Provided by: freeipa-server_4.7.0~pre1+git20180411-2ubuntu2_amd64

NAME

       ipa-server-install - Configure an IPA server

SYNOPSIS

       ipa-server-install [OPTION]...

DESCRIPTION

       Configures  the  services needed by an IPA server. This includes setting up a Kerberos Key
       Distribution Center (KDC) and a Kadmin daemon with an LDAP back-end,  configuring  Apache,
       configuring  NTP  and  optionally  configuring  and starting an LDAP-backed DNS server. By
       default a dogtag-based CA will be configured to issue server certificates.

OPTIONS

   BASIC OPTIONS
       -r REALM_NAME, --realm=REALM_NAME
              The Kerberos realm name for the new IPA deployment.

              It is strongly recommended to use an upper-cased name of  the  primary  DNS  domain
              name  of  your  IPA deployment. You will not be able to establish trust with Active
              Directory unless the realm name is the upper-cased domain name.

              The realm name cannot be changed after the installation.

       -n DOMAIN_NAME, --domain=DOMAIN_NAME
              The primary DNS domain of the IPA deployment, e.g.  example.com.  This  DNS  domain
              should contain the SRV records generated by the IPA server installer. The specified
              DNS domain must not contain DNS  records  of  any  other  LDAP  or  Kerberos  based
              management system (like Active Directory or MIT Kerberos).

              It  is  strongly  recommended  to  use a lower-cased name of the IPA Kerberos realm
              name.

              The primary DNS domain name cannot be changed after the installation.

       -p DM_PASSWORD, --ds-password=DM_PASSWORD
              The password to be used by the Directory Server for the Directory Manager user.

       -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
              The password for the IPA admin user.

       --mkhomedir
              Create home directories for users on their first login.

       --hostname=HOST_NAME
              The fully-qualified DNS name of this server.

       --ip-address=IP_ADDRESS
              The IP address of this server. If this address does not match the address the  host
              resolves  to  and  --setup-dns  is not selected, the installation will fail. If the
              server hostname is not resolvable, a record for  the  hostname  and  IP_ADDRESS  is
              added  to  /etc/hosts.  This option can be used multiple times to specify additional
              IP addresses of the server (e.g. a multihomed and/or dual-stacked server).

       --ntp-server=NTP_SERVER
              Configure  chronyd  to  use this NTP server. This option can be used multiple times
              and it is used to specify exactly one time server.

       --ntp-pool=NTP_SERVER_POOL
              Configure chronyd to use this NTP server pool. The value is meant to be a  pool  of
              multiple  servers  resolved  under one host name: the servers behind the pool may
              vary, but the pool address stays the same and chrony will choose only  one  server
              from this pool.

       -N, --no-ntp
              Do not configure NTP client (chronyd).

       --idstart=IDSTART
              The starting user and group id number (default random).

       --idmax=IDMAX
              The maximum user and group id number (default: idstart+199999). If set to zero, the
              default value will be used.

       --no-hbac-allow
              Don't install allow_all HBAC rule. This rule lets any user from any host access any
              service on any other host. It is expected that users will remove this  rule  before
              moving to production.

       --ignore-topology-disconnect
              Ignore  errors  reported  when  IPA  server  uninstall  would  lead to disconnected
              topology. This option can be used only when domain level is 1 or more.

       --ignore-last-of-role
              Ignore errors reported when IPA server uninstall would  lead  to  removal  of  last
              CA/DNS server or DNSSec master. This option can be used only when domain level is 1
              or more.

       --no-ui-redirect
              Do not automatically redirect to the Web UI.

       --ssh-trust-dns
              Configure OpenSSH client to trust DNS SSHFP records.

       --no-ssh
              Do not configure OpenSSH client.

       --no-sshd
              Do not configure OpenSSH server.

       -d, --debug
              Enable debug logging when more verbose output is needed.

       -U, --unattended
              An unattended installation that will never prompt for user input.

       --dirsrv-config-file
              The path to an LDIF file that will be used to modify the configuration of dse.ldif
              during installation of the directory server instance.

   CERTIFICATE SYSTEM OPTIONS
       --external-ca
              Generate a CSR for the IPA CA certificate to be signed by an external CA.

       --external-ca-type=TYPE
              Type  of  the external CA. Possible values are "generic", "ms-cs". Default value is
              "generic".  Use  "ms-cs"  to  include  the  template  name  required  by  Microsoft
              Certificate  Services  (MS  CS) in the generated CSR (see --external-ca-profile for
              full details).

       --external-ca-profile=PROFILE_SPEC
              Specify the certificate profile or template to use at the external CA.

              When --external-ca-type is "ms-cs" the following specifiers may be used:

              <oid>:<majorVersion>[:<minorVersion>]
                     Specify a certificate template by OID and  major  version,  optionally  also
                     specifying minor version.

              <name> Specify  a  certificate  template  by  name.  The  name cannot contain any :
                     characters and cannot be an OID (otherwise the OID-based template  specifier
                     syntax takes precedence).

              default
                     If no template is specified, the template name "SubCA" is used.

       --external-cert-file=FILE
              File  containing  the IPA CA certificate and the external CA certificate chain. The
              file is accepted in PEM and DER certificate and PKCS#7 certificate  chain  formats.
              This option may be used multiple times.

       --no-pkinit
              Disables  pkinit  setup  steps.  This  is  the default and only allowed behavior on
              domain level 0.

       --dirsrv-cert-file=FILE
              File containing the Directory Server SSL certificate and private key. The files are
              accepted  in  PEM  and  DER  certificate,  PKCS#7 certificate chain, PKCS#8 and raw
              private key and PKCS#12 formats. This option may be used multiple times.

       --http-cert-file=FILE
              File containing the Apache Server SSL certificate and private key.  The  files  are
              accepted  in  PEM  and  DER  certificate,  PKCS#7 certificate chain, PKCS#8 and raw
              private key and PKCS#12 formats. This option may be used multiple times.

       --pkinit-cert-file=FILE
              File containing the Kerberos KDC SSL certificate and private  key.  The  files  are
              accepted  in  PEM  and  DER  certificate,  PKCS#7 certificate chain, PKCS#8 and raw
              private key and PKCS#12 formats. This option may be used multiple times.

       --dirsrv-pin=PIN
              The password to unlock the Directory Server private key.

       --http-pin=PIN
              The password to unlock the Apache Server private key.

       --pkinit-pin=PIN
              The password to unlock the Kerberos KDC private key.

       --dirsrv-cert-name=NAME
              Name of the Directory Server SSL certificate to install.

       --http-cert-name=NAME
              Name of the Apache Server SSL certificate to install.

       --pkinit-cert-name=NAME
              Name of the Kerberos KDC SSL certificate to install.

       --ca-cert-file=FILE
              File containing the CA certificate of the CA which  issued  the  Directory  Server,
              Apache  Server  and  Kerberos KDC certificates. The file is accepted in PEM and DER
              certificate and PKCS#7 certificate chain formats. This option may be used  multiple
              times.  Use  this  option  if  the CA certificate is not present in the certificate
              files.

       --ca-subject=SUBJECT
              The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). RDNs
              are in LDAP order (most specific RDN first).

       --subject-base=SUBJECT
              The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in
              LDAP order (most specific RDN first).

       --ca-signing-algorithm=ALGORITHM
              Signing algorithm of the IPA  CA  certificate.  Possible  values  are  SHA1withRSA,
              SHA256withRSA,  SHA512withRSA. Default value is SHA256withRSA. Use this option with
              --external-ca if the external CA does not support the default signing algorithm.

   SECRET MANAGEMENT OPTIONS
       --setup-kra
              Install and configure a KRA on this server.

   DNS OPTIONS
       IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you
       decide  to  use it, IPA will automatically maintain SRV and other service records when you
       change your topology.

       The DNS component in FreeIPA is optional and you may choose to manage all your DNS records
       manually  on  another third party DNS server. IPA DNS is not a general-purpose DNS server.
       If you need advanced features like DNS views, do not deploy IPA DNS.

       --setup-dns
              Configure an integrated DNS server, create DNS zone specified by --domain, and fill
              it  with  service  records  necessary  for  IPA deployment.  In cases where the IPA
              server name does not belong to the primary DNS domain and is not  resolvable  using
              DNS, create a DNS zone containing the IPA server name as well.

              This option requires that you either specify at least one DNS forwarder through the
              --forwarder option or use the --no-forwarders option.

              Note that you can set up DNS at any time after the initial IPA  server  install  by
              running ipa-dns-install (see ipa-dns-install(1)).  IPA DNS cannot be uninstalled.

       --forwarder=IP_ADDRESS
              Add  a  DNS  forwarder  to  the DNS configuration. You can use this option multiple
              times to specify more forwarders, but at least one must  be  provided,  unless  the
              --no-forwarders option is specified.

       --no-forwarders
              Do not add any DNS forwarders. Root DNS servers will be used instead.

       --auto-forwarders
              Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by
              IPA DNS.

       --forward-policy=first|only
              DNS  forwarding  policy  for  global  forwarders  specified  using  other  options.
              Defaults to first if no IP address belonging to a private or reserved  range  is
              detected on local interfaces (RFC 6303). Defaults to only if a private  IP  address
              is detected.

       --reverse-zone=REVERSE_ZONE
              The  reverse  DNS  zone  to  use. This option can be used multiple times to specify
              multiple reverse zones.

       --no-reverse
              Do not create reverse DNS zone.

       --auto-reverse
              Try to resolve reverse records and  reverse  zones  for  server  IP  addresses.  If
              neither is resolvable, the reverse zones are created.

       --zonemgr
              The e-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN.

       --no-host-dns
              Do not use DNS for hostname lookup during installation.

       --no-dns-sshfp
              Do not automatically create DNS SSHFP records.

       --no-dnssec-validation
              Disable DNSSEC validation on this server.

       --allow-zone-overlap
              Allow creation of a (reverse) zone even if the zone is already resolvable.  Using
              this option is discouraged as it results in later problems with domain name
              resolution.
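       The option dependencies described under BASIC OPTIONS (realm and domain naming, the
       passwords an unattended run cannot prompt for) and DNS OPTIONS (--setup-dns needs a
       --forwarder or --no-forwarders) can be checked before anything is touched. The following
       pre-flight script is an added example, not part of the FreeIPA project; it reads
       assumed IPA_* environment variables, validates them against the rules on this page and
       only prints the resulting ipa-server-install command line.

```sh
#!/bin/sh
# Added example (not FreeIPA project code): assemble an unattended
# ipa-server-install command line from assumed IPA_* variables and enforce
# the option dependencies documented in this man page. Nothing is installed.
#   IPA_DOMAIN        primary DNS domain, e.g. example.test (required)
#   IPA_REALM         Kerberos realm; defaults to the upper-cased domain
#   IPA_HOSTNAME      fully-qualified name of this server (required)
#   IPA_DM_PASSWORD   Directory Manager password (required for -U)
#   IPA_ADMIN_PASSWORD IPA admin password (required for -U)
#   IPA_SETUP_DNS     yes to add --setup-dns
#   IPA_FORWARDERS    space-separated forwarder IPs (one --forwarder each)
#   IPA_NO_FORWARDERS yes to use --no-forwarders instead of forwarders

ipa_install_cmd() {
    domain=$(printf '%s' "$IPA_DOMAIN" | tr 'A-Z' 'a-z')
    upper=$(printf '%s' "$domain" | tr 'a-z' 'A-Z')
    realm=${IPA_REALM:-$upper}
    if [ -z "$domain" ] || [ -z "$IPA_HOSTNAME" ]; then
        echo "error: IPA_DOMAIN and IPA_HOSTNAME are required" >&2
        return 1
    fi
    # The page recommends realm == upper-cased domain; AD trust needs it.
    if [ "$realm" != "$upper" ]; then
        echo "warning: realm $realm is not the upper-cased domain; AD trust will not be possible" >&2
    fi
    # -U never prompts, so both passwords must be supplied up front.
    if [ -z "$IPA_DM_PASSWORD" ] || [ -z "$IPA_ADMIN_PASSWORD" ]; then
        echo "error: unattended install needs both -p and -a passwords" >&2
        return 1
    fi
    set -- ipa-server-install -U -r "$realm" -n "$domain" \
        --hostname="$IPA_HOSTNAME" -p "$IPA_DM_PASSWORD" -a "$IPA_ADMIN_PASSWORD"
    if [ "$IPA_SETUP_DNS" = yes ]; then
        set -- "$@" --setup-dns
        if [ -n "$IPA_FORWARDERS" ]; then
            for fw in $IPA_FORWARDERS; do set -- "$@" --forwarder="$fw"; done
        elif [ "$IPA_NO_FORWARDERS" = yes ]; then
            set -- "$@" --no-forwarders
        else
            echo "error: --setup-dns requires --forwarder or --no-forwarders" >&2
            return 1
        fi
    fi
    printf '%s\n' "$*"
}
```

       Passwords given with -p and -a are visible to other local users in the process list for
       as long as the installer runs, so keep an unattended command in a root-only script or
       let the interactive installer prompt for them.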

   AD TRUST OPTIONS
       --setup-adtrust
              Configure AD Trust capability.

       --netbios-name=NETBIOS_NAME
              The NetBIOS name for the IPA domain. If not provided, this is determined  based  on
              the  leading  component  of  the DNS domain name. Running ipa-adtrust-install for a
              second time with a different NetBIOS name will change the name.  Please  note  that
              changing  the  NetBIOS  name  might  break  existing  trust  relationships to other
              domains.

       --rid-base=RID_BASE
              First RID value of the local domain. The first POSIX ID of the local domain will be
              assigned  to  this RID, the second to RID+1 etc. See the online help of the idrange
              CLI for details.

       --secondary-rid-base=SECONDARY_RID_BASE
              Start value of the secondary RID range, which is only used in the case where a user
              and a group share numerically the same POSIX ID. See the online help of the idrange
              CLI for details.

       --enable-compat
              Enables support for trusted domain users for old  clients  through  the  Schema
              Compatibility plugin.  SSSD supports trusted domains natively starting with version
              1.9. For platforms that lack SSSD or run an older SSSD version, one needs  to  use
              this  option.  When enabled, the slapi-nis package needs to be installed and
              schema-compat-plugin will be configured to provide lookup of users and groups  from
              trusted  domains  via SSSD on the IPA server. These users and groups will be
              available under the cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX
              trees.  SSSD will normalize names of users and groups to lower case.

              In  addition  to  providing  these  users  and groups through the compat tree, this
              option enables authentication over LDAP for trusted domain users with a  DN  under
              the compat tree, i.e. using a bind DN such as
              uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

              LDAP authentication performed by the compat tree is done via the PAM 'system-auth'
              service.  This service exists by default on Linux systems and is provided by the
              pam package as /etc/pam.d/system-auth.  If your IPA install does not have the
              default HBAC rule 'allow_all' enabled, then make sure to define in IPA a special
              service called 'system-auth' and create an HBAC rule that allows anyone access to
              that service on the IPA masters.

              As the 'system-auth' PAM service is not used directly by any other application, it
              is safe to use it for trusted domain users via the compatibility path.

   UNINSTALL OPTIONS
       --uninstall
              Uninstall an existing IPA installation.

       -U, --unattended
              An unattended uninstallation that will never prompt for user input.

DEPRECATED OPTIONS

       -P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
              The Kerberos master password (normally autogenerated).

EXIT STATUS

       0 if the (un)installation was successful

       1 if an error occurred

SEE ALSO

       ipa-dns-install(1) ipa-adtrust-install(1)