Sandy, I'm a fan of your suggested FreeIPA implementation, but some real planning is
required ahead of time.
You need to dig into the documentation and look at what your real requirements are.
I'd suggest you plan yourself with something similar to this:
root CA - CentOS 7.x with 389-directory server and dogtag-pki CA configuration (may not be
necessary depending on your requirement)
- this can be kept offline and secure
two or more identity management servers set up to replicate - CentOS 7.x with IdM installed
(IdM is part of the baseline install for CentOS)
I've successfully used IdM to support an oVirt virtualization cluster, and I'm
told that IdM to Windows AD is relatively painless (but have not done it myself).
Clients - IdM will support Fedora, CentOS 6 and CentOS 7 clients, plus all kinds of other
capabilities
Built this way, you will look a lot like the Red Hat upstream solution, and you can even
use the upstream documentation to plan.
- Root CA = RHEL 7 Red Hat Certificate Server on Red Hat Directory Server
- IdM servers = RHEL 7 servers with IdM
- oVirt virt cluster = Red Hat Enterprise Virtualization
Your actual Root CA, IdM servers and test clients can even exist within the oVirt cluster
as clients.
Steve