websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Upstream version 4.6.2

Browse Source
This commit is contained in:
Mario Fetka
2021-07-25 07:32:41 +02:00
commit 8ff3be4216
1788 changed files with 1900965 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
install/tools/man/Makefile.am Normal file
View File

@@ -0,0 +1,35 @@
# This file will be processed with automake-1.7 to create Makefile.in
AUTOMAKE_OPTIONS = 1.7
NULL=
dist_man1_MANS = \
ipa-replica-conncheck.1 \
ipa-replica-install.1 \
ipa-replica-manage.1 \
ipa-csreplica-manage.1 \
ipa-replica-prepare.1 \
ipa-server-certinstall.1 \
ipa-server-install.1 \
ipa-server-upgrade.1 \
ipa-dns-install.1 \
ipa-adtrust-install.1 \
ipa-ca-install.1 \
ipa-kra-install.1 \
ipa-ldap-updater.1 \
ipa-compat-manage.1 \
ipa-nis-manage.1 \
ipa-managed-entries.1 \
ipa-backup.1 \
ipa-restore.1 \
ipa-advise.1 \
ipa-otptoken-import.1 \
ipa-cacert-manage.1 \
ipa-winsync-migrate.1 \
ipa-pkinit-manage.1 \
$(NULL)
dist_man8_MANS = \
ipactl.8 \
$(NULL)

702
install/tools/man/Makefile.in Normal file
View File

@@ -0,0 +1,702 @@
# Makefile.in generated by automake 1.15.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2017 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE.
@SET_MAKE@
# This file will be processed with automake-1.7 to create Makefile.in
VPATH = @srcdir@
am__is_gnu_make = { \
if test -z '$(MAKELEVEL)'; then \
false; \
elif test -n '$(MAKE_HOST)'; then \
true; \
elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
true; \
else \
false; \
fi; \
}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
*) echo "am__make_running_with_option: internal error: invalid" \
"target option '$${target_option-}' specified" >&2; \
exit 1;; \
esac; \
has_opt=no; \
sane_makeflags=$$MAKEFLAGS; \
if $(am__is_gnu_make); then \
sane_makeflags=$$MFLAGS; \
else \
case $$MAKEFLAGS in \
*\\[\ \ ]*) \
bs=\\; \
sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
| sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
esac; \
fi; \
skip_next=no; \
strip_trailopt () \
{ \
flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
}; \
for flg in $$sane_makeflags; do \
test $$skip_next = yes && { skip_next=no; continue; }; \
case $$flg in \
*=*|--*) continue;; \
-*I) strip_trailopt 'I'; skip_next=yes;; \
-*I?*) strip_trailopt 'I';; \
-*O) strip_trailopt 'O'; skip_next=yes;; \
-*O?*) strip_trailopt 'O';; \
-*l) strip_trailopt 'l'; skip_next=yes;; \
-*l?*) strip_trailopt 'l';; \
-[dEDm]) skip_next=yes;; \
-[JT]) skip_next=yes;; \
esac; \
case $$flg in \
*$$target_option*) has_opt=yes; break;; \
esac; \
done; \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
install_sh_SCRIPT = $(install_sh) -c
INSTALL_HEADER = $(INSTALL_DATA)
transform = $(program_transform_name)
NORMAL_INSTALL = :
PRE_INSTALL = :
POST_INSTALL = :
NORMAL_UNINSTALL = :
PRE_UNINSTALL = :
POST_UNINSTALL = :
build_triplet = @build@
host_triplet = @host@
subdir = install/tools/man
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
$(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
$(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/VERSION.m4 \
$(top_srcdir)/server.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
CONFIG_CLEAN_VPATH_FILES =
AM_V_P = $(am__v_P_@AM_V@)
am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
am__v_P_0 = false
am__v_P_1 = :
AM_V_GEN = $(am__v_GEN_@AM_V@)
am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
am__v_GEN_0 = @echo " GEN " $@;
am__v_GEN_1 =
AM_V_at = $(am__v_at_@AM_V@)
am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
am__v_at_0 = @
am__v_at_1 =
SOURCES =
DIST_SOURCES =
am__can_run_installinfo = \
case $$AM_UPDATE_INFO_DIR in \
n|no|NO) false;; \
*) (install-info --version) >/dev/null 2>&1;; \
esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
am__install_max = 40
am__nobase_strip_setup = \
srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
am__nobase_strip = \
for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
am__nobase_list = $(am__nobase_strip_setup); \
for p in $$list; do echo "$$p $$p"; done | \
sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
$(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
if (++n[$$2] == $(am__install_max)) \
{ print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
END { for (dir in files) print dir, files[dir] }'
am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
}
man1dir = $(mandir)/man1
am__installdirs = "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"
man8dir = $(mandir)/man8
NROFF = nroff
MANS = $(dist_man1_MANS) $(dist_man8_MANS)
am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
am__DIST_COMMON = $(dist_man1_MANS) $(dist_man8_MANS) \
$(srcdir)/Makefile.in
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
API_VERSION = @API_VERSION@
AR = @AR@
AUTOCONF = @AUTOCONF@
AUTOHEADER = @AUTOHEADER@
AUTOMAKE = @AUTOMAKE@
AWK = @AWK@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CMOCKA_CFLAGS = @CMOCKA_CFLAGS@
CMOCKA_LIBS = @CMOCKA_LIBS@
CONFIG_STATUS = @CONFIG_STATUS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DIRSRV_CFLAGS = @DIRSRV_CFLAGS@
DIRSRV_LIBS = @DIRSRV_LIBS@
DLLTOOL = @DLLTOOL@
DSYMUTIL = @DSYMUTIL@
DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
INTLLIBS = @INTLLIBS@
INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_LIBS = @KRB5_LIBS@
LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
LIBOBJS = @LIBOBJS@
LIBPDB_NAME = @LIBPDB_NAME@
LIBS = @LIBS@
LIBTOOL = @LIBTOOL@
LIBVERTO_CFLAGS = @LIBVERTO_CFLAGS@
LIBVERTO_LIBS = @LIBVERTO_LIBS@
LIPO = @LIPO@
LN_S = @LN_S@
LTLIBICONV = @LTLIBICONV@
LTLIBINTL = @LTLIBINTL@
LTLIBOBJS = @LTLIBOBJS@
LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
MAKEINFO = @MAKEINFO@
MANIFEST_TOOL = @MANIFEST_TOOL@
MKDIR_P = @MKDIR_P@
MK_ASSIGN = @MK_ASSIGN@
MK_ELSE = @MK_ELSE@
MK_ENDIF = @MK_ENDIF@
MK_IFEQ = @MK_IFEQ@
MSGATTRIB = @MSGATTRIB@
MSGFMT = @MSGFMT@
MSGFMT_015 = @MSGFMT_015@
MSGMERGE = @MSGMERGE@
NAMED_GROUP = @NAMED_GROUP@
NDRNBT_CFLAGS = @NDRNBT_CFLAGS@
NDRNBT_LIBS = @NDRNBT_LIBS@
NDRPAC_CFLAGS = @NDRPAC_CFLAGS@
NDRPAC_LIBS = @NDRPAC_LIBS@
NDR_CFLAGS = @NDR_CFLAGS@
NDR_LIBS = @NDR_LIBS@
NM = @NM@
NMEDIT = @NMEDIT@
NSPR_CFLAGS = @NSPR_CFLAGS@
NSPR_LIBS = @NSPR_LIBS@
NSS_CFLAGS = @NSS_CFLAGS@
NSS_LIBS = @NSS_LIBS@
NUM_VERSION = @NUM_VERSION@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
ODS_USER = @ODS_USER@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON2 = @PYTHON2@
PYTHON3 = @PYTHON3@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SSSCERTMAP_CFLAGS = @SSSCERTMAP_CFLAGS@
SSSCERTMAP_LIBS = @SSSCERTMAP_LIBS@
SSSIDMAP_CFLAGS = @SSSIDMAP_CFLAGS@
SSSIDMAP_LIBS = @SSSIDMAP_LIBS@
SSSNSSIDMAP_CFLAGS = @SSSNSSIDMAP_CFLAGS@
SSSNSSIDMAP_LIBS = @SSSNSSIDMAP_LIBS@
STRIP = @STRIP@
TALLOC_CFLAGS = @TALLOC_CFLAGS@
TALLOC_LIBS = @TALLOC_LIBS@
TEVENT_CFLAGS = @TEVENT_CFLAGS@
TEVENT_LIBS = @TEVENT_LIBS@
UNISTRING_LIBS = @UNISTRING_LIBS@
UNLINK = @UNLINK@
USE_NLS = @USE_NLS@
UUID_CFLAGS = @UUID_CFLAGS@
UUID_LIBS = @UUID_LIBS@
VENDOR_SUFFIX = @VENDOR_SUFFIX@
VERSION = @VERSION@
XGETTEXT = @XGETTEXT@
XGETTEXT_015 = @XGETTEXT_015@
XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
XMLRPC_CFLAGS = @XMLRPC_CFLAGS@
XMLRPC_LIBS = @XMLRPC_LIBS@
abs_builddir = @abs_builddir@
abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
datadir = @datadir@
datarootdir = @datarootdir@
docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
i18ntests = @i18ntests@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
krb5rundir = @krb5rundir@
libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
pdfdir = @pdfdir@
pkgpyexecdir = @pkgpyexecdir@
pkgpythondir = @pkgpythondir@
prefix = @prefix@
program_transform_name = @program_transform_name@
psdir = @psdir@
pyexecdir = @pyexecdir@
pythondir = @pythondir@
sbindir = @sbindir@
sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
AUTOMAKE_OPTIONS = 1.7
NULL =
dist_man1_MANS = \
ipa-replica-conncheck.1 \
ipa-replica-install.1 \
ipa-replica-manage.1 \
ipa-csreplica-manage.1 \
ipa-replica-prepare.1 \
ipa-server-certinstall.1 \
ipa-server-install.1 \
ipa-server-upgrade.1 \
ipa-dns-install.1 \
ipa-adtrust-install.1 \
ipa-ca-install.1 \
ipa-kra-install.1 \
ipa-ldap-updater.1 \
ipa-compat-manage.1 \
ipa-nis-manage.1 \
ipa-managed-entries.1 \
ipa-backup.1 \
ipa-restore.1 \
ipa-advise.1 \
ipa-otptoken-import.1 \
ipa-cacert-manage.1 \
ipa-winsync-migrate.1 \
ipa-pkinit-manage.1 \
$(NULL)
dist_man8_MANS = \
ipactl.8 \
$(NULL)
all: all-am
.SUFFIXES:
$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
&& { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign install/tools/man/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign install/tools/man/Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
*) \
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
esac;
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(am__aclocal_m4_deps):
mostlyclean-libtool:
-rm -f *.lo
clean-libtool:
-rm -rf .libs _libs
install-man1: $(dist_man1_MANS)
@$(NORMAL_INSTALL)
@list1='$(dist_man1_MANS)'; \
list2=''; \
test -n "$(man1dir)" \
&& test -n "`echo $$list1$$list2`" \
|| exit 0; \
echo " $(MKDIR_P) '$(DESTDIR)$(man1dir)'"; \
$(MKDIR_P) "$(DESTDIR)$(man1dir)" || exit 1; \
{ for i in $$list1; do echo "$$i"; done; \
if test -n "$$list2"; then \
for i in $$list2; do echo "$$i"; done \
| sed -n '/\.1[a-z]*$$/p'; \
fi; \
} | while read p; do \
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; echo "$$p"; \
done | \
sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
sed 'N;N;s,\n, ,g' | { \
list=; while read file base inst; do \
if test "$$base" = "$$inst"; then list="$$list $$file"; else \
echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \
$(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst" || exit $$?; \
fi; \
done; \
for i in $$list; do echo "$$i"; done | $(am__base_list) | \
while read files; do \
test -z "$$files" || { \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man1dir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(man1dir)" || exit $$?; }; \
done; }
uninstall-man1:
@$(NORMAL_UNINSTALL)
@list='$(dist_man1_MANS)'; test -n "$(man1dir)" || exit 0; \
files=`{ for i in $$list; do echo "$$i"; done; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
dir='$(DESTDIR)$(man1dir)'; $(am__uninstall_files_from_dir)
install-man8: $(dist_man8_MANS)
@$(NORMAL_INSTALL)
@list1='$(dist_man8_MANS)'; \
list2=''; \
test -n "$(man8dir)" \
&& test -n "`echo $$list1$$list2`" \
|| exit 0; \
echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
$(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
{ for i in $$list1; do echo "$$i"; done; \
if test -n "$$list2"; then \
for i in $$list2; do echo "$$i"; done \
| sed -n '/\.8[a-z]*$$/p'; \
fi; \
} | while read p; do \
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; echo "$$p"; \
done | \
sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
sed 'N;N;s,\n, ,g' | { \
list=; while read file base inst; do \
if test "$$base" = "$$inst"; then list="$$list $$file"; else \
echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
$(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
fi; \
done; \
for i in $$list; do echo "$$i"; done | $(am__base_list) | \
while read files; do \
test -z "$$files" || { \
echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
$(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
done; }
uninstall-man8:
@$(NORMAL_UNINSTALL)
@list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \
files=`{ for i in $$list; do echo "$$i"; done; \
} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
-e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
tags TAGS:
ctags CTAGS:
cscope cscopelist:
distdir: $(DISTFILES)
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
dist_files=`for file in $$list; do echo $$file; done | \
sed -e "s|^$$srcdirstrip/||;t" \
-e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
case $$dist_files in \
*/*) $(MKDIR_P) `echo "$$dist_files" | \
sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
sort -u` ;; \
esac; \
for file in $$dist_files; do \
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
if test -d "$(distdir)/$$file"; then \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
test -f "$(distdir)/$$file" \
|| cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
check-am: all-am
check: check-am
all-am: Makefile $(MANS)
installdirs:
for dir in "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: install-am
install-exec: install-exec-am
install-data: install-data-am
uninstall: uninstall-am
install-am: all-am
@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
installcheck: installcheck-am
install-strip:
if test -z '$(STRIP)'; then \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
install; \
else \
$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
"INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
fi
mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@echo "it deletes files that may require special tools to rebuild."
clean: clean-am
clean-am: clean-generic clean-libtool mostlyclean-am
distclean: distclean-am
-rm -f Makefile
distclean-am: clean-am distclean-generic
dvi: dvi-am
dvi-am:
html: html-am
html-am:
info: info-am
info-am:
install-data-am: install-man
install-dvi: install-dvi-am
install-dvi-am:
install-exec-am:
install-html: install-html-am
install-html-am:
install-info: install-info-am
install-info-am:
install-man: install-man1 install-man8
install-pdf: install-pdf-am
install-pdf-am:
install-ps: install-ps-am
install-ps-am:
installcheck-am:
maintainer-clean: maintainer-clean-am
-rm -f Makefile
maintainer-clean-am: distclean-am maintainer-clean-generic
mostlyclean: mostlyclean-am
mostlyclean-am: mostlyclean-generic mostlyclean-libtool
pdf: pdf-am
pdf-am:
ps: ps-am
ps-am:
uninstall-am: uninstall-man
uninstall-man: uninstall-man1 uninstall-man8
.MAKE: install-am install-strip
.PHONY: all all-am check check-am clean clean-generic clean-libtool \
cscopelist-am ctags-am distclean distclean-generic \
distclean-libtool distdir dvi dvi-am html html-am info info-am \
install install-am install-data install-data-am install-dvi \
install-dvi-am install-exec install-exec-am install-html \
install-html-am install-info install-info-am install-man \
install-man1 install-man8 install-pdf install-pdf-am \
install-ps install-ps-am install-strip installcheck \
installcheck-am installdirs maintainer-clean \
maintainer-clean-generic mostlyclean mostlyclean-generic \
mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \
uninstall-am uninstall-man uninstall-man1 uninstall-man8
.PRECIOUS: Makefile
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:

