Import Upstream version 4.12.4

install/tools/man/Makefile.am

@@ -29,7 +29,9 @@ dist_man1_MANS = 			\
 	ipa-pkinit-manage.1		\
 	ipa-crlgen-manage.1		\
 	ipa-cert-fix.1			\
-        $(NULL)
+	ipa-acme-manage.1		\
+	ipa-migrate.1			\
+	$(NULL)
 
 dist_man8_MANS =			\
 	ipactl.8			\

install/tools/man/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.2 from Makefile.am.
+# Makefile.in generated by automake 1.17 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2020 Free Software Foundation, Inc.
+# Copyright (C) 1994-2024 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -71,6 +71,8 @@ am__make_running_with_option = \
   test $$has_opt = yes
 am__make_dryrun = (target_option=n; $(am__make_running_with_option))
 am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+am__rm_f = rm -f $(am__rm_f_notfound)
+am__rm_rf = rm -rf $(am__rm_f_notfound)
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -148,10 +150,9 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
+  { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+  || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+       $(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
   }
 man1dir = $(mandir)/man1
 am__installdirs = "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)"
@@ -181,6 +182,8 @@ CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
 CRYPTO_LIBS = @CRYPTO_LIBS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DATA_VERSION = @DATA_VERSION@
 DEFS = @DEFS@
@@ -194,8 +197,10 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+FILECMD = @FILECMD@
 GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GIT_BRANCH = @GIT_BRANCH@
@@ -203,6 +208,7 @@ GIT_VERSION = @GIT_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
+HTTPD_GROUP = @HTTPD_GROUP@
 INI_CFLAGS = @INI_CFLAGS@
 INI_LIBS = @INI_LIBS@
 INSTALL = @INSTALL@
@@ -215,9 +221,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
 IPAPLATFORM = @IPAPLATFORM@
 IPA_DATA_DIR = @IPA_DATA_DIR@
 IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
+JANSSON_CFLAGS = @JANSSON_CFLAGS@
+JANSSON_LIBS = @JANSSON_LIBS@
 JSLINT = @JSLINT@
 KRAD_LIBS = @KRAD_LIBS@
 KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
+KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
 KRB5_CFLAGS = @KRB5_CFLAGS@
 KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
 KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -226,6 +235,8 @@ LD = @LD@
 LDAP_CFLAGS = @LDAP_CFLAGS@
 LDAP_LIBS = @LDAP_LIBS@
 LDFLAGS = @LDFLAGS@
+LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
+LIBCURL_LIBS = @LIBCURL_LIBS@
 LIBICONV = @LIBICONV@
 LIBINTL = @LIBINTL@
 LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -285,6 +296,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
 POPT_CFLAGS = @POPT_CFLAGS@
 POPT_LIBS = @POPT_LIBS@
 POSUB = @POSUB@
+PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
+PWQUALITY_LIBS = @PWQUALITY_LIBS@
 PYLINT = @PYLINT@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -293,9 +306,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
+RESOLV_LIBS = @RESOLV_LIBS@
+RPMLINT = @RPMLINT@
 SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
 SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
 SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
+SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
 SASL_CFLAGS = @SASL_CFLAGS@
 SASL_LIBS = @SASL_LIBS@
 SED = @SED@
@@ -334,8 +350,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
+am__rm_f_notfound = @am__rm_f_notfound@
 am__tar = @am__tar@
 am__untar = @am__untar@
+am__xargs_n = @am__xargs_n@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -381,6 +399,7 @@ sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 sysconfenvdir = @sysconfenvdir@
+systemdcatalogdir = @systemdcatalogdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 systemdtmpfilesdir = @systemdtmpfilesdir@
 target_alias = @target_alias@
@@ -414,7 +433,9 @@ dist_man1_MANS = \
 	ipa-pkinit-manage.1		\
 	ipa-crlgen-manage.1		\
 	ipa-cert-fix.1			\
-        $(NULL)
+	ipa-acme-manage.1		\
+	ipa-migrate.1			\
+	$(NULL)
 
 dist_man8_MANS = \
 	ipactl.8			\
@@ -546,7 +567,6 @@ ctags CTAGS:
 
 cscope cscopelist:
 
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 
@@ -611,8 +631,8 @@ mostlyclean-generic:
 clean-generic:
 
 distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-$(am__rm_f) $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -706,3 +726,10 @@ uninstall-man: uninstall-man1 uninstall-man8
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
+
+# Tell GNU make to disable its built-in pattern rules.
+%:: %,v
+%:: RCS/%,v
+%:: RCS/%
+%:: s.%
+%:: SCCS/s.%

