Diffstat (limited to 'smartproxy/man/ipa-smartproxy.1')
-rw-r--r-- smartproxy/man/ipa-smartproxy.1 78
1 files changed, 78 insertions, 0 deletions
diff --git a/smartproxy/man/ipa-smartproxy.1 b/smartproxy/man/ipa-smartproxy.1
new file mode 100644
index 00000000..beebeb21
--- /dev/null
+++ b/smartproxy/man/ipa-smartproxy.1
@@ -0,0 +1,78 @@
+.\" A man page for ipa-smartproxy
+.\" Copyright (C) 2014 Red Hat, Inc.
+.\"
+.\" This program is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation, either version 3 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
+.\"
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.TH "ipa-smartproxy" "1" "Jan 8 2014" "FreeIPA" "FreeIPA Manual Pages"
+.SH "NAME"
+ipa\-smartproxy \- IPA Foreman Smartproxy server
+.SH "SYNOPSIS"
+ipa\-smartproxy [\fIOPTION\fR]...
+.SH "DESCRIPTION"
+A CherryPy\-based server that provides a RESTful API for a use as a Foreman smart proxy.
+
+The RESTful interface is not authenticated so it is expected that the server is not generally accessible. By default it listens only on the localhost interface.
+
+The server needs access to an principal that is granted permission to perform host and hostgroup operations on an IPA master.
+
+Smartproxy server\-specific privileges and roles can be created with this:
+
+.na
+ $ ipa privilege\-add 'Smartproxy host management' \-\-desc='Smartproxy host management'
+ $ ipa privilege\-add\-permission 'Smartproxy host management' \-\-permission='add hosts' \-\-permission='remove hosts'
+ $ ipa role\-add 'Smartproxy management' \-\-desc='Smartproxy management'
+ $ ipa role\-add\-privilege 'Smartproxy management' \-\-privilege='Smartproxy host management' \-\-privilege='Host Group Administrators'
+
+Create a host or user whose credentials will be used by the server to make requests and add it to the role:
+
+ $ ipa user\-add \-\-first=Smartproxy \-\-last=Serversmartproxy
+ $ ipa role\-add\-member \-\-users=smartproxy 'Smartproxy management'
+
+On the smartproxy server create a keytab for this user:
+
+ # kinit admin
+ # ipa\-getkeytab \-s ipa.example.com \-p smartproxy@EXAMPLE.COM \-k /etc/ipa/ipa\-smartproxy.keytab
+ # chown root:root /etc/ipa/ipa\-smartproxy.keytab
+ # chmod 600 /etc/ipa/ipa\-smartproxy.keytab
+
+Configure the GSS\-Proxy to manage the credentials. Add this to the top of the gssproxy configuration file (by default /etc/gssproxy/gssproxy.conf), before any other services:
+
+ [service/smartproxy]
+ mechs = krb5
+ cred_store = client_keytab:/etc/ipa/ipa\-smartproxy.keytab
+ cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
+ cred_usage = initiate
+ euid = 48 (where 48 is the apache user uid)
+
+Some startup and operational errors may also be logged to the syslog.
+.SH "OPTIONS"
+.TP
+\fB\-c\fR \fICONFIG\fR
+The configuration file(s) to be loaded. This option may be passed multiple times to load more than one configuration file.
+.TP
+\fB\-d\fR
+Run the server as a daemon.
+.TP
+\fB\-p\fR \fIPIDFILE\fR
+The location to write the server PID file.
+.TP
+\fB\-h\fR
+Show the help message.
+.SH "EXIT STATUS"
+0 if the server execution was successful
+
+1 if an error occurred
+.SH "SEE ALSO"
+.BR ipa\-smartproxy.conf(5)
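Review bot: In the user\-add example under DESCRIPTION, "\-\-last=Serversmartproxy" looks like the last name and the login argument run together. The next lines refer to "\-\-users=smartproxy" and "smartproxy@EXAMPLE.COM", so the command as written passes no login; it should read "\-\-last=Server smartproxy". In the gssproxy sample, "euid = 48 (where 48 is the apache user uid)" puts the explanation inside text the reader is told to add to gssproxy.conf; move the parenthetical into the sentence that introduces the block so the sample can be copied as is. The ".na" request before the first command block is not followed by a matching ".ad"; if it is meant to cover only the examples, restore adjustment after them. The closing sentence "Some startup and operational errors may also be logged to the syslog" says "also" without the page naming the primary log destination. Wording nits in the same section: "for a use as" and "an principal".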