Provided by: freeipa-server_4.7.0~pre1+git20180411-2ubuntu2_amd64 
NAME
ipa-server-install - Configure an IPA server
SYNOPSIS
ipa-server-install [OPTION]...
DESCRIPTION
Configures the services needed by an IPA server. This includes setting up a Kerberos Key
Distribution Center (KDC) and a Kadmin daemon with an LDAP back-end, configuring Apache,
configuring NTP and optionally configuring and starting an LDAP-backed DNS server. By
default a dogtag-based CA will be configured to issue server certificates.
OPTIONS
BASIC OPTIONS
-r REALM_NAME, --realm=REALM_NAME
The Kerberos realm name for the new IPA deployment.
It is strongly recommended to use an upper-cased name of the primary DNS domain
name of your IPA deployment. You will not be able to establish trust with Active
Directory unless the realm name is the upper-cased domain name.
The realm name cannot be changed after the installation.
-n DOMAIN_NAME, --domain=DOMAIN_NAME
The primary DNS domain of the IPA deployment, e.g. example.com. This DNS domain
should contain the SRV records generated by the IPA server installer. The specified
DNS domain must not contain DNS records of any other LDAP or Kerberos based
management system (like Active Directory or MIT Kerberos).
It is strongly recommended to use a lower-cased name of the IPA Kerberos realm
name.
The primary DNS domain name cannot be changed after the installation.
-p DM_PASSWORD, --ds-password=DM_PASSWORD
The password to be used by the Directory Server for the Directory Manager user.
-a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
The password for the IPA admin user.
--mkhomedir
Create home directories for users on their first login.
--hostname=HOST_NAME
The fully-qualified DNS name of this server.
--ip-address=IP_ADDRESS
The IP address of this server. If this address does not match the address the host
resolves to and --setup-dns is not selected, the installation will fail. If the
server hostname is not resolvable, a record for the hostname and IP_ADDRESS is
added to /etc/hosts. This option can be used multiple times to specify more IP
addresses of the server (e.g. multihomed and/or dualstacked server).
Configure chronyd to use this NTP server. This option can be used multiple times and it is
used to specify exactly one time server.
--ntp-server=NTP_SERVER
Configure chronyd to use this NTP server. This option can be used multiple times
and it is used to specify exactly one time server.
--ntp-pool=NTP_SERVER_POOL
Configure chronyd to use this NTP server pool. This option is meant to be pool of
multiple servers resolved as one host name. This pool's servers may vary but pool
address will be still same and chrony will choose only one server from this pool.
-N, --no-ntp
Do not configure NTP client (chronyd).
--idstart=IDSTART
The starting user and group id number (default random).
--idmax=IDMAX
The maximum user and group id number (default: idstart+199999). If set to zero, the
default value will be used.
--no-hbac-allow
Don't install allow_all HBAC rule. This rule lets any user from any host access any
service on any other host. It is expected that users will remove this rule before
moving to production.
--ignore-topology-disconnect
Ignore errors reported when IPA server uninstall would lead to disconnected
topology. This option can be used only when domain level is 1 or more.
--ignore-last-of-role
Ignore errors reported when IPA server uninstall would lead to removal of last
CA/DNS server or DNSSec master. This option can be used only when domain level is 1
or more.
--no-ui-redirect
Do not automatically redirect to the Web UI.
--ssh-trust-dns
Configure OpenSSH client to trust DNS SSHFP records.
--no-ssh
Do not configure OpenSSH client.
--no-sshd
Do not configure OpenSSH server.
-d, --debug
Enable debug logging when more verbose output is needed.
-U, --unattended
An unattended installation that will never prompt for user input.
--dirsrv-config-file
The path to LDIF file that will be used to modify configuration of dse.ldif during
installation of the directory server instance.
CERTIFICATE SYSTEM OPTIONS
--external-ca
Generate a CSR for the IPA CA certificate to be signed by an external CA.
--external-ca-type=TYPE
Type of the external CA. Possible values are "generic", "ms-cs". Default value is
"generic". Use "ms-cs" to include the template name required by Microsoft
Certificate Services (MS CS) in the generated CSR (see --external-ca-profile for
full details).
--external-ca-profile=PROFILE_SPEC
Specify the certificate profile or template to use at the external CA.
When --external-ca-type is "ms-cs" the following specifiers may be used:
<oid>:<majorVersion>[:<minorVersion>]
Specify a certificate template by OID and major version, optionally also
specifying minor version.
<name> Specify a certificate template by name. The name cannot contain any :
characters and cannot be an OID (otherwise the OID-based template specifier
syntax takes precedence).
default
If no template is specified, the template name "SubCA" is used.
--external-cert-file=FILE
File containing the IPA CA certificate and the external CA certificate chain. The
file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats.
This option may be used multiple times.
--no-pkinit
Disables pkinit setup steps. This is the default and only allowed behavior on
domain level 0.
--dirsrv-cert-file=FILE
File containing the Directory Server SSL certificate and private key. The files are
accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw
private key and PKCS#12 formats. This option may be used multiple times.
--http-cert-file=FILE
File containing the Apache Server SSL certificate and private key. The files are
accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw
private key and PKCS#12 formats. This option may be used multiple times.
--pkinit-cert-file=FILE
File containing the Kerberos KDC SSL certificate and private key. The files are
accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw
private key and PKCS#12 formats. This option may be used multiple times.
--dirsrv-pin=PIN
The password to unlock the Directory Server private key.