install/tools/man/ipa-acme-manage.1

@@ -0,0 +1,121 @@
+.\"
+.\" Copyright (C) 2020  FreeIPA Contributors see COPYING for license
+.\"
+.TH "ipa-acme-manage" "1" "Jun 2 2020" "IPA" "IPA Manual Pages"
+.SH "NAME"
+ipa\-acme\-manage \- Manage the IPA ACME service
+.SH "SYNOPSIS"
+ipa\-acme\-manage enable|disable|status
+.SH "DESCRIPTION"
+
+Use the \fIipa-acme-manage\fR command to enable, disable or retrieve
+the status of the ACME service on a IPA CA server.
+
+In a IPA topology all CA servers capable of ACME will
+have the ACME service deployed.  The service is not enabled
+by default.  It is expected that the ACME service will either be
+enabled on all CA servers, or disabled on all CA servers.  However
+it must be enabled or disabled on each individual server.
+
+.SH "COMMANDS"
+.TP
+\fBenable\fR
+Enable the ACME service on this host.
+.TP
+\fBdisable\fR
+Disable the ACME service on this host.
+.TP
+\fBstatus\fR
+Display the status of the ACME service.
+.TP
+\fBpruning\fR
+Configure certificate and request pruning.
+
+.SH "PRUNING"
+Pruning is a job that runs in the CA that can remove expired
+certificates and certificate requests which have not been issued.
+This is particularly important when using short-lived certificates
+like those issued with the ACME protocol. Pruning requires that
+the IPA server be installed with random serial numbers enabled.
+
+The CA needs to be restarted after modifying the pruning configuration.
+
+The job is a cron-like task within the CA that is controlled by a
+number of options which dictate how long after the certificate or
+request is considered no longer valid and removed from the LDAP
+database.
+
+The cron time and date fields are:
+.IP
+.ta 1.5i
+field	allowed values
+.br
+-----	--------------
+.br
+minute	0-59
+.br
+hour	0-23
+.br
+day of month	1-31
+.br
+month	1-12
+.br
+day of week	0-6 (0 is Sunday)
+.br
+.PP
+
+The cron syntax is limited to * or specific numbers. Ranges are not supported.
+
+.TP
+\fB\-\-enable\fR
+Enable certificate pruning.
+.TP
+\fB\-\-disable\fR
+Disable certificate pruning.
+.TP
+\fB\-\-cron=CRON\fR
+Configure the pruning cron job. The syntax is similar to crontab(5) syntax.
+For example, "0 0 1 * *" schedules the job to run at 12:00am on the first
+day of each month.
+.TP
+\fB\-\-certretention=CERTRETENTION\fR
+Certificate retention time. The default is 30. A value of 0 will remove expired certificates with no delay.
+.TP
+\fB\-\-certretentionunit=CERTRETENTIONUNIT\fR
+Certificate retention units. Valid units are: minute, hour, day, year.
+The default is days.
+.TP
+\fB\-\-certsearchsizelimit=CERTSEARCHSIZELIMIT\fR
+LDAP search size limit searching for expired certificates. The default is 1000. This is a client-side limit. There may be additional server-side limitations.
+.TP
+\fB\-\-certsearchtimelimit=CERTSEARCHTIMELIMIT\fR
+LDAP search time limit (seconds) searching for expired certificates. The default is 0, no limit. This is a client-side limit. There may be additional server-side limitations.
+.TP
+\fB\-\-requestretention=REQUESTRETENTION\fR
+Request retention time. The default is 30. A value of 0 will remove expired requests with no delay.
+.TP
+\fB\-\-requestretentionunit=REQUESTRETENTIONUNIT\fR
+Request retention units. Valid units are: minute, hour, day, year.
+The default is days.
+.TP
+\fB\-\-requestsearchsizelimit=REQUESTSEARCHSIZELIMIT\fR
+LDAP search size limit searching for unfulfilled requests. The default is 1000. There may be additional server-side limitations.
+.TP
+\fB\-\-requestsearchtimelimit=REQUESTSEARCHTIMELIMIT\fR
+LDAP search time limit (seconds) searching for unfulfilled requests. The default is 0, no limit. There may be additional server-side limitations.
+.TP
+\fB\-\-config\-show\fR
+Show the current pruning configuration
+.TP
+\fB\-\-run\fR
+Run the pruning job now. The IPA RA certificate is used to authenticate to the PKI REST backend.
+
+
+.SH "EXIT STATUS"
+0 if the command was successful
+
+1 if an error occurred
+
+2 if the host is not a IPA server
+
+3 if the host is not a CA server

install/tools/man/ipa-adtrust-install.1

@@ -16,7 +16,7 @@
 .\"
 .\" Author: Sumit Bose <sbose@redhat.com>
 .\"
-.TH "ipa-adtrust-install" "1" "April 11 2017" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-adtrust-install" "1" "April 11 2017" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains
 .SH "SYNOPSIS"
@@ -87,7 +87,7 @@ ldapmodify command info the directory server.
 .TP
 \fB\-\-add\-agents\fR
 Add IPA masters to the list that allows to serve information about
-users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master
+users from trusted forests. Starting with IPA 4.2, a regular IPA master
 can provide this information to SSSD clients. IPA masters aren't added
 to the list automatically as restart of the LDAP service on each of them
 is required. The host where ipa\-adtrust\-install is being run is added

install/tools/man/ipa-advise.1

@@ -16,7 +16,7 @@
 .\"
 .\" Author: Tomas Babej <tbabej@redhat.com>
 .\"
-.TH "ipa-advise" "1" "Jun 10 2013" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-advise" "1" "Jun 10 2013" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-advise \- Provide configurations advice for various use cases.
 .SH "SYNOPSIS"
@@ -27,7 +27,7 @@ Provides customized advice for various IPA configuration issues.
 For the list of possible ADVICEs available, run the ipa\-advise with no arguments.
 .SH "OPTIONS"
 .TP
-\fB\-\-v\fR, \fB\-\-verbose\fR
+\fB\-v\fR, \fB\-\-verbose\fR
 Print debugging information
 .TP
 \fB\-d\fR, \fB\-\-debug\fR
@@ -41,4 +41,4 @@ Log to the given file
 .SH "EXIT STATUS"
 0 if the command was successful
 
