to avoid the complexity of setting up trust relationships and reduce the burden of setting per-port firewall rules between the AD and IPA environments. Related IPA ticket is https://fedorahosted.org/freeipa/ticket/1830. Target release: IPA 3.1.
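The per-server blacklist sketched above, as an added example (not FreeIPA or 389-DS code): the CLDAP side records the client, the bind side consults and refreshes the entry, and a cleanup pass drops clients not seen for a while. The class and method names, the 24-hour expiry, and the IPv4-mapped-IPv6 normalisation are assumptions for illustration.

```python
"""Sketch of a non-replicated, per-server client blacklist with last-seen timestamps.

Added example, not FreeIPA/389-DS code. ClientBlacklist, its method names and
the 24h expiry are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ClientBlacklist:
    # Entries live only in this server's memory: the list is not replicated.
    entries: dict = field(default_factory=dict)  # normalised ip -> last-seen timestamp
    max_age: float = 24 * 3600                   # assumed cleanup horizon in seconds

    @staticmethod
    def _norm(ip: str) -> str:
        # Canonicalise so "::ffff:192.0.2.10" and "192.0.2.10" count as one client.
        addr = ipaddress.ip_address(ip)
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        return str(addr)

    def record_cldap_client(self, ip: str, now: float) -> None:
        # Called from the CLDAP plugin: a client that speaks CLDAP is an AD DC,
        # so its LDAP binds are to be ignored from now on.
        self.entries[self._norm(ip)] = now

    def should_ignore_bind(self, ip: str, now: float) -> bool:
        # Called by the bind logic. A hit refreshes the timestamp so the
        # operator can later see when the client last tried to bind.
        key = self._norm(ip)
        if key not in self.entries:
            return False
        self.entries[key] = now
        return True

    def expire(self, now: float) -> list:
        # Periodic cleanup: drop clients not seen within max_age (e.g. a
        # decommissioned AD DC). Returns the removed addresses for logging.
        stale = [ip for ip, seen in self.entries.items() if now - seen > self.max_age]
        for ip in stale:
            del self.entries[ip]
        return stale
```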
Just verifying -- Is this still needed?
(In reply to comment #1)
> Just verifying -- Is this still needed?

Unclear, Sumit is testing. Please check with him directly.
Recent tests show that it is not necessary to block the TCP LDAP port to make AD play nice with IPA. I will close this ticket as NOTABUG. Sorry for the noise.