xenial (1) ipa-server-install.1.gz

Provided by: freeipa-server_4.3.1-0ubuntu1_amd64 bug

NAME

       ipa-server-install - Configure an IPA server

SYNOPSIS

       ipa-server-install [OPTION]...

DESCRIPTION

       Configures  the  services  needed  by an IPA server. This includes setting up a Kerberos Key Distribution
       Center (KDC) and a Kadmin  daemon  with  an  LDAP  back-end,  configuring  Apache,  configuring  NTP  and
       optionally  configuring  and  starting  an  LDAP-backed  DNS server. By default a dogtag-based CA will be
       configured to issue server certificates.

OPTIONS

   BASIC OPTIONS
       -r REALM_NAME, --realm=REALM_NAME
              The Kerberos realm name for the IPA server. You will not be able to estabilish trust  with  Active
              Directory unless the realm name is uppercased domain name.

       -n DOMAIN_NAME, --domain=DOMAIN_NAME
              Your DNS domain name

       -p DM_PASSWORD, --ds-password=DM_PASSWORD
              The password to be used by the Directory Server for the Directory Manager user

       -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
              The password for the IPA admin user

       --mkhomedir
              Create home directories for users on their first login

       --hostname=HOST_NAME
              The  fully-qualified  DNS name of this server. If the hostname does not match system hostname, the
              system hostname will be updated accordingly to prevent service failures.

       --ip-address=IP_ADDRESS
              The IP address of this server. If this address does not match the address the host resolves to and
              --setup-dns  is not selected the installation will fail. If the server hostname is not resolvable,
              a record for the hostname and IP_ADDRESS is added to /etc/hosts.  This this  option  can  be  used
              multiple  times  to  specify  more  IP addresses of the server (e.g. multihomed and/or dualstacked
              server).

       -N, --no-ntp
              Do not configure NTP

       --idstart=IDSTART
              The starting user and group id number (default random)

       --idmax=IDMAX
              The maximum user and group id number (default: idstart+199999). If set to zero, the default  value
              will be used.

       --no_hbac_allow
              Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any
              other host. It is expected that users will remove this rule before moving to production.

       --ignore-topology-disconnect
              Ignore errors reported when IPA server uninstall would lead to disconnected topology. This  option
              can be used only when domain level is 1 or more.

       --no-ui-redirect
              Do not automatically redirect to the Web UI.

       --ssh-trust-dns
              Configure OpenSSH client to trust DNS SSHFP records.

       --no-ssh
              Do not configure OpenSSH client.

       --no-sshd
              Do not configure OpenSSH server.

       -d, --debug
              Enable debug logging when more verbose output is needed

       -U, --unattended
              An unattended installation that will never prompt for user input

       --dirsrv-config-file
              The path to LDIF file that will be used to modify configuration of dse.ldif during installation of
              the directory server instance

   CERTIFICATE SYSTEM OPTIONS
       --external-ca
              Generate a CSR for the IPA CA certificate to be signed by an external CA.

       --external-ca-type=TYPE
              Type of the external CA. Possible values are "generic", "ms-cs". Default value is  "generic".  Use
              "ms-cs"  to  include  template  name  required  by  Microsoft  Certificate Services (MS CS) in the
              generated CSR.

       --external-cert-file=FILE
              File containing the IPA CA certificate and the external CA certificate chain. The file is accepted
              in  PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple
              times.

       --no-pkinit
              Disables pkinit setup steps

       --dirsrv-cert-file=FILE
              File containing the Directory Server SSL certificate and private key. The files  are  accepted  in
              PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats.
              This option may be used multiple times.

       --http-cert-file=FILE
              File containing the Apache Server SSL certificate and private key. The files are accepted  in  PEM
              and  DER  certificate,  PKCS#7  certificate chain, PKCS#8 and raw private key and PKCS#12 formats.
              This option may be used multiple times.

       --pkinit-cert-file=FILE
              File containing the Kerberos KDC SSL certificate and private key. The files are  accepted  in  PEM
              and  DER  certificate,  PKCS#7  certificate chain, PKCS#8 and raw private key and PKCS#12 formats.
              This option may be used multiple times.

       --dirsrv-pin=PIN
              The password to unlock the Directory Server private key

       --http-pin=PIN
              The password to unlock the Apache Server private key

       --pkinit-pin=PIN
              The password to unlock the Kerberos KDC private key

       --dirsrv-cert-name=NAME
              Name of the Directory Server SSL certificate to install

       --http-cert-name=NAME
              Name of the Apache Server SSL certificate to install

       --pkinit-cert-name=NAME
              Name of the Kerberos KDC SSL certificate to install

       --ca-cert-file=FILE
              File containing the CA certificate of the CA which issued the Directory Server, Apache Server  and
              Kerberos  KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate
              chain formats. This option may be used multiple times. Use this option if the  CA  certificate  is
              not present in the certificate files.

       --subject=SUBJECT
              The certificate subject base (default O=REALM.NAME)

       --ca-signing-algorithm=ALGORITHM
              Signing  algorithm  of  the  IPA  CA  certificate. Possible values are SHA1withRSA, SHA256withRSA,
              SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the  external
              CA does not support the default signing algorithm.

   DNS OPTIONS
       --setup-dns
              Generate  a  DNS  zone  if  it  does  not exist already and configure the DNS server.  This option
              requires that you either specify at least one DNS forwarder through the --forwarder option or  use
              the --no-forwarders option.

              Note  that  you  can set up a DNS at any time after the initial IPA server install by running ipa-
              dns-install (see ipa-dns-install(1)).

       --forwarder=IP_ADDRESS
              Add a DNS forwarder to the DNS configuration. You can use this option multiple  times  to  specify
              more  forwarders,  but  at  least  one  must  be  provided,  unless  the --no-forwarders option is
              specified.

       --no-forwarders
              Do not add any DNS forwarders. Root DNS servers will be used instead.

       --auto-forwarders
              Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS.

       --reverse-zone=REVERSE_ZONE
              The reverse DNS zone to use. This option can be used multiple times to  specify  multiple  reverse
              zones.

       --no-reverse
              Do not create reverse DNS zone

       --auto-reverse
              Try  to  resolve  reverse  records  and  reverse  zones  for server IP addresses and if neither is
              resolvable creates these reverse zones.

       --zonemgr
              The e-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN

       --no-host-dns
              Do not use DNS for hostname lookup during installation

       --no-dns-sshfp
              Do not automatically create DNS SSHFP records.

       --no-dnssec-validation
              Disable DNSSEC validation on this server.

       --allow-zone-overlap
              Allow creatin of (reverse) zone even if the zone is  already  resolvable.  Using  this  option  is
              discouraged as it result in later problems with domain name resolution.

   UNINSTALL OPTIONS
       --uninstall
              Uninstall an existing IPA installation

       -U, --unattended
              An unattended uninstallation that will never prompt for user input

DEPRECATED OPTIONS

       -P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
              The kerberos master password (normally autogenerated).

EXIT STATUS

       0 if the (un)installation was successful

       1 if an error occurred

SEE ALSO

       ipa-dns-install(1)