-1 if an error occurred
+1 if an error occurred

install/tools/man/ipa-backup.1

@@ -16,7 +16,7 @@
 .\"
 .\" Author: Rob Crittenden <rcritten@redhat.com>
 .\"
-.TH "ipa-backup" "1" "Mar 22 2013" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-backup" "1" "Mar 22 2013" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-backup \- Back up an IPA master
 .SH "SYNOPSIS"
@@ -54,7 +54,7 @@ Perform the backup on\-line. Requires the \-\-data option.
 \fB\-\-disable\-role\-check\fR
 Perform the backup even if this host does not have all the roles in use in the cluster. This is not recommended.
 .TP
-\fB\-\-v\fR, \fB\-\-verbose\fR
+\fB\-v\fR, \fB\-\-verbose\fR
 Print debugging information
 .TP
 \fB\-d\fR, \fB\-\-debug\fR

install/tools/man/ipa-ca-install.1

@@ -16,7 +16,7 @@
 .\"
 .\" Author: Rob Crittenden <rcritten@redhat.com>
 .\"
-.TH "ipa-ca-install" "1" "Mar 30 2017" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-ca-install" "1" "Mar 30 2017" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-ca\-install \- Install a CA on a server
 .SH "SYNOPSIS"
@@ -77,11 +77,26 @@ The subject base for certificates issued by IPA (default O=REALM.NAME).  RDNs ar
 File containing overrides for CA installation.
 .TP
 \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
-Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
+Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
 .TP
 \fB\-\-no\-host\-dns\fR
 Do not use DNS for hostname lookup during installation
 .TP
+\fB\-\-random\-serial\-numbers\fR
+Enable Random Serial Numbers. Random serial numbers cannot be used in a mixed environment. Either all CA's have it enabled or none do.
+.TP
+\fB\-\-token\-name\fR=\fITOKEN_NAME\fR
+The PKCS#11 token name if using an HSM to store and generate private keys.
+.TP
+\fB\-\-token\-library\-path\fR=\fITOKEN_LIBRARY_PATH\fR
+The full path to the PKCS#11 shared library needed to access the HSM device.
+.TP
+\fB\-\-token\-password\fR=\fITOKEN_PASSWORD\fR
+The PKCS#11 token password for the HSM.
+.TP
+\fB\-\-token\-password\-file\fR=\fITOKEN_PASSWORD_FILE\fR
+The full path to a file containing the PKCS#11 token password.
+.TP
 \fB\-\-skip\-conncheck\fR
 Skip connection check to remote master
 .TP

install/tools/man/ipa-cacert-manage.1

@@ -16,7 +16,7 @@
 .\"
 .\" Author: Jan Cholasta <jcholast@redhat.com>
 .\"
-.TH "ipa-cacert-manage" "1" "Aug 12 2013" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-cacert-manage" "1" "Aug 12 2013" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-cacert\-manage \- Manage CA certificates in IPA
 .SH "SYNOPSIS"
@@ -27,6 +27,8 @@ ipa\-cacert\-manage \- Manage CA certificates in IPA
 \fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] delete \fINICKNAME\fR
 .br
 \fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] list
+.br
+\fBipa\-cacert\-manage\fR [\fIOPTIONS\fR...] prune
 .SH "DESCRIPTION"
 \fBipa\-cacert\-manage\fR can be used to manage CA certificates in IPA.
 .SH "COMMANDS"
@@ -72,6 +74,13 @@ Please do not forget to run ipa-certupdate on the master, all the replicas and a
 .RS
 Display a list of the nicknames or subjects of the CA certificates that have been installed.
 .RE
+.TP
+\fBprune\fR
+\- Prune the stored CA certificates
+.sp
+.RS
+Removes installed CA certificates that are expired.
+.RE
 .SH "COMMON OPTIONS"
 .TP
 \fB\-\-version\fR

install/tools/man/ipa-cert-fix.1

@@ -1,7 +1,7 @@
 .\"
 .\" Copyright (C) 2019  FreeIPA Contributors see COPYING for license
 .\"
-.TH "ipa-cert-fix" "1" "Mar 25 2019" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-cert-fix" "1" "Mar 25 2019" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-cert\-fix \- Renew expired certificates
 .SH "SYNOPSIS"
@@ -9,7 +9,7 @@ ipa\-cert\-fix [options]
 .SH "DESCRIPTION"
 
 \fIipa-cert-fix\fR is a tool for recovery when expired certificates
-prevent the normal operation of FreeIPA.  It should ONLY be used in
+prevent the normal operation of IPA.  It should ONLY be used in
 such scenarios, and backup of the system, especially certificates
 and keys, is \fBSTRONGLY RECOMMENDED\fR.
 
@@ -22,7 +22,7 @@ This tool cannot renew certificates signed by external CAs.  To
 install new, externally-signed HTTP, LDAP or KDC certificates, use
 \fIipa-server-certinstall(1)\fR.
 
-\fIipa-cert-fix\fR will examine FreeIPA and Certificate System
+\fIipa-cert-fix\fR will examine IPA and Certificate System
 certificates and renew certificates that are expired, or close to
 expiry (less than two weeks).  If any "shared" certificates are
 renewed, \fIipa-cert-fix\fR will set the current server to be the CA
@@ -39,6 +39,13 @@ for shared certificates via \fIgetcert-resubmit(1)\fR (on the other
 CA server).  This is to avoid unnecessary renewal of shared
 certificates.
 
