ipa-server-install man page

ipa-server-install — Configure an IPA server

Synopsis

ipa-server-install [OPTION]...

Description

Configures the services needed by an IPA server. This includes setting up a Kerberos Key Distribution Center (KDC) and a Kadmin daemon with an LDAP back-end, configuring Apache, configuring NTP and optionally configuring and starting an LDAP-backed DNS server. By default a dogtag-based CA will be configured to issue server certificates.

Options

Basic Options

-r REALM_NAME, --realm=REALM_NAME

The Kerberos realm name for the IPA server. You will not be able to estabilish trust with Active Directory unless the realm name is uppercased domain name.

-n DOMAIN_NAME, --domain=DOMAIN_NAME

Your DNS domain name

-p DM_PASSWORD, --ds-password=DM_PASSWORD

The password to be used by the Directory Server for the Directory Manager user

-a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD

The password for the IPA admin user

--mkhomedir

Create home directories for users on their first login

--hostname=HOST_NAME

The fully-qualified DNS name of this server.

--ip-address=IP_ADDRESS

The IP address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts. This this option can be used multiple times to specify more IP addresses of the server (e.g. multihomed and/or dualstacked server).

-N, --no-ntp

Do not configure NTP

--idstart=IDSTART

The starting user and group id number (default random)

--idmax=IDMAX

The maximum user and group id number (default: idstart+199999). If set to zero, the default value will be used.

--no_hbac_allow

Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production.

--ignore-topology-disconnect

Ignore errors reported when IPA server uninstall would lead to disconnected topology. This option can be used only when domain level is 1 or more.

--no-ui-redirect

Do not automatically redirect to the Web UI.

--ssh-trust-dns

Configure OpenSSH client to trust DNS SSHFP records.

--no-ssh

Do not configure OpenSSH client.

--no-sshd

Do not configure OpenSSH server.

-d, --debug

Enable debug logging when more verbose output is needed

-U, --unattended

An unattended installation that will never prompt for user input

--dirsrv-config-file

The path to LDIF file that will be used to modify configuration of dse.ldif during installation of the directory server instance

Certificate System Options

--external-ca

Generate a CSR for the IPA CA certificate to be signed by an external CA.

--external-ca-type=TYPE

Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include template name required by Microsoft Certificate Services (MS CS) in the generated CSR.

--external-cert-file=FILE

File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.

--no-pkinit

Disables pkinit setup steps

--dirsrv-cert-file=FILE

File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.

--http-cert-file=FILE

File containing the Apache Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.

--pkinit-cert-file=FILE

File containing the Kerberos KDC SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.

--dirsrv-pin=PIN

The password to unlock the Directory Server private key

--http-pin=PIN

The password to unlock the Apache Server private key

--pkinit-pin=PIN

The password to unlock the Kerberos KDC private key

--dirsrv-cert-name=NAME

Name of the Directory Server SSL certificate to install

--http-cert-name=NAME

Name of the Apache Server SSL certificate to install

--pkinit-cert-name=NAME

Name of the Kerberos KDC SSL certificate to install

--ca-cert-file=FILE

File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files.

--subject=SUBJECT

The certificate subject base (default O=REALM.NAME)

--ca-signing-algorithm=ALGORITHM

Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.

DNS Options

--setup-dns

Generate a DNS zone if it does not exist already and configure the DNS server. This option requires that you either specify at least one DNS forwarder through the --forwarder option or use the --no-forwarders option.

Note that you can set up a DNS at any time after the initial IPA server install by running ipa-dns-install (see ipa-dns-install(1)).

--forwarder=IP_ADDRESS

Add a DNS forwarder to the DNS configuration. You can use this option multiple times to specify more forwarders, but at least one must be provided, unless the --no-forwarders option is specified.

--no-forwarders

Do not add any DNS forwarders. Root DNS servers will be used instead.

--auto-forwarders

Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS.

--forward-policy=first|only

DNS forwarding policy for global forwarders specified using other options. Defaults to first if no IP address belonging to a private or reserved ranges is detected on local interfaces (RFC 6303). Defaults to only if a private IP address is detected.

--reverse-zone=REVERSE_ZONE

The reverse DNS zone to use. This option can be used multiple times to specify multiple reverse zones.

--no-reverse

Do not create reverse DNS zone

--auto-reverse

Try to resolve reverse records and reverse zones for server IP addresses and if neither is resolvable creates these reverse zones.

--zonemgr

The e-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN

--no-host-dns

Do not use DNS for hostname lookup during installation

--no-dns-sshfp

Do not automatically create DNS SSHFP records.

--no-dnssec-validation

Disable DNSSEC validation on this server.

--allow-zone-overlap

Allow creatin of (reverse) zone even if the zone is already resolvable. Using this option is discouraged as it result in later problems with domain name resolution.

Uninstall Options

--uninstall

Uninstall an existing IPA installation

-U, --unattended

An unattended uninstallation that will never prompt for user input

Deprecated Options

-P MASTER_PASSWORD, --master-password=MASTER_PASSWORD

The kerberos master password (normally autogenerated).

Exit Status

0 if the (un)installation was successful

1 if an error occurred

See Also

ipa-dns-install(1)

Referenced By

ipa(1).

Jun 28 2012 FreeIPA Manual Pages