Import Upstream version 4.12.4

This commit is contained in:
geos_one
2025-08-12 22:28:56 +02:00
parent 03a8170b15
commit 9181ee2487
1629 changed files with 874094 additions and 554378 deletions


@@ -6,6 +6,7 @@ SUBDIRS = \
dist_noinst_DATA = \
ipa-ca-install.in \
ipa-ccache-sweeper.in \
ipa-dns-install.in \
ipa-kra-install.in \
ipa-server-install.in \
@@ -36,6 +37,9 @@ dist_noinst_DATA = \
ipa-httpd-pwdreader.in \
ipa-pki-retrieve-key.in \
ipa-pki-wait-running.in \
ipa-acme-manage.in \
ipa-subids.in \
ipa-migrate.in \
$(NULL)
nodist_sbin_SCRIPTS = \
@@ -64,16 +68,20 @@ nodist_sbin_SCRIPTS = \
ipa-pkinit-manage \
ipa-crlgen-manage \
ipa-cert-fix \
ipa-acme-manage \
ipa-migrate \
$(NULL)
appdir = $(libexecdir)/ipa/
nodist_app_SCRIPTS = \
ipa-ccache-sweeper \
ipa-custodia \
ipa-custodia-check \
ipa-httpd-kdcproxy \
ipa-httpd-pwdreader \
ipa-pki-retrieve-key \
ipa-pki-wait-running \
ipa-subids \
$(NULL)
PYTHON_SHEBANG = \


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -71,6 +71,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -130,10 +132,9 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
{ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
}
am__installdirs = "$(DESTDIR)$(appdir)" "$(DESTDIR)$(sbindir)"
SCRIPTS = $(nodist_app_SCRIPTS) $(nodist_sbin_SCRIPTS)
@@ -190,8 +191,6 @@ am__define_uniq_tagged_files = \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in \
$(top_srcdir)/Makefile.pythonscripts.am
@@ -240,6 +239,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -253,8 +254,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -262,6 +265,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -274,9 +278,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -285,6 +292,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -344,6 +353,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -352,9 +363,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -393,8 +407,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -440,6 +456,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -453,6 +470,7 @@ SUBDIRS = \
dist_noinst_DATA = \
ipa-ca-install.in \
ipa-ccache-sweeper.in \
ipa-dns-install.in \
ipa-kra-install.in \
ipa-server-install.in \
@@ -483,6 +501,9 @@ dist_noinst_DATA = \
ipa-httpd-pwdreader.in \
ipa-pki-retrieve-key.in \
ipa-pki-wait-running.in \
ipa-acme-manage.in \
ipa-subids.in \
ipa-migrate.in \
$(NULL)
nodist_sbin_SCRIPTS = \
@@ -511,16 +532,20 @@ nodist_sbin_SCRIPTS = \
ipa-pkinit-manage \
ipa-crlgen-manage \
ipa-cert-fix \
ipa-acme-manage \
ipa-migrate \
$(NULL)
appdir = $(libexecdir)/ipa/
nodist_app_SCRIPTS = \
ipa-ccache-sweeper \
ipa-custodia \
ipa-custodia-check \
ipa-httpd-kdcproxy \
ipa-httpd-pwdreader \
ipa-pki-retrieve-key \
ipa-pki-wait-running \
ipa-subids \
$(NULL)
PYTHON_SHEBANG = \
@@ -737,7 +762,6 @@ cscopelist-am: $(am__tagged_files)
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -826,11 +850,11 @@ install-strip:
mostlyclean-generic:
clean-generic:
-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
-$(am__rm_f) $(CLEANFILES)
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -932,3 +956,10 @@ python_scripts_sub: $(PYTHON_SHEBANG)
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%


@@ -0,0 +1,8 @@
#!/usr/bin/python3
#
# Copyright (C) 2020 FreeIPA Contributors see COPYING for license
#
from ipaserver.install.ipa_acme_manage import IPAACMEManage
IPAACMEManage.run_cli()


@@ -29,19 +29,17 @@ import sys
import six
from optparse import SUPPRESS_HELP # pylint: disable=deprecated-module
from ipalib.install import sysrestore
from ipaserver.install import adtrust, service
from ipaserver.install.installutils import (
read_password,
check_server_configuration,
run_script)
from ipapython.admintool import ScriptError
from ipapython.admintool import ScriptError, admin_cleanup_global_argv
from ipapython import version
from ipapython import ipautil
from ipalib import api, errors, krb_utils
from ipapython.config import IPAOptionParser
from ipapython.config import IPAOptionParser, SUPPRESS_HELP
from ipaplatform.paths import paths
from ipapython.ipa_log_manager import standard_logging_setup
@@ -50,7 +48,7 @@ if six.PY3:
logger = logging.getLogger(os.path.basename(__file__))
log_file_name = paths.IPASERVER_INSTALL_LOG
log_file_name = paths.IPASERVER_ADTRUST_INSTALL_LOG
def parse_options():
@@ -64,10 +62,11 @@ def parse_options():
parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
default=False, help=SUPPRESS_HELP)
parser.add_option("--rid-base", dest="rid_base", type=int, default=1000,
parser.add_option("--rid-base", dest="rid_base", type=int,
default=adtrust.DEFAULT_PRIMARY_RID_BASE,
help="Start value for mapping UIDs and GIDs to RIDs")
parser.add_option("--secondary-rid-base", dest="secondary_rid_base",
type=int, default=100000000,
type=int, default=adtrust.DEFAULT_SECONDARY_RID_BASE,
help="Start value of the secondary range for mapping "
"UIDs and GIDs to RIDs")
parser.add_option("-U", "--unattended", dest="unattended",
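Review bot: Now that the defaults for `--rid-base` and `--secondary-rid-base` come from `adtrust.DEFAULT_PRIMARY_RID_BASE` and `adtrust.DEFAULT_SECONDARY_RID_BASE`, the effective values are no longer readable either in this file or in the option help. optparse expands `%default` in help strings, so `help="Start value for mapping UIDs and GIDs to RIDs (default: %default)"` and the matching suffix on the secondary-range option would surface them in `--help` without hard-coding the numbers again; this assumes IPAOptionParser keeps optparse's help formatting, which is not visible here. parse_options starts before this hunk.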
@@ -94,6 +93,7 @@ def parse_options():
options, _args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
admin_cleanup_global_argv(parser, options, sys.argv)
return safe_options, options
@@ -141,11 +141,11 @@ def main():
"==============")
print("This program will setup components needed to establish trust to "
"AD domains for")
print("the FreeIPA Server.")
print("the IPA Server.")
print("")
print("This includes:")
print(" * Configure Samba")
print(" * Add trust related objects to FreeIPA LDAP server")
print(" * Add trust related objects to IPA LDAP server")
# TODO:
# print " * Add a SID to all users and Posix groups"
print("")
@@ -161,7 +161,7 @@ def main():
api.bootstrap(
in_server=True,
debug=options.debug,
context='install',
context='installer',
confdir=paths.ETC_IPA
)
api.finalize()
@@ -201,7 +201,7 @@ def main():
if not (user['uid'][0] in group['member_user'] and
group['cn'][0] in user['memberof_group']):
raise errors.RequirementError(name='admins group membership')
except errors.RequirementError as e:
except errors.RequirementError:
raise ScriptError(
"Must have administrative privileges to setup AD trusts on server"
)
@@ -209,6 +209,8 @@ def main():
raise ScriptError(
"Unrecognized error during check of admin rights: %s" % e)
# Force options.setup_adtrust
options.setup_adtrust = True
adtrust.install_check(True, options, api)
adtrust.install(True, options, fstore, api)


@@ -42,6 +42,7 @@ from ipalib.constants import DOMAIN_LEVEL_1
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import standard_logging_setup
from ipaplatform.paths import paths
from ipapython.admintool import admin_cleanup_global_argv
logger = logging.getLogger(os.path.basename(__file__))
@@ -81,7 +82,7 @@ def parse_options():
parser.add_option("--external-cert-file", dest="external_cert_files",
action="append", metavar="FILE",
help="File containing the IPA CA certificate and the external CA certificate chain")
ca_algos = ('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA')
ca_algos = ('SHA1withRSA', 'SHA256withRSA', 'SHA384withRSA', 'SHA512withRSA')
parser.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm",
type="choice", choices=ca_algos,
metavar="{{{0}}}".format(",".join(ca_algos)),
@@ -101,13 +102,38 @@ def parse_options():
"The CA certificate subject DN "
"(default CN=Certificate Authority,O=<realm-name>). "
"RDNs are in LDAP order (most specific RDN first)."))
parser.add_option("--token-name", dest="token_name",
default=None,
help=(
"The PKCS#11 token name if using an HSM to store "
"and generate private keys."))
parser.add_option("--token-library-path", dest="token_library_path",
default=None,
help=(
"The full path to the PKCS#11 shared library "
"needed to access the HSM device."))
parser.add_option("--token-password", dest="token_password",
default=None,
sensitive=True,
help=(
"The PKCS#11 token password for the HSM."))
parser.add_option("--token-password-file", dest="token_password_file",
default=None,
help=(
"The full path to a file containing the PKCS#11 "
" token password."))
parser.add_option("--pki-config-override", dest="pki_config_override",
default=None,
help="Path to ini file with config overrides.")
parser.add_option("--random-serial-numbers", dest="random_serial_numbers",
default=False, help="Enable random serial numbers",
action="store_true")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
admin_cleanup_global_argv(parser, options, sys.argv)
if args:
parser.error("Too many arguments provided")
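Review bot: The help text for `--token-password-file` is assembled from `"The full path to a file containing the PKCS#11 "` and `" token password."`, so the rendered help contains a double space; drop the leading space in the second literal, `"token password."`. `--token-password` is declared `sensitive=True` and `admin_cleanup_global_argv(parser, options, sys.argv)` is now called right after parsing, which presumably scrubs such values from the visible argv; a one-line comment on that call, e.g. `# scrub sensitive option values from sys.argv so they do not linger in process listings`, would make the intent clear, hedged because the helper's body is not in this diff. The rewritten `ca_algos` tuple still offers `SHA1withRSA` next to the new `SHA384withRSA`; if it is retained for compatibility with existing deployments, a comment saying so would help readers. parse_options starts before this hunk.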
@@ -162,7 +188,9 @@ def install_replica(safe_options, options):
# Run ipa-certupdate to ensure we have the CA cert. This is
# necessary if the admin has just promoted the topology from
# CA-less to CA-ful, and ipa-certupdate has not been run yet.
print("Running ipa-certupdate...", end="", flush=True)
ipa_certupdate.run_with_args(api)
print("done")
# CertUpdate restarts DS causing broken pipe on the original
# connection, so reconnect the backend.
@@ -226,6 +254,10 @@ def install_master(safe_options, options):
options.ca_subject = str(
installutils.default_ca_subject_dn(options.subject_base))
try:
ca.random_serial_numbers_validator(options.random_serial_numbers)
except ValueError as e:
sys.exit(str(e))
try:
ca.subject_validator(ca.VALID_SUBJECT_BASE_ATTRS, options.subject_base)
except ValueError as e:
@@ -270,6 +302,11 @@ def install(safe_options, options):
if ca_host is None:
install_master(safe_options, options)
else:
if options.random_serial_numbers:
if ca.lookup_random_serial_number_version(api) == 0:
sys.exit(
"\nRandom serial numbers cannot be enabled in an "
"existing CA installation.\n")
install_replica(safe_options, options)
@@ -294,7 +331,7 @@ def main():
# override ra_plugin setting read from default.conf so that we have
# functional dogtag backend plugins during CA install
api.bootstrap(
context='install', confdir=paths.ETC_IPA,
context='installer', confdir=paths.ETC_IPA,
in_server=True, ra_plugin='dogtag'
)
api.finalize()


@@ -0,0 +1,75 @@
#!/usr/bin/python3
# Based heavily on
# https://github.com/gssapi/mod_auth_gssapi/blob/master/contrib/sweeper.py
# Copyright (C) 2016 mod_auth_gssapi contributors - See COPYING for (C) terms
# If one uses both sessions and unique ccache names, then the filesystem will
# become littered with ccache files unless the accessed application cleans
# them up itself. This script will minimize ccache file proliferation by
# removing any ccaches that have expired from the filesystem, and serves as an
# example of how this cleaning can be performed.
import argparse
import os
import stat
import sys
import time
from ipalib.krb_utils import get_credentials_if_valid
from ipaplatform.paths import paths
def should_delete(fname, t, minlife):
"""Process file as a ccache and indicate whether it is expired"""
# skip directories and other non-files
st = os.stat(fname)
if not stat.S_ISREG(st.st_mode):
return False
# ignore files that are newer than minlife minutes
if t - st.st_mtime < minlife * 60:
return False
# gssproxy inquires input credentials. If they are expired
# then gssproxy acquires creds from cred_store according to
# the configuration of gssproxy's service, which in this case
# hasn't cred_store(besides `keytab:`, used for decryption of
# ccache). If there is no ccache within cred_store then gssproxy
# adds its own one("MEMORY:internal_%d"), which hasn't
# any credentials, thus, scan_ccache fails with KRB5_FCC_NOFILE.
# Since the caller requires INITIATE-ONLY and the client keytab
# is not provided in cred_store the result of gss_acquire_cred_from
# is KRB5_FCC_NOFILE, which is mapped by gssproxy to
# 0x04200000 + KRB5_FCC_NOFILE.
creds = get_credentials_if_valid(ccache_name=fname)
return creds is None
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="Sweep expired ccaches")
parser.add_argument("-m", dest="minlife", type=int,
help="ignore newer files than this (default: 30)",
default=30)
args = parser.parse_args()
os.environ["GSS_USE_PROXY"] = "yes"
os.environ["GSSPROXY_BEHAVIOR"] = "REMOTE_ONLY"
os.environ["GSSPROXY_SOCKET"] = paths.IPA_CCACHE_SWEEPER_GSSPROXY_SOCK
print("Running sweeper...")
t = time.time()
os.chdir(paths.IPA_CCACHES)
for fname in os.listdir(paths.IPA_CCACHES):
try:
if should_delete(fname, t, args.minlife):
os.unlink(fname)
except FileNotFoundError:
# someone else did the work for us
pass
print("Sweeper finished successfully!")
sys.exit(0)
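Review bot: `should_delete` uses `os.stat`, which follows symlinks, so a symlink in the ccache directory that points at a regular file passes the `S_ISREG` check and is then handed to `get_credentials_if_valid` as a ccache; `st = os.lstat(fname)` would make the sweeper skip links outright, matching the stated intent of only processing ccache files. The main loop catches only `FileNotFoundError`, so a single entry that `os.stat` cannot read (a `PermissionError`, say) aborts the whole sweep with a traceback instead of being skipped; whether `get_credentials_if_valid` can raise on a malformed file is not visible here and is left for the author to confirm. The docstring could also state the units, e.g. `"""Return True if fname is a regular file older than minlife minutes whose ccache holds no valid credentials."""`.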


@@ -24,13 +24,13 @@ from __future__ import print_function
import sys
from ipaplatform.paths import paths
try:
from optparse import OptionParser # pylint: disable=deprecated-module
from ipapython import ipautil, config
from ipaserver.install import installutils
from ipaserver.install.ldapupdate import LDAPUpdate
from ipalib import api, errors
from ipapython.ipa_log_manager import standard_logging_setup
from ipapython.dn import DN
from ipapython.admintool import admin_cleanup_global_argv
except ImportError as e:
print("""\
There was a problem importing one of the required Python modules. The
@@ -46,7 +46,8 @@ nis_config_dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config'))
def parse_options():
usage = "%prog [options] <enable|disable|status>\n"
usage += "%prog [options]\n"
parser = OptionParser(usage=usage, formatter=config.IPAFormatter())
parser = config.IPAOptionParser(usage=usage,
formatter=config.IPAFormatter())
parser.add_option("-d", "--debug", action="store_true", dest="debug",
help="Display debugging information about the update(s)")
@@ -55,6 +56,7 @@ def parse_options():
config.add_standard_options(parser)
options, args = parser.parse_args()
admin_cleanup_global_argv(parser, options, sys.argv)
return options, args
@@ -131,8 +133,9 @@ def main():
else:
print("Enabling plugin")
# https://github.com/PyCQA/pylint/issues/872
if entry is None:
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={})
ld = LDAPUpdate()
if not ld.update(files):
print("Updating Directory Server failed.")
retval = 1


@@ -30,9 +30,10 @@ from ipaplatform.paths import paths
from ipaserver.install import (replication, installutils, bindinstance,
cainstance)
from ipalib import api, errors
from ipalib.util import has_managed_topology
from ipapython import ipautil, ipaldap, version
from ipapython.admintool import ScriptError
from ipalib.constants import FQDN
from ipalib.util import has_managed_topology, print_replication_status
from ipapython import ipautil, ipaldap, version, config
from ipapython.admintool import admin_cleanup_global_argv, ScriptError
from ipapython.dn import DN
logger = logging.getLogger(os.path.basename(__file__))
@@ -53,11 +54,10 @@ commands = {
def parse_options():
from optparse import OptionParser # pylint: disable=deprecated-module
parser = OptionParser(version=version.VERSION)
parser = config.IPAOptionParser(version=version.VERSION)
parser.add_option("-H", "--host", dest="host", help="starting host")
parser.add_option("-p", "--password", dest="dirman_passwd", help="Directory Manager password")
parser.add_option("-p", "--password", dest="dirman_passwd", sensitive=True,
help="Directory Manager password")
parser.add_option("-v", "--verbose", dest="verbose", action="store_true", default=False,
help="provide additional information")
parser.add_option("-f", "--force", dest="force", action="store_true", default=False,
@@ -65,23 +65,27 @@ def parse_options():
parser.add_option("--from", dest="fromhost", help="Host to get data from")
options, args = parser.parse_args()
admin_cleanup_global_argv(parser, options, sys.argv)
valid_syntax = False
if len(args):
n = len(args) - 1
for cmd in commands:
for cmd, args_info in commands.items():
if cmd == args[0]:
v = commands[cmd]
err = None
if n < v[0]:
err = v[3]
elif n > v[1]:
if n < args_info[0]:
err = args_info[3]
elif n > args_info[1]:
err = "too many arguments"
else:
valid_syntax = True
if err:
parser.error("Invalid syntax: %s\nUsage: %s [options] %s" % (err, cmd, v[2]))
parser.error(
"Invalid syntax: %s\nUsage: %s [options] %s" % (
err, cmd, args_info[2]
)
)
if not valid_syntax:
cmdstr = " | ".join(commands.keys())
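Review bot: The new `for cmd, args_info in commands.items():` / `if cmd == args[0]:` pair is a linear scan for a dict key; `cmd = args[0]`, `args_info = commands.get(cmd)`, `if args_info is not None:` performs the same lookup directly and lets the `err` handling and the `parser.error` call lose one indentation level with no change in behaviour. The same loop shape is introduced in ipa-replica-manage.in's parse_options. parse_options starts before this hunk.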
@@ -132,19 +136,7 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose):
for entry in entries:
print('%s' % entry.single_value.get('nsds5replicahost'))
if verbose:
initstatus = entry.single_value.get('nsds5replicalastinitstatus')
if initstatus is not None:
print(" last init status: %s" % initstatus)
print(" last init ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastinitend'])))
print(" last update status: %s" % entry.single_value.get(
'nsds5replicalastupdatestatus'))
print(" last update ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastupdateend'])))
print_replication_status(entry, verbose)
def del_link(realm, replica1, replica2, dirman_passwd, force=False):
@@ -343,7 +335,7 @@ def re_initialize(realm, options):
if not options.fromhost:
sys.exit("re-initialize requires the option --from <host name>")
thishost = installutils.get_fqdn()
thishost = FQDN
try:
repl = replication.get_cs_replication_manager(realm, options.fromhost,
@@ -383,7 +375,7 @@ def force_sync(realm, thishost, fromhost, dirman_passwd):
def set_renewal_master(realm, replica):
if not replica:
replica = installutils.get_fqdn()
replica = FQDN
ca = cainstance.CAInstance(realm)
if ca.is_renewal_master(replica):
@@ -434,7 +426,7 @@ def main():
if options.host:
host = options.host
else:
host = installutils.get_fqdn()
host = FQDN
options.host = host


@@ -9,10 +9,9 @@ import argparse
import logging
import os
import platform
import socket
import warnings
from custodia.message.kem import KEY_USAGE_SIG, KEY_USAGE_ENC, KEY_USAGE_MAP
from ipaserver.custodia.message.kem import KEY_USAGE_SIG, KEY_USAGE_ENC, KEY_USAGE_MAP
from jwcrypto.common import json_decode
from jwcrypto.jwk import JWK
@@ -49,6 +48,8 @@ KEYS = [
'dm/DMHash',
'ra/ipaCert',
'ca/auditSigningCert cert-pki-ca',
'ca_wrapped/auditSigningCert cert-pki-ca',
'ca_wrapped/auditSigningCert cert-pki-ca/1.2.840.113549.3.7',
'ca/caSigningCert cert-pki-ca',
'ca/ocspSigningCert cert-pki-ca',
'ca/subsystemCert cert-pki-ca',
@@ -134,7 +135,6 @@ class IPACustodiaTester:
def check(self):
self.status()
self.check_fqdn()
self.check_files()
self.check_client()
self.check_jwk()
@@ -154,13 +154,6 @@ class IPACustodiaTester:
if self.host == self.args.server:
self.warning("Performing self-test only.")
def check_fqdn(self):
fqdn = socket.getfqdn()
if self.host != fqdn:
self.warning(
"socket.getfqdn() reports hostname '{}'".format(fqdn)
)
def check_files(self):
for filename in self.files:
if not os.path.isfile(filename):
@@ -191,7 +184,7 @@ class IPACustodiaTester:
pkey = JWK(**dictkeys[usage_id])
local_pubkey = json_decode(pkey.export_public())
except Exception:
raise self.error(
raise self.error( # pylint: disable=raising-bad-type, #4772
"Failed to load and parse local JWK.", fatal=True
)
else:
@@ -199,10 +192,10 @@ class IPACustodiaTester:
usage, IPA_CUSTODIA_KEYFILE
))
if pkey.key_id != self.host_spn:
raise self.error(
if pkey.get('kid') != self.host_spn:
raise self.error( # pylint: disable=raising-bad-type, #4772
"KID '{}' != host service principal name '{}' "
"(usage: {})".format(pkey.key_id, self.host_spn, usage),
"(usage: {})".format(pkey.get('kid'), self.host_spn, usage),
fatal=True
)
else:
@@ -217,7 +210,7 @@ class IPACustodiaTester:
try:
host_pubkey = json_decode(find_key(self.host_spn, usage_id))
except Exception:
raise self.error(
raise self.error( # pylint: disable=raising-bad-type, #4772
"Fetching host keys {} (usage: {}) failed.".format(
self.host_spn, usage),
fatal=True
@@ -230,7 +223,7 @@ class IPACustodiaTester:
if host_pubkey != local_pubkey:
self.debug("LDAP: '{}'".format(host_pubkey))
self.debug("Local: '{}'".format(local_pubkey))
raise self.error(
raise self.error( # pylint: disable=raising-bad-type, #4772
"Host key in LDAP does not match local key.",
fatal=True
)
@@ -242,7 +235,7 @@ class IPACustodiaTester:
try:
server_pubkey = json_decode(find_key(self.server_spn, usage_id))
except Exception:
raise self.error(
raise self.error( # pylint: disable=raising-bad-type, #4772
"Fetching server keys {} (usage: {}) failed.".format(
self.server_spn, usage),
fatal=True


@@ -38,7 +38,7 @@ from ipaserver.install import dns as dns_installer
logger = logging.getLogger(os.path.basename(__file__))
log_file_name = paths.IPASERVER_INSTALL_LOG
log_file_name = paths.IPASERVER_DNS_INSTALL_LOG
def parse_options():
parser = IPAOptionParser(version=version.VERSION)
@@ -131,7 +131,7 @@ def main():
# Initialize the ipalib api
api.bootstrap(
context='install', confdir=paths.ETC_IPA,
context='installer', confdir=paths.ETC_IPA,
in_server=True, debug=options.debug,
)
api.finalize()


@@ -24,7 +24,6 @@ import logging
import os
import re
import sys
from optparse import OptionParser # pylint: disable=deprecated-module
from ipaplatform.paths import paths
from ipapython import config
@@ -32,6 +31,7 @@ from ipaserver.install import installutils
from ipalib import api, errors
from ipapython.ipa_log_manager import standard_logging_setup
from ipapython.dn import DN
from ipapython.admintool import admin_cleanup_global_argv
logger = logging.getLogger(os.path.basename(__file__))
@@ -39,7 +39,8 @@ logger = logging.getLogger(os.path.basename(__file__))
def parse_options():
usage = "%prog [options] <status|enable|disable>\n"
usage += "%prog [options]\n"
parser = OptionParser(usage=usage, formatter=config.IPAFormatter())
parser = config.IPAOptionParser(usage=usage,
formatter=config.IPAFormatter())
parser.add_option("-d", "--debug", action="store_true", dest="debug",
help="Display debugging information about the update(s)")
@@ -50,9 +51,10 @@ def parse_options():
action="store_true",
help="List available Managed Entries")
parser.add_option("-p", "--password", dest="dirman_password",
help="Directory Manager password")
sensitive=True, help="Directory Manager password")
options, args = parser.parse_args()
admin_cleanup_global_argv(parser, options, sys.argv)
return options, args

10
install/tools/ipa-migrate.in Executable file

@@ -0,0 +1,10 @@
#!/usr/bin/python3
#
# Copyright (C) 2023 FreeIPA Contributors see COPYING for license
#
# PYTHON_ARGCOMPLETE_OK
from ipaserver.install.ipa_migrate import IPAMigrate
ipa_migrate = IPAMigrate()
ipa_migrate.run()


@@ -149,7 +149,7 @@ def main():
# could be turned off, handle both cases.
if entry is None:
print("Enabling plugin")
ld = LDAPUpdate(dm_password=dirman_password, sub_dict={}, ldapi=True)
ld = LDAPUpdate()
if ld.update(files) != True:
retval = 1
elif entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':


@@ -34,7 +34,6 @@ def main():
"File '{}' missing or not readable.\n".format(filename)
)
# pylint: disable=no-member
client = CustodiaClient(
client_service="{}@{}".format(service, env.host),
server=args.servername,


@@ -13,6 +13,7 @@ import logging
import sys
import time
from xml.etree import ElementTree
import json
from ipalib import api
from ipaplatform.paths import paths
@@ -74,10 +75,19 @@ def get_status(conn, timeout):
"""
client = SystemStatusClient(conn)
response = client.get_status(timeout=timeout)
root = ElementTree.fromstring(response)
status = root.findtext("Status")
error = root.findtext("Error")
logging.debug("Got status '%s', error '%s'", status, error)
status = None
error = None
try:
json_response = json.loads(response)
status = json_response['Response']['Status']
except KeyError as e:
error = repr(e)
except json.JSONDecodeError:
logger.debug("Response is not valid JSON, try XML")
root = ElementTree.fromstring(response)
status = root.findtext("Status")
error = root.findtext("Error")
logger.debug("Got status '%s', error '%s'", status, error)
return status, error
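Review bot: The JSON branch only catches `KeyError`, so a response that parses as JSON but is not an object (an array, a string, `null`) raises `TypeError` on `json_response['Response']` and escapes `get_status` instead of being reported through `error`; `except (KeyError, TypeError) as e:` keeps that case on the reported-error path. The XML fallback still lets `ElementTree.ParseError` propagate as the old code did, which is fine as long as callers expect it. The new lines use `logger.debug` where the removed line used `logging.debug`, which assumes a module-level `logger` is defined outside this hunk; get_status's signature is also outside the hunk.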


@@ -23,14 +23,15 @@ from __future__ import print_function
import logging
from ipapython import ipachangeconf
from ipapython.config import IPAOptionParser
from ipapython.config import (IPAOptionParser, OptionGroup,
OptionValueError)
from ipapython.admintool import admin_cleanup_global_argv
from ipapython.dn import DN
from ipapython import version
from ipapython import ipautil, certdb
from ipalib import api, errors, x509
from ipalib.constants import FQDN
from ipaserver.install import installutils
# pylint: disable=deprecated-module
from optparse import OptionGroup, OptionValueError
# pylint: enable=deprecated-module
from ipapython.ipa_log_manager import standard_logging_setup
import copy
@@ -44,7 +45,7 @@ import time
import threading
import traceback
from socket import SOCK_STREAM, SOCK_DGRAM
import distutils.spawn
import shutil
from ipaplatform.paths import paths
import gssapi
@@ -61,7 +62,7 @@ class SshExec:
def __init__(self, user, addr):
self.user = user
self.addr = addr
self.cmd = distutils.spawn.find_executable('ssh')
self.cmd = shutil.which('ssh')
# Bail if ssh is not installed
if self.cmd is None:
raise RuntimeError("ssh not installed")
@@ -188,6 +189,7 @@ def parse_options():
options, _args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
admin_cleanup_global_argv(parser, options, sys.argv)
if options.master and options.replica:
parser.error("on-master and on-replica options are mutually exclusive!")
@@ -205,7 +207,7 @@ def parse_options():
parser.error("No action: you should select either --replica or --master option.")
if not options.hostname:
options.hostname = socket.getfqdn()
options.hostname = FQDN
return safe_options, options
@@ -290,7 +292,7 @@ class PortResponder(threading.Thread):
self._sockets = []
self._close = False
self._close_lock = threading.Lock()
self.responder_data = b'FreeIPA'
self.responder_data = b'IPA'
self.ports_opened = False
self.ports_open_cond = threading.Condition()
@@ -318,7 +320,7 @@ class PortResponder(threading.Thread):
logger.debug('%d %s: Stopped listening', port, proto)
def _is_closing(self):
with self._close_lock: # pylint: disable=not-context-manager
with self._close_lock:
return self._close
def _bind_to_port(self, port, socket_type):
@@ -369,7 +371,7 @@ class PortResponder(threading.Thread):
def stop(self):
logger.debug('Stopping listening thread.')
with self._close_lock: # pylint: disable=not-context-manager
with self._close_lock:
self._close = True


@@ -26,7 +26,6 @@ import os
import re
import socket
import traceback
from urllib.parse import urlparse
from xmlrpc.client import MAXINT
import ldap
@@ -38,7 +37,13 @@ from ipaserver.install import bindinstance, cainstance
from ipaserver.install import opendnssecinstance, dnskeysyncinstance
from ipapython import version, ipaldap
from ipalib import api, errors
from ipalib.util import has_managed_topology, verify_host_resolvable
from ipalib.constants import FQDN
from ipalib.util import (
has_managed_topology,
print_replication_status,
verify_host_resolvable,
)
from ipapython.admintool import admin_cleanup_global_argv
from ipapython.ipa_log_manager import standard_logging_setup
from ipapython.dn import DN
from ipapython.config import IPAOptionParser
@@ -80,7 +85,8 @@ class NoRUVsFound(Exception):
def parse_options():
parser = IPAOptionParser(version=version.VERSION)
parser.add_option("-H", "--host", dest="host", help="starting host")
parser.add_option("-p", "--password", dest="dirman_passwd", help="Directory Manager password")
parser.add_option("-p", "--password", dest="dirman_passwd", sensitive=True,
help="Directory Manager password")
parser.add_option("-v", "--verbose", dest="verbose", action="store_true", default=False,
help="provide additional information")
parser.add_option("-d", "--debug", dest="debug", action="store_true", default=False,
@@ -91,7 +97,7 @@ def parse_options():
help="DANGER: clean up references to a ghost master")
parser.add_option("--binddn", dest="binddn", default=None, type="dn",
help="Bind DN to use with remote server")
parser.add_option("--bindpw", dest="bindpw", default=None,
parser.add_option("--bindpw", dest="bindpw", default=None, sensitive=True,
help="Password for Bind DN to use with remote server")
parser.add_option("--winsync", dest="winsync", action="store_true", default=False,
help="This is a Windows Sync Agreement")
@@ -99,30 +105,35 @@ def parse_options():
help="Full path and filename of CA certificate to use with TLS/SSL to the remote server")
parser.add_option("--win-subtree", dest="win_subtree", default=None,
help="DN of Windows subtree containing the users you want to sync (default cn=Users,<domain suffix)")
parser.add_option("--passsync", dest="passsync", default=None,
parser.add_option("--passsync", dest="passsync",
default=None, sensitive=True,
help="Password for the IPA system user used by the Windows PassSync plugin to synchronize passwords")
parser.add_option("--from", dest="fromhost", help="Host to get data from")
parser.add_option("--no-lookup", dest="nolookup", action="store_true", default=False,
help="do not perform DNS lookup checks")
options, args = parser.parse_args()
admin_cleanup_global_argv(parser, options, sys.argv)
valid_syntax = False
if len(args):
n = len(args) - 1
for cmd in commands:
for cmd, args_info in commands.items():
if cmd == args[0]:
v = commands[cmd]
err = None
if n < v[0]:
err = v[3]
elif n > v[1]:
if n < args_info[0]:
err = args_info[3]
elif n > args_info[1]:
err = "too many arguments"
else:
valid_syntax = True
if err:
parser.error("Invalid syntax: %s\nUsage: %s [options] %s" % (err, cmd, v[2]))
parser.error(
"Invalid syntax: %s\nUsage: %s [options] %s" % (
err, cmd, args_info[2]
)
)
if not valid_syntax:
cmdstr = " | ".join(commands.keys())
@@ -234,19 +245,7 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose, nolookup=False):
for entry in entries:
print('%s: %s' % (entry.single_value.get('nsds5replicahost'), ent_type))
if verbose:
initstatus = entry.single_value.get('nsds5replicalastinitstatus')
if initstatus is not None:
print(" last init status: %s" % initstatus)
print(" last init ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastinitend'])))
print(" last update status: %s" % entry.single_value.get(
'nsds5replicalastupdatestatus'))
print(" last update ended: %s" % str(
ipautil.parse_generalized_time(
entry.single_value['nsds5replicalastupdateend'])))
print_replication_status(entry, verbose)
def del_link(realm, replica1, replica2, dirman_passwd, force=False):
@@ -362,9 +361,14 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
return True
def get_ruv(realm, host, dirman_passwd, nolookup=False, ca=False):
def get_ruv(realm, host, dirman_passwd, nolookup=False, ca=False,
strict=True):
"""
Return the RUV entries as a list of tuples: (hostname, rid)
If strict is True then the RUV must contain the ldap url, otherwise it is
ok to proceed with just the rid
"""
if not nolookup:
@@ -375,10 +379,9 @@ def get_ruv(realm, host, dirman_passwd, nolookup=False, ca=False):
thisrepl = replication.get_cs_replication_manager(realm, host, dirman_passwd)
else:
thisrepl = replication.ReplicationManager(realm, host, dirman_passwd)
except Exception as e:
except Exception as ex:
logger.debug("%s", traceback.format_exc())
raise RuntimeError("Failed to connect to server {host}: {err}"
.format(host=host, err=e))
raise RuntimeError(f"Failed to connect to server {host}: {ex}")
search_filter = '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
try:
@@ -390,24 +393,42 @@ def get_ruv(realm, host, dirman_passwd, nolookup=False, ca=False):
raise NoRUVsFound("No RUV records found.")
servers = []
for e in entries:
for ruv in e['nsds50ruv']:
for entry in entries:
for ruv in entry['nsds50ruv']:
if ruv.startswith('{replicageneration'):
continue
data = re.match('\{replica (\d+) (ldap://.*:\d+)\}(\s+\w+\s+\w*){0,1}', ruv)
if data:
rid = data.group(1)
(
_scheme, netloc, _path, _params, _query, _fragment
) = urlparse(data.group(2))
servers.append((netloc, rid))
# Get the RID, this is required in all cases
rid_data = re.match(
r'\{replica (\d+)',
ruv
)
if rid_data:
rid = rid_data.group(1)
else:
print("unable to decode: %s" % ruv)
print(f"unable to decode: {ruv} --> missing replica ID")
continue
# Attempt to extract ldap url from ruv (it's not always present)
netloc = "unknown host"
host_data = re.match(
r'(\{\w+\s+\d+\s+)ldap://(.+:\d+)',
ruv
)
if host_data:
netloc = host_data.group(2)
elif strict:
print(f"unable to decode: {ruv} --> missing LDAP url")
continue
# Ok update server list
servers.append((netloc, rid))
return servers
def get_ruv_both_suffixes(realm, host, dirman_passwd, verbose, nolookup=False):
def get_ruv_both_suffixes(realm, host, dirman_passwd, verbose, nolookup=False,
strict=True):
"""
Get RUVs for both domain and ipaca suffixes
"""
@@ -415,19 +436,20 @@ def get_ruv_both_suffixes(realm, host, dirman_passwd, verbose, nolookup=False):
fail_gracefully = True
try:
ruvs['ca'] = get_ruv(realm, host, dirman_passwd, nolookup, True)
ruvs['ca'] = get_ruv(realm, host, dirman_passwd, nolookup, True,
strict)
except (NoRUVsFound, RuntimeError) as e:
err = "Failed to get CS-RUVs from {host}: {err}".format(host=host,
err=e)
err = f"Failed to get CS-RUVs from {host}: {e}"
if isinstance(e, RuntimeError):
fail_gracefully = False
if verbose:
print(err)
logger.debug('%s', err)
try:
ruvs['domain'] = get_ruv(realm, host, dirman_passwd, nolookup)
ruvs['domain'] = get_ruv(realm, host, dirman_passwd, nolookup, False,
strict)
except (NoRUVsFound, RuntimeError) as e:
err = "Failed to get RUVs from {host}: {err}".format(host=host, err=e)
err = f"Failed to get RUVs from {host}: {e}"
if isinstance(e, RuntimeError):
if not fail_gracefully:
raise
@@ -499,7 +521,8 @@ def clean_ruv(realm, ruv, options):
servers = get_ruv_both_suffixes(realm, options.host,
options.dirman_passwd,
options.verbose,
options.nolookup)
options.nolookup,
strict=False)
except (NoRUVsFound, RuntimeError) as e:
print(e)
sys.exit(0 if isinstance(e, NoRUVsFound) else 1)
@@ -555,7 +578,8 @@ def abort_clean_ruv(realm, ruv, options):
servers = get_ruv_both_suffixes(realm, options.host,
options.dirman_passwd,
options.verbose,
options.nolookup)
options.nolookup,
strict=False)
except (NoRUVsFound, RuntimeError) as e:
print(e)
sys.exit(0 if isinstance(e, NoRUVsFound) else 1)
@@ -714,7 +738,8 @@ def clean_dangling_ruvs(realm, host, options):
ruv_dict = get_ruv_both_suffixes(realm, master_cn,
options.dirman_passwd,
options.verbose,
options.nolookup)
options.nolookup,
strict=False)
except (RuntimeError, NoRUVsFound):
continue
@@ -722,12 +747,12 @@ def clean_dangling_ruvs(realm, host, options):
# This needs needs to be split off
if ruv_dict.get('domain'):
master_info['ruvs'] = {
(re.sub(':\d+', '', x), y)
(re.sub(r':\d+', '', x), y)
for (x, y) in ruv_dict['domain']
}
if ruv_dict.get('ca'):
master_info['csruvs'] = {
(re.sub(':\d+', '', x), y)
(re.sub(r':\d+', '', x), y)
for (x, y) in ruv_dict['ca']
}
except Exception as e:
@@ -876,12 +901,12 @@ def ensure_last_services(conn, hostname, masters, options):
if ca_hostname is None and 'CA' in services_cns:
ca_hostname = master_cn
if 'CA' in this_services and not any(['CA' in o for o in other_services]):
if 'CA' in this_services and not any('CA' in o for o in other_services):
print("Deleting this server is not allowed as it would leave your installation without a CA.")
sys.exit(1)
other_dns = True
if 'DNS' in this_services and not any(['DNS' in o for o in other_services]):
if 'DNS' in this_services and not any('DNS' in o for o in other_services):
other_dns = False
print("Deleting this server will leave your installation without a DNS.")
if not options.force and not ipautil.user_input("Continue to delete?", False):
@@ -1241,12 +1266,12 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False):
repl.force_sync(repl.conn, fromhost)
else:
ds = dsinstance.DsInstance(realm_name=realm)
ds.replica_manage_time_skew(prevent=False)
ds.replica_ignore_initial_time_skew()
repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
repl.force_sync(repl.conn, thishost)
agreement = repl.get_replication_agreement(thishost)
repl.wait_for_repl_update(repl.conn, agreement.dn)
ds.replica_manage_time_skew(prevent=True)
ds.replica_revert_time_skew()
def show_DNA_ranges(hostname, master, realm, dirman_passwd, nextrange=False,
nolookup=False):
@@ -1525,7 +1550,7 @@ def main(options, args):
if options.host:
host = options.host
else:
host = installutils.get_fqdn()
host = FQDN
options.host = host
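Review bot: In force_sync the call `ds.replica_ignore_initial_time_skew()` is not paired with a guaranteed `ds.replica_revert_time_skew()` — if `repl.force_sync`, `get_replication_agreement` or `wait_for_repl_update` raises, the revert on the last line of the hunk is skipped and the directory server is presumably left with the initial time-skew check relaxed until the tool is run again. The previous `replica_manage_time_skew(prevent=False/True)` pair had the same shape, so this is not a regression, but the rename is a good moment to make the revert unconditional with try/finally; force_sync begins outside the hunk. Separately, the non-strict path of get_ruv appends the literal placeholder `"unknown host"` as a hostname, and callers such as clean_dangling_ruvs fold it through `re.sub(r':\d+', '', x)` into host sets, so it may be worth filtering that sentinel out or documenting in the get_ruv docstring that callers must expect it.
```python
ds = dsinstance.DsInstance(realm_name=realm)
ds.replica_ignore_initial_time_skew()
try:
    repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
    repl.force_sync(repl.conn, thishost)
    agreement = repl.get_replication_agreement(thishost)
    repl.wait_for_repl_update(repl.conn, agreement.dn)
finally:
    # always restore the skew check, even if the sync failed
    ds.replica_revert_time_skew()
```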


@@ -0,0 +1,8 @@
#!/usr/bin/python3
#
# Copyright (C) 2021 FreeIPA Contributors see COPYING for license
#
from ipaserver.install.ipa_subids import IPASubids
IPASubids.run_cli()


@@ -29,7 +29,9 @@ dist_man1_MANS = \
ipa-pkinit-manage.1 \
ipa-crlgen-manage.1 \
ipa-cert-fix.1 \
$(NULL)
ipa-acme-manage.1 \
ipa-migrate.1 \
$(NULL)
dist_man8_MANS = \
ipactl.8 \


@@ -1,7 +1,7 @@
# Makefile.in generated by automake 1.16.2 from Makefile.am.
# Makefile.in generated by automake 1.17 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2020 Free Software Foundation, Inc.
# Copyright (C) 1994-2024 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -71,6 +71,8 @@ am__make_running_with_option = \
test $$has_opt = yes
am__make_dryrun = (target_option=n; $(am__make_running_with_option))
am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
am__rm_f = rm -f $(am__rm_f_notfound)
am__rm_rf = rm -rf $(am__rm_f_notfound)
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -148,10 +150,9 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__uninstall_files_from_dir = { \
test -z "$$files" \
|| { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && rm -f $$files; }; \
{ test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
|| { echo " ( cd '$$dir' && rm -f" $$files ")"; \
$(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
}
man1dir = $(mandir)/man1
am__installdirs = "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"
@@ -181,6 +182,8 @@ CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
CRYPTO_LIBS = @CRYPTO_LIBS@
CSCOPE = @CSCOPE@
CTAGS = @CTAGS@
CYGPATH_W = @CYGPATH_W@
DATA_VERSION = @DATA_VERSION@
DEFS = @DEFS@
@@ -194,8 +197,10 @@ ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
ETAGS = @ETAGS@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FILECMD = @FILECMD@
GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GIT_BRANCH = @GIT_BRANCH@
@@ -203,6 +208,7 @@ GIT_VERSION = @GIT_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
HTTPD_GROUP = @HTTPD_GROUP@
INI_CFLAGS = @INI_CFLAGS@
INI_LIBS = @INI_LIBS@
INSTALL = @INSTALL@
@@ -215,9 +221,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
IPAPLATFORM = @IPAPLATFORM@
IPA_DATA_DIR = @IPA_DATA_DIR@
IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
JANSSON_CFLAGS = @JANSSON_CFLAGS@
JANSSON_LIBS = @JANSSON_LIBS@
JSLINT = @JSLINT@
KRAD_LIBS = @KRAD_LIBS@
KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
KRB5_CFLAGS = @KRB5_CFLAGS@
KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -226,6 +235,8 @@ LD = @LD@
LDAP_CFLAGS = @LDAP_CFLAGS@
LDAP_LIBS = @LDAP_LIBS@
LDFLAGS = @LDFLAGS@
LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
LIBCURL_LIBS = @LIBCURL_LIBS@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -285,6 +296,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
POPT_CFLAGS = @POPT_CFLAGS@
POPT_LIBS = @POPT_LIBS@
POSUB = @POSUB@
PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
PWQUALITY_LIBS = @PWQUALITY_LIBS@
PYLINT = @PYLINT@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -293,9 +306,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
PYTHON_PREFIX = @PYTHON_PREFIX@
PYTHON_VERSION = @PYTHON_VERSION@
RANLIB = @RANLIB@
RESOLV_LIBS = @RESOLV_LIBS@
RPMLINT = @RPMLINT@
SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
SASL_CFLAGS = @SASL_CFLAGS@
SASL_LIBS = @SASL_LIBS@
SED = @SED@
@@ -334,8 +350,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__rm_f_notfound = @am__rm_f_notfound@
am__tar = @am__tar@
am__untar = @am__untar@
am__xargs_n = @am__xargs_n@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -381,6 +399,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
sysconfenvdir = @sysconfenvdir@
systemdcatalogdir = @systemdcatalogdir@
systemdsystemunitdir = @systemdsystemunitdir@
systemdtmpfilesdir = @systemdtmpfilesdir@
target_alias = @target_alias@
@@ -414,7 +433,9 @@ dist_man1_MANS = \
ipa-pkinit-manage.1 \
ipa-crlgen-manage.1 \
ipa-cert-fix.1 \
$(NULL)
ipa-acme-manage.1 \
ipa-migrate.1 \
$(NULL)
dist_man8_MANS = \
ipactl.8 \
@@ -546,7 +567,6 @@ ctags CTAGS:
cscope cscopelist:
distdir: $(BUILT_SOURCES)
$(MAKE) $(AM_MAKEFLAGS) distdir-am
@@ -611,8 +631,8 @@ mostlyclean-generic:
clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-$(am__rm_f) $(CONFIG_CLEAN_FILES)
-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -706,3 +726,10 @@ uninstall-man: uninstall-man1 uninstall-man8
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
# Tell GNU make to disable its built-in pattern rules.
%:: %,v
%:: RCS/%,v
%:: RCS/%
%:: s.%
%:: SCCS/s.%


@@ -0,0 +1,121 @@
.\"
.\" Copyright (C) 2020 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-acme-manage" "1" "Jun 2 2020" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-acme\-manage \- Manage the IPA ACME service
.SH "SYNOPSIS"
ipa\-acme\-manage enable|disable|status
.SH "DESCRIPTION"
Use the \fIipa-acme-manage\fR command to enable, disable or retrieve
the status of the ACME service on a IPA CA server.
In a IPA topology all CA servers capable of ACME will
have the ACME service deployed. The service is not enabled
by default. It is expected that the ACME service will either be
enabled on all CA servers, or disabled on all CA servers. However
it must be enabled or disabled on each individual server.
.SH "COMMANDS"
.TP
\fBenable\fR
Enable the ACME service on this host.
.TP
\fBdisable\fR
Disable the ACME service on this host.
.TP
\fBstatus\fR
Display the status of the ACME service.
.TP
\fBpruning\fR
Configure certificate and request pruning.
.SH "PRUNING"
Pruning is a job that runs in the CA that can remove expired
certificates and certificate requests which have not been issued.
This is particularly important when using short-lived certificates
like those issued with the ACME protocol. Pruning requires that
the IPA server be installed with random serial numbers enabled.
The CA needs to be restarted after modifying the pruning configuration.
The job is a cron-like task within the CA that is controlled by a
number of options which dictate how long after the certificate or
request is considered no longer valid and removed from the LDAP
database.
The cron time and date fields are:
.IP
.ta 1.5i
field allowed values
.br
----- --------------
.br
minute 0-59
.br
hour 0-23
.br
day of month 1-31
.br
month 1-12
.br
day of week 0-6 (0 is Sunday)
.br
.PP
The cron syntax is limited to * or specific numbers. Ranges are not supported.
.TP
\fB\-\-enable\fR
Enable certificate pruning.
.TP
\fB\-\-disable\fR
Disable certificate pruning.
.TP
\fB\-\-cron=CRON\fR
Configure the pruning cron job. The syntax is similar to crontab(5) syntax.
For example, "0 0 1 * *" schedules the job to run at 12:00am on the first
day of each month.
.TP
\fB\-\-certretention=CERTRETENTION\fR
Certificate retention time. The default is 30. A value of 0 will remove expired certificates with no delay.
.TP
\fB\-\-certretentionunit=CERTRETENTIONUNIT\fR
Certificate retention units. Valid units are: minute, hour, day, year.
The default is days.
.TP
\fB\-\-certsearchsizelimit=CERTSEARCHSIZELIMIT\fR
LDAP search size limit searching for expired certificates. The default is 1000. This is a client-side limit. There may be additional server-side limitations.
.TP
\fB\-\-certsearchtimelimit=CERTSEARCHTIMELIMIT\fR
LDAP search time limit (seconds) searching for expired certificates. The default is 0, no limit. This is a client-side limit. There may be additional server-side limitations.
.TP
\fB\-\-requestretention=REQUESTRETENTION\fR
Request retention time. The default is 30. A value of 0 will remove expired requests with no delay.
.TP
\fB\-\-requestretentionunit=REQUESTRETENTIONUNIT\fR
Request retention units. Valid units are: minute, hour, day, year.
The default is days.
.TP
\fB\-\-requestsearchsizelimit=REQUESTSEARCHSIZELIMIT\fR
LDAP search size limit searching for unfulfilled requests. The default is 1000. There may be additional server-side limitations.
.TP
\fB\-\-requestsearchtimelimit=REQUESTSEARCHTIMELIMIT\fR
LDAP search time limit (seconds) searching for unfulfilled requests. The default is 0, no limit. There may be additional server-side limitations.
.TP
\fB\-\-config\-show\fR
Show the current pruning configuration
.TP
\fB\-\-run\fR
Run the pruning job now. The IPA RA certificate is used to authenticate to the PKI REST backend.
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
2 if the host is not a IPA server
3 if the host is not a CA server


@@ -16,7 +16,7 @@
.\"
.\" Author: Sumit Bose <sbose@redhat.com>
.\"
.TH "ipa-adtrust-install" "1" "April 11 2017" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-adtrust-install" "1" "April 11 2017" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains
.SH "SYNOPSIS"
@@ -87,7 +87,7 @@ ldapmodify command info the directory server.
.TP
\fB\-\-add\-agents\fR
Add IPA masters to the list that allows to serve information about
users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master
users from trusted forests. Starting with IPA 4.2, a regular IPA master
can provide this information to SSSD clients. IPA masters aren't added
to the list automatically as restart of the LDAP service on each of them
is required. The host where ipa\-adtrust\-install is being run is added


@@ -16,7 +16,7 @@
.\"
.\" Author: Tomas Babej <tbabej@redhat.com>
.\"
.TH "ipa-advise" "1" "Jun 10 2013" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-advise" "1" "Jun 10 2013" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-advise \- Provide configurations advice for various use cases.
.SH "SYNOPSIS"
@@ -27,7 +27,7 @@ Provides customized advice for various IPA configuration issues.
For the list of possible ADVICEs available, run the ipa\-advise with no arguments.
.SH "OPTIONS"
.TP
\fB\-\-v\fR, \fB\-\-verbose\fR
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information
.TP
\fB\-d\fR, \fB\-\-debug\fR
@@ -41,4 +41,4 @@ Log to the given file
.SH "EXIT STATUS"
0 if the command was successful
1 if an error occurred
1 if an error occurred


@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-backup" "1" "Mar 22 2013" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-backup" "1" "Mar 22 2013" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-backup \- Back up an IPA master
.SH "SYNOPSIS"
@@ -54,7 +54,7 @@ Perform the backup on\-line. Requires the \-\-data option.
\fB\-\-disable\-role\-check\fR
Perform the backup even if this host does not have all the roles in use in the cluster. This is not recommended.
.TP
\fB\-\-v\fR, \fB\-\-verbose\fR
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information
.TP
\fB\-d\fR, \fB\-\-debug\fR


@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-ca-install" "1" "Mar 30 2017" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-ca-install" "1" "Mar 30 2017" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-ca\-install \- Install a CA on a server
.SH "SYNOPSIS"
@@ -77,11 +77,26 @@ The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs ar
File containing overrides for CA installation.
.TP
\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
.TP
\fB\-\-no\-host\-dns\fR
Do not use DNS for hostname lookup during installation
.TP
\fB\-\-random\-serial\-numbers\fR
Enable Random Serial Numbers. Random serial numbers cannot be used in a mixed environment. Either all CA's have it enabled or none do.
.TP
\fB\-\-token\-name\fR=\fITOKEN_NAME\fR
The PKCS#11 token name if using an HSM to store and generate private keys.
.TP
\fB\-\-token\-library\-path\fR=\fITOKEN_LIBRARY_PATH\fR
The full path to the PKCS#11 shared library needed to access the HSM device.
.TP
\fB\-\-token\-password\fR=\fITOKEN_PASSWORD\fR
The PKCS#11 token password for the HSM.
.TP
\fB\-\-token\-password\-file\fR=\fITOKEN_PASSWORD_FILE\fR
The full path to a file containing the PKCS#11 token password.
.TP
\fB\-\-skip\-conncheck\fR
Skip connection check to remote master
.TP


@@ -16,7 +16,7 @@
.\"
.\" Author: Jan Cholasta <jcholast@redhat.com>
.\"
.TH "ipa-cacert-manage" "1" "Aug 12 2013" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-cacert-manage" "1" "Aug 12 2013" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-cacert\-manage \- Manage CA certificates in IPA
.SH "SYNOPSIS"
@@ -27,6 +27,8 @@ ipa\-cacert\-manage \- Manage CA certificates in IPA
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] delete \fINICKNAME\fR
.br
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] list
.br
\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] prune
.SH "DESCRIPTION"
\fBipa\-cacert\-manage\fR can be used to manage CA certificates in IPA.
.SH "COMMANDS"
@@ -72,6 +74,13 @@ Please do not forget to run ipa-certupdate on the master, all the replicas and a
.RS
Display a list of the nicknames or subjects of the CA certificates that have been installed.
.RE
.TP
\fBprune\fR
\- Prune the stored CA certificates
.sp
.RS
Removes installed CA certificates that are expired.
.RE
.SH "COMMON OPTIONS"
.TP
\fB\-\-version\fR


@@ -1,7 +1,7 @@
.\"
.\" Copyright (C) 2019 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-cert-fix" "1" "Mar 25 2019" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-cert-fix" "1" "Mar 25 2019" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-cert\-fix \- Renew expired certificates
.SH "SYNOPSIS"
@@ -9,7 +9,7 @@ ipa\-cert\-fix [options]
.SH "DESCRIPTION"
\fIipa-cert-fix\fR is a tool for recovery when expired certificates
prevent the normal operation of FreeIPA. It should ONLY be used in
prevent the normal operation of IPA. It should ONLY be used in
such scenarios, and backup of the system, especially certificates
and keys, is \fBSTRONGLY RECOMMENDED\fR.
@@ -22,7 +22,7 @@ This tool cannot renew certificates signed by external CAs. To
install new, externally-signed HTTP, LDAP or KDC certificates, use
\fIipa-server-certinstall(1)\fR.
\fIipa-cert-fix\fR will examine FreeIPA and Certificate System
\fIipa-cert-fix\fR will examine IPA and Certificate System
certificates and renew certificates that are expired, or close to
expiry (less than two weeks). If any "shared" certificates are
renewed, \fIipa-cert-fix\fR will set the current server to be the CA
@@ -39,6 +39,13 @@ for shared certificates via \fIgetcert-resubmit(1)\fR (on the other
CA server). This is to avoid unnecessary renewal of shared
certificates.
Important note: the \fIcertmonger\fR daemon does not immediately notice
the updated certificates and may trigger a renewal after \fIipa-cert-fix\fR
completes. As a consequence, \fIgetcert list\fR output may display
that a renewal is in progress even if \fIipa-cert-fix\fR just
finished. It is recommended to monitor the certmonger-initiated
renewal and wait for its completion before any other administrative task.
.SH "OPTIONS"
.TP
\fB\-\-version\fR


@@ -16,7 +16,7 @@
.\"
.\" Author: Simo Sorce <ssorce@redhat.com>
.\"
.TH "ipa-compat-manage" "1" "Dec 2 2008" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-compat-manage" "1" "Dec 2 2008" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-compat\-manage \- Enables or disables the schema compatibility plugin
.SH "SYNOPSIS"


@@ -1,7 +1,7 @@
.\"
.\" Copyright (C) 2019 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-crlgen-manage" "1" "Feb 12 2019" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-crlgen-manage" "1" "Feb 12 2019" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-crlgen\-manage \- Enables or disables CRL generation
.SH "SYNOPSIS"


@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-csreplica-manage" "1" "Jul 14 2011" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-csreplica-manage" "1" "Jul 14 2011" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-csreplica\-manage \- Manage an IPA CS replica
.SH "SYNOPSIS"


@@ -1,7 +1,7 @@
.\" A man page for ipa-dns-install
.\" Copyright (C) 2010-2016 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-dns-install" "1" "Jun 28, 2012" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-dns-install" "1" "Jun 28, 2012" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-dns\-install \- Add DNS as a service to an IPA server
.SH "SYNOPSIS"
@@ -12,7 +12,7 @@ In cases where the IPA server name does not belong to the primary DNS domain and
IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.
The DNS component in FreeIPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
The DNS component in IPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
This command requires that an IPA server is already installed and configured.


@@ -16,7 +16,7 @@
.\"
.\" Author: Ade Lee <alee@redhat.com>
.\"
.TH "ipa-kra-install" "1" "May 10 2017" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-kra-install" "1" "May 10 2017" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-kra\-install \- Install a KRA on a server
.SH "SYNOPSIS"
@@ -54,6 +54,15 @@ Log to the given file
.TP
\fB\-\-pki\-config\-override\fR=\fIFILE\fR
File containing overrides for KRA installation.
.SS "HSM OPTIONS"
The token name and library path are retrieved from the existing
installation.
.TP
\fB\-\-token\-password\fR=\fITOKEN_PASSWORD\fR
The PKCS#11 token password for the HSM.
.TP
\fB\-\-token\-password\-file\fR=\fITOKEN_PASSWORD_FILE\fR
The full path to a file containing the PKCS#11 token password.
.SH "EXIT STATUS"
0 if the command was successful


@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-ldap-updater" "1" "Sep 12 2008" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-ldap-updater" "1" "Sep 12 2008" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-ldap\-updater \- Update the IPA LDAP configuration
.SH "SYNOPSIS"
@@ -87,10 +87,10 @@ Schema files should be in LDIF format, and may only specify attributeTypes and o
Enable debug logging when more verbose output is needed
.TP
\fB\-u\fR, \fB\-\-upgrade\fR
Upgrade an installed server in offline mode (implies \-\-schema)
Upgrade an installed server in offline mode
.TP
\fB\-S\fR, \fB\-\-schema\-file\fR
Specify a schema file. May be used multiple times. Implies \-\-schema.
\fB\-S\fR \fIFILE.ldif\fR, \fB\-\-schema\-file\fR=\fIFILE.ldif\fR
Specify a schema file. May be used multiple times.
.SH "EXIT STATUS"
0 if the command was successful


@@ -16,7 +16,7 @@
.\"
.\" Author: Jr Aquino <jr.aquino@citrix.com>
.\"
.TH "ipa-managed-entries" "1" "Feb 06 2012" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-managed-entries" "1" "Feb 06 2012" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-managed\-entries \- Enables or disables the schema Managed Entry plugins
.SH "SYNOPSIS"
@@ -40,7 +40,7 @@ Show a help message and exit
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed
.TP
\fB\-e\fR, \fB\-\-entry\fR
\fB\-e\fR \fIMANAGED_ENTRY\fR, \fB\-\-entry\fR=\fIMANAGED_ENTRY\fR
DN for the Managed Entry Definition
.TP
\fB\-l\fR, \fB-\-list\fR


@@ -0,0 +1,127 @@
.\"
.\" Copyright (C) 2024 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-migrate" "1" "Apr 2 2024" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-migrate \- Migrate an IPA server from one machine to another
.SH "SYNOPSIS"
ipa\-migrate
.SH "DESCRIPTION"
Use the \fIipa-migrate\fR command to migrate one
IPA server to an existing local IPA server installation.
Migrate IPA schema, configuration, and database to a local IPA server. This
migration can be done online, where the tool will query the remote server. Or,
offline where LDIF files can be provided. You can mix and match online and
offline. So for example you could migrate the schema and configuration online,
and then use an exported LDIF file for the database migration portion (this
might be more useful for very large databases as you don't need to worry about
network interruptions)
.SH POSITIONAL ARGUMENTS
.TP
\fBprod\-mode\fR
In this mode everything will be migrated including the current user SIDs and
DNA ranges
.TP
\fBstage\-mode\fR
In this mode, SIDs & DNA ranges are not migrated, and DNA attributes are reset
.SH "COMMANDS"
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Use verbose output while running the migration tool.
.TP
\fB\-e\fR, \fB\-\-hostname=HOSTNAME\fR
The host name of the remote IPA server that is being migrated from.
.TP
\fB\-D\fR, \fB\-\-bind\-dn=BIND_DN\fR
The Bind DN (Distinguished Name) or an LDAP entry to bind to the remote IPA server with.
Typically this is "cn=directory manager", but it could be any entry that has
access to read the userPassword attribute. If ommitted the default is "cn=directory manager"
.TP
\fB\-w\fR, \fB\-\-bind\-pw=PASSWORD\fR
The password for the Bind DN that is authenticating against the remote IPA server. If
a password is not provided then the tool with prompt for the password if needed.
.TP
\fB\-Just\fR, \fB\-\-bind\-pw\-file=FILE_PATH\fR
Path to a file containing the password for the Bind DN.
.TP
\fB\-Z\fR, \fB\-\-cacertfile=FILE_PATH\fR
Path to a file containing a CA Certificate that the remote server trusts
.TP
\fB\-l\fR, \fB\-\-log\-file=FILE_PATH\fR
Path to a file containing the migration log. By default the tool will use \fI/var/log/ipa-migrate.log\fR
.TP
\fB\-x\fR, \fB\-\-dryrun\fR
Go through the migration process but do not write and data to the new IPA server.
.TP
\fB\-o\fR, \fB\-\-dryrun\-record=FILE_PATH\fR
Go through the migration process but do not write any data to the new IPA server. However, write the
migration operations to an LDIF file which can be applied later or reused for multiple migrations.
.TP
\fB\-r\fR, \fB\-\-reset\-range\fR
Reset the ID range for migrated users/groups. In "stage-mode" this is done automatically
.TP
\fB\-F\fR, \fB\-\-force\fR
Ignore any errors and continue to proceed with migration effort.
.TP
\fB\-q\fR, \fB\-\-quiet\fR
Only log errors during the migration process.
.TP
\fB\-B\fR, \fB\-\-migrate\-dns\fR
Migrate thr DNS records
.TP
\fB\-S\fR, \fB\-\-skip\-schema\fR
Do not migrate the database schema
.TP
\fB\-C\fR, \fB\-\-skip\-config\fR
Do not migrate the database configuration (dse.ldif/cn=config)
.TP
\fB\-O\fR, \fB\-\-schema\-overwrite\fR
Overwrite existing schema definitions. By default duplicate schema is skipped.
.TP
\fB\-s\fR, \fB\-\-subtree=DN\fR
Specifies a custom database subtree that should be included in the migration.
This is only needed if non-default subtrees/branches were added to the database
outside of IPA.
.TP
\fB\-f\fR, \fB\-\-db\-ldif=FILE_PATH\fR
LDIF file containing the entire backend. If omitted the tool will query the remote IPA server.
.TP
\fB\-m\fR, \fB\-\-schema\-ldif=FILE_PATH\fR
LDIF file containing the schema. If omitted the tool will query the remote IPA server.
.TP
\fB\-g\fR, \fB\-\-config\-ldif=FILE_PATH\fR
LDIF file containing the entire "cn=config" DIT. If omitted the tool will query the remote IPA server.
.TP
\fB\-n\fR, \fB\-\-no\-prompt\fR
Do not prompt for confirmation before starting migration. Use at your own risk!
.SH "POST MIGRATION"
\- The server is left in migration-mode so that the migrated users can more
easily reset their passwords either by authenticating via SSSD or using the
web-based password migration page. This authentication will generate new
Kerberos keys. After passwords are reset the server should be taken out of
migration mode.
\- All hosts are preserved, but they will need to be re-enrolled using
ipa-client-install (e.g. ipa-client-install --uninstall && ipa-client-install).
\- All certificates should be re-issued against the new CA.
\- Any manually created keytabs will need to be re-created using
\fIipa-getkeytab\fR
\- Vaults are not migrated and will have to be re-created.
\- Sub CA's are not migrated and will have to be re-created.
.SH "EXIT STATUS"
0 If the command was successful
1 If an error occurred
2 If the local host or remote host is not an IPA server, the IPA server
installation is faulty, or the realm can not be determined


@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-nis-manage" "1" "April 25 2016" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-nis-manage" "1" "April 25 2016" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-nis\-manage \- Enables or disables the NIS listener plugin
.SH "SYNOPSIS"


@@ -16,7 +16,7 @@
.\"
.\" Author: Nathaniel McCallum <npmccallum@redhat.com>
.\"
.TH "ipa-otptoken-import" "1" "Jun 12 2014" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-otptoken-import" "1" "Jun 12 2014" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-otptoken\-import \- Imports OTP tokens from RFC 6030 XML file
.SH "SYNOPSIS"
@@ -28,7 +28,7 @@ If the \fBinfile\fR contains encrypted token data, then the \fIkeyfile\fR (\fB-k
.SH "OPTIONS"
.TP
\fB\-k\fR \fIkeyfile\fR
\fB\-k\fR \fIkeyfile\fR, \fB\-\-keyfile\fR=\fIkeyfile\fR
File containing the key used to decrypt the token data.
.SH "EXIT STATUS"
0 if the command was successful


@@ -1,7 +1,7 @@
.\"
.\" Copyright (C) 2017 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-pkinit-manage" "1" "Jun 05 2017" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-pkinit-manage" "1" "Jun 05 2017" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-pkinit\-manage \- Enables or disables PKINIT
.SH "SYNOPSIS"


@@ -16,7 +16,7 @@
.\"
.\" Author: Martin Kosek <mkosek@redhat.com>
.\"
.TH "ipa-replica-conncheck" "1" "Jun 2 2011" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-replica-conncheck" "1" "Jun 2 2011" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-replica\-conncheck \- Check a replica\-master network connection before installation
.SH "SYNOPSIS"


@@ -1,7 +1,7 @@
.\" A man page for ipa-replica-install
.\" Copyright (C) 2008-2016 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-replica-install" "1" "Dec 19 2016" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-replica-install" "1" "Dec 19 2016" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-replica\-install \- Create an IPA replica
.SH "SYNOPSIS"
@@ -12,7 +12,7 @@ Configures a new IPA server that is a replica of the server. Once it has been cr
Domain level 0 is not supported anymore.
To create a replica, the machine only needs to be enrolled in the FreeIPA domain first. This process of turning the IPA client into a replica is also referred to as replica promotion.
To create a replica, the machine only needs to be enrolled in the IPA domain first. This process of turning the IPA client into a replica is also referred to as replica promotion.
If you're starting with an existing IPA client, simply run ipa\-replica\-install to have it promoted into a replica. The NTP configuration cannot be updated during client promotion.
@@ -92,9 +92,15 @@ Do not configure OpenSSH client.
\fB\-\-no\-sshd\fR
Do not configure OpenSSH server.
.TP
\fB\-\-subid\fR
Configure SSSD as data source for subid.
.TP
\fB\-\-skip\-conncheck\fR
Skip connection check to remote master
.TP
\fB\-\-skip\-mem\-check\fR
Skip checking for minimum required memory
.TP
\fB\-d\fR, \fB\-\-debug
Enable debug logging when more verbose output is needed
.TP
@@ -146,6 +152,19 @@ File containing overrides for CA and KRA installation.
\fB\-\-skip\-schema\-check\fR
Skip check for updated CA DS schema on the remote master
.SS "HSM OPTIONS"
The token name will be used from the existing topology.
.TP
\fB\-\-token\-library\-path\fR=\fITOKEN_LIBRARY_PATH\fR
The full path to the PKCS#11 shared library needed to access the HSM device. If the path is identical to the original install then this does not need to be provided.
.TP
\fB\-\-token\-password\fR=\fITOKEN_PASSWORD\fR
The PKCS#11 token password for the HSM.
.TP
\fB\-\-token\-password\-file\fR=\fITOKEN_PASSWORD_FILE\fR
The full path to a file containing the PKCS#11 token password.
.SS "SECRET MANAGEMENT OPTIONS"
.TP
\fB\-\-setup\-kra\fR
@@ -205,10 +224,7 @@ Do not automatically create DNS SSHFP records.
\fB\-\-no\-dnssec\-validation\fR
Disable DNSSEC validation on this server.
.SS "AD TRUST OPTIONS"
.TP
\fB\-\-setup\-adtrust\fR
Configure AD Trust capability on a replica.
.SS "SID GENERATION OPTIONS"
.TP
\fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
The NetBIOS name for the IPA domain. If not provided then this is determined
@@ -227,19 +243,6 @@ ipa\-adtrust\-install is run and scheduled independently. To start this task
you have to load an edited version of ipa-sidgen-task-run.ldif with the
ldapmodify command info the directory server.
.TP
\fB\-\-add\-agents\fR
Add IPA masters to the list that allows to serve information about
users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master
can provide this information to SSSD clients. IPA masters aren't added
to the list automatically as restart of the LDAP service on each of them
is required. The host where ipa\-adtrust\-install is being run is added
automatically.
.IP
Note that IPA masters where ipa\-adtrust\-install wasn't run, can serve
information about users from trusted forests only if they are enabled
via \ipa-adtrust\-install run on any other IPA master. At least SSSD
version 1.13 on IPA master is required to be able to perform as a trust agent.
.TP
\fB\-\-rid-base\fR=\fIRID_BASE\fR
First RID value of the local domain. The first Posix ID of the local domain will
be assigned to this RID, the second to RID+1 etc. See the online help of the
@@ -249,6 +252,24 @@ idrange CLI for details.
Start value of the secondary RID range, which is only used in the case a user
and a group share numerically the same Posix ID. See the online help of the
idrange CLI for details.
.SS "AD TRUST OPTIONS"
.TP
\fB\-\-setup\-adtrust\fR
Configure AD Trust capability on a replica.
.TP
\fB\-\-add\-agents\fR
Add IPA masters to the list that allows to serve information about
users from trusted forests. Starting with IPA 4.2, a regular IPA master
can provide this information to SSSD clients. IPA masters aren't added
to the list automatically as restart of the LDAP service on each of them
is required. The host where ipa\-adtrust\-install is being run is added
automatically.
.IP
Note that IPA masters where ipa\-adtrust\-install wasn't run, can serve
information about users from trusted forests only if they are enabled
via \ipa-adtrust\-install run on any other IPA master. At least SSSD
version 1.13 on IPA master is required to be able to perform as a trust agent.
.TP
\fB\-\-enable\-compat\fR
Enables support for trusted domains users for old clients through Schema Compatibility plugin.


@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-replica-manage" "1" "Jul 12 2016" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-replica-manage" "1" "Jul 12 2016" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-replica\-manage \- Manage an IPA replica
.SH "SYNOPSIS"


@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-restore" "1" "Mar 22 2013" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-restore" "1" "Mar 22 2013" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-restore \- Restore an IPA master
.SH "SYNOPSIS"
@@ -73,7 +73,7 @@ Restore only the databases in this 389\-ds instance. The default is to restore a
\fB\-\-backend\fR=\fIBACKEND\fR
The backend to restore within an instance or instances. Requires data\-only backup or the \-\-data option.
.TP
\fB\-\-v\fR, \fB\-\-verbose\fR
\fB\-v\fR, \fB\-\-verbose\fR
Print debugging information
.TP
\fB\-d\fR, \fB\-\-debug\fR


@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipa-server-certinstall" "1" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-server-certinstall" "1" "Mar 14 2008" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-server\-certinstall \- Install new SSL server certificates
.SH "SYNOPSIS"
@@ -30,6 +30,8 @@ They may be generated and managed using the NSS pk12util command or the OpenSSL
The service(s) are not automatically restarted. In order to use the newly installed certificate(s) you will need to manually restart the Directory, Apache and/or Krb5kdc servers.
If the ACME service is enabled then the web certificate must have a Subject Alternative Name (SAN) for ipa-ca.$DOMAIN.
.SH "OPTIONS"
.TP
\fB\-d\fR, \fB\-\-dirsrv\fR


@@ -1,7 +1,7 @@
.\" A man page for ipa-server-install
.\" Copyright (C) 2008-2017 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-server-install" "1" "Feb 17 2017" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-server-install" "1" "Feb 17 2017" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-server\-install \- Configure an IPA server
.SH "SYNOPSIS"
@@ -80,6 +80,12 @@ Do not configure OpenSSH client.
\fB\-\-no\-sshd\fR
Do not configure OpenSSH server.
.TP
\fB\-\-subid\fR
Configure SSSD as data source for subid.
.TP
\fB\-\-skip\-mem\-check\fR
Skip checking for minimum required memory
.TP
\fB\-d\fR, \fB\-\-debug\fR
Enable debug logging when more verbose output is needed.
.TP
@@ -119,6 +125,9 @@ If no template is specified, the template name "SubCA" is used.
\fB\-\-external\-cert\-file\fR=\fIFILE\fR
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
.TP
\fB\-\-random\-serial\-numbers\fR
Enable Random Serial Numbers. Random serial numbers cannot be used in a mixed environment. Either all CA's have it enabled or none do.
.TP
\fB\-\-no\-pkinit\fR
Disables pkinit setup steps.
.TP
@@ -162,7 +171,21 @@ The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). R
The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
.TP
\fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
.SS "HSM OPTIONS"
.TP
\fB\-\-token\-name\fR=\fITOKEN_NAME\fR
The PKCS#11 token name if using an HSM to store and generate private keys.
.TP
\fB\-\-token\-library\-path\fR=\fITOKEN_LIBRARY_PATH\fR
The full path to the PKCS#11 shared library needed to access the HSM device.
.TP
\fB\-\-token\-password\fR=\fITOKEN_PASSWORD\fR
The PKCS#11 token password for the HSM.
.TP
\fB\-\-token\-password\-file\fR=\fITOKEN_PASSWORD_FILE\fR
The full path to a file containing the PKCS#11 token password.
.SS "SECRET MANAGEMENT OPTIONS"
.TP
@@ -172,7 +195,7 @@ Install and configure a KRA on this server.
.SS "DNS OPTIONS"
IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.
The DNS component in FreeIPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
The DNS component in IPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
.TP
\fB\-\-setup\-dns\fR
@@ -230,11 +253,7 @@ Disable DNSSEC validation on this server.
\fB\-\-allow\-zone\-overlap\fR
Allow creation of (reverse) zone even if the zone is already resolvable. Using this option is discouraged as it result in later problems with domain name resolution.
.SS "AD TRUST OPTIONS"
.TP
\fB\-\-setup\-adtrust\fR
Configure AD Trust capability.
.SS "SID GENERATION OPTIONS"
.TP
\fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
The NetBIOS name for the IPA domain. If not provided, this is determined
@@ -252,6 +271,11 @@ idrange CLI for details.
Start value of the secondary RID range, which is only used in the case a user
and a group share numerically the same POSIX ID. See the online help of the
idrange CLI for details.
.SS "AD TRUST OPTIONS"
.TP
\fB\-\-setup\-adtrust\fR
Configure AD Trust capability.
.TP
\fB\-\-enable\-compat\fR
Enables support for trusted domains users for old clients through Schema Compatibility plugin.


@@ -2,13 +2,18 @@
.\" Copyright (C) 2015 FreeIPA Contributors see COPYING for license
.\"
.TH "ipa-server-upgrade" "1" "April 02 2015" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-server-upgrade" "1" "April 02 2015" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-server\-upgrade \- upgrade IPA server
.SH "SYNOPSIS"
ipa\-server\-upgrade [options]
.SH "DESCRIPTION"
ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
ipa\-server\-upgrade is executed automatically to upgrade IPA server when
the IPA packages are being updated. It is not intended to be executed by
end\-users, unless the automatic execution reports an error. In this case,
the administrator needs to identify and fix the issue that is causing the
upgrade failure (with the help of /var/log/ipaupgrade.log)
and manually re\-run ipa\-server\-upgrade.
ipa\-server\-upgrade will:


@@ -16,11 +16,11 @@
.\"
.\" Author: Tomas Babej <tbabej@redhat.com>
.\"
.TH "ipa-winsync-migrate" "1" "Mar 10 2015" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipa-winsync-migrate" "1" "Mar 10 2015" "IPA" "IPA Manual Pages"
.SH "NAME"
ipa\-winsync\-migrate \- Seamless migration of AD users created by winsync to native AD users.
.SH "SYNOPSIS"
ipa\-winsync\-migrate
ipa\-winsync\-migrate [options]
.SH "DESCRIPTION"
Migrates AD users created by winsync agreement to ID overrides in
the Default Trust View, thus preserving the actual POSIX attributes
@@ -42,11 +42,11 @@ on the IPA server.
.SH "OPTIONS"
.TP
\fB\-\-realm\fR
\fB\-\-realm\fR=\fIREALM_NAME\fR
The Active Directory realm the winsynced users belong to.
.TP
\fB\-\-server\fR
\fB\-\-server\fR=\fIHOST_NAME\fR
The hostname of Active Directory Domain Controller the winsync replication agreement is established with.
.TP
\fB\-\-unattended\fR
\fB\-U\fR, \fB\-\-unattended\fR
Never prompts for user input.


@@ -16,7 +16,7 @@
.\"
.\" Author: Rob Crittenden <rcritten@redhat.com>
.\"
.TH "ipactl" "8" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages"
.TH "ipactl" "8" "Mar 14 2008" "IPA" "IPA Manual Pages"
.SH "NAME"
ipactl \- IPA Server Control Interface
.SH "SYNOPSIS"
@@ -52,3 +52,30 @@ If any service start fails, do not rollback the services, continue with the oper
.TP
\fB\-f\fR, \fB\-\-force\fR
Force IPA to start. Combine options --skip-version-check and --ignore-service-failures
.SH "EXIT STATUS"
All actions except status:
0 success
1 a generic error occurred
2 unknown or invalid argument(s)
4 user has insufficient privilege
6 IPA server is not configured
For the status action:
0 service is running
3 service is not running
4 service status is unknown (or unconfigured)
If not executed as root then the status action will return 4 for
insufficient privileges.
Some services are socket activated and may show as STOPPED by the status
action. These services include ipa-ods-exporter and ipa-otpd.