148
install/tools/man/ipa-adtrust-install.1 Normal file
View File

@@ -0,0 +1,148 @@
.\" A man page for ipa-adtrust-install
.\" Copyright (C) 2011 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Sumit Bose <sbose@redhat.com>
.\"
.TH "ipa-adtrust-install" "1" "April 11 2017" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains
.SH "SYNOPSIS"
ipa\-adtrust\-install [\fIOPTION\fR]...
.SH "DESCRIPTION"
Adds all necessary objects and configuration to allow an IPA server to create a
trust to an Active Directory domain. This requires that the IPA server is
already installed and configured.
Please note you will not be able to establish a trust to an Active Directory
domain unless the realm name of the IPA server matches its domain name.
ipa\-adtrust\-install can be run multiple times to reinstall deleted objects or
broken configuration files. E.g. a fresh samba configuration (smb.conf) file and
registry based configuration can be created. Other items like e.g. the
configuration of the local range cannot be changed by running
ipa\-adtrust\-install a second time because with changes here other objects
might be affected as well.
.SS "Firewall Requirements"
In addition to the IPA server firewall requirements, ipa\-adtrust\-install requires
the following ports to be open to allow IPA and Active Directory to communicate together:
\fBTCP Ports\fR
.IP
\(bu 135/tcp EPMAP
.IP
\(bu 138/tcp NetBIOS-DGM
.IP
\(bu 139/tcp NetBIOS-SSN
.IP
\(bu 445/tcp Microsoft-DS
.IP
\(bu 1024/tcp through 1300/tcp to allow EPMAP on port 135/tcp to create a TCP listener based
on an incoming request.
.IP
\(bu 3268/tcp Microsoft-GC
.TP
\fBUDP Ports\fR
.IP
\(bu 138/udp NetBIOS-DGM
.IP
\(bu 139/udp NetBIOS-SSN
.IP
\(bu 389/udp LDAP
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed.
.TP
\fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
The NetBIOS name for the IPA domain. If not provided then this is determined
based on the leading component of the DNS domain name. Running
ipa\-adtrust\-install for a second time with a different NetBIOS name will
change the name. Please note that changing the NetBIOS name might break
existing trust relationships to other domains.
.TP
\fB\-\-add\-sids\fR
Add SIDs to existing users and groups as one of the final steps of the
ipa\-adtrust\-install run. If there a many existing users and groups and a
couple of replicas in the environment this operation might lead to a high
replication traffic and a performance degradation of all IPA servers in the
environment. To avoid this the SID generation can be run after
ipa\-adtrust\-install is run and scheduled independently. To start this task
you have to load an edited version of ipa-sidgen-task-run.ldif with the
ldapmodify command info the directory server.
.TP
\fB\-\-add\-agents\fR
Add IPA masters to the list that allows to serve information about
users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master
can provide this information to SSSD clients. IPA masters aren't added
to the list automatically as restart of the LDAP service on each of them
is required. The host where ipa\-adtrust\-install is being run is added
automatically.
.IP
Note that IPA masters where ipa\-adtrust\-install wasn't run, can serve
information about users from trusted forests only if they are enabled
via \ipa-adtrust\-install run on any other IPA master. At least SSSD
version 1.13 on IPA master is required to be able to perform as a trust agent.
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input.
.TP
\fB\-\-rid-base\fR=\fIRID_BASE\fR
First RID value of the local domain. The first POSIX ID of the local domain will
be assigned to this RID, the second to RID+1 etc. See the online help of the
idrange CLI for details.
.TP
\fB\-\-secondary-rid-base\fR=\fISECONDARY_RID_BASE\fR
Start value of the secondary RID range, which is only used in the case a user
and a group share numerically the same POSIX ID. See the online help of the
idrange CLI for details.
.TP
\fB\-A\fR, \fB\-\-admin\-name\fR=\fIADMIN_NAME\fR
The name of the user with administrative privileges for this IPA server. Defaults to 'admin'.
.TP
\fB\-a\fR, \fB\-\-admin\-password\fR=\fIpassword\fR
The password of the user with administrative privileges for this IPA server. Will be asked interactively if \fB\-U\fR is not specified.
.TP
The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust\-add \-\-type=ad' command.
.TP
\fB\-\-enable\-compat\fR
Enables support for trusted domains users for old clients through Schema Compatibility plugin.
SSSD supports trusted domains natively starting with version 1.9. For platforms that
lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi\-nis package
needs to be installed and schema\-compat\-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and groups will be
available under \fBcn=users,cn=compat,$SUFFIX\fR and \fBcn=groups,cn=compat,$SUFFIX\fR trees.
SSSD will normalize names of users and groups to lower case.
.IP
In addition to providing these users and groups through the compat tree, this option enables
authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN
\fBuid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX\fR.
.IP
LDAP authentication performed by the compat tree is done via PAM '\fBsystem\-auth\fR' service.
This service exists by default on Linux systems and is provided by pam package as /etc/pam.d/system\-auth.
If your IPA install does not have default HBAC rule 'allow_all' enabled, then make sure
to define in IPA special service called '\fBsystem\-auth\fR' and create an HBAC
rule to allow access to anyone to this rule on IPA masters.
.IP
As '\fBsystem\-auth\fR' PAM service is not used directly by any other
application, it is safe to use it for trusted domain users via compatibility
path.
.TP
.SH "EXIT STATUS"
0 if the installation was successful
1 if an error occurred

44
install/tools/man/ipa-advise.1 Normal file
View File

@@ -0,0 +1,44 @@
.\" A man page for ipa-advise
.\" Copyright (C) 2013 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Tomas Babej <tbabej@redhat.com>
.\"
.TH "ipa-advise" "1" "Jun 10 2013" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-advise \- Provide configurations advice for various use cases.
.SH "SYNOPSIS"
ipa\-advise ADVICE
.SH "DESCRIPTION"
Provides customized advice for various IPA configuration issues.
.TP
For the list of possible ADVICEs available, run the ipa\-advise with no arguments.
.SH "OPTIONS"
.TP
\fB\-\-v\fR, \fB\-\-verbose\fR
Print debugging information
.TP
\fB\-d\fR, \fB\-\-debug\fR
Alias for \-\-verbose
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

84
install/tools/man/ipa-backup.1 Normal file
View File

@@ -0,0 +1,84 @@
.\" A man page for ipa-backup
.\" Copyright (C) 2013 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-backup" "1" "Mar 22 2013" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-backup \- Back up an IPA master
.SH "SYNOPSIS"
ipa\-backup [\fIOPTION\fR]...
.SH "DESCRIPTION"
Two kinds of backups: full and data\-only.
.TP
The back up is optionally encrypted using either the default root GPG key or a named key. No passphrase is supported.
.TP
Backups are stored in a subdirectory in /var/lib/ipa/backup.
.TP
The naming convention for full backups is ipa\-full\-YEAR\-MM\-DD\-HH\-MM\-SS in the GMT time zone.
.TP
The naming convention for data backups is ipa\-data\-YEAR\-MM\-DD\-HH\-MM\-SS In the GMT time zone.
.TP
Within the subdirectory is file, header, that describes the back up including the type, system, date of backup, the version of IPA, the version of the backup and the services on the master.
.TP
A backup can not be restored on another host.
.TP
A backup can not be restored in a different version of IPA.
.SH "OPTIONS"
.TP
\fB\-\-data\fR
Back up data only. The default is to back up all IPA files plus data.
.TP
\fB\-\-gpg\fR
Encrypt the back up file.
.TP
\fB\-\-gpg\-keyring\fR=\fIGPG_KEYRING\fR
The full path to a GPG keyring. The keyring consists of two files, a public and a private key (.sec and .pub respectively). Specify the path without an extension.
.TP
\fB\-\-logs\fR
Include the IPA service log files in the backup.
.TP
\fB\-\-online\fR
Perform the backup on\-line. Requires the \-\-data option.
.TP
\fB\-\-v\fR, \fB\-\-verbose\fR
Print debugging information
.TP
\fB\-d\fR, \fB\-\-debug\fR
Alias for \-\-verbose
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
.SH "FILES"
.PP
\fI/var/lib/ipa/backup\fR
.RS 4
The default directory for storing backup files.
.RE
.PP
\fl/var/log/ipabackup.log\fR
.RS 4
The log file for backups
.PP
.SH "SEE ALSO"
ipa\-restore(1).