+Important note: the \fIcertmonger\fR daemon does not immediately notice
+the updated certificates and may trigger a renewal after \fIipa-cert-fix\fR
+completes. As a consequence, \fIgetcert list\fR output may display
+that a renewal is in progress even if \fIipa-cert-fix\fR just
+finished. It is recommended to monitor the certmonger-initiated
+renewal and wait for its completion before any other administrative task.
+
 .SH "OPTIONS"
 .TP
 \fB\-\-version\fR

install/tools/man/ipa-compat-manage.1

@@ -16,7 +16,7 @@
 .\"
 .\" Author: Simo Sorce <ssorce@redhat.com>
 .\"
-.TH "ipa-compat-manage" "1" "Dec 2 2008" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-compat-manage" "1" "Dec 2 2008" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-compat\-manage \- Enables or disables the schema compatibility plugin
 .SH "SYNOPSIS"

install/tools/man/ipa-crlgen-manage.1

@@ -1,7 +1,7 @@
 .\"
 .\" Copyright (C) 2019  FreeIPA Contributors see COPYING for license
 .\"
-.TH "ipa-crlgen-manage" "1" "Feb 12 2019" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-crlgen-manage" "1" "Feb 12 2019" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-crlgen\-manage \- Enables or disables CRL generation
 .SH "SYNOPSIS"

install/tools/man/ipa-csreplica-manage.1

@@ -16,7 +16,7 @@
 .\"
 .\" Author: Rob Crittenden <rcritten@redhat.com>
 .\"
-.TH "ipa-csreplica-manage" "1" "Jul 14 2011" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-csreplica-manage" "1" "Jul 14 2011" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-csreplica\-manage \- Manage an IPA CS replica
 .SH "SYNOPSIS"

install/tools/man/ipa-dns-install.1

@@ -1,7 +1,7 @@
 .\" A man page for ipa-dns-install
 .\" Copyright (C) 2010-2016  FreeIPA Contributors see COPYING for license
 .\"
-.TH "ipa-dns-install" "1" "Jun 28, 2012" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-dns-install" "1" "Jun 28, 2012" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-dns\-install \- Add DNS as a service to an IPA server
 .SH "SYNOPSIS"
@@ -12,7 +12,7 @@ In cases where the IPA server name does not belong to the primary DNS domain and
 
 IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.
 
-The DNS component in FreeIPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
+The DNS component in IPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
 
 This command requires that an IPA server is already installed and configured.
 

install/tools/man/ipa-kra-install.1

@@ -16,7 +16,7 @@
 .\"
 .\" Author: Ade Lee <alee@redhat.com>
 .\"
-.TH "ipa-kra-install" "1" "May 10 2017" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-kra-install" "1" "May 10 2017" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-kra\-install \- Install a KRA on a server
 .SH "SYNOPSIS"
@@ -54,6 +54,15 @@ Log to the given file
 .TP
 \fB\-\-pki\-config\-override\fR=\fIFILE\fR
 File containing overrides for KRA installation.
+.SS "HSM OPTIONS"
+The token name and library path are retrieved from the existing
+installation.
+.TP 
+\fB\-\-token\-password\fR=\fITOKEN_PASSWORD\fR
+The PKCS#11 token password for the HSM.
+.TP 
+\fB\-\-token\-password\-file\fR=\fITOKEN_PASSWORD_FILE\fR
+The full path to a file containing the PKCS#11 token password.
 .SH "EXIT STATUS"
 0 if the command was successful
 

install/tools/man/ipa-ldap-updater.1

@@ -16,7 +16,7 @@
 .\"
 .\" Author: Rob Crittenden <rcritten@redhat.com>
 .\"
-.TH "ipa-ldap-updater" "1" "Sep 12 2008" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-ldap-updater" "1" "Sep 12 2008" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-ldap\-updater \- Update the IPA LDAP configuration
 .SH "SYNOPSIS"
@@ -87,10 +87,10 @@ Schema files should be in LDIF format, and may only specify attributeTypes and o
 Enable debug logging when more verbose output is needed
 .TP
 \fB\-u\fR, \fB\-\-upgrade\fR
-Upgrade an installed server in offline mode (implies \-\-schema)
+Upgrade an installed server in offline mode
 .TP
-\fB\-S\fR, \fB\-\-schema\-file\fR
-Specify a schema file. May be used multiple times. Implies \-\-schema.
+\fB\-S\fR \fIFILE.ldif\fR, \fB\-\-schema\-file\fR=\fIFILE.ldif\fR
+Specify a schema file. May be used multiple times.
 .SH "EXIT STATUS"
 0 if the command was successful
 

install/tools/man/ipa-managed-entries.1

@@ -16,7 +16,7 @@
 .\"
 .\" Author: Jr Aquino <jr.aquino@citrix.com>
 .\"
-.TH "ipa-managed-entries" "1" "Feb 06 2012" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-managed-entries" "1" "Feb 06 2012" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-managed\-entries \- Enables or disables the schema Managed Entry plugins
 .SH "SYNOPSIS"
@@ -40,7 +40,7 @@ Show a help message and exit
 \fB\-d\fR, \fB\-\-debug\fR
 Enable debug logging when more verbose output is needed
 .TP
-\fB\-e\fR, \fB\-\-entry\fR
+\fB\-e\fR \fIMANAGED_ENTRY\fR, \fB\-\-entry\fR=\fIMANAGED_ENTRY\fR
 DN for the Managed Entry Definition
 .TP
 \fB\-l\fR, \fB-\-list\fR

