hi,

sorry, replied to OP directly, not the list.

On Mon, Dec 20, 2021 at 1:11 PM Ronald Wimmer <ronaldw@ronzo.at> wrote:
On 20.12.21 10:21, Natxo Asenjo via FreeIPA-users wrote:
> hi,
>
> On Mon, Dec 20, 2021 at 8:36 AM Ronald Wimmer via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hi,
>>
>>
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#prereq-ports
>> states a list of required ports but is a little vague.
>>
>> Besides NTP and DNS which ports are really essential to be open? And in
>> which direction? TCP/UDP?
>>
>> - on an IPA server (all of the listed ports in both directions?)
>>
>
> take a look at table 2.1 in the document you link to. If you do not run DNS
> or NTP, you do not need to open those ports obviously.  The basic
> functionality is LDAP (389/636 tcp) and Kerberos (88/464 udp/tcp). Plus the
> API which requires 80/443 tcp. DNS and NTP can be run on other hosts but it
> makes it harder really.

OK. All these ports have to be open on the server side. Even port 80? I
know about STARTTLS for port 389 but can't a connection be established
on port 636 from the beginning?

ocsp checks need to happen on port 80.

You may close port 389, stuff might break, you keep all the little pieces ;-)

This is specifically indicated on the document you link to, under table 2.1, see 'note'.

Kerberos needs both, TCP and UDP?

yes


But which ports have to be open on an IPA client? None?

re-read my reply earlier.

--
regards,
natxo
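An added example, not from anyone in this thread: a small POSIX sh check that encodes the port list discussed above (LDAP 389/636 tcp, Kerberos 88/464 tcp+udp, 80/443 tcp for the API/OCSP, plus DNS and NTP only if the IPA server runs them), compares it with the output format of `firewall-cmd --list-ports`, and prints the firewall-cmd lines that would close the gap. The sample open-port list is constructed for the demonstration.

```shell
#!/bin/sh
# Server-side ports from the thread. 389/tcp is kept in the core list because,
# as noted above, closing it "might break stuff" (OCSP also needs 80/tcp).
REQUIRED_CORE="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp 464/tcp 464/udp"
REQUIRED_DNS="53/tcp 53/udp"   # only if the IPA server serves DNS
REQUIRED_NTP="123/udp"         # only if the IPA server serves NTP

# Print the required "port/proto" list for a server; pass "dns" and/or "ntp"
# to include the optional services.
required_ports() {
    list="$REQUIRED_CORE"
    for opt in "$@"; do
        case "$opt" in
            dns) list="$list $REQUIRED_DNS" ;;
            ntp) list="$list $REQUIRED_NTP" ;;
        esac
    done
    printf '%s\n' "$list"
}

# Compare a required list ($1) with the space-separated list printed by
# `firewall-cmd --list-ports` ($2); print the entries that are not open.
missing_ports() {
    missing=""
    for need in $1; do
        found=0
        for have in $2; do
            [ "$need" = "$have" ] && found=1
        done
        [ "$found" -eq 0 ] && missing="$missing $need"
    done
    printf '%s\n' "${missing# }"
}

# Print (do not run) the firewall-cmd invocations that would open a missing list.
firewall_cmds() {
    for p in $1; do
        printf 'firewall-cmd --permanent --add-port=%s\n' "$p"
    done
}

# Constructed sample: a server where only LDAPS, HTTPS and Kerberos/TCP were opened,
# the situation the "can't I just use 636 from the beginning?" question describes.
SAMPLE_OPEN="636/tcp 443/tcp 88/tcp"
firewall_cmds "$(missing_ports "$(required_ports)" "$SAMPLE_OPEN")"
```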