98
install/tools/man/ipa-ca-install.1 Normal file
View File

@@ -0,0 +1,98 @@
.\" A man page for ipa-ca-install
.\" Copyright (C) 2011-2017 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-ca-install" "1" "Mar 30 2017" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-ca\-install \- Install a CA on a server
.SH "SYNOPSIS"
.SS "DOMAIN LEVEL 0"
.TP
ipa\-ca\-install [\fIOPTION\fR]... [replica_file]
.SS "DOMAIN LEVEL 1"
.TP
ipa\-ca\-install [\fIOPTION\fR]...
.SH "DESCRIPTION"
Adds a CA as an IPA\-managed service. This requires that the IPA server is already installed and configured.
In a domain at domain level 0, you can run ipa\-ca\-install without replica_file to upgrade from CA-less to CA-full, or with replica_file to install the CA service on the replica.
The replica_file is created using the ipa\-replica\-prepare utility and should be the same one used when originally installing the replica.
In a domain at domain level 1, ipa\-ca\-install can be used to upgrade from CA-less to CA-full or to install the CA service on a replica, and does not require any replica file.
.SH "OPTIONS"
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
Directory Manager (existing master) password
.TP
\fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=\fIADMIN_PASSWORD\fR
Admin user Kerberos password used for connection check
.TP
\fB\-\-external\-ca\fR
Generate a CSR for the IPA CA certificate to be signed by an external CA.
.TP
\fB\-\-external\-ca\-type\fR=\fITYPE\fR
Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include the template name required by Microsoft Certificate Services (MS CS) in the generated CSR (see \fB\-\-external\-ca\-profile\fR for full details).
.TP
\fB\-\-external\-ca\-profile\fR=\fIPROFILE_SPEC\fR
Specify the certificate profile or template to use at the external CA.
When \fB\-\-external\-ca\-type\fR is "ms-cs" the following specifiers may be used:
.RS
.TP
\fB<oid>:<majorVersion>[:<minorVersion>]\fR
Specify a certificate template by OID and major version, optionally also specifying minor version.
.TP
\fB<name>\fR
Specify a certificate template by name. The name cannot contain any \fI:\fR characters and cannot be an OID (otherwise the OID-based template specifier syntax takes precedence).
.TP
\fBdefault\fR
If no template is specified, the template name "SubCA" is used.
.RE
.TP
\fB\-\-external\-cert\-file\fR=\fIFILE\fR
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
.TP
\fB\-\-ca\-subject\fR=\fISUBJECT\fR
The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
.TP
\fB\-\-subject\-base\fR=\fISUBJECT\fR
The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
.TP
\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
.TP
\fB\-\-no\-host\-dns\fR
Do not use DNS for hostname lookup during installation
.TP
\fB\-\-skip\-conncheck\fR
Skip connection check to remote master
.TP
\fB\-\-skip\-schema\-check\fR
Skip check for updated CA DS schema on the remote master
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

129
install/tools/man/ipa-cacert-manage.1 Normal file
View File

@@ -0,0 +1,129 @@
.\" A man page for ipa-cacert-manage
.\" Copyright (C) 2014 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Jan Cholasta <jcholast@redhat.com>
.\"
.TH "ipa-cacert-manage" "1" "Aug 12 2013" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-cacert\-manage \- Manage CA certificates in IPA
.SH "SYNOPSIS"
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] renew
.RE
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] install \fICERTFILE\fR
.SH "DESCRIPTION"
\fBipa\-cacert\-manage\fR can be used to manage CA certificates in IPA.
.SH "COMMANDS"
.TP
\fBrenew\fR
\- Renew the IPA CA certificate
.sp
.RS
This command can be used to manually renew the CA certificate of the IPA CA (NSS database nickname: "caSigningCert cert-pki-ca"). To renew other certificates, use getcert-resubmit(1).
.sp
When the IPA CA is the root CA (the default), it is not usually necessary to manually renew the CA certificate, as it will be renewed automatically when it is about to expire, but you can do so if you wish.
.sp
When the IPA CA is subordinate of an external CA, the renewal process involves submitting a CSR to the external CA and installing the newly issued certificate in IPA, which cannot be done automatically. It is necessary to manually renew the CA certificate in this setup.
.sp
When the IPA CA is not configured, this command is not available.
.RE
.TP
\fBinstall\fR
\- Install a CA certificate
.sp
.RS
This command can be used to install the certificate contained in \fICERTFILE\fR as an additional CA certificate to IPA.
.sp
Important: this does not replace IPA CA but adds the provided certificate as a known CA. This is useful for instance when using ipa-server-certinstall to replace HTTP/LDAP certificates with third-party certificates signed by this additional CA.
.sp
Please do not forget to run ipa-certupdate on the master, all the replicas and all the clients after this command in order to update IPA certificates databases.
.RE
.SH "COMMON OPTIONS"
.TP
\fB\-\-version\fR
Show the program's version and exit.
.TP
\fB\-h\fR, \fB\-\-help\fR
Show the help for this program.
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
The Directory Manager password to use for authentication.
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information.
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors.
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file.
.RE
.SH "RENEW OPTIONS"
.TP
\fB\-\-self\-signed\fR
Sign the renewed certificate by itself.
.TP
\fB\-\-external\-ca\fR
Sign the renewed certificate by external CA.
.TP
\fB\-\-external\-ca\-type\fR=\fITYPE\fR
Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include the template name required by Microsoft Certificate Services (MS CS) in the generated CSR (see \fB\-\-external\-ca\-profile\fR for full details).
.TP
\fB\-\-external\-ca\-profile\fR=\fIPROFILE_SPEC\fR
Specify the certificate profile or template to use at the external CA.
When \fB\-\-external\-ca\-type\fR is "ms-cs" the following specifiers may be used:
.RS
.TP
\fB<oid>:<majorVersion>[:<minorVersion>]\fR
Specify a certificate template by OID and major version, optionally also specifying minor version.
.TP
\fB<name>\fR
Specify a certificate template by name. The name cannot contain any \fI:\fR characters and cannot be an OID (otherwise the OID-based template specifier syntax takes precedence).
.TP
\fBdefault\fR
If no template is specified, the template name "SubCA" is used.
.RE
.TP
\fB\-\-external\-cert\-file\fR=\fIFILE\fR
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
.RE
.SH "INSTALL OPTIONS"
.TP
\fB\-n\fR \fINICKNAME\fR, \fB\-\-nickname\fR=\fINICKNAME\fR
Nickname for the certificate.
.TP
\fB\-t\fR \fITRUST_FLAGS\fR, \fB\-\-trust\-flags\fR=\fITRUST_FLAGS\fR
Trust flags for the certificate in certutil format. Trust flags are of the form "A,B,C" or "A,B,C,D" where A is for SSL, B is for S/MIME, C is for code signing, and D is for PKINIT. Use ",," for no explicit trust.
.sp
The supported trust flags are:
.RS
.IP
C \- CA trusted to issue server certificates
.IP
T \- CA trusted to issue client certificates
.IP
p \- not trusted
.RE
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
.SH "SEE ALSO"
.BR getcert-resubmit(1)

47
install/tools/man/ipa-compat-manage.1 Normal file
View File

@@ -0,0 +1,47 @@
.\" A man page for ipa-compat-manage
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Simo Sorce <ssorce@redhat.com>
.\"
.TH "ipa-compat-manage" "1" "Dec 2 2008" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-compat\-manage \- Enables or disables the schema compatibility plugin
.SH "SYNOPSIS"
ipa\-compat\-manage [options] <enable|disable|status>
.SH "DESCRIPTION"
Run the command with the \fBenable\fR option to enable the compat plugin.
Run the command with the \fBdisable\fR option to disable the compat plugin.
Run the command with the \fBstatus\fR to determine the current status of the compat plugin.
In all cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used.
Directory Server will need to be restarted after the schema compatibility plugin has been enabled.
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
.TP
\fB\-y\fR \fIfile\fR
File containing the Directory Manager password
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
2 if the plugin is already in the required status (enabled or disabled)

103
install/tools/man/ipa-csreplica-manage.1 Normal file
View File

@@ -0,0 +1,103 @@
.\" A man page for ipa-csreplica-manage
.\" Copyright (C) 2011 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-csreplica-manage" "1" "Jul 14 2011" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-csreplica\-manage \- Manage an IPA CS replica
.SH "SYNOPSIS"
ipa\-csreplica\-manage [\fIOPTION\fR]... [connect|disconnect|del|list|re\-initialize|force\-sync]
.SH "DESCRIPTION"
Manages the CA replication agreements of an IPA server for domain at domain level 0.
To manage CA replication agreements in a domain at domain level 1, use IPA CLI or Web UI, see `ipa help topology` for additional information.
.TP
\fBconnect\fR [SERVER_A] <SERVER_B>
\- Adds a new replication agreement between SERVER_A/localhost and SERVER_B. Applicable only at domain level 0.
.TP
\fBdisconnect\fR [SERVER_A] <SERVER_B>
\- Removes a replication agreement between SERVER_A/localhost and SERVER_B. Applicable only at domain level 0.
.TP
\fBdel\fR <SERVER>
\- Removes all replication agreements and data about SERVER. Applicable only at domain level 0.
.TP
\fBlist\fR [SERVER]
\- Lists all the servers or the list of agreements of SERVER
.TP
\fBre\-initialize\fR
\- Forces a full re\-initialization of the IPA CA server retrieving data from the server specified with the \-\-from option
.TP
\fBforce\-sync\fR
\- Immediately flush any data to be replicated from a server specified with the \-\-from option
.TP
\fBset\-renewal\-master\fR [SERVER]
\- Set CA server which handles renewal of CA subsystem certificates to SERVER
.TP
The connect and disconnect options are used to manage the replication topology. When a replica is created it is only connected with the master that created it. The connect option may be used to connect it to other existing replicas.
.TP
The disconnect option cannot be used to remove the last link of a replica. To remove a replica from the topology use the del option.
.TP
If a replica is deleted and then re\-added within a short time-frame then the 389\-ds instance on the master that created it should be restarted before re\-installing the replica. The master will have the old service principals cached which will cause replication to fail.
.SH "OPTIONS"
.TP
\fB\-H\fR \fIHOST\fR, \fB\-\-host\fR=\fIHOST\fR
The IPA server to manage.
The default is the machine on which the command is run
Not honoured by the re\-initialize command.
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
The Directory Manager password to use for authentication
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Provide additional information
.TP
\fB\-f\fR, \fB\-\-force\fR
Ignore some types of errors
.TP
\fB\-\-from\fR=\fISERVER\fR
The server to pull the data from, used by the re\-initialize and force\-sync commands.
.SH "EXAMPLES"
.TP
List a server's replication agreements.
# ipa\-csreplica\-manage list srv1.example.com
srv2.example.com
srv3.example.com
.TP
Re\-initialize a replica:
# ipa\-csreplica\-manage re\-initialize \-\-from srv2.example.com
This will re\-initialize the data on the server where you execute the command, retrieving the data from the srv2.example.com replica
.TP
Add a new replication agreement:
# ipa\-csreplica\-manage connect srv2.example.com srv4.example.com
.TP
Remove an existing replication agreement:
# ipa\-csreplica\-manage disconnect srv1.example.com srv3.example.com
.TP
Completely remove a replica at domain level 0:
# ipa\-csreplica\-manage del srv4.example.com
.TP
Completely remove a replica at domain level 1:
# ipa\-replica\-manage del srv4.example.com
.TP
Using connect/disconnect you can manage the replication topology.
.SH "EXIT STATUS"
0 if the command was successful
.TP
1 if an error occurred

79
install/tools/man/ipa-dns-install.1 Normal file
View File

@@ -0,0 +1,79 @@
.\" A man page for ipa-dns-install
.\" Copyright (C) 2010-2016 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-dns-install" "1" "Jun 28, 2012" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-dns\-install \- Add DNS as a service to an IPA server
.SH "SYNOPSIS"
ipa\-dns\-install [\fIOPTION\fR]...
.SH "DESCRIPTION"
Configure an integrated DNS server on this IPA server, create DNS zone with the name of the IPA primary DNS domain, and fill it in with service records necessary for IPA deployment.
In cases where the IPA server name does not belong to the primary DNS domain and is not resolvable using DNS, create a DNS zone containing the IPA server name as well.
IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.
The DNS component in FreeIPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
This command requires that an IPA server is already installed and configured.
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
.TP
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
The IP address of the IPA server. If not provided then this is determined based on the hostname of the server.
This this option can be used multiple times to specify more IP addresses of the server (e.g. multihomed and/or dualstacked server).
.TP
\fB\-\-forwarder\fR=\fIFORWARDER\fR
A forwarder is a DNS server where queries for a specific non\-resolvable address can be directed. To define multiple forwarders use multiple instances of \fB\-\-forwarder\fR
.TP
\fB\-\-no\-forwarders\fR
Do not add any DNS forwarders, send non\-resolvable addresses to the DNS root servers.
.TP
\fB\-\-auto\-forwarders\fR
Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS.
.TP
\fB\-\-forward\-policy\fR=\fIfirst|only\fR
DNS forwarding policy for global forwarders specified using other options.
Defaults to first if no IP address belonging to a private or reserved ranges is
detected on local interfaces (RFC 6303). Defaults to only if a private
IP address is detected.
.TP
\fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
The reverse DNS zone to use. This option can be used multiple times to specify multiple reverse zones.
.TP
\fB\-\-no\-reverse\fR
Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used.
.TP
\fB\-\-auto\-reverse\fR
Try to resolve reverse records and reverse zones for server IP addresses and if neither is resolvable creates these reverse zones.
.TP
\fB\-\-no\-dnssec\-validation\fR
Disable DNSSEC validation on this server.
.TP
\fB\-\-dnssec\-master\fR
Setup server to be DNSSEC key master.
.TP
\fB\-\-disable\-dnssec\-master\fR
Disable the DNSSEC master on this server.
.TP
\fB\-\-kasp\-db\fR=\fIKASP_DB\fR
Copy OpenDNSSEC metadata from the specified kasp.db file. This will not create a new kasp.db file.
.TP
\fB\-\-zonemgr\fR
The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
.TP
\fB\-\-allow\-zone\-overlap\fR
Allow creatin of (reverse) zone even if the zone is already resolvable. Using this option is discouraged as it result in later problems with domain name resolution.
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input
.SH "DEPRECATED OPTIONS"
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR
The password to be used by the Directory Server for the Directory Manager user
.SH "EXIT STATUS"
0 if the installation was successful
1 if an error occurred