install/tools/man/ipa-migrate.1

@@ -0,0 +1,127 @@
+.\"
+.\" Copyright (C) 2024  FreeIPA Contributors see COPYING for license
+.\"
+.TH "ipa-migrate" "1" "Apr 2 2024" "IPA" "IPA Manual Pages"
+.SH "NAME"
+ipa\-migrate \- Migrate an IPA server from one machine to another
+.SH "SYNOPSIS"
+ipa\-migrate
+.SH "DESCRIPTION"
+
+Use the \fIipa-migrate\fR command to migrate one
+IPA server to an existing local IPA server installation.
+
+Migrate IPA schema, configuration, and database to a local IPA server.  This
+migration can be done online, where the tool will query the remote server. Or,
+offline where LDIF files can be provided.  You can mix and match online and
+offline. So for example you could migrate the schema and configuration online,
+and then use an exported LDIF file for the database migration portion (this
+might be more useful for very large databases as you don't need to worry about
+network interruptions)
+
+.SH POSITIONAL ARGUMENTS
+.TP
+\fBprod\-mode\fR
+In this mode everything will be migrated including the current user SIDs and
+DNA ranges
+.TP
+\fBstage\-mode\fR
+In this mode, SIDs & DNA ranges are not migrated, and DNA attributes are reset
+
+.SH "COMMANDS"
+.TP
+\fB\-v\fR, \fB\-\-verbose\fR
+Use verbose output while running the migration tool.
+.TP
+\fB\-e\fR, \fB\-\-hostname=HOSTNAME\fR
+The host name of the remote IPA server that is being migrated from.
+.TP
+\fB\-D\fR, \fB\-\-bind\-dn=BIND_DN\fR
+The Bind DN (Distinguished Name) or an LDAP entry to bind to the remote IPA server with.
+Typically this is "cn=directory manager", but it could be any entry that has
+access to read the userPassword attribute.  If ommitted the default is "cn=directory manager"
+.TP
+\fB\-w\fR, \fB\-\-bind\-pw=PASSWORD\fR
+The password for the Bind DN that is authenticating against the remote IPA server.  If
+a password is not provided then the tool with prompt for the password if needed.
+.TP
+\fB\-Just\fR, \fB\-\-bind\-pw\-file=FILE_PATH\fR
+Path to a file containing the password for the Bind DN.
+.TP
+\fB\-Z\fR, \fB\-\-cacertfile=FILE_PATH\fR
+Path to a file containing a CA Certificate that the remote server trusts
+.TP
+\fB\-l\fR, \fB\-\-log\-file=FILE_PATH\fR
+Path to a file containing the migration log.  By default the tool will use \fI/var/log/ipa-migrate.log\fR
+.TP
+\fB\-x\fR, \fB\-\-dryrun\fR
+Go through the migration process but do not write and data to the new IPA server.
+.TP
+\fB\-o\fR, \fB\-\-dryrun\-record=FILE_PATH\fR
+Go through the migration process but do not write any data to the new IPA server. However, write the
+migration operations to an LDIF file which can be applied later or reused for multiple migrations.
+.TP
+\fB\-r\fR, \fB\-\-reset\-range\fR
+Reset the ID range for migrated users/groups. In "stage-mode" this is done automatically
+.TP
+\fB\-F\fR, \fB\-\-force\fR
+Ignore any errors and continue to proceed with migration effort.
+.TP
+\fB\-q\fR, \fB\-\-quiet\fR
+Only log errors during the migration process.
+.TP
+\fB\-B\fR, \fB\-\-migrate\-dns\fR
+Migrate thr DNS records
+.TP
+\fB\-S\fR, \fB\-\-skip\-schema\fR
+Do not migrate the database schema
+.TP
+\fB\-C\fR, \fB\-\-skip\-config\fR
+Do not migrate the database configuration (dse.ldif/cn=config)
+.TP
+\fB\-O\fR, \fB\-\-schema\-overwrite\fR
+Overwrite existing schema definitions.  By default duplicate schema is skipped.
+.TP
+\fB\-s\fR, \fB\-\-subtree=DN\fR
+Specifies a custom database subtree that should be included in the migration.
+This is only needed if non-default subtrees/branches were added to the database
+outside of IPA.
+.TP
+\fB\-f\fR, \fB\-\-db\-ldif=FILE_PATH\fR
+LDIF file containing the entire backend. If omitted the tool will query the remote IPA server.
+.TP
+\fB\-m\fR, \fB\-\-schema\-ldif=FILE_PATH\fR
+LDIF file containing the schema. If omitted the tool will query the remote IPA server.
+.TP
+\fB\-g\fR, \fB\-\-config\-ldif=FILE_PATH\fR
+LDIF file containing the entire "cn=config" DIT. If omitted the tool will query the remote IPA server.
+.TP
+\fB\-n\fR, \fB\-\-no\-prompt\fR
+Do not prompt for confirmation before starting migration.  Use at your own risk!
+
+.SH "POST MIGRATION"
+\- The server is left in migration-mode so that the migrated users can more
+easily reset their passwords either by authenticating via SSSD or using the
+web-based password migration page. This authentication will generate new
+Kerberos keys. After passwords are reset the server should be taken out of
+migration mode.
+
+\- All hosts are preserved, but they will need to be re-enrolled using
+ipa-client-install (e.g. ipa-client-install --uninstall && ipa-client-install).
+
+\- All certificates should be re-issued against the new CA.
+
+\- Any manually created keytabs will need to be re-created using
+\fIipa-getkeytab\fR
+
+\- Vaults are not migrated and will have to be re-created.
+
+\- Sub CA's are not migrated and will have to be re-created.
+
+.SH "EXIT STATUS"
+0 If the command was successful
+
+1 If an error occurred
+
+2 If the local host or remote host is not an IPA server, the IPA server
+  installation is faulty, or the realm can not be determined

install/tools/man/ipa-nis-manage.1

@@ -16,7 +16,7 @@
 .\"
 .\" Author: Rob Crittenden <rcritten@redhat.com>
 .\"
-.TH "ipa-nis-manage" "1" "April 25 2016" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-nis-manage" "1" "April 25 2016" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-nis\-manage \- Enables or disables the NIS listener plugin
 .SH "SYNOPSIS"

install/tools/man/ipa-otptoken-import.1

@@ -16,7 +16,7 @@
 .\"
 .\" Author: Nathaniel McCallum <npmccallum@redhat.com>
 .\"
-.TH "ipa-otptoken-import" "1" "Jun 12 2014" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-otptoken-import" "1" "Jun 12 2014" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-otptoken\-import \- Imports OTP tokens from RFC 6030 XML file
 .SH "SYNOPSIS"
@@ -28,7 +28,7 @@ If the \fBinfile\fR contains encrypted token data, then the \fIkeyfile\fR (\fB-k
 