--http-pin=PIN
The password to unlock the Apache Server private key.
--pkinit-pin=PIN
The password to unlock the Kerberos KDC private key.
--dirsrv-cert-name=NAME
Name of the Directory Server SSL certificate to install.
--http-cert-name=NAME
Name of the Apache Server SSL certificate to install.
--pkinit-cert-name=NAME
Name of the Kerberos KDC SSL certificate to install.
--ca-cert-file=FILE
File containing the CA certificate of the CA which issued the Directory Server,
Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER
certificate and PKCS#7 certificate chain formats. This option may be used multiple
times. Use this option if the CA certificate is not present in the certificate
files.
--ca-subject=SUBJECT
The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). RDNs
are in LDAP order (most specific RDN first).
--subject-base=SUBJECT
The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in
LDAP order (most specific RDN first).
--ca-signing-algorithm=ALGORITHM
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA,
SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with
--external-ca if the external CA does not support the default signing algorithm.
SECRET MANAGEMENT OPTIONS
--setup-kra
Install and configure a KRA on this server.
DNS OPTIONS
IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you
decide to use it, IPA will automatically maintain SRV and other service records when you
change your topology.
The DNS component in FreeIPA is optional and you may choose to manage all your DNS records
manually on another third party DNS server. IPA DNS is not a general-purpose DNS server.
If you need advanced features like DNS views, do not deploy IPA DNS.
--setup-dns
Configure an integrated DNS server, create DNS zone specified by --domain, and fill
it with service records necessary for IPA deployment. In cases where the IPA
server name does not belong to the primary DNS domain and is not resolvable using
DNS, create a DNS zone containing the IPA server name as well.
This option requires that you either specify at least one DNS forwarder through the
--forwarder option or use the --no-forwarders option.
Note that you can set up a DNS at any time after the initial IPA server install by
running ipa-dns-install (see ipa-dns-install(1)). IPA DNS cannot be uninstalled.
--forwarder=IP_ADDRESS
Add a DNS forwarder to the DNS configuration. You can use this option multiple
times to specify more forwarders, but at least one must be provided, unless the
--no-forwarders option is specified.
--no-forwarders
Do not add any DNS forwarders. Root DNS servers will be used instead.
--auto-forwarders
Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by
IPA DNS.
--forward-policy=first|only
DNS forwarding policy for global forwarders specified using other options.
Defaults to first if no IP address belonging to a private or reserved ranges is
detected on local interfaces (RFC 6303). Defaults to only if a private IP address
is detected.
--reverse-zone=REVERSE_ZONE
The reverse DNS zone to use. This option can be used multiple times to specify
multiple reverse zones.
--no-reverse
Do not create reverse DNS zone.
--auto-reverse
Try to resolve reverse records and reverse zones for server IP addresses. If
neither is resolvable, creates the reverse zones.
--zonemgr
The e-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
--no-host-dns
Do not use DNS for hostname lookup during installation.
--no-dns-sshfp
Do not automatically create DNS SSHFP records.
--no-dnssec-validation
Disable DNSSEC validation on this server.
--allow-zone-overlap
Allow creation of (reverse) zone even if the zone is already resolvable. Using this
option is discouraged as it result in later problems with domain name resolution.
AD TRUST OPTIONS
--setup-adtrust
Configure AD Trust capability.
--netbios-name=NETBIOS_NAME
The NetBIOS name for the IPA domain. If not provided, this is determined based on
the leading component of the DNS domain name. Running ipa-adtrust-install for a
second time with a different NetBIOS name will change the name. Please note that
changing the NetBIOS name might break existing trust relationships to other
domains.
--rid-base=RID_BASE
First RID value of the local domain. The first POSIX ID of the local domain will be
assigned to this RID, the second to RID+1 etc. See the online help of the idrange
CLI for details.
--secondary-rid-base=SECONDARY_RID_BASE
Start value of the secondary RID range, which is only used in the case a user and a
group share numerically the same POSIX ID. See the online help of the idrange CLI
for details.
--enable-compat
Enables support for trusted domains users for old clients through Schema
Compatibility plugin. SSSD supports trusted domains natively starting with version
1.9. For platforms that lack SSSD or run older SSSD version one needs to use this
option. When enabled, slapi-nis package needs to be installed and
schema-compat-plugin will be configured to provide lookup of users and groups from
trusted domains via SSSD on IPA server. These users and groups will be available
under cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX trees. SSSD will
normalize names of users and groups to lower case.
In addition to providing these users and groups through the compat tree, this
option enables authentication over LDAP for trusted domain users with DN under
compat tree, i.e. using bind DN
uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.
LDAP authentication performed by the compat tree is done via PAM 'system-auth'
service. This service exists by default on Linux systems and is provided by pam
package as /etc/pam.d/system-auth. If your IPA install does not have default HBAC
rule 'allow_all' enabled, then make sure to define in IPA special service called
'system-auth' and create an HBAC rule to allow access to anyone to this rule on IPA
masters.
As 'system-auth' PAM service is not used directly by any other application, it is
safe to use it for trusted domain users via compatibility path.
UNINSTALL OPTIONS
--uninstall
Uninstall an existing IPA installation.
-U, --unattended
An unattended uninstallation that will never prompt for user input.
DEPRECATED OPTIONS
-P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
The kerberos master password (normally autogenerated).
EXIT STATUS
0 if the (un)installation was successful
1 if an error occurred
SEE ALSO
ipa-dns-install(1) ipa-adtrust-install(1)