64
install/tools/man/ipa-kra-install.1 Normal file
View File

@@ -0,0 +1,64 @@
.\" A man page for ipa-kra-install
.\" Copyright (C) 2014 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Ade Lee <alee@redhat.com>
.\"
.TH "ipa-kra-install" "1" "May 10 2017" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-kra\-install \- Install a KRA on a server
.SH "SYNOPSIS"
.SS "DOMAIN LEVEL 0"
.TP
ipa\-kra\-install [\fIOPTION\fR]... [replica_file]
.SS "DOMAIN LEVEL 1"
.TP
ipa\-kra\-install [\fIOPTION\fR]...
.SH "DESCRIPTION"
Adds a KRA as an IPA\-managed service. This requires that the IPA server is already installed and configured, including a CA.
The KRA (Key Recovery Authority) is a component used to securely store secrets such as passwords, symmetric keys and private asymmetric keys. It is used as the back-end repository for the IPA Password Vault.
In a domain at domain level 0, ipa\-kra\-install can be run without replica_file to add KRA to the existing CA, or with replica_file to install the KRA service on the replica.
ipa\-kra\-install will contact the CA to determine if a KRA has already been installed on another replica, and if so, will exit indicating that a replica_file is required.
The replica_file is created using the ipa\-replica\-prepare utility. A new replica_file should be generated on the master IPA server after the KRA has been installed and configured, so that the replica_file will contain the master KRA configuration and system certificates.
In a domain at domain level 1, ipa\-kra\-install can be used to add KRA to the existing CA, or to install the KRA service on a replica, and does not require any replica file.
KRA can only be removed along with the entire server using ipa\-server\-install \-\-uninstall.
.SH "OPTIONS"
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
Directory Manager (existing master) password
.TP
\fB\-\-no-host-dns\fR
Do not use DNS for hostname lookup during installation
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Enable debug output when more verbose output is needed
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors
.TP
\fB\-\-log-file\fR=\fRFILE\fR
Log to the given file
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

97
install/tools/man/ipa-ldap-updater.1 Normal file
View File

@@ -0,0 +1,97 @@
.\" A man page for ipa-ldap-updater
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-ldap-updater" "1" "Sep 12 2008" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-ldap\-updater \- Update the IPA LDAP configuration
.SH "SYNOPSIS"
ipa\-ldap\-updater [options] input_file(s)
.SH "DESCRIPTION"
ipa\-ldap\-updater is utility which can be used to update the IPA LDAP server.
An update file describes an LDAP entry and a set of operations to be performed on that entry. It can be used to add new entries or modify existing entries.
Blank lines and lines beginning with # are ignored.
There are 7 keywords:
* default: the starting value
* add: add a value to an attribute
* remove: remove a value from an attribute
* only: set an attribute to this
* onlyifexist: set an attribute to this only if the entry exists
* deleteentry: remove the entry
* replace: replace an existing value, format is old::new
* addifnew: add a new attribute and value only if the attribute doesn't already exist. Only works with single\-value attributes.
* addifexist: add a new attribute and value only if the entry exists. This is used to update optional entries.
The difference between the default and add keywords is if the DN of the entry exists then default is ignored. So for updating something like schema, which will be under cn=schema, you must always use add (because cn=schema is guaranteed to exist). It will not re\-add the same information again and again.
It also provides some things that can be templated such as architecture (for plugin paths), realm and domain name.
The available template variables are:
* $REALM \- the kerberos realm (EXAMPLE.COM)
* $FQDN \- the fully\-qualified domain name of the IPA server being updated (ipa.example.com)
* $DOMAIN \- the domain name (example.com)
* $SUFFIX \- the IPA LDAP suffix (dc=example,dc=com)
* $ESCAPED_SUFFIX \- the ldap\-escaped IPA LDAP suffix
* $LIBARCH \- set to 64 on x86_64 systems to be used for plugin paths
* $TIME \- an integer representation of current time
For base64 encoded values a double colon ('::') must be used between attribute and value.
Base64 format examples:
add:binaryattr::d2UgbG92ZSBiYXNlNjQ=
replace:binaryattr::SVBBIGlzIGdyZWF0::SVBBIGlzIHJlYWxseSBncmVhdA==
A few rules:
1. Only one rule per line
2. Each line stands alone (e.g. an only followed by an only results in the last only being used)
3. Adding a value that exists is ok. The request is ignored, duplicate values are not added
4. Removing a value that doesn't exist is ok. It is simply ignored.
5. If a DN doesn't exist it is created from the 'default' entry and all updates are applied
6. If a DN does exist the default values are skipped
7. Only the first rule on a line is respected
ipa-ldap-updater allows to execute update plugins.
Plugins to be executed are specified with following keyword, in update files:
* plugin: name of plugin
This keyword is not bounded to DN, and plugin names have to be registered in API.
Additionally, ipa-ldap-updater can update the schema based on LDIF files.
Any missing object classes and attribute types are added, and differing ones are updated to match the LDIF file.
To enable this behavior, use the \-\-schema-file options.
Schema files should be in LDIF format, and may only specify attributeTypes and objectClasses attributes of cn=schema.
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
.TP
\fB\-u\fR, \fB\-\-upgrade\fR
Upgrade an installed server in offline mode (implies \-\-schema)
.TP
\fB\-S\fR, \fB\-\-schema\-file\fR
Specify a schema file. May be used multiple times. Implies \-\-schema.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

56
install/tools/man/ipa-managed-entries.1 Normal file
View File

@@ -0,0 +1,56 @@
.\" A man page for ipa-managed-entries
.\" Copyright (C) 2011 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Jr Aquino <jr.aquino@citrix.com>
.\"
.TH "ipa-managed-entries" "1" "Feb 06 2012" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-managed\-entries \- Enables or disables the schema Managed Entry plugins
.SH "SYNOPSIS"
ipa\-managed\-entries [options] <enable|disable|status>
.SH "DESCRIPTION"
Run the command with the \fBenable\fR option to enable the Managed Entry plugin.
Run the command with the \fBdisable\fR option to disable the Managed Entry plugin.
Run the command with the \fBstatus\fR to determine the current status of the Managed Entry plugin.
In all cases the user will be prompted to provide the Directory Manager's password unless option \fB\-p\fR is used.
Directory Server will need to be restarted after the Managed Entry plugin has been enabled.
.SH "OPTIONS"
.TP
\fB\-h\fR, \fB\-\-help\fR
Show a help message and exit
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
.TP
\fB\-e\fR, \fB\-\-entry\fR
DN for the Managed Entry Definition
.TP
\fB\-l\fR, \fB-\-list\fR
List available Managed Entries
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
The Directory Manager password to use for authentication
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
2 if the plugin is already in the required status (enabled or disabled)

51
install/tools/man/ipa-nis-manage.1 Normal file
View File

@@ -0,0 +1,51 @@
.\" A man page for ipa-nis-manage
.\" Copyright (C) 2009 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-nis-manage" "1" "April 25 2016" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-nis\-manage \- Enables or disables the NIS listener plugin
.SH "SYNOPSIS"
ipa\-nis\-manage [options] <enable|disable|status>
.SH "DESCRIPTION"
Run the command with the \fBenable\fR option to enable the NIS plugin.
Run the command with the \fBdisable\fR option to disable the NIS plugin.
Run the command with the \fBstatus\fR option to read status of the NIS plugin. Return code 0 indicates enabled plugin, return code 4 indicates disabled plugin.
In all cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used.
Directory Server will need to be restarted after the NIS listener plugin has been enabled.
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
.TP
\fB\-y\fR \fIfile\fR
File containing the Directory Manager password
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
2 if the plugin is already in the required status (enabled or disabled)
3 if RPC services cannot be enabled.
4 if status command detected plugin in disabled state.

36
install/tools/man/ipa-otptoken-import.1 Normal file
View File

@@ -0,0 +1,36 @@
.\" A man page for ipa-otptoken-import
.\" Copyright (C) 2014 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Nathaniel McCallum <npmccallum@redhat.com>
.\"
.TH "ipa-otptoken-import" "1" "Jun 12 2014" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-otptoken\-import \- Imports OTP tokens from RFC 6030 XML file
.SH "SYNOPSIS"
ipa\-otptoken\-import [options] <infile> <outfile>
.SH "DESCRIPTION"
Running the command will attempt to import all tokens specified in \fBinfile\fR. If the command is unable to import a token, the reason for the failure will be printed to standard error and all failed tokens will be written to the \fBoutfile\fR for further inspection.
If the \fBinfile\fR contains encrypted token data, then the \fIkeyfile\fR (\fB-k\fR) option MUST be specified.
.SH "OPTIONS"
.TP
\fB\-k\fR \fIkeyfile\fR
File containing the key used to decrypt the token data.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

34
install/tools/man/ipa-pkinit-manage.1 Normal file
View File

@@ -0,0 +1,34 @@
.\"
.\" Copyright (C) 2017 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-pkinit-manage" "1" "Jun 05 2017" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-pkinit\-manage \- Enables or disables PKINIT
.SH "SYNOPSIS"
ipa\-pkinit\-manage [options] <enable|disable|status>
.SH "DESCRIPTION"
Run the command with the \fBenable\fR option to enable PKINIT.
Run the command with the \fBdisable\fR option to disable PKINIT.
Run the command with the \fBstatus\fR to determine the current status of PKINIT.
.SH "OPTIONS"
.TP
\fB\-\-version\fR
Show the program's version and exit.
.TP
\fB\-h\fR, \fB\-\-help\fR
Show the help for this program.
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information.
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors.
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

87
install/tools/man/ipa-replica-conncheck.1 Normal file
View File

@@ -0,0 +1,87 @@
.\" A man page for ipa-replica-conncheck
.\" Copyright (C) 2011 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Martin Kosek <mkosek@redhat.com>
.\"
.TH "ipa-replica-conncheck" "1" "Jun 2 2011" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-replica\-conncheck \- Check a replica\-master network connection before installation
.SH "SYNOPSIS"
ipa\-replica\-conncheck [\fIOPTION\fR]...
.SH "DESCRIPTION"
When an IPA replica is being installed a network connection between a replica machine and a replicated IPA master machine has to be prepared for master\-replica communication. In case of a flawed connection the installation may fail with inconvenient error messages. A common connection problem is a misconfigured firewall with closed required port on a replica or master machine.
The connection is checked by running a set of tests from both master and replica machines. The program is incorporated to ipa\-replica\-install(1) but can be also run separately.
.SH "OPTIONS"
.SS "REPLICA MACHINE OPTIONS"
This set of options is used when the connection check is run on a prepared IPA replica machine.
.TP
\fB\-m\fR \fIMASTER\fR, \fB\-\-master\fR=\fIMASTER\fR
Remote master machine address
.TP
\fB\-a\fR, \fB\-\-auto\-master\-check\fR
Automatically log in to master machine and execute the master machine part of the connection check. The following options for replica part are only evaluated when this option is set
.TP
\fB\-r\fR \fIREALM\fR, \fB\-\-realm\fR=\fIREALM\fR
The Kerberos realm name for the IPA server
.TP
\fB\-k\fR \fIKDC\fR, \fB\-\-kdc\fR=\fIKDC\fR
KDC server address. Defaults to \fIMASTER\fR
.TP
\fB\-p\fR \fIPRINCIPAL\fR, \fB\-\-principal\fR=\fIPRINCIPAL\fR
Authorized Kerberos principal to use to log in to master machine. Defaults to \fIadmin\fR
.TP
\fB\-w\fR \fIPASSWORD\fR, \fB\-\-password\fR=\fIPASSWORD\fR
Password for given principal. The password will be prompted interactively when this option is missing
.SS "MASTER MACHINE OPTIONS"
This set of options is used when the connection check is run on a master machine against a running ipa\-replica\-conncheck(1) on a replica machine.
.TP
\fB\-R\fR \fIREPLICA\fR, \fB\-\-replica\fR=\fIREPLICA\fR
Remote replica machine address
.SS "COMMON OPTIONS"
.TP
\fB\-c\fR, \fB\-\-check\-ca\fR
Include in a check also a set of dogtag connection requirements. Only needed when the master was installed with Dogtag 9 or lower.
.TP
\fB\-h\fR \fIHOSTNAME\fR, \fB\-\-hostname\fR=\fIHOSTNAME\fR
The hostname of this server (FQDN). By default the result of getfqdn() call from Python's socket module is used.
.TP
\fB\-d\fR, \fB\-\-debug\fR
Print debugging information
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors
.SH "EXAMPLES"
.TP
\fBipa\-replica\-conncheck \-m master.example.com\fR
Run a replica machine connection check against a remote master \fImaster.example.com\fR. If the connection to the remote master machine is successful the program will switch to listening mode and prompt for running the master machine part. The second part check the connection from master to replica.
.TP
\fBipa\-replica\-conncheck \-R replica.example.com\fR
Run a master machine connection check part. This is either run automatically by replica part of the connection check program (when \fI-a\fR option is set) or manually by the user. A running ipa-replica-conncheck(1) in a listening mode must be already running on a replica machine.
.TP
\fBipa\-replica\-conncheck \-m master.example.com \-a \-r EXAMPLE.COM \-w password\fR
Run a replica\-master connection check. In case of a success switch to listening mode, automatically log to \fImaster.example.com\fR in a realm \fIEXAMPLE.COM\fR with a password \fIpassword\fR and run the second part of the connection check.
.SH "EXIT STATUS"
0 if the connection check was successful
1 if an error occurred
.SH "SEE ALSO"
.BR ipa-replica-install (1)

