Re: 389-DS on CentOS 6.10

You are correct that a CA is included in IdM.  But many organizations design their root CA as an independent device, often kept offline for security.  The IdM CA is then configured as a Sub-CA, responsible for its own security domain.  The benefit here is that the root CA can also provide certificates to other security subdomains, like AD, or a VMware cluster.

Steve

On Tue, Feb 19, 2019, 16:34 William Brown <wbrown@xxxxxxx> wrote:


> On 20 Feb 2019, at 03:21, Steve Kuervers <kuervers.sj@xxxxxxxxx> wrote:
>
> Sandy, I'm a fan of your suggested FreeIPA implementation, but some real planning is required ahead of time.
>
> You need to dig into the documentation and look at what your real requirements are.  I'd suggest you plan yourself with something similar to this:
>
> root CA - CentOS 7.x with 389-directory server and dogtag-pki CA configuration (may not be necessary depending on your requirement)
> - this can be kept offline and secure

I would advise *not* using the CA functionality in IPA, and just bringing in p12 bundles instead. You could automate this with Let's Encrypt or other CA that you may use.

>
> two or more identity management servers set up to replicate - CentOS 7.x with IdM installed (IdM is part of the baseline install for CentOS)
>
> I've successfully used IdM to support an oVirt virtualization cluster, and I'm told that IdM to Windows AD is relatively painless (but have not done it myself).
>
> Clients - IdM will support Fedora, CentOS 6 and CentOS 7 clients, plus all kinds of other capabilities
>
> Built this way, you will look a lot like the Red Hat upstream solution, and you can even use the upstream documentation to plan
>
> - Root CA = RHEL 7 Red Hat Certificate Server on Red Hat Directory Server

The CA is part of IdM, not separate.

> - IdM servers = RHEL 7 servers with IdM
> - oVirt virt cluster = Red Hat Enterprise Virtualization
>
> Your actual Root CA, IdM servers and test clients can even exist within the oVirt cluster as clients.
>
> Steve
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx


Sincerely,

William Brown
Software Engineer, 389 Directory Server
SUSE Labs
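Steve's design above (an independent offline root, with one sub-CA per security domain such as IdM, AD or a VMware cluster) modelled with Go's standard crypto/x509 as an added example; this is not code from the thread, from 389-DS or from FreeIPA/Dogtag. The names sign, Hierarchy and Verify, the example.test domains and the use of a critical DNS name constraint to make each sub-CA "responsible for its own security domain" are my assumptions, not something the thread specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues a cert for cn under parent/parentKey (self-signed when parent is nil); ca makes it a CA with
// pathLen and, if permitted is non-empty, a critical DNS name constraint scoping it to that subtree.
func sign(cn string, ca bool, pathLen int, permitted []string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed values: random serial, one-day validity
	t := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.MaxPathLen, t.MaxPathLenZero = true, true, pathLen, pathLen == 0
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		t.PermittedDNSDomains, t.PermittedDNSDomainsCritical = permitted, len(permitted) > 0
	} else { // server certificate: the host name goes in the SAN, which is what verifiers check
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Hierarchy: the offline root (path length 1) signs one sub-CA per security domain, each scoped to its own DNS subtree.
func Hierarchy() (root, idm, vmw *x509.Certificate, idmKey, vmwKey ed25519.PrivateKey) {
	root, rootKey := sign("Offline Root CA", true, 1, nil, nil, nil) // constructed names and example.test domains
	idm, idmKey = sign("IdM Sub-CA", true, 0, []string{"idm.example.test"}, root, rootKey)
	vmw, vmwKey = sign("VMware Sub-CA", true, 0, []string{"vmw.example.test"}, root, rootKey)
	return
}
// Verify chains leaf -> sub -> root as a relying party would, enforcing path length and name constraints.
func Verify(root, sub, leaf *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}
```

A VMware host certificate issued by the IdM sub-CA fails Verify because of the name constraint, while the same host issued by the VMware sub-CA chains to the root; the offline root key is only needed when a new sub-CA is created.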
