I've got CentOS 7.6 installed and working just fine.

I looked into LDAP; 389-DS; and FreeIPA and LDAP wanted me to install DNS so I did. I've added all of the machines static IP addresses to both forward and backward modules. I've added the my DNS server to all Linux and 2 Windows machines. I tested the results using nslookup and it appears to be working correctly.

First question: Since my DNS is working can I remove those entries from my hosts file so I have only a single maintenance point?


Before starting to install my virtual machines on my Linux machines I have built the required Bridge network.

Second question: Does it make since to install openvswitch and what will that buy me as far as networking is concerned?


I've installed 389-DS but I've not started using it. When I worked for a living all of our RHEL Servers (~1800 of them) was connected to our Windows AD servers.

Third question: I worked last in 01/2016 so my memory is questionable, but isn't that something I can do using 389-DS?
Forth question: What, exactly, does this buy me (other than trying to look like a fortune 500 company) as far as security is concerned?


Fifth question: Is this making things too complicated for a environment with only 12 machines?

TIA Gene

Yes, as long as your DNS works as it should and you aren't messing around with it all the time (bringing up the service up and down 60 times a minute) you should be fine.

Unless you plan of using vlans or some virtual port security, you don't need openvswitch, I run barebones KVM with more then 100 machines on a single bridge interface (x2 10g bonded interfaces) and it works just fine.

You can use LDAP + kerberos to give you something close to AD (you won't be able to push policys to linux machines (cant do it in AD either) or update SSL certificates (with AD and SSSD you can do this).

Done right TGT tickets (kerberos) are very hard to forge, it gives you some advantages with some slight maintenance (SSL certs group/user management and DNS records)but gives you so much more... think single sign on, think login from anywhere without worrying if you sync'ed accounts, has somewhat better accounting for accounts then just standard UNIX does, has better password polices, enable/disable once, enable/disable everywhere! Your VM's are small now, but in time they will probably grow, wouldn't be nice if you had a proper way to maintain the vms/ other hardware? It also bring down the maintince of every box (VM in your case) because you don't have to worry about anything related to user accounts, set it and forget it and just worry about the LDAP side of things.

No, in my opinion the point in time where you have to manage more then one account list is when you are doing it wrong, nevermind 12

1 members found this post helpful.

Which virtualisation product are you using? From experience I know oVirt relies heavily on DNS. If there is any interruption in DNS then oVirt will become rediculously slow and appear like it's not working. To overcome this, update the /etc/hosts with the manager and hosts DNS mappings. I do this in production with Openstack and RHV (the Red Hat oVirt).

I know it does seem silly to do it and I've argued this point but if you don't do it then you leave yourself open to frustrations. You dont need to add mappings for any VM, only the manager and the physical hosts.

1 members found this post helpful.

For most of my machines running virtualization, I'm using KVM. On a single machine I'm using VirtualBox because VirtualBox is the only one where ArcaOS | eComStation | OS/2 works.
Gene