283
install/tools/man/ipa-replica-install.1 Normal file
View File

@@ -0,0 +1,283 @@
.\" A man page for ipa-replica-install
.\" Copyright (C) 2008-2016 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-replica-install" "1" "Dec 19 2016" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-replica\-install \- Create an IPA replica
.SH "SYNOPSIS"
.SS "DOMAIN LEVEL 0"
.TP
ipa\-replica\-install [\fIOPTION\fR]... [replica_file]
.SS "DOMAIN LEVEL 1"
.TP
ipa\-replica\-install [\fIOPTION\fR]...
.SH "DESCRIPTION"
Configures a new IPA server that is a replica of the server. Once it has been created it is an exact copy of the original IPA server and is an equal master. Changes made to any master are automatically replicated to other masters.
To create a replica in a domain at domain level 0, you need to provide an replica file. The replica_file is created using the ipa\-replica\-prepare utility.
To create a replica in a domain at domain level 1, you don't have to provide a replica file, the machine only needs to be enrolled in the FreeIPA domain first. This process of turning the IPA client into a replica is also referred to as replica promotion.
If you're starting with an existing IPA client, simply run ipa\-replica\-install to have it promoted into a replica.
To promote a blank machine into a replica, you have two options, you can either run ipa\-client\-install in a separate step, or pass the enrollment related options to the ipa\-replica\-install (see DOMAIN LEVEL 1 CLIENT ENROLLMENT OPTIONS). In the latter case, ipa\-replica\-install will join the machine to the IPA realm automatically and will proceed with the promotion step.
If the installation fails you may need to run ipa\-server\-install \-\-uninstall and ipa\-client\-install before running ipa\-replica\-install again.
The installation will fail if the host you are installing the replica on exists as a host in IPA or an existing replication agreement exists (for example, from a previously failed installation).
A replica should only be installed on the same or higher version of IPA on the remote system.
.SH "OPTIONS"
.SS "DOMAIN LEVEL 1 OPTIONS"
.TP
\fB\-P\fR, \fB\-\-principal\fR
The user principal which will be used to promote the client to the replica and enroll the client itself, if necessary.
.TP
\fB\-w\fR, \fB\-\-admin\-password\fR
The Kerberos password for the given principal.
.SS "DOMAIN LEVEL 1 CLIENT ENROLLMENT OPTIONS"
To install client and promote it to replica using a host keytab or One Time Password, the host needs to be a member of ipaservers group. This requires to create a host entry and add it to the host group prior replica installation.
\-\-server, \-\-domain, \-\-realm options are autodiscovered via DNS records by default. See manual page
.BR ipa\-client\-install (1)
for further details about these options.
.TP
\fB\-p\fR \fIPASSWORD\fR, \fB\-\-password\fR=\fIPASSWORD\fR
One Time Password for joining a machine to the IPA realm.
.TP
\fB\-k\fR, \fB\-\-keytab\fR
Path to host keytab.
.TP
\fB\-\-server\fR
The fully qualified domain name of the IPA server to enroll to.
.TP
\fB\-n\fR, \fB\-\-domain\fR=\fIDOMAIN\fR
The primary DNS domain of an existing IPA deployment, e.g. example.com.
This DNS domain should contain the SRV records generated by the IPA server installer.
.TP
\fB\-r\fR, \fB\-\-realm\fR=\fIREALM_NAME\fR
The Kerberos realm of an existing IPA deployment.
.TP
\fB\-\-hostname\fR
The hostname of this machine (FQDN). If specified, the hostname will be set and the system configuration will be updated to persist over reboot.
.TP
\fB\-\-force\-join\fR
Join the host even if it is already enrolled.
.SS "DOMAIN LEVEL 0 OPTIONS"
.TP
\fB\-p\fR \fIPASSWORD\fR, \fB\-\-password\fR=\fIPASSWORD\fR
Directory Manager (existing master) password
.TP
\fB\-w\fR, \fB\-\-admin\-password\fR
Admin user Kerberos password used for connection check
.SS "BASIC OPTIONS"
.TP
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
The IP address of this server. If this address does not match the address the host resolves to and \-\-setup\-dns is not selected the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts.
This this option can be used multiple times to specify more IP addresses of the server (e.g. multihomed and/or dualstacked server).
.TP
\fB\-\-mkhomedir\fR
Create home directories for users on their first login
.TP
\fB\-N\fR, \fB\-\-no\-ntp\fR
Do not configure NTP
.TP
\fB\-\-no\-ui\-redirect\fR
Do not automatically redirect to the Web UI.
.TP
\fB\-\-ssh\-trust\-dns\fR
Configure OpenSSH client to trust DNS SSHFP records.
.TP
\fB\-\-no\-ssh\fR
Do not configure OpenSSH client.
.TP
\fB\-\-no\-sshd\fR
Do not configure OpenSSH server.
.TP
\fB\-\-skip\-conncheck\fR
Skip connection check to remote master
.TP
\fB\-d\fR, \fB\-\-debug
Enable debug logging when more verbose output is needed
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input
.TP
\fB\-\-dirsrv\-config\-file\fR
The path to LDIF file that will be used to modify configuration of dse.ldif during installation of the directory server instance
.SS "CERTIFICATE SYSTEM OPTIONS"
.TP
\fB\-\-setup\-ca\fR
Install and configure a CA on this replica. If a CA is not configured then
certificate operations will be forwarded to a master with a CA installed.
.TP
\fB\-\-no\-pkinit\fR
Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
.TP
\fB\-\-dirsrv\-cert\-file\fR=FILE
File containing the Directory Server SSL certificate and private key
.TP
\fB\-\-http\-cert\-file\fR=FILE
File containing the Apache Server SSL certificate and private key
.TP
\fB\-\-pkinit\-cert\-file\fR=FILE
File containing the Kerberos KDC SSL certificate and private key
.TP
\fB\-\-dirsrv\-pin\fR=PIN
The password to unlock the Directory Server private key
.TP
\fB\-\-http\-pin\fR=PIN
The password to unlock the Apache Server private key
.TP
\fB\-\-pkinit\-pin\fR=PIN
The password to unlock the Kerberos KDC private key
.TP
\fB\-\-dirsrv\-cert\-name\fR=NAME
Name of the Directory Server SSL certificate to install
.TP
\fB\-\-http\-cert\-name\fR=NAME
Name of the Apache Server SSL certificate to install
.TP
\fB\-\-pkinit\-cert\-name\fR=NAME
Name of the Kerberos KDC SSL certificate to install
.TP
\fB\-\-skip\-schema\-check\fR
Skip check for updated CA DS schema on the remote master
.SS "SECRET MANAGEMENT OPTIONS"
.TP
\fB\-\-setup\-kra\fR
Install and configure a KRA on this replica. If a KRA is not configured then
vault operations will be forwarded to a master with a KRA installed.
.SS "DNS OPTIONS"
.TP
\fB\-\-setup\-dns\fR
Configure an integrated DNS server, create a primary DNS zone (name specified by \-\-domain or taken from an existing deployment), and fill it with service records necessary for IPA deployment.
In cases where the IPA server name does not belong to the primary DNS domain and is not resolvable using DNS, create a DNS zone containing the IPA server name as well.
This option requires that you either specify at least one DNS forwarder through
the \fB\-\-forwarder\fR option or use the \fB\-\-no\-forwarders\fR option.
Note that you can set up a DNS at any time after the initial IPA server install by running
.B ipa-dns-install
(see
.BR ipa-dns-install (1)).
IPA DNS cannot be uninstalled.
.TP
\fB\-\-forwarder\fR=\fIIP_ADDRESS\fR
Add a DNS forwarder to the DNS configuration. You can use this option multiple
times to specify more forwarders, but at least one must be provided, unless
the \fB\-\-no\-forwarders\fR option is specified.
.TP
\fB\-\-no\-forwarders\fR
Do not add any DNS forwarders. Root DNS servers will be used instead.
.TP
\fB\-\-auto\-forwarders\fR
Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS.
.TP
\fB\-\-forward\-policy\fR=\fIfirst|only\fR
DNS forwarding policy for global forwarders specified using other options.
Defaults to first if no IP address belonging to a private or reserved ranges is
detected on local interfaces (RFC 6303). Defaults to only if a private
IP address is detected.
.TP
\fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
The reverse DNS zone to use. This option can be used multiple times to specify multiple reverse zones.
.TP
\fB\-\-no\-reverse\fR
Do not create new reverse DNS zone. If a reverse DNS zone already exists for the subnet, it will be used.
.TP
\fB\-\-auto-reverse\fR
Create necessary reverse zones
.TP
\fB\-\-allow-zone-overlap\fR
Create DNS zone even if it already exists
.TP
\fB\-\-no\-host\-dns\fR
Do not use DNS for hostname lookup during installation
.TP
\fB\-\-no\-dns\-sshfp\fR
Do not automatically create DNS SSHFP records.
.TP
\fB\-\-no\-dnssec\-validation\fR
Disable DNSSEC validation on this server.
.SS "AD TRUST OPTIONS"
.TP
\fB\-\-setup\-adtrust\fR
Configure AD Trust capability on a replica.
.TP
\fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
The NetBIOS name for the IPA domain. If not provided then this is determined
based on the leading component of the DNS domain name. Running
ipa\-adtrust\-install for a second time with a different NetBIOS name will
change the name. Please note that changing the NetBIOS name might break
existing trust relationships to other domains.
.TP
\fB\-\-add\-sids\fR
Add SIDs to existing users and groups as on of final steps of the
ipa\-adtrust\-install run. If there a many existing users and groups and a
couple of replicas in the environment this operation might lead to a high
replication traffic and a performance degradation of all IPA servers in the
environment. To avoid this the SID generation can be run after
ipa\-adtrust\-install is run and scheduled independently. To start this task
you have to load an edited version of ipa-sidgen-task-run.ldif with the
ldapmodify command info the directory server.
.TP
\fB\-\-add\-agents\fR
Add IPA masters to the list that allows to serve information about
users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master
can provide this information to SSSD clients. IPA masters aren't added
to the list automatically as restart of the LDAP service on each of them
is required. The host where ipa\-adtrust\-install is being run is added
automatically.
.IP
Note that IPA masters where ipa\-adtrust\-install wasn't run, can serve
information about users from trusted forests only if they are enabled
via \ipa-adtrust\-install run on any other IPA master. At least SSSD
version 1.13 on IPA master is required to be able to perform as a trust agent.
.TP
\fB\-\-rid-base\fR=\fIRID_BASE\fR
First RID value of the local domain. The first Posix ID of the local domain will
be assigned to this RID, the second to RID+1 etc. See the online help of the
idrange CLI for details.
.TP
\fB\-\-secondary-rid-base\fR=\fISECONDARY_RID_BASE\fR
Start value of the secondary RID range, which is only used in the case a user
and a group share numerically the same Posix ID. See the online help of the
idrange CLI for details.
.TP
\fB\-\-enable\-compat\fR
Enables support for trusted domains users for old clients through Schema Compatibility plugin.
SSSD supports trusted domains natively starting with version 1.9. For platforms that
lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi\-nis package
needs to be installed and schema\-compat\-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and groups will be
available under \fBcn=users,cn=compat,$SUFFIX\fR and \fBcn=groups,cn=compat,$SUFFIX\fR trees.
SSSD will normalize names of users and groups to lower case.
.IP
In addition to providing these users and groups through the compat tree, this option enables
authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN
\fBuid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX\fR.
.IP
LDAP authentication performed by the compat tree is done via PAM '\fBsystem\-auth\fR' service.
This service exists by default on Linux systems and is provided by pam package as /etc/pam.d/system\-auth.
If your IPA install does not have default HBAC rule 'allow_all' enabled, then make sure
to define in IPA special service called '\fBsystem\-auth\fR' and create an HBAC
rule to allow access to anyone to this rule on IPA masters.
.IP
As '\fBsystem\-auth\fR' PAM service is not used directly by any other
application, it is safe to use it for trusted domain users via compatibility
path.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
3 if the host exists in the IPA server or a replication agreement to the remote master already exists