 .SH "OPTIONS"
 .TP
-\fB\-k\fR \fIkeyfile\fR
+\fB\-k\fR \fIkeyfile\fR, \fB\-\-keyfile\fR=\fIkeyfile\fR
 File containing the key used to decrypt the token data.
 .SH "EXIT STATUS"
 0 if the command was successful

install/tools/man/ipa-pkinit-manage.1

@@ -1,7 +1,7 @@
 .\"
 .\" Copyright (C) 2017  FreeIPA Contributors see COPYING for license
 .\"
-.TH "ipa-pkinit-manage" "1" "Jun 05 2017" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-pkinit-manage" "1" "Jun 05 2017" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-pkinit\-manage \- Enables or disables PKINIT
 .SH "SYNOPSIS"

install/tools/man/ipa-replica-conncheck.1

@@ -16,7 +16,7 @@
 .\"
 .\" Author: Martin Kosek <mkosek@redhat.com>
 .\"
-.TH "ipa-replica-conncheck" "1" "Jun 2 2011" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-replica-conncheck" "1" "Jun 2 2011" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-replica\-conncheck \- Check a replica\-master network connection before installation
 .SH "SYNOPSIS"

install/tools/man/ipa-replica-install.1

@@ -1,7 +1,7 @@
 .\" A man page for ipa-replica-install
 .\" Copyright (C) 2008-2016  FreeIPA Contributors see COPYING for license
 .\"
-.TH "ipa-replica-install" "1" "Dec 19 2016" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-replica-install" "1" "Dec 19 2016" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-replica\-install \- Create an IPA replica
 .SH "SYNOPSIS"
@@ -12,7 +12,7 @@ Configures a new IPA server that is a replica of the server. Once it has been cr
 
 Domain level 0 is not supported anymore.
 
-To create a replica, the machine only needs to be enrolled in the FreeIPA domain first. This process of turning the IPA client into a replica is also referred to as replica promotion.
+To create a replica, the machine only needs to be enrolled in the IPA domain first. This process of turning the IPA client into a replica is also referred to as replica promotion.
 
 If you're starting with an existing IPA client, simply run ipa\-replica\-install to have it promoted into a replica. The NTP configuration cannot be updated during client promotion. 
 
@@ -92,9 +92,15 @@ Do not configure OpenSSH client.
 \fB\-\-no\-sshd\fR
 Do not configure OpenSSH server.
 .TP
+\fB\-\-subid\fR
+Configure SSSD as data source for subid.
+.TP
 \fB\-\-skip\-conncheck\fR
 Skip connection check to remote master
 .TP
+\fB\-\-skip\-mem\-check\fR
+Skip checking for minimum required memory
+.TP
 \fB\-d\fR, \fB\-\-debug
 Enable debug logging when more verbose output is needed
 .TP
@@ -146,6 +152,19 @@ File containing overrides for CA and KRA installation.
 \fB\-\-skip\-schema\-check\fR
 Skip check for updated CA DS schema on the remote master
 
+.SS "HSM OPTIONS"
+The token name will be used from the existing topology.
+.TP
+\fB\-\-token\-library\-path\fR=\fITOKEN_LIBRARY_PATH\fR
+The full path to the PKCS#11 shared library needed to access the HSM device. If the path is identical to the original install then this does not need to be provided.
+.TP
+\fB\-\-token\-password\fR=\fITOKEN_PASSWORD\fR
+The PKCS#11 token password for the HSM.
+.TP
+\fB\-\-token\-password\-file\fR=\fITOKEN_PASSWORD_FILE\fR
+The full path to a file containing the PKCS#11 token password.
+
+
 .SS "SECRET MANAGEMENT OPTIONS"
 .TP
 \fB\-\-setup\-kra\fR
@@ -205,10 +224,7 @@ Do not automatically create DNS SSHFP records.
 \fB\-\-no\-dnssec\-validation\fR
 Disable DNSSEC validation on this server.
 
