ipa-server-install(1) FreeIPA Manual Pages ipa-server-install(1)NAMEipa-server-install - Configure an IPA server
SYNOPSISipa-server-install [OPTION]...
DESCRIPTION
Configures the services needed by an IPA server. This includes setting
up a Kerberos Key Distribution Center (KDC) and a Kadmin daemon with an
LDAP back-end, configuring Apache, configuring NTP and optionally con‐
figuring and starting an LDAP-backed DNS server. By default a dog‐
tag-based CA will be configured to issue server certificates.
OPTIONS
BASIC OPTIONS
-r REALM_NAME, --realm=REALM_NAME
The Kerberos realm name for the IPA server
-n DOMAIN_NAME, --domain=DOMAIN_NAME
Your DNS domain name
-p DM_PASSWORD, --ds-password=DM_PASSWORD
The password to be used by the Directory Server for the Direc‐
tory Manager user
-P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
The kerberos master password (normally autogenerated)
-a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
The password for the IPA admin user
--hostname=HOST_NAME
The fully-qualified DNS name of this server. If the hostname
does not match system hostname, the system hostname will be
updated accordingly to prevent service failures.
--ip-address=IP_ADDRESS
The IP address of this server. If this address does not match
the address the host resolves to and --setup-dns is not selected
the installation will fail. If the server hostname is not
resolvable, a record for the hostname and IP_ADDRESS is added to
/etc/hosts.
-N, --no-ntp
Do not configure NTP
--idstart=IDSTART
The starting user and group id number (default random)
--idmax=IDMAX
The maximum user and group id number (default: idstart+199999).
If set to zero, the default value will be used.
--no_hbac_allow
Don't install allow_all HBAC rule. This rule lets any user from
any host access any service on any other host. It is expected
that users will remove this rule before moving to production.
--no-ui-redirect
Do not automatically redirect to the Web UI.
--ssh-trust-dns
Configure OpenSSH client to trust DNS SSHFP records.
--no-ssh
Do not configure OpenSSH client.
--no-sshd
Do not configure OpenSSH server.
-d, --debug
Enable debug logging when more verbose output is needed
-U, --unattended
An unattended installation that will never prompt for user input
CERTIFICATE SYSTEM OPTIONS
--external-ca
Generate a CSR to be signed by an external CA
--external_cert_file=FILE
File containing PKCS#10 certificate
--external_ca_file=FILE
File containing PKCS#10 of the external CA chain
--dirsrv_pkcs12=FILE
PKCS#12 file containing the Directory Server SSL Certificate
--http_pkcs12=FILE
PKCS#12 file containing the Apache Server SSL Certificate
--dirsrv_pin=DIRSRV_PIN
The password of the Directory Server PKCS#12 file
--http_pin=HTTP_PIN
The password of the Apache Server PKCS#12 file
--subject=SUBJECT
The certificate subject base (default O=REALM.NAME)
--selfsign
Configure a self-signed CA instance for issuing server certifi‐
cates instead of using dogtag for certificates.
WARNING: Using this option will restrain the server certificate
management capabilities. Please, keep in mind that there is no
way to change this setting later.
DNS OPTIONS
--setup-dns
Generate a DNS zone if it does not exist already and configure
the DNS server. This option requires that you either specify at
least one DNS forwarder through the --forwarder option or use
the --no-forwarders option.
Note that you can set up a DNS at any time after the initial IPA
server install by running ipa-dns-install (see ipa-dns-
install(1)).
--forwarder=IP_ADDRESS
Add a DNS forwarder to the DNS configuration. You can use this
option multiple times to specify more forwarders, but at least
one must be provided, unless the --no-forwarders option is spec‐
ified.
--no-forwarders
Do not add any DNS forwarders. Root DNS servers will be used
instead.
--reverse-zone=REVERSE_ZONE
The reverse DNS zone to use
--no-reverse
Do not create reverse DNS zone
--zonemgr
The e-mail address of the DNS zone manager. Defaults to hostmas‐
ter@DOMAIN
--no-persistent-search
Do not enable persistent search mechanism for updating the list
of DNS zones in the name server. When persistent search is dis‐
abled and --zone-refresh option is not set to non-zero value,
new zones won't be resolvable until the name server is reloaded.
--zone-refresh=ZONE_REFRESH
When set to non-zero value, persistent search zone update mecha‐
nism will be disabled and the name server will use a polling
mechanism to load new DNS zones every ZONE_REFRESH seconds.
--no-host-dns
Do not use DNS for hostname lookup during installation
--no-dns-sshfp
Do not automatically create DNS SSHFP records.
--no-serial-autoincrement
Do not enable SOA serial autoincrement feature. SOA serial will
have to be updated automatically or other DNS features like zone
transfer od DNSSEC will not function properly. This feature
requires persistent search zone update mechanism.
UNINSTALL OPTIONS
--uninstall
Uninstall an existing IPA installation
-U, --unattended
An unattended uninstallation that will never prompt for user
input
EXIT STATUS
0 if the (un)installation was successful
1 if an error occurred
SEE ALSOipa-dns-install(1)FreeIPA Jun 28 2012 ipa-server-install(1)
