.\" A man page for ipa-server-install
.\" Copyright (C) 2008 Red Hat, Inc.
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\" Author: Rob Crittenden <rcritten@redhat.com>
.TH "ipa-server-install" "1" "Sep 5 2011" "FreeIPA" "FreeIPA Manual Pages"
ipa\-server\-install \- Configure an IPA server
ipa\-server\-install [\fIOPTION\fR]...
Configures the services needed by an IPA server. This includes setting up a Kerberos Key Distribution Center (KDC) with an LDAP back\-end, configuring Apache, configuring NTP and starting the ipa_kpasswd service provided by IPA. By default a dogtag\-based CA will be configured to issue server certificates.
\fB\-r\fR \fIREALM_NAME\fR, \fB\-\-realm\fR=\fIREALM_NAME\fR
The Kerberos realm name for the IPA server
\fB\-n\fR \fIDOMAIN_NAME\fR, \fB\-\-domain\fR=\fIDOMAIN_NAME\fR
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR
The password to be used by the Directory Server for the Directory Manager user
\fB\-P\fR \fIMASTER_PASSWORD\fR, \fB\-\-master\-password\fR=\fIMASTER_PASSWORD\fR
The Kerberos master password (normally autogenerated)
\fB\-a\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=\fIADMIN_PASSWORD\fR
The password for the IPA admin user
\fB\-\-hostname\fR=\fIHOST_NAME\fR
The fully\-qualified DNS name of this server. If the hostname does not match the system hostname, the system hostname will be updated accordingly to prevent service failures.
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
The IP address of this server. If this address does not match the address the host resolves to and \fB\-\-setup\-dns\fR is not selected, the installation will fail.
\fB\-N\fR, \fB\-\-no\-ntp\fR
\fB\-\-idstart\fR=\fIIDSTART\fR
The starting user and group id number (default random)
\fB\-\-idmax\fR=\fIIDMAX\fR
The maximum user and group id number (default: idstart+199999). If set to zero, the default value will be used.
\fB\-\-no_hbac_allow\fR
Do not install the allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production.
\fB\-\-no\-ui\-redirect\fR
Do not automatically redirect to the Web UI.
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input
.SS "CERTIFICATE SYSTEM OPTIONS"
\fB\-\-external\-ca\fR
Generate a CSR to be signed by an external CA
\fB\-\-external_cert_file\fR=\fIFILE\fR
File containing PKCS#10 certificate
\fB\-\-external_ca_file\fR=\fIFILE\fR
File containing PKCS#10 of the external CA chain
Disables pkinit setup steps
\fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR
PKCS#12 file containing the Directory Server SSL Certificate
\fB\-\-http_pkcs12\fR=\fIFILE\fR
PKCS#12 file containing the Apache Server SSL Certificate
\fB\-\-pkinit_pkcs12\fR=\fIFILE\fR
PKCS#12 file containing the Kerberos KDC SSL certificate
\fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR
The password of the Directory Server PKCS#12 file
\fB\-\-http_pin\fR=\fIHTTP_PIN\fR
The password of the Apache Server PKCS#12 file
\fB\-\-pkinit_pin\fR=\fIPKINIT_PIN\fR
The password of the Kerberos KDC PKCS#12 file
\fB\-\-subject\fR=\fISUBJECT\fR
The certificate subject base (default O=REALM.NAME)
Configure a self\-signed CA instance for issuing server certificates instead of using dogtag for certificates.
WARNING: Using this option will restrict the server certificate management capabilities. Keep in mind that there is no way to change this setting later.
Generate a DNS zone if it does not exist already and configure the DNS server.
This option requires that you either specify at least one DNS forwarder through
the \fB\-\-forwarder\fR option or use the \fB\-\-no\-forwarders\fR option.
Note that you can set up DNS at any time after the initial IPA server install by running
.BR ipa-dns-install (1).
\fB\-\-forwarder\fR=\fIIP_ADDRESS\fR
Add a DNS forwarder to the DNS configuration. You can use this option multiple
times to specify more forwarders, but at least one must be provided, unless
the \fB\-\-no\-forwarders\fR option is specified.
\fB\-\-no\-forwarders\fR
Do not add any DNS forwarders. Root DNS servers will be used instead.
\fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
The reverse DNS zone to use
\fB\-\-no\-reverse\fR
Do not create reverse DNS zone
The e\-mail address of the DNS zone manager. Defaults to root@host.domain
\fB\-\-zone\-notif\fR
Let the name server receive notifications when a new zone is added. The new zone is then immediately loaded by the name server. This feature uses an LDAP Persistent Search mechanism to receive the data. Zone refresh is turned off when zone notifications are enabled.
\fB\-\-zone\-refresh=\fIZONE_REFRESH\fR
Number of seconds between regular checks for new DNS zones. When set to 0, the name server does not check for new zones and needs to be reloaded when a new DNS zone is added.
\fB\-\-no\-host\-dns\fR
Do not use DNS for hostname lookup during installation
.SS "UNINSTALL OPTIONS"
Uninstall an existing IPA installation
\fB\-U\fR, \fB\-\-unattended\fR
An unattended uninstallation that will never prompt for user input
0 if the (un)installation was successful
1 if an error occurred
.BR ipa-dns-install (1)
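Several options above carry constraints that are easy to miss in an unattended run: the forwarder requirement of \-\-setup\-dns, the interaction of \-\-zone\-notif with \-\-zone\-refresh, and the allow_all HBAC rule. The shell function below lints an argument list against them; it is an added example, not part of FreeIPA or of the original man page. The name ipa_preflight and the sample values are hypothetical, and the warning about secrets in the process list is a general Linux fact, not something this page states.

```shell
#!/bin/sh
# Added example, not FreeIPA code: lint an ipa-server-install argument list
# against constraints stated in this man page. Prints one finding per line
# and returns non-zero if any ERROR was found.
ipa_preflight() {
    setup_dns=0; fwd=0; nofwd=0; hbac_off=0; notif=0; refresh=0; secret=0
    errors=0
    for arg in "$@"; do
        case "$arg" in
            --setup-dns)      setup_dns=1 ;;
            --forwarder=*)    fwd=1 ;;
            --no-forwarders)  nofwd=1 ;;
            --no_hbac_allow)  hbac_off=1 ;;
            --zone-notif)     notif=1 ;;
            --zone-refresh=*) refresh=${arg#*=} ;;
            -p|-P|-a|--ds-password=*|--master-password=*|--admin-password=*|--*_pin=*)
                              secret=1 ;;
        esac
    done
    # --setup-dns requires at least one forwarder or an explicit opt-out.
    if [ "$setup_dns" -eq 1 ] && [ "$fwd" -eq 0 ] && [ "$nofwd" -eq 0 ]; then
        echo "ERROR: --setup-dns needs --forwarder=IP or --no-forwarders"
        errors=1
    fi
    # Zone refresh is turned off when zone notifications are enabled.
    if [ "$notif" -eq 1 ] && [ "$refresh" -gt 0 ] 2>/dev/null; then
        echo "WARN: --zone-refresh is ignored because --zone-notif turns zone refresh off"
    fi
    # Without --no_hbac_allow the permissive allow_all rule is installed.
    if [ "$hbac_off" -eq 0 ]; then
        echo "WARN: allow_all HBAC rule will be installed; remove it before production"
    fi
    # Assumption beyond this page: argv may be readable by other local users.
    if [ "$secret" -eq 1 ]; then
        echo "WARN: secrets passed as arguments may be visible in the process list"
    fi
    return "$errors"
}

# Constructed sample argument list (placeholder values).
ipa_preflight -U --realm=EXAMPLE.TEST --setup-dns --zone-notif --zone-refresh=30 || true
```
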