8

I have a Linux domain running with sssd, let's call this domain NJ.

I'd like machines on the NJ domain to be able to authenticate against an Active Directory LDAP server which resides on a different domain (called NY) that is behind a firewall.

Would it be enough to allow only port 389 between both domains, or are there any other ports which are required in order for the machines on the NJ domain to authenticate against LDAP servers in the NY domain?

Itai Ganot

4 Answers

13

You should use TCP ports 389 and/or 636. Port 636 is for LDAPS, which is LDAP over SSL. Encryption on port 389 is also possible using the STARTTLS mechanism, but in that case you should explicitly verify that encryption is being done.

Microsoft's KB article says:

  • Start TLS extended request

    LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged. Windows 2000 does not support the Start TLS extended-request functionality.

Also see the related Server Fault question.

200_success
4

As long as it is LDAP auth only (and not AD/Kerberos etc.), 389 should be sufficient.

Sven
    +1, but he might also want to check w/ the firewall admin on the NY side to make sure they're doing things standard and not doing some freaky port forwarding, or the like. – MDMoore313 Apr 14 '15 at 15:42
  • Thanks for your answer Sven, but Active Directory also uses Kerberos for authentication as far as I know; does it not require opening another port? – Itai Ganot Apr 14 '15 at 16:13
  • @ItaiGanot: AD uses Kerberos, yes, and if you want any of that, just port 389 is not sufficient. However, it's possible to authenticate just against the LDAP part of ActiveDirectory and it will not be all that different to an OpenLDAP or 389DS server. – Sven Apr 14 '15 at 16:16
1

This really depends on SSSD configuration, in particular auth_provider. auth_provider=ldap requires either port 389 (with TLS) or 636 (ldaps). auth_provider=krb5 requires port 88.

ipa and AD providers require both actually, because even identity data is encrypted with GSSAPI, so you need port 88 to prime the ccache to do a GSSAPI LDAP bind, then port 389 to search LDAP and then also again port 88 for authentication.

IPA and AD providers also rely heavily on DNS, so port 53 might be appropriate as well.

jhrozek
1

SSSD can be configured to retrieve user information from the Active Directory Global Catalog. That would require port 3268: https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server

If you will access any Samba shares, then dynamic ports will be necessary to verify access to folders before opening them.

This TechNet document lists all potential ports, depending on the features you will use. It also has a link to restricting dynamic ports if you want to limit the number of potential ports. https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

Zach Bolinger
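The answers above give the port requirements piecemeal: 389/636 for the ldap provider (200_success, Sven), 88 plus 389 plus DNS for krb5 and the ad/ipa providers (jhrozek), and 3268 for Global Catalog lookups (Zach Bolinger). The script below is an added example, not code from this thread or from the SSSD project: it reads an sssd.conf, derives the NJ-to-NY allow-list from `id_provider`, `auth_provider`, `ldap_uri`, `ldap_id_use_start_tls` and `ad_enable_gc` (all real sssd.conf options), renders nftables rules, and flags identity lookups that would run over plain `ldap://` without STARTTLS, which is the "explicitly verify that encryption is being done" point from the accepted answer. The sssd.conf snippets and the `*.ny.example.invalid` hostnames are constructed for the example.

```python
"""Derive the NJ -> NY firewall allow-list from an SSSD client's sssd.conf.

Added example; not from the Server Fault thread or the SSSD project. Encodes
the port rules stated in the answers: 389/636 for ldap, 88 for krb5,
88 + 389 + 53 for ad/ipa, 3268 for Global Catalog lookups.
"""
import configparser
from urllib.parse import urlsplit

# Default LDAP ports by URI scheme.
LDAP_DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed sssd.conf snippets; the NY domain and its DCs are placeholders.
SAMPLE_LDAP_CONF = """
[sssd]
services = nss, pam
domains = NY

[domain/NY]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dc1.ny.example.invalid, ldaps://dc2.ny.example.invalid
ldap_id_use_start_tls = true
"""

SAMPLE_AD_CONF = """
[domain/NY]
id_provider = ad
ad_domain = ny.example.invalid
"""

SAMPLE_PLAIN_LDAP_CONF = """
[domain/NY]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.ny.example.invalid
krb5_server = dc1.ny.example.invalid
"""


def _truthy(value, default):
    """Parse an sssd.conf boolean; None means the option is absent."""
    if value is None:
        return default
    return value.strip().lower() in ("true", "yes", "1")


def ldap_ports(uri_value, start_tls):
    """Map an ldap_uri list to (proto, port) pairs; warn on ldap:// without STARTTLS.

    ldap_id_use_start_tls defaults to false, so identity lookups over ldap://
    are unencrypted unless it is turned on explicitly.
    """
    ports, warnings = set(), []
    if not uri_value:
        # No ldap_uri: SSSD finds servers via DNS SRV records, default port 389.
        ports |= {("tcp", 389), ("tcp", 53), ("udp", 53)}
        if not start_tls:
            warnings.append("ldap_id_use_start_tls is off: identity lookups over ldap:// are unencrypted")
        return ports, warnings
    for uri in uri_value.replace(",", " ").split():
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        if scheme not in LDAP_DEFAULT_PORTS:
            warnings.append(f"{uri}: unsupported scheme, skipped")
            continue
        ports.add(("tcp", parts.port or LDAP_DEFAULT_PORTS[scheme]))
        if scheme == "ldap" and not start_tls:
            warnings.append(f"{uri}: plain ldap:// without STARTTLS; set ldap_id_use_start_tls = true")
    return ports, warnings


def required_ports(conf_text):
    """Return {domain: {"ports": set of (proto, port), "warnings": [...]}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        id_provider = dom.get("id_provider", "").strip().lower()
        # sssd.conf(5): auth_provider falls back to id_provider when unset.
        auth_provider = dom.get("auth_provider", id_provider).strip().lower()
        start_tls = _truthy(dom.get("ldap_id_use_start_tls"), False)
        ports, warnings = set(), []
        if "ldap" in (id_provider, auth_provider):
            p, w = ldap_ports(dom.get("ldap_uri"), start_tls)
            ports |= p
            warnings += w
        if auth_provider == "krb5":
            ports |= {("tcp", 88), ("udp", 88)}  # KDC: UDP first, TCP fallback
        if "ad" in (id_provider, auth_provider) or "ipa" in (id_provider, auth_provider):
            # GSSAPI bind: ticket from the KDC (88) first, then LDAP (389/636),
            # plus DNS (53) for SRV discovery. GSSAPI seals the LDAP session,
            # so the STARTTLS warning does not apply here.
            p, w = ldap_ports(dom.get("ldap_uri"), start_tls=True)
            ports |= p | {("tcp", 88), ("udp", 88), ("tcp", 53), ("udp", 53)}
            warnings += w
            # sssd-ad(5): ad_enable_gc defaults to true and uses the GC port.
            if id_provider == "ad" and _truthy(dom.get("ad_enable_gc"), True):
                ports.add(("tcp", 3268))
        report[section.split("/", 1)[1]] = {"ports": ports, "warnings": warnings}
    return report


def nft_rules(ports):
    """Render one nftables rule per protocol, e.g. 'tcp dport { 389, 636 } accept'."""
    rules = []
    for proto in ("tcp", "udp"):
        nums = sorted(port for p, port in ports if p == proto)
        if nums:
            rules.append(f"{proto} dport {{ {', '.join(map(str, nums))} }} accept")
    return rules


if __name__ == "__main__":
    for name, conf in (("ldap+STARTTLS", SAMPLE_LDAP_CONF), ("ad", SAMPLE_AD_CONF),
                       ("plain ldap+krb5", SAMPLE_PLAIN_LDAP_CONF)):
        for domain, info in required_ports(conf).items():
            print(f"[{name}] domain {domain}:")
            for rule in nft_rules(info["ports"]):
                print("  ", rule)
            for warning in info["warnings"]:
                print("   WARNING:", warning)
```

The rules it prints are only the SSSD side of the picture: Samba share access and the other features in the TechNet list still need their own ports, and the allow-list should be narrowed to the NY domain controllers' addresses before it goes into the firewall.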