236
install/tools/man/ipa-replica-manage.1 Normal file
View File

@@ -0,0 +1,236 @@
.\" A man page for ipa-replica-manage
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-replica-manage" "1" "Jul 12 2016" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-replica\-manage \- Manage an IPA replica
.SH "SYNOPSIS"
ipa\-replica\-manage [\fIOPTION\fR]... [COMMAND]
.SH "DESCRIPTION"
Manages the replication agreements of an IPA server.
To manage IPA replication agreements in a domain at domain level 1, use IPA CLI
or Web UI, see `ipa help topology` for additional information.
The available commands are:
.TP
\fBconnect\fR [SERVER_A] <SERVER_B>
\- Adds a new replication agreement between SERVER_A/localhost and SERVER_B. At domain level 1 applicable only for winsync agreements.
.TP
\fBdisconnect\fR [SERVER_A] <SERVER_B>
\- Removes a replication agreement between SERVER_A/localhost and SERVER_B. At domain level 1 applicable only for winsync agreements.
.TP
\fBdel\fR <SERVER>
\- Removes all replication agreements and data about SERVER. At domain level 1 it removes data and agreements for both suffixes - domain and ca.
.TP
\fBlist\fR [SERVER]
\- Lists all the servers or the list of agreements of SERVER
.TP
\fBre\-initialize\fR
\- Forces a full re\-initialization of the IPA server retrieving data from the server specified with the \-\-from option
.TP
\fBforce\-sync\fR
\- Immediately flush any data to be replicated from a server specified with the \-\-from option
.TP
\fBlist\-ruv\fR
\- List the replication IDs on this server.
.TP
\fBclean\-ruv\fR [REPLICATION_ID]
\- Run the CLEANALLRUV task to remove a replication ID.
.TP
\fBclean\-dangling\-ruv\fR
\- Cleans all RUVs and CS\-RUVs that are left in the system from uninstalled replicas.
.TP
\fBabort\-clean\-ruv\fR [REPLICATION_ID]
\- Abort a running CLEANALLRUV task. With \-\-force option the task does not wait for all the replica servers to have been sent the abort task, or be online, before completing.
.TP
\fBlist\-clean\-ruv\fR
\- List all running CLEANALLRUV and abort CLEANALLRUV tasks.
.TP
\fBdnarange\-show [SERVER]\fR
\- List the DNA ranges
.TP
\fBdnarange\-set SERVER START\-END\fR
\- Set the DNA range on a master
.TP
\fBdnanextrange\-show [SERVER]\fR
\- List the next DNA ranges
.TP
\fBdnanextrange\-set SERVER START\-END\fR
\- Set the DNA next range on a master
.TP
The connect and disconnect options are used to manage the replication topology. When a replica is created it is only connected with the master that created it. The connect option may be used to connect it to other existing replicas.
.TP
The disconnect option cannot be used to remove the last link of a replica. To remove a replica from the topology use the del option.
.TP
If a replica is deleted and then re\-added within a short time\-frame then the 389\-ds instance on the master that created it should be restarted before re\-installing the replica. The master will have the old service principals cached which will cause replication to fail.
.TP
Each IPA master server has a unique replication ID. This ID is used by 389\-ds\-base when storing information about replication status. The output consists of the masters and their respective replication ID. See \fBclean\-ruv\fR
.TP
When a master is removed, all other masters need to remove its replication ID from the list of masters. Normally this occurs automatically when a master is deleted with ipa\-replica\-manage. If one or more masters was down or unreachable when ipa\-replica\-manage was executed then this replica ID may still exist. The clean\-ruv command may be used to clean up an unused replication ID.
.TP
\fBNOTE\fR: clean\-ruv is \fBVERY DANGEROUS\fR. Execution against the wrong replication ID can result in inconsistent data on that master. The master should be re\-initialized from another if this happens.
.TP
The replication topology is examined when a master is deleted and will attempt to prevent a master from being orphaned. For example, if your topology is A <\-> B <\-> C and you attempt to delete master B it will fail because that would leave masters and A and C orphaned.
.TP
The list of masters is stored in cn=masters,cn=ipa,cn=etc,dc=example,dc=com. This should be cleaned up automatically when a master is deleted. If it occurs that you have deleted the master and all the agreements but these entries still exist then you will not be able to re\-install IPA on it, the installation will fail with:
.TP
An IPA master host cannot be deleted or disabled using standard commands (host\-del, for example).
.TP
An orphaned master may be cleaned up using the del directive with the \-\-cleanup option. This will remove the entries from cn=masters,cn=ipa,cn=etc that otherwise prevent host\-del from working, its dna profile, s4u2proxy configuration, service principals and remove it from the default DUA profile defaultServerList.
.SH "OPTIONS"
.TP
\fB\-H\fR \fIHOST\fR, \fB\-\-host\fR=\fIHOST\fR
The IPA server to manage.
The default is the machine on which the command is run
Not honoured by the re\-initialize command.
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
The Directory Manager password to use for authentication
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Provide additional information
.TP
\fB\-f\fR, \fB\-\-force\fR
Ignore some types of errors, don't prompt when deleting a master
.TP
\fB\-c\fR, \fB\-\-cleanup\fR
When deleting a master with the \-\-force flag, remove leftover references to an already deleted master.
.TP
\fB\-\-no\-lookup\fR
Do not perform DNS lookup checks.
.TP
\fB\-\-binddn\fR=\fIADMIN_DN\fR
Bind DN to use with remote server (default is cn=Directory Manager) \- Be careful to quote this value on the command line
.TP
\fB\-\-bindpw\fR=\fIADMIN_PWD\fR
Password for Bind DN to use with remote server (default is the DM_PASSWORD above)
.TP
\fB\-\-winsync\fR
Specifies to create/use a Windows Sync Agreement
.TP
\fB\-\-cacert\fR=\fI/path/to/cacertfile\fR
Full path and filename of CA certificate to use with TLS/SSL to the remote server \- this CA certificate will be installed in the directory server's certificate database
.TP
\fB\-\-win\-subtree\fR=\fIcn=Users,dc=example,dc=com\fR
DN of Windows subtree containing the users you want to sync (default cn=Users,<domain suffix> \- this is typically what Windows AD uses as the default value) \- Be careful to quote this value on the command line
.TP
\fB\-\-passsync\fR=\fIPASSSYNC_PWD\fR
Password for the IPA system user used by the Windows PassSync plugin to synchronize passwords. Required when using \-\-winsync. This does not mean you have to use the PassSync service.
.TP
\fB\-\-from\fR=\fISERVER\fR
The server to pull the data from, used by the re\-initialize and force\-sync commands.
.TP
.SH "RANGES"
IPA uses the 389\-ds Distributed Numeric Assignment (DNA) Plugin to allocate POSIX ids for users and groups. A range is created when IPA is installed and half the range is assigned to the first IPA master for the purposes of allocation.
.TP
New IPA masters do not automatically get a DNA range assignment. A range assignment is done only when a user or POSIX group is added on that master.
.TP
The DNA plugin also supports an "on\-deck" or next range configuration. When the primary range is exhaused, rather than going to another master to ask for more, it will use its on\-deck range if one is defined. Each master can have only one range and one on\-deck range defined.
.TP
When a master is removed an attempt is made to save its DNA range(s) onto another master in its on\-deck range. IPA will not attempt to extend or merge ranges. If there are no available on\-deck range slots then this is reported to the user. The range is effectively lost unless it is manually merged into the range of another master.
.TP
The DNA range and on\-deck (next) values can be managed using the dnarange\-set and dnanextrange\-set commands. The rules for managing these ranges are:
\- The range must be completely contained within a local range as defined by the ipa idrange command.
\- The range cannot overlap the DNA range or on\-deck range on another IPA master.
\- The range cannot overlap the ID range of an AD Trust.
\- The primary DNA range cannot be removed.
\- An on\-deck range range can be removed by setting it to 0\-0. The assumption is that the range will be manually moved or merged elsewhere.
.TP
The range and next range of a specific master can be displayed by passing the FQDN of that master to the dnarange\-show or dnanextrange\-show command.
.TP
Performing range changes as a delegated administrator (e.g. not using the Directory Manager password) requires additional 389\-ds ACIs. These are installed in upgraded masters but not existing ones. The changs are made in cn=config which is not replicated. The result is that DNA ranges cannot be managed on non\-upgraded masters as a delegated administrator.
.SH "EXAMPLES"
.TP
List all masters:
# ipa\-replica\-manage list
srv1.example.com: master
srv2.example.com: master
srv3.example.com: master
srv4.example.com: master
.TP
List a server's replication agreements.
# ipa\-replica\-manage list srv1.example.com
srv2.example.com: replica
srv3.example.com: replica
.TP
Re\-initialize a replica:
# ipa\-replica\-manage re\-initialize \-\-from srv2.example.com
This will re\-initialize the data on the server where you execute the command, retrieving the data from the srv2.example.com replica
.TP
Add a new replication agreement:
# ipa\-replica\-manage connect srv2.example.com srv4.example.com
.TP
Remove an existing replication agreement:
# ipa\-replica\-manage disconnect srv1.example.com srv3.example.com
.TP
Completely remove a replica:
# ipa\-replica\-manage del srv4.example.com
.TP
Using connect/disconnect you can manage the replication topology.
.TP
List the replication IDs in use:
# ipa\-replica\-manage list\-ruv
Replica Update Vectors:
srv1.example.com:389: 7
srv2.example.com:389: 4
Certificate Server Replica Update Vectors:
srv1.example.com:389: 9
.TP
Remove references to an orphaned and deleted master:
# ipa\-replica\-manage del \-\-force \-\-cleanup master.example.com
.SH "WINSYNC"
Creating a Windows AD Synchronization agreement is similar to creating an IPA replication agreement, there are just a couple of extra steps.
A special user entry is created for the PassSync service. The DN of this entry is uid=passsync,cn=sysaccounts,cn=etc,<basedn>. You are not required to use PassSync to use a Windows synchronization agreement but setting a password for the user is required.
The following examples use the AD administrator account as the synchronization user. This is not mandatory but the user must have read\-access to the subtree.
.TP
1. Transfer the base64\-encoded Windows AD CA Certificate to your IPA Server
.TP
2. Remove any existing kerberos credentials
# kdestroy
.TP
3. Add the winsync replication agreement
# ipa\-replica\-manage connect \-\-winsync \-\-passsync=<bindpwd_for_syncuser_that will_be_used_for_agreement> \-\-cacert=/path/to/adscacert/WIN\-CA.cer \-\-binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com" \-\-bindpw <ads_administrator_password> \-v <adserver.fqdn>
.TP
You will be prompted to supply the Directory Manager's password.
.TP
Create a winsync replication agreement:
# ipa\-replica\-manage connect \-\-winsync \-\-passsync=MySecret
\-\-cacert=/root/WIN\-CA.cer \-\-binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com"
\-\-bindpw MySecret \-v windows.ad.example.com
.TP
Remove a winsync replication agreement:
# ipa\-replica\-manage disconnect windows.ad.example.com
.SH "PASSSYNC"
PassSync is a Windows service that runs on AD Domain Controllers to intercept password changes. It sends these password changes to the IPA LDAP server over TLS. These password changes bypass normal IPA password policy settings and the password is not set to immediately expire. This is because by the time IPA receives the password change it has already been accepted by AD so it is too late to reject it.
.TP
IPA maintains a list of DNs that are exempt from password policy. A special user is added automatically when a winsync replication agreement is created. The DN of this user is added to the exemption list stored in passSyncManagersDNs in the entry cn=ipa_pwd_extop,cn=plugins,cn=config.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

