[Freeipa-devel] [PATCH] Make CA-less ipa-server-install option --root-ca-file optional
Petr Viktorin
pviktori at redhat.com
Fri Sep 5 13:49:58 UTC 2014
On 09/05/2014 02:03 PM, Petr Viktorin wrote:
> On 08/07/2014 05:46 PM, Petr Viktorin wrote:
>> On 08/06/2014 09:42 AM, Jan Cholasta wrote:
>>> Dne 5.8.2014 v 10:30 Jan Cholasta napsal(a):
>>>> Hi,
>>>>
>>>> the attached patch fixes the code part of
>>>> <https://fedorahosted.org/freeipa/ticket/4457>.
>>
>> Works for me, thanks!
>
> Pushed to:
> master: 6ad8c464a43260f8f58dc262f841c35be35b57b5
> ipa-4-0: 7c690d7e1238133677e49236595eb24483876ef8
> ipa-4-1: be6568234002165fe11dd55407f8eb8e9b357790
>
Just after pushing I noticed the note in the ticket that Dmitri wants to
take a look :(
Dmitri, please reopen the ticket if there are more improvements to be made.
I'm attaching the changed docs for reference.
--
Petr³
-------------- next part --------------
Usage: ipa-server-install [options]
Options:
--version show program's version number and exit
-h, --help show this help message and exit
basic options:
-r REALM_NAME, --realm=REALM_NAME
realm name
-n DOMAIN_NAME, --domain=DOMAIN_NAME
domain name
-p DM_PASSWORD, --ds-password=DM_PASSWORD
admin password
-P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
kerberos master password (normally autogenerated)
-a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
admin user kerberos password
--mkhomedir create home directories for users on their first login
--hostname=HOST_NAME
fully qualified name of server
--ip-address=IP_ADDRESS
Master Server IP Address
-N, --no-ntp do not configure ntp
--idstart=IDSTART The starting value for the IDs range (default random)
--idmax=IDMAX The max value value for the IDs range (default:
idstart+199999)
--no_hbac_allow Don't install allow_all HBAC rule
--no-ui-redirect Do not automatically redirect to the Web UI
--ssh-trust-dns configure OpenSSH client to trust DNS SSHFP records
--no-ssh do not configure OpenSSH client
--no-sshd do not configure OpenSSH server
-d, --debug print debugging information
-U, --unattended unattended (un)installation never prompts the user
certificate system options:
--external-ca Generate a CSR for the IPA CA certificate to be signed
by an external CA
--external_cert_file=EXTERNAL_CERT_FILE
File containing the IPA CA certificate signed by the
external CA in PEM format
--external_ca_file=EXTERNAL_CA_FILE
File containing the external CA certificate chain in
PEM format
--no-pkinit disables pkinit setup steps
--dirsrv_pkcs12=DIRSRV_PKCS12
PKCS#12 file containing the Directory Server SSL
certificate
--http_pkcs12=HTTP_PKCS12
PKCS#12 file containing the Apache Server SSL
certificate
--pkinit_pkcs12=PKINIT_PKCS12
PKCS#12 file containing the Kerberos KDC SSL
certificate
--dirsrv_pin=DIRSRV_PIN
The password of the Directory Server PKCS#12 file
--http_pin=HTTP_PIN
The password of the Apache Server PKCS#12 file
--pkinit_pin=PKINIT_PIN
The password of the Kerberos KDC PKCS#12 file
--root-ca-file=ROOT_CA_FILE
PEM file containing the CA certificate for the PKCS#12
files
--subject=SUBJECT The certificate subject base (default O=<realm-name>)
DNS options:
--setup-dns configure bind with our zone
--forwarder=FORWARDERS
Add a DNS forwarder
--no-forwarders Do not add any DNS forwarders, use root servers
instead
--reverse-zone=REVERSE_ZONE
The reverse DNS zone to use
--no-reverse Do not create reverse DNS zone
--zonemgr=ZONEMGR DNS zone manager e-mail address. Defaults to
hostmaster at DOMAIN
--no-host-dns Do not use DNS for hostname lookup during installation
--no-dns-sshfp Do not automatically create DNS SSHFP records
uninstall options:
--uninstall uninstall an existing installation. The uninstall can
be run with --unattended option
-------------- next part --------------
ipa-server-install(1) FreeIPA Manual Pages ipa-server-install(1)
NAME
ipa-server-install - Configure an IPA server
SYNOPSIS
ipa-server-install [OPTION]...