-.SS "AD TRUST OPTIONS"
-.TP
-\fB\-\-setup\-adtrust\fR
-Configure AD Trust capability on a replica.
+.SS "SID GENERATION OPTIONS"
 .TP
 \fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
 The NetBIOS name for the IPA domain. If not provided then this is determined
@@ -227,19 +243,6 @@ ipa\-adtrust\-install is run and scheduled independently. To start this task
 you have to load an edited version of ipa-sidgen-task-run.ldif with the
 ldapmodify command info the directory server.
 .TP
-\fB\-\-add\-agents\fR
-Add IPA masters to the list that allows to serve information about
-users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master
-can provide this information to SSSD clients. IPA masters aren't added
-to the list automatically as restart of the LDAP service on each of them
-is required. The host where ipa\-adtrust\-install is being run is added
-automatically.
-.IP
-Note that IPA masters where ipa\-adtrust\-install wasn't run, can serve
-information about users from trusted forests only if they are enabled
-via \ipa-adtrust\-install run on any other IPA master. At least SSSD
-version 1.13 on IPA master is required to be able to perform as a trust agent.
-.TP
 \fB\-\-rid-base\fR=\fIRID_BASE\fR
 First RID value of the local domain. The first Posix ID of the local domain will
 be assigned to this RID, the second to RID+1 etc. See the online help of the
@@ -249,6 +252,24 @@ idrange CLI for details.
 Start value of the secondary RID range, which is only used in the case a user
 and a group share numerically the same Posix ID. See the online help of the
 idrange CLI for details.
+
+.SS "AD TRUST OPTIONS"
+.TP
+\fB\-\-setup\-adtrust\fR
+Configure AD Trust capability on a replica.
+.TP
+\fB\-\-add\-agents\fR
+Add IPA masters to the list that allows to serve information about
+users from trusted forests. Starting with IPA 4.2, a regular IPA master
+can provide this information to SSSD clients. IPA masters aren't added
+to the list automatically as restart of the LDAP service on each of them
+is required. The host where ipa\-adtrust\-install is being run is added
+automatically.
+.IP
+Note that IPA masters where ipa\-adtrust\-install wasn't run, can serve
+information about users from trusted forests only if they are enabled
+via \ipa-adtrust\-install run on any other IPA master. At least SSSD
+version 1.13 on IPA master is required to be able to perform as a trust agent.
 .TP
 \fB\-\-enable\-compat\fR
 Enables support for trusted domains users for old clients through Schema Compatibility plugin.

install/tools/man/ipa-replica-manage.1

@@ -16,7 +16,7 @@
 .\"
 .\" Author: Rob Crittenden <rcritten@redhat.com>
 .\"
-.TH "ipa-replica-manage" "1" "Jul 12 2016" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-replica-manage" "1" "Jul 12 2016" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-replica\-manage \- Manage an IPA replica
 .SH "SYNOPSIS"

install/tools/man/ipa-restore.1

@@ -16,7 +16,7 @@
 .\"
 .\" Author: Rob Crittenden <rcritten@redhat.com>
 .\"
-.TH "ipa-restore" "1" "Mar 22 2013" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-restore" "1" "Mar 22 2013" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-restore \- Restore an IPA master
 .SH "SYNOPSIS"
@@ -73,7 +73,7 @@ Restore only the databases in this 389\-ds instance. The default is to restore a
 \fB\-\-backend\fR=\fIBACKEND\fR
 The backend to restore within an instance or instances. Requires data\-only backup or the \-\-data option.
 .TP
-\fB\-\-v\fR, \fB\-\-verbose\fR
+\fB\-v\fR, \fB\-\-verbose\fR
 Print debugging information
 .TP
 \fB\-d\fR, \fB\-\-debug\fR

install/tools/man/ipa-server-certinstall.1

@@ -16,7 +16,7 @@
 .\" 
 .\" Author: Rob Crittenden <rcritten@redhat.com>
 .\" 
-.TH "ipa-server-certinstall" "1" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-server-certinstall" "1" "Mar 14 2008" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-server\-certinstall \- Install new SSL server certificates
 .SH "SYNOPSIS"
@@ -30,6 +30,8 @@ They may be generated and managed using the NSS pk12util command or the OpenSSL
 
 The service(s) are not automatically restarted. In order to use the newly installed certificate(s) you will need to manually restart the Directory, Apache and/or Krb5kdc servers.
 
+If the ACME service is enabled then the web certificate must have a Subject Alternative Name (SAN) for ipa-ca.$DOMAIN.
+
 .SH "OPTIONS"
 .TP 
 \fB\-d\fR, \fB\-\-dirsrv\fR

install/tools/man/ipa-server-install.1

@@ -1,7 +1,7 @@
 .\" A man page for ipa-server-install
 .\" Copyright (C) 2008-2017  FreeIPA Contributors see COPYING for license
 .\"
-.TH "ipa-server-install" "1" "Feb 17 2017" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-server-install" "1" "Feb 17 2017" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-server\-install \- Configure an IPA server
 .SH "SYNOPSIS"
@@ -80,6 +80,12 @@ Do not configure OpenSSH client.
 \fB\-\-no\-sshd\fR
 Do not configure OpenSSH server.
 .TP
+\fB\-\-subid\fR
+Configure SSSD as data source for subid.
+.TP
+\fB\-\-skip\-mem\-check\fR
+Skip checking for minimum required memory
+.TP
 \fB\-d\fR, \fB\-\-debug\fR
 Enable debug logging when more verbose output is needed.
 .TP
@@ -119,6 +125,9 @@ If no template is specified, the template name "SubCA" is used.
 \fB\-\-external\-cert\-file\fR=\fIFILE\fR
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
+\fB\-\-random\-serial\-numbers\fR
+Enable Random Serial Numbers. Random serial numbers cannot be used in a mixed environment. Either all CA's have it enabled or none do.
+.TP
 \fB\-\-no\-pkinit\fR
 Disables pkinit setup steps.
 .TP
@@ -162,7 +171,21 @@ The CA certificate subject DN (default CN=Certificate Authority,O=REALM.NAME). R
 The subject base for certificates issued by IPA (default O=REALM.NAME). RDNs are in LDAP order (most specific RDN first).
 .TP
 \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
-Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
+Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.
+
+.SS "HSM OPTIONS"
+.TP
+\fB\-\-token\-name\fR=\fITOKEN_NAME\fR
+The PKCS#11 token name if using an HSM to store and generate private keys.
+.TP
+\fB\-\-token\-library\-path\fR=\fITOKEN_LIBRARY_PATH\fR
+The full path to the PKCS#11 shared library needed to access the HSM device.
+.TP
+\fB\-\-token\-password\fR=\fITOKEN_PASSWORD\fR
+The PKCS#11 token password for the HSM.
+.TP
+\fB\-\-token\-password\-file\fR=\fITOKEN_PASSWORD_FILE\fR
+The full path to a file containing the PKCS#11 token password.
 
