Steve
On Tue, Feb 19, 2019, 16:34 William Brown, <wbrown@xxxxxxx> wrote:
> On 20 Feb 2019, at 03:21, Steve Kuervers <kuervers.sj@xxxxxxxxx> wrote:
>
> Sandy, I'm a fan of your suggested FreeIPA implementation, but some real planning is required ahead of time.
>
> You need to dig into the documentation and look at what your real requirements are. I'd suggest you plan yourself with something similar to this:
>
> root CA - CentOS 7.x with 389-directory server and dogtag-pki CA configuration (may not be necessary depending on your requirement)
> - this can be kept offline and secure
I would advise *not* using the CA functionality in IPA, and just bringing in p12 bundles instead. You could automate this with Let's Encrypt or another CA that you may use.
>
> two or more identity management servers set up to replicate - CentOS 7.x with IdM installed (IdM is part of the baseline install for CentOS)
>
> I've successfully used IdM to support an oVirt virtualization cluster, and I'm told that IdM to Windows AD is relatively painless (but have not done it myself).
>
> Clients - IdM will support Fedora, CentOS 6 and CentOS 7 clients, plus all kinds of other capabilities
>
> Built this way, you will look a lot like the Red Hat upstream solution, and you can even use the upstream documentation to plan:
>
> - Root CA = RHEL 7 Red Hat Certificate Server on Red Hat Directory Server
The CA is part of IdM, not separate.
> - IdM servers = RHEL 7 servers with IdM
> - oVirt virt cluster = Red Hat Enterprise Virtualization
>
> Your actual Root CA, IdM servers and test clients can even exist within the oVirt cluster as clients.
>
> Steve
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
—
Sincerely,
William Brown
Software Engineer, 389 Directory Server
SUSE Labs