80
install/tools/man/ipa-replica-prepare.1 Normal file
View File

@@ -0,0 +1,80 @@
.\" A man page for ipa-replica-prepare
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-replica-prepare" "1" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-replica\-prepare \- Create an IPA replica file
.SH "SYNOPSIS"
ipa\-replica\-prepare [\fIOPTION\fR]... hostname
.SH "DESCRIPTION"
Generates a replica file that may be used with ipa\-replica\-install to create a replica of an IPA server.
A replica can be created on any IPA master or replica server.
You must provide the fully\-qualified hostname of the machine you want to install the replica on and a host\-specific replica_file will be created. It is host\-specific because SSL server certificates are generated as part of the process and they are specific to a particular hostname.
If IPA manages the DNS for your domain, you should either use the \fB\-\-ip\-address\fR option or add the forward and reverse records manually using IPA plugins.
Once the file has been created it will be named replica\-hostname. This file can then be moved across the network to the target machine and a new IPA replica setup by running ipa\-replica\-install replica\-hostname.
.SS "Limitations"
A replica should only be installed on the same or higher version of IPA on the remote system.
A replica with PKI can only be installed from a replica file prepared on a master with PKI.
.SH "OPTIONS"
.TP
\fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
\fB\-\-http\-cert\-file\fR=\fIFILE\fR
File containing the Apache Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
\fB\-\-dirsrv\-pin\fR=\fIPIN\fR
The password to unlock the Directory Server private key
.TP
\fB\-\-http\-pin\fR=\fIPIN\fR
The password to unlock the Apache Server private key
.TP
\fB\-\-dirsrv\-cert\-name\fR=\fINAME\fR
Name of the Directory Server SSL certificate to install
.TP
\fB\-\-http\-cert\-name\fR=\fINAME\fR
Name of the Apache Server SSL certificate to install
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
Directory Manager (existing master) password
.TP
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
IPv4 or IPv6 address of the replica server. This option can be specified multiple times for each interface of the server
(e.g. multihomed and/or dualstacked server), or for each IPv4 and IPv6 address of the server. The corresponding A or AAAA and
PTR records will be added to the DNS if they do not exist already.
.TP
\fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
The reverse DNS zone to use. This option can be used multiple times to specify multiple reverse zones.
.TP
\fB\-\-no\-reverse\fR
Do not create reverse DNS zone
.TP
\fB\-\-ca\fR=\fICA_FILE\fR
Location of CA PKCS#12 file, default /root/cacert.p12
.TP
\fB\-\-debug\fR
Prints info log messages to the output
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

106
install/tools/man/ipa-restore.1 Normal file
View File

@@ -0,0 +1,106 @@
.\" A man page for ipa-restore
.\" Copyright (C) 2013 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-restore" "1" "Mar 22 2013" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-restore \- Restore an IPA master
.SH "SYNOPSIS"
ipa\-restore [\fIOPTION\fR]... BACKUP
.SH "DESCRIPTION"
Only the name of the backup needs to be passed in, not the full path. Backups are stored in a subdirectory in /var/lib/ipa/backup. If a backup is in another location then the full path must be provided.
.TP
The naming convention for full backups is ipa\-full\-YEAR\-MM\-DD\-HH\-MM\-SS in the GMT time zone.
.TP
The naming convention for data backups is ipa\-data\-YEAR\-MM\-DD\-HH\-MM\-SS In the GMT time zone.
.TP
The type of backup is automatically detected. A data restore can be done from either type.
.TP
\fBWARNING\fR: A full restore will restore files like /etc/passwd, /etc/group, /etc/resolv.conf as well. Any file that IPA may have touched is backed up and restored.
.TP
An encrypted backup is also automatically detected and the root keyring is used by default. The \-\-keyring option can be used to define the full path to the private and public keys.
.TP
Within the subdirectory is file, header, that describes the back up including the type, system, date of backup, the version of IPA, the version of the backup and the services on the master.
.TP
A backup can not be restored on another host.
.TP
A backup can not be restored in a different version of IPA.
.TP
Restoring from backup sets the server as the new data master. All other masters will need to be re\-initialized. The first step in restoring a backup is to disable replication on all the other masters. This is to prevent the changelog from overwriting the data in the backup.
.TP
Use the ipa\-replica\-manage and ipa\-csreplica\-manage commands to re\-initialize other masters. ipa\-csreplica\-manage only needs to be executed on masters that have a CA installed.
.SH "REPLICATION"
The restoration on other masters needs to be done carefully, to match the replication topology, working outward from the restored master. For example, if your topology is A <\-> B <\-> C and you restored master A you would restore B first, then C.
.TP
Replication is disabled on all masters that are available when a restoration is done. If a master is down at the time of the restoration you will need to proceed with extreme caution. If this master is brought back up after the restoration is complete it may send out replication updates that apply the very changes you were trying to back out. The only safe answer is to reinstall the master. This would involve deleting all replication agreements to the master. This could have a cascading effect if the master is a hub to other masters. They would need to be connected to other masters before removing the downed master.
.TP
If the restore point is from a period prior to a replication agreement then the master will need to be re\-installed. For example, you have masters A and B and you create a backup. You then add master C from B. Then you restore from the backup. The restored data is going to lose the replication agreement to C. The master on C will have a replication agreement pointing to B, but B won't have the reverse agreement. Master C won't be registered as an IPA master. It may be possible to manually correct these and re\-connect C to B but it would be very prone to error.
.TP
If re\-initializing on an IPA master version prior to 3.2 then the replication agreements will need to be manually re\-enabled otherwise the re\-initialization will never complete. To manually enable an agreement use ldapsearch to find the agreement name in cn=mapping tree,cn=config. The value of nsds5ReplicaEnabled needs to be on, and enabled on both sides. Remember that CA replication is done through a separate agreement and will need to be updated separately.
.TP
If you have older masters you should consider re\-creating them rather than trying to re\-initialize them.
.SH "OPTIONS"
.TP
\fB\-p\fR, \fB\-\-password\fR=\fIPASSWORD\fR
The Directory Manager password.
.TP
\fB\-\-data\fR
Restore the data only. The default is to restore everything in the backup.
.TP
\fB\-\-gpg\-keyring\fR=\fIGPG_KEYRING\fR
The full path to a GPG keyring. The keyring consists of two files, a public and a private key (.sec and .pub respectively). Specify the path without an extension.
.TP
\fB\-\-no\-logs\fR
Exclude the IPA service log files in the backup (if they were backed up).
.TP
\fB\-\-online\fR
Perform the restore on\-line. Requires data\-only backup or the \-\-data option.
.TP
\fB\-\-instance\fR=\fIINSTANCE\fR
Restore only the databases in this 389\-ds instance. The default is to restore all found (at most this is the IPA REALM instance and the PKI\-IPA instance). Requires data\-only backup or the \-\-data option.
.TP
\fB\-\-backend\fR=\fIBACKEND\fR
The backend to restore within an instance or instances. Requires data\-only backup or the \-\-data option.
.TP
\fB\-\-v\fR, \fB\-\-verbose\fR
Print debugging information
.TP
\fB\-d\fR, \fB\-\-debug\fR
Alias for \-\-verbose
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors
.TP
\fB\-\-log\-file\fR=\fIFILE\fR
Log to the given file
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
.SH "FILES"
.PP
\fI/var/lib/ipa/backup\fR
.RS 4
The default directory for storing backup files.
.RE
.PP
\fl/var/log/iparestore.log\fR
.RS 4
The log file for restoration
.PP
.SH "SEE ALSO"
ipa\-backup(1).

55
install/tools/man/ipa-server-certinstall.1 Normal file
View File

@@ -0,0 +1,55 @@
.\" A man page for ipa-server-certinstall
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-server-certinstall" "1" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-server\-certinstall \- Install new SSL server certificates
.SH "SYNOPSIS"
ipa\-server\-certinstall [\fIOPTION\fR]... FILE...
.SH "DESCRIPTION"
Replace the current Directory server SSL certificate, Apache server SSL certificate and/or Kerberos KDC certificate with the certificate in the specified files. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats.
PKCS#12 is a file format used to safely transport SSL certificates and public/private keypairs.
They may be generated and managed using the NSS pk12util command or the OpenSSL pkcs12 command.
The service(s) are not automatically restarted. In order to use the newly installed certificate(s) you will need to manually restart the Directory, Apache and/or Krb5kdc servers.
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-dirsrv\fR
Install the certificate on the Directory Server
.TP
\fB\-w\fR, \fB\-\-http\fR
Install the certificate in the Apache Web Server
.TP
\fB\-k\fR, \fB\-\-kdc\fR
Install the certificate in the Kerberos KDC
.TP
\fB\-\-pin\fR=\fIPIN\fR
The password to unlock the private key
.TP
\fB\-\-cert\-name\fR=\fINAME\fR
Name of the certificate to install
.TP
\fB\-\-dirman\-password\fR=\fIDIRMAN_PASSWORD\fR
Directory Manager password
.SH "EXIT STATUS"
0 if the installation was successful
1 if an error occurred