DESCRIPTION
Configures the services needed by an IPA server. This includes setting up a Kerberos Key Distribution Center (KDC) and a Kadmin daemon with an LDAP back-end, configuring Apache, configuring NTP and optionally configuring and starting an LDAP-backed DNS
server. By default a dogtag-based CA will be configured to issue server certificates.
OPTIONS
BASIC OPTIONS
-r REALM_NAME, --realm=REALM_NAME
The Kerberos realm name for the IPA server. You will not be able to estabilish trust with Active Directory unless the realm name is uppercased domain name.
-n DOMAIN_NAME, --domain=DOMAIN_NAME
Your DNS domain name
-p DM_PASSWORD, --ds-password=DM_PASSWORD
The password to be used by the Directory Server for the Directory Manager user
-P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
The kerberos master password (normally autogenerated)
-a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
The password for the IPA admin user
--mkhomedir
Create home directories for users on their first login
--hostname=HOST_NAME
The fully-qualified DNS name of this server. If the hostname does not match system hostname, the system hostname will be updated accordingly to prevent service failures.
--ip-address=IP_ADDRESS
The IP address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to
/etc/hosts.
-N, --no-ntp
Do not configure NTP
--idstart=IDSTART
The starting user and group id number (default random)
--idmax=IDMAX
The maximum user and group id number (default: idstart+199999). If set to zero, the default value will be used.
--no_hbac_allow
Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production.
--no-ui-redirect
Do not automatically redirect to the Web UI.
--ssh-trust-dns
Configure OpenSSH client to trust DNS SSHFP records.
--no-ssh
Do not configure OpenSSH client.
--no-sshd
Do not configure OpenSSH server.
-d, --debug
Enable debug logging when more verbose output is needed
-U, --unattended
An unattended installation that will never prompt for user input
CERTIFICATE SYSTEM OPTIONS
--external-ca
Generate a CSR for the IPA CA certificate to be signed by an external CA.
--external_cert_file=FILE
File containing the IPA CA certificate signed by the external CA in PEM format. Must be given with --external_ca_file.
--external_ca_file=FILE
File containing the external CA certificate chain in PEM format. Must be given with --external_cert_file.
If the CA certificate chain is in PKCS#7 format you can convert it to PEM using:
openssl pkcs7 -in PKCS7_FILE -print_certs -out PEM_FILE
--no-pkinit
Disables pkinit setup steps
--dirsrv_pkcs12=FILE
PKCS#12 file containing the Directory Server SSL Certificate
--http_pkcs12=FILE
PKCS#12 file containing the Apache Server SSL Certificate
--pkinit_pkcs12=FILE
PKCS#12 file containing the Kerberos KDC SSL certificate
--dirsrv_pin=DIRSRV_PIN
The password of the Directory Server PKCS#12 file
--http_pin=HTTP_PIN
The password of the Apache Server PKCS#12 file
--pkinit_pin=PKINIT_PIN
The password of the Kerberos KDC PKCS#12 file
--root-ca-file=FILE
PEM file containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC SSL certificates. Use this option if the CA certificate is not present in the PKCS#12 files.
--subject=SUBJECT
The certificate subject base (default O=REALM.NAME)
DNS OPTIONS
--setup-dns
Generate a DNS zone if it does not exist already and configure the DNS server. This option requires that you either specify at least one DNS forwarder through the --forwarder option or use the --no-forwarders option.
Note that you can set up a DNS at any time after the initial IPA server install by running ipa-dns-install (see ipa-dns-install(1)).
--forwarder=IP_ADDRESS
Add a DNS forwarder to the DNS configuration. You can use this option multiple times to specify more forwarders, but at least one must be provided, unless the --no-forwarders option is specified.
--no-forwarders
Do not add any DNS forwarders. Root DNS servers will be used instead.
--reverse-zone=REVERSE_ZONE
The reverse DNS zone to use
--no-reverse
Do not create reverse DNS zone
--zonemgr
The e-mail address of the DNS zone manager. Defaults to hostmaster at DOMAIN
--no-host-dns
Do not use DNS for hostname lookup during installation
--no-dns-sshfp
Do not automatically create DNS SSHFP records.
UNINSTALL OPTIONS
--uninstall
Uninstall an existing IPA installation
-U, --unattended
An unattended uninstallation that will never prompt for user input
EXIT STATUS
0 if the (un)installation was successful
1 if an error occurred
SEE ALSO
ipa-dns-install(1)
FreeIPA Jun 28 2012 ipa-server-install(1)
More information about the Freeipa-devel
mailing list