 .SS "SECRET MANAGEMENT OPTIONS"
 .TP
@@ -172,7 +195,7 @@ Install and configure a KRA on this server.
 .SS "DNS OPTIONS"
 IPA provides an integrated DNS server which can be used to simplify IPA deployment. If you decide to use it, IPA will automatically maintain SRV and other service records when you change your topology.
 
-The DNS component in FreeIPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
+The DNS component in IPA is optional and you may choose to manage all your DNS records manually on another third party DNS server. IPA DNS is not a general-purpose DNS server. If you need advanced features like DNS views, do not deploy IPA DNS.
 
 .TP
 \fB\-\-setup\-dns\fR
@@ -230,11 +253,7 @@ Disable DNSSEC validation on this server.
 \fB\-\-allow\-zone\-overlap\fR
 Allow creation of (reverse) zone even if the zone is already resolvable. Using this option is discouraged as it result in later problems with domain name resolution.
 
-.SS "AD TRUST OPTIONS"
-
-.TP
-\fB\-\-setup\-adtrust\fR
-Configure AD Trust capability.
+.SS "SID GENERATION OPTIONS"
 .TP
 \fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
 The NetBIOS name for the IPA domain. If not provided, this is determined
@@ -252,6 +271,11 @@ idrange CLI for details.
 Start value of the secondary RID range, which is only used in the case a user
 and a group share numerically the same POSIX ID. See the online help of the
 idrange CLI for details.
+
+.SS "AD TRUST OPTIONS"
+.TP
+\fB\-\-setup\-adtrust\fR
+Configure AD Trust capability.
 .TP
 \fB\-\-enable\-compat\fR
 Enables support for trusted domains users for old clients through Schema Compatibility plugin.

install/tools/man/ipa-server-upgrade.1

@@ -2,13 +2,18 @@
 .\" Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 .\"
 
-.TH "ipa-server-upgrade" "1" "April 02 2015" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-server-upgrade" "1" "April 02 2015" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-server\-upgrade \- upgrade IPA server
 .SH "SYNOPSIS"
 ipa\-server\-upgrade [options]
 .SH "DESCRIPTION"
-ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
+ipa\-server\-upgrade is executed automatically to upgrade IPA server when
+the IPA packages are being updated. It is not intended to be executed by
+end\-users, unless the automatic execution reports an error. In this case,
+the administrator needs to identify and fix the issue that is causing the
+upgrade failure (with the help of /var/log/ipaupgrade.log)
+and manually re\-run ipa\-server\-upgrade.
 
 ipa\-server\-upgrade will:
 

install/tools/man/ipa-winsync-migrate.1

@@ -16,11 +16,11 @@
 .\"
 .\" Author: Tomas Babej <tbabej@redhat.com>
 .\"
-.TH "ipa-winsync-migrate" "1" "Mar 10 2015" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-winsync-migrate" "1" "Mar 10 2015" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipa\-winsync\-migrate \- Seamless migration of AD users created by winsync to native AD users.
 .SH "SYNOPSIS"
-ipa\-winsync\-migrate
+ipa\-winsync\-migrate [options]
 .SH "DESCRIPTION"
 Migrates AD users created by winsync agreement to ID overrides in
 the Default Trust View, thus preserving the actual POSIX attributes
@@ -42,11 +42,11 @@ on the IPA server.
 
 .SH "OPTIONS"
 .TP
-\fB\-\-realm\fR
+\fB\-\-realm\fR=\fIREALM_NAME\fR
 The Active Directory realm the winsynced users belong to.
 .TP
-\fB\-\-server\fR
+\fB\-\-server\fR=\fIHOST_NAME\fR
 The hostname of Active Directory Domain Controller the winsync replication agreement is established with.
 .TP
-\fB\-\-unattended\fR
+\fB\-U\fR, \fB\-\-unattended\fR
 Never prompts for user input.

install/tools/man/ipactl.8

@@ -16,7 +16,7 @@
 .\" 
 .\" Author: Rob Crittenden <rcritten@redhat.com>
 .\" 
-.TH "ipactl" "8" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipactl" "8" "Mar 14 2008" "IPA" "IPA Manual Pages"
 .SH "NAME"
 ipactl \- IPA Server Control Interface
 .SH "SYNOPSIS"
@@ -52,3 +52,30 @@ If any service start fails, do not rollback the services, continue with the oper
 .TP
 \fB\-f\fR, \fB\-\-force\fR
 Force IPA to start. Combine options --skip-version-check and --ignore-service-failures
+.SH "EXIT STATUS"
+
+All actions except status:
+
+0 success
+
+1 a generic error occurred
+
+2 unknown or invalid argument(s)
+
+4 user has insufficient privilege
+
+6 IPA server is not configured
+
+For the status action:
+
+0 service is running
+
+3 service is not running
+
+4 service status is unknown (or unconfigured)
+
+If not executed as root then the status action will return 4 for
+insufficient privileges.
+
+Some services are socket activated and may show as STOPPED by the status
+action. These services include ipa-ods-exporter and ipa-otpd.