288
install/tools/man/ipa-server-install.1 Normal file
View File

@@ -0,0 +1,288 @@
.\" A man page for ipa-server-install
.\" Copyright (C) 2008-2017 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-server-install" "1" "Feb 17 2017" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-server\-install \- Configure an IPA server
.SH "SYNOPSIS"
ipa\-server\-install [\fIOPTION\fR]...
.SH "DESCRIPTION"
Configures the services needed by an IPA server. This includes setting up a Kerberos Key Distribution Center (KDC) and a Kadmin daemon with an LDAP back\-end, configuring Apache, configuring NTP and optionally configuring and starting an LDAP-backed DNS server. By default a dogtag\-based CA will be configured to issue server certificates.
.SH "OPTIONS"
.SS "BASIC OPTIONS"
.TP
\fB\-r\fR \fIREALM_NAME\fR, \fB\-\-realm\fR=\fIREALM_NAME\fR
The Kerberos realm name for the new IPA deployment.
It is strongly recommended to \fBuse an upper-cased name of the primary DNS domain name\fR of your IPA deployment. You will not be able to establish trust with Active Directory unless the realm name is the upper-cased domain name.
The realm name cannot be changed after the installation.
.TP
\fB\-n\fR \fIDOMAIN_NAME\fR, \fB\-\-domain\fR=\fIDOMAIN_NAME\fR
The primary DNS domain of the IPA deployment, e.g. example.com. This DNS domain should contain the SRV records generated by the IPA server installer. The specified DNS domain must not contain DNS records of any other LDAP or Kerberos based management system (like Active Directory or MIT Kerberos).
It is strongly recommended to \fBuse a lower-cased name of the IPA Kerberos realm name.\fR
The primary DNS domain name cannot be changed after the installation.
.TP
\fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-ds\-password\fR=\fIDM_PASSWORD\fR
The password to be used by the Directory Server for the Directory Manager user.
.TP
\fB\-a\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=\fIADMIN_PASSWORD\fR
The password for the IPA admin user.
.TP
\fB\-\-mkhomedir\fR
Create home directories for users on their first login.
.TP
\fB\-\-hostname\fR=\fIHOST_NAME\fR
The fully\-qualified DNS name of this server.
.TP
\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR
The IP address of this server. If this address does not match the address the host resolves to and \-\-setup\-dns is not selected, the installation will fail. If the server hostname is not resolvable, a record for the hostname and IP_ADDRESS is added to /etc/hosts.
This option can be used multiple times to specify more IP addresses of the server (e.g. multihomed and/or dualstacked server).
.TP
\fB\-N\fR, \fB\-\-no\-ntp\fR
Do not configure NTP.
.TP
\fB\-\-idstart\fR=\fIIDSTART\fR
The starting user and group id number (default random).
.TP
\fB\-\-idmax\fR=\fIIDMAX\fR
The maximum user and group id number (default: idstart+199999). If set to zero, the default value will be used.
.TP
\fB\-\-no-hbac-allow\fR
Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production.
.TP
\fB\-\-ignore-topology-disconnect\fR
Ignore errors reported when IPA server uninstall would lead to disconnected topology. This option can be used only when domain level is 1 or more.
.TP
\fB\-\-ignore-last-of-role\fR
Ignore errors reported when IPA server uninstall would lead to removal of last CA/DNS server or DNSSec master. This option can be used only when domain level is 1 or more.
.TP
\fB\-\-no\-ui\-redirect\fR
Do not automatically redirect to the Web UI.
.TP
\fB\-\-ssh\-trust\-dns\fR
Configure OpenSSH client to trust DNS SSHFP records.
.TP
\fB\-\-no\-ssh\fR
Do not configure OpenSSH client.
.TP
\fB\-\-no\-sshd\fR
Do not configure OpenSSH server.
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed.
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended installation that will never prompt for user input.
.TP
\fB\-\-dirsrv\-config\-file\fR
The path to LDIF file that will be used to modify configuration of dse.ldif during installation of the directory server instance.
.SS "CERTIFICATE SYSTEM OPTIONS"
.TP
\fB\-\-external\-ca\fR
Generate a CSR for the IPA CA certificate to be signed by an external CA.
.TP
\fB\-\-external\-ca\-type\fR=\fITYPE\fR
Type of the external CA. Possible values are "generic", "ms-cs". Default value is "generic". Use "ms-cs" to include the template name required by Microsoft Certificate Services (MS CS) in the generated CSR (see \fB\-\-external\-ca\-profile\fR for full details).
.TP
\fB\-\-external\-ca\-profile\fR=\fIPROFILE_SPEC\fR
Specify the certificate profile or template to use at the external CA.
When \fB\-\-external\-ca\-type\fR is "ms-cs" the following specifiers may be used:
.RS
.TP
\fB<oid>:<majorVersion>[:<minorVersion>]\fR
Specify a certificate template by OID and major version, optionally also specifying minor version.
.TP
\fB<name>\fR
Specify a certificate template by name. The name cannot contain any \fI:\fR characters and cannot be an OID (otherwise the OID-based template specifier syntax takes precedence).
.TP
\fBdefault\fR
If no template is specified, the template name "SubCA" is used.
.RE
.TP
\fB\-\-external\-cert\-file\fR=\fIFILE\fR
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
.TP
\fB\-\-no\-pkinit\fR
Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
.TP
\fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
\fB\-\-http\-cert\-file\fR=\fIFILE\fR
File containing the Apache Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
\fB\-\-pkinit\-cert\-file\fR=\fIFILE\fR
File containing the Kerberos KDC SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
.TP
\fB\-\-dirsrv\-pin\fR=\fIPIN\fR
The password to unlock the Directory Server private key.
.TP
\fB\-\-http\-pin\fR=\fIPIN\fR
The password to unlock the Apache Server private key.
.TP
\fB\-\-pkinit\-pin\fR=\fIPIN\fR
The password to unlock the Kerberos KDC private key.
.TP
\fB\-\-dirsrv\-cert\-name\fR=\fINAME\fR
Name of the Directory Server SSL certificate to install.
.TP
\fB\-\-http\-cert\-name\fR=\fINAME\fR
Name of the Apache Server SSL certificate to install.
.TP
\fB\-\-pkinit\-cert\-name\fR=\fINAME\fR
Name of the Kerberos KDC SSL certificate to install.
.TP
\fB\-\-ca\-cert\-file\fR=\fIFILE\fR
File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files.
.TP
\fB\-\-ca\-subject\fR=\fISUBJECT\fR
The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
.TP
\fB\-\-subject\-base\fR=\fISUBJECT\fR
The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
.TP
\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
.SS "SECRET MANAGEMENT OPTIONS"
.TP
\fB\-\-setup\-kra\fR
Install and configure a KRA on this server.
.SS "DNS OPTIONS"
IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.
The DNS component in FreeIPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
.TP
\fB\-\-setup\-dns\fR
Configure an integrated DNS server, create DNS zone specified by \-\-domain, and fill it with service records necessary for IPA deployment.
In cases where the IPA server name does not belong to the primary DNS domain and is not resolvable using DNS, create a DNS zone containing the IPA server name as well.
This option requires that you either specify at least one DNS forwarder through
the \fB\-\-forwarder\fR option or use the \fB\-\-no\-forwarders\fR option.
Note that you can set up a DNS at any time after the initial IPA server install by running
.B ipa-dns-install
(see
.BR ipa-dns-install (1)).
IPA DNS cannot be uninstalled.
.TP
\fB\-\-forwarder\fR=\fIIP_ADDRESS\fR
Add a DNS forwarder to the DNS configuration. You can use this option multiple
times to specify more forwarders, but at least one must be provided, unless
the \fB\-\-no\-forwarders\fR option is specified.
.TP
\fB\-\-no\-forwarders\fR
Do not add any DNS forwarders. Root DNS servers will be used instead.
.TP
\fB\-\-auto\-forwarders\fR
Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS.
.TP
\fB\-\-forward\-policy\fR=\fIfirst|only\fR
DNS forwarding policy for global forwarders specified using other options.
Defaults to first if no IP address belonging to a private or reserved ranges is
detected on local interfaces (RFC 6303). Defaults to only if a private
IP address is detected.
.TP
\fB\-\-reverse\-zone\fR=\fIREVERSE_ZONE\fR
The reverse DNS zone to use. This option can be used multiple times to specify multiple reverse zones.
.TP
\fB\-\-no\-reverse\fR
Do not create reverse DNS zone.
.TP
\fB\-\-auto\-reverse\fR
Try to resolve reverse records and reverse zones for server IP addresses. If neither is resolvable, creates the reverse zones.
.TP
\fB\-\-zonemgr\fR
The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
.TP
\fB\-\-no\-host\-dns\fR
Do not use DNS for hostname lookup during installation.
.TP
\fB\-\-no\-dns\-sshfp\fR
Do not automatically create DNS SSHFP records.
.TP
\fB\-\-no\-dnssec\-validation\fR
Disable DNSSEC validation on this server.
.TP
\fB\-\-allow\-zone\-overlap\fR
Allow creation of (reverse) zone even if the zone is already resolvable. Using this option is discouraged as it result in later problems with domain name resolution.
.SS "AD TRUST OPTIONS"
.TP
\fB\-\-setup\-adtrust\fR
Configure AD Trust capability.
.TP
\fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
The NetBIOS name for the IPA domain. If not provided, this is determined
based on the leading component of the DNS domain name. Running
ipa\-adtrust\-install for a second time with a different NetBIOS name will
change the name. Please note that changing the NetBIOS name might break
existing trust relationships to other domains.
.TP
\fB\-\-rid-base\fR=\fIRID_BASE\fR
First RID value of the local domain. The first POSIX ID of the local domain will
be assigned to this RID, the second to RID+1 etc. See the online help of the
idrange CLI for details.
.TP
\fB\-\-secondary-rid-base\fR=\fISECONDARY_RID_BASE\fR
Start value of the secondary RID range, which is only used in the case a user
and a group share numerically the same POSIX ID. See the online help of the
idrange CLI for details.
.TP
\fB\-\-enable\-compat\fR
Enables support for trusted domains users for old clients through Schema Compatibility plugin.
SSSD supports trusted domains natively starting with version 1.9. For platforms that
lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi\-nis package
needs to be installed and schema\-compat\-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and groups will be
available under \fBcn=users,cn=compat,$SUFFIX\fR and \fBcn=groups,cn=compat,$SUFFIX\fR trees.
SSSD will normalize names of users and groups to lower case.
.IP
In addition to providing these users and groups through the compat tree, this option enables
authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN
\fBuid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX\fR.
.IP
LDAP authentication performed by the compat tree is done via PAM '\fBsystem\-auth\fR' service.
This service exists by default on Linux systems and is provided by pam package as /etc/pam.d/system\-auth.
If your IPA install does not have default HBAC rule 'allow_all' enabled, then make sure
to define in IPA special service called '\fBsystem\-auth\fR' and create an HBAC
rule to allow access to anyone to this rule on IPA masters.
.IP
As '\fBsystem\-auth\fR' PAM service is not used directly by any other
application, it is safe to use it for trusted domain users via compatibility
path.
.SS "UNINSTALL OPTIONS"
.TP
\fB\-\-uninstall\fR
Uninstall an existing IPA installation.
.TP
\fB\-U\fR, \fB\-\-unattended\fR
An unattended uninstallation that will never prompt for user input.
.SH "DEPRECATED OPTIONS"
.TP
\fB\-P\fR \fIMASTER_PASSWORD\fR, \fB\-\-master\-password\fR=\fIMASTER_PASSWORD\fR
The kerberos master password (normally autogenerated).
.SH "EXIT STATUS"
0 if the (un)installation was successful
1 if an error occurred
.SH "SEE ALSO"
.BR ipa-dns-install (1)
.BR ipa-adtrust-install (1)

46
install/tools/man/ipa-server-upgrade.1 Normal file
View File

@@ -0,0 +1,46 @@
.\"
.\" Copyright (C) 2015 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-server-upgrade" "1" "April 02 2015" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-server\-upgrade \- upgrade IPA server
.SH "SYNOPSIS"
ipa\-server\-upgrade [options]
.SH "DESCRIPTION"
ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
ipa\-server\-upgrade will:
* update LDAP schema
* process all files with the extension .update in /usr/share/ipa/updates (including update plugins).
* upgrade local configurations of IPA services
.SH "OPTIONS"
.TP
\fB\-\-skip\-version\-check\fR
Skip version check. WARNING: this option may break your system
.TP
\fB\-\-force\fR
Force upgrade (alias for --skip-version-check)
.TP
\fB\-\-version\fR
Show IPA version
.TP
\fB\-h\fR, \fB\-\-help\fR
Show help message and exit
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Output only errors
.TP
\fB-\-log-file=FILE\fR
Log to given file
.TP
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred

52
install/tools/man/ipa-winsync-migrate.1 Normal file
View File

@@ -0,0 +1,52 @@
.\" A man page for ipa-advise
.\" Copyright (C) 2013 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Tomas Babej <tbabej@redhat.com>
.\"
.TH "ipa-winsync-migrate" "1" "Mar 10 2015" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipa\-winsync\-migrate \- Seamless migration of AD users created by winsync to native AD users.
.SH "SYNOPSIS"
ipa\-winsync\-migrate
.SH "DESCRIPTION"
Migrates AD users created by winsync agreement to ID overrides in
the Default Trust View, thus preserving the actual POSIX attributes
already established.
Prior to the actual migration, the winsync replication agreement
will be removed to protect the removal of the user accounts
on the Active Directory side.
During the migration, group, assigned roles, HBAC rules and SELinux
memberships of the synced users will be preserved. Any local copies
(created by winsync) of the migrated users will be removed.
.SH "WARNINGS"
After the migration, any PassSync agreements need to be removed
from Active Directory Domain Controllers, otherwise they might
attempt to update passwords for accounts that no longer exist
on the IPA server.
.SH "OPTIONS"
.TP
\fB\-\-realm\fR
The Active Directory realm the winsynced users belong to.
.TP
\fB\-\-server\fR
The hostname of Active Directory Domain Controller the winsync replication agreement is established with.
.TP
\fB\-\-unattended\fR
Never prompts for user input.

54
install/tools/man/ipactl.8 Normal file
View File

@@ -0,0 +1,54 @@
.\" A man page for ipactl
.\" Copyright (C) 2008 Red Hat, Inc.
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation, either version 3 of the License, or
.\" (at your option) any later version.
.\"
.\" This program is distributed in the hope that it will be useful, but
.\" WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
.\" General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipactl" "8" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages"
.SH "NAME"
ipactl \- IPA Server Control Interface
.SH "SYNOPSIS"
ipactl \fIcommand\fR
.SH "DESCRIPTION"
A tool to help an administer control an IPA environment.
IPA glues several discrete services together to work in concert and the order that these services are started and stopped is important. ipactl ensures that they are started and stopped in the correct order.
IPA stores the available masters and the services configured on each one. The first thing ipactl does is start (if it is not already running) the IPA 389\-ds instance to query what services it controls. The hostname used in the query needs to match the hostname of the value stored in LDAP. This can be controlled with the host option in \fI/etc/ipa/default.conf\fR. This should be a fully\-qualified hostname.
.SH "OPTIONS"
.TP
start
Start all of the services that make up IPA
.TP
stop
Stop all of the services that make up IPA
.TP
restart
Stop then start all of the services that make up IPA
.TP
status
Provides status of all the services that make up IPA
.TP
\fB\-d\fR, \fB\-\-debug\fR
Display debugging information
.TP
\fB\-\-skip\-version\-check\fR
Skip version check
.TP
\fB\-\-ignore\-service\-failures\fR
If any service start fails, do not rollback the services, continue with the operation
.TP
\fB\-f\fR, \fB\-\-force\fR
Force IPA to start. Combine options --skip-version-check and --ignore-service-failures