Which ports are required in order to authenticate against a ldap server in another domain which is behind a firewall?

Solution 1:

As long as it is LDAP auth only (and not AD/Kerberos etc.), 389 should be sufficient.

Solution 2:

You should use TCP ports 389 and/or 636. Port 636 is for LDAPS, which is LDAP over SSL. Encryption on port 389 is also possible using the STARTTLS mechanism, but in that case you should explicitly verify that encryption is being done.

Microsoft's KB article says:

  • Start TLS extended request

    LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged. Windows 2000 does not support the Start TLS extended-request functionality.

Also see the related Server Fault question.
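Solution 2 says that when you use port 389 you should explicitly verify that StartTLS encryption is actually negotiated before credentials are sent. The following is an added example (not code from any of the answers above) showing what that check looks like at the wire level: it builds the LDAP StartTLS ExtendedRequest, parses the server's ExtendedResponse, and only upgrades the socket (with certificate and hostname verification) when the result code is success. The `starttls_connect` helper name and the sample response bytes are constructed for illustration.

```python
# Added example: a minimal LDAP StartTLS (RFC 4511 / RFC 4513) client-side check.
# Only short-form BER lengths are used; StartTLS messages are well under 128 bytes.
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID


def build_starttls_request(message_id: int = 1) -> bytes:
    # LDAPMessage ::= SEQUENCE { messageID INTEGER,
    #                            ExtendedRequest [APPLICATION 23] { requestName [0] OID } }
    msg_id = b"\x02\x01" + bytes([message_id])
    req_name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID
    ext_req = b"\x77" + bytes([len(req_name)]) + req_name
    return b"\x30" + bytes([len(msg_id) + len(ext_req)]) + msg_id + ext_req


def parse_extended_response(data: bytes) -> int:
    # Returns the LDAP resultCode (0 == success) carried in an
    # ExtendedResponse [APPLICATION 24] (tag 0x78); the resultCode is the
    # first ENUMERATED (tag 0x0a) inside it.
    if len(data) < 9 or data[0] != 0x30 or data[2] != 0x02:
        raise ValueError("not an LDAPMessage")
    pos = 4 + data[3]  # skip SEQUENCE header and the messageID INTEGER
    if data[pos] != 0x78:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % data[pos])
    pos += 2  # tag + short-form length
    if data[pos] != 0x0A:
        raise ValueError("missing resultCode")
    length = data[pos + 1]
    return int.from_bytes(data[pos + 2:pos + 2 + length], "big")


def starttls_connect(host: str, port: int = 389, timeout: float = 5.0) -> ssl.SSLSocket:
    # Hypothetical helper: open port 389, request StartTLS and refuse to go on
    # unless the server accepted it, so a bind can never fall back to cleartext.
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(build_starttls_request())
    if parse_extended_response(sock.recv(4096)) != 0:
        sock.close()
        raise RuntimeError("server refused StartTLS; not sending credentials in clear")
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    return ctx.wrap_socket(sock, server_hostname=host)


# Constructed sample responses (not captured from a real server):
# resultCode 0 = success, resultCode 52 = unavailable (StartTLS refused).
SUCCESS_RESPONSE = bytes.fromhex("300c02010178070a010004000400")
REFUSED_RESPONSE = bytes.fromhex("300c02010178070a013404000400")
```

The same check is what `ldapsearch -ZZ` enforces: `-ZZ` makes the StartTLS request and aborts the session if it does not succeed.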

Solution 3:

This really depends on SSSD configuration, in particular auth_provider. auth_provider=ldap requires either port 389 (with TLS) or 636 (ldaps). auth_provider=krb5 requires port 88.

ipa and AD providers require both actually, because even identity data is encrypted with GSSAPI, so you need port 88 to prime the ccache to do a GSSAPI LDAP bind, then port 389 to search LDAP and then also again port 88 for authentication.

IPA and AD providers also rely heavily on DNS, so port 53 might be appropriate as well.