Which ports are required in order to authenticate against a ldap server in another domain which is behind a firewall?

53,785

Solution 1

As long as it's LDAP auth only (and not AD/Kerberos etc.), 389 should be sufficient.

Solution 2

You should use TCP ports 389 and/or 636. Port 636 is for LDAPS, which is LDAP over SSL. Encryption on port 389 is also possible using the STARTTLS mechanism, but in that case you should explicitly verify that encryption is being done.

Microsoft's KB article says:

  • Start TLS extended request

    LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged. Windows 2000 does not support the Start TLS extended-request functionality.

Also see the related Server Fault question.

Solution 3

This really depends on SSSD configuration, in particular auth_provider. auth_provider=ldap requires either port 389 (with TLS) or 636 (ldaps). auth_provider=krb5 requires port 88.

ipa and AD providers require both actually, because even identity data is encrypted with GSSAPI, so you need port 88 to prime the ccache to do a GSSAPI LDAP bind, then port 389 to search LDAP and then also again port 88 for authentication.

IPA and AD providers also rely heavily on DNS, so port 53 might be appropriate as well.

Solution 4

SSSD can be configured to retrieve user information from the Active Directory Global Catalog. That would require port 3268: https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server

If you will access any SAMBA shares, then dynamic ports will be necessary to verify access to folders before opening them.

This TechNet document lists all potential ports, depending on the features you will use. It also has a link to restricting dynamic ports if you want to limit the number of potential ports. https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx
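As an added example (not code from any of the answers above), the following Python script turns the port rules stated in Solutions 3 and 4 into a check an admin can run from the NJ side: it reads an sssd.conf, works out which ports each configured domain needs through the firewall, and can test TCP reachability. The sssd.conf keys are real SSSD options; the sample config, the host names and the assumption that `ad_enable_gc` defaults to true are mine.

```python
# Added example: derive the firewall ports an SSSD domain needs, following the
# rules in Solutions 3 and 4 of this thread. The config below is constructed.
import configparser
import socket

# Constructed sssd.conf for the question's "NJ clients -> NY Active Directory" case.
SAMPLE_SSSD_CONF = """
[sssd]
domains = ny.example.test
services = nss, pam

[domain/ny.example.test]
id_provider = ad
auth_provider = ad
ad_domain = ny.example.test
ad_server = dc1.ny.example.test
ad_enable_gc = true
"""

def required_ports(conf_text):
    """Map each [domain/...] section to the set of port numbers it requires."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        id_prov = dom.get("id_provider", "").strip().lower()
        auth_prov = dom.get("auth_provider", id_prov).strip().lower()  # SSSD falls back to id_provider
        uri = dom.get("ldap_uri", "").strip().lower()
        ports = set()
        if "ldap" in (id_prov, auth_prov):          # plain LDAP: 636 for ldaps://, else 389 (+STARTTLS)
            ports.add(636 if uri.startswith("ldaps://") else 389)
        if auth_prov == "krb5":                     # Kerberos-only auth needs the KDC
            ports.add(88)
        if "ipa" in (id_prov, auth_prov) or "ad" in (id_prov, auth_prov):
            ports |= {88, 389, 53}                  # Kerberos to prime ccache, GSSAPI LDAP bind, DNS (TCP and UDP)
        # Assumption: the AD provider queries the Global Catalog unless ad_enable_gc = false.
        if id_prov == "ad" and dom.getboolean("ad_enable_gc", fallback=True):
            ports.add(3268)
        result[section[len("domain/"):]] = ports
    return result

def check_tcp(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds; run from a client behind the firewall."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for domain, ports in required_ports(SAMPLE_SSSD_CONF).items():
        print(domain, sorted(ports))
```

Note that this only lists the ports the answers name; SMB/dynamic RPC ports for Samba shares are outside what SSSD itself needs.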




Itai Ganot

Architect and Lecturer in the field of DevOps Engineering. LinkedIn: https://www.linkedin.com/in/itaiganot Personal Website: http://geek-kb.com

Updated on September 18, 2022

Comments

  • Itai Ganot
    Itai Ganot over 1 year

    I have a Linux domain running with sssd, let's call this domain NJ.

    I'd like machines on the NJ domain to be able to authenticate against an Active Directory ldap server which resides on a different domain (called NY) which is behind a firewall.

    Would it be enough to allow only port 389 between both domains or are there any other ports which are required in order for the machines on the NJ domain to authenticate against ldap servers in the NY domain?

  • MDMoore313
    MDMoore313 about 9 years
    +1, but he might also want to check w/ the firewall admin on the NY side to make sure they're doing things standard and not doing some freaky port forwarding, or the like.
  • Itai Ganot
    Itai Ganot about 9 years
    Thanks for your answer Sven, but Active Directory also uses Kerberos for authentication as far as I know; does it not require opening another port?
  • FooBee
    FooBee about 9 years
    @ItaiGanot: AD uses Kerberos, yes, and if you want any of that, just port 389 is not sufficient. However, it's possible to authenticate just against the LDAP part of ActiveDirectory and it will not be all that different to an OpenLDAP or 389DS server.
  • GuitarPicker
    GuitarPicker about 9 years
    Thank you for mentioning the other ports in your answer.
  • Itai Ganot
    Itai Ganot about 9 years
    Thanks for your answer, I'll try it tomorrow when I'm at work and will let you know.