summaryrefslogtreecommitdiffstats
path: root/install/tools/man
Commit message (Collapse)AuthorAgeFilesLines
* Fix typos in ipa-replica-manage man pageMartin Kosek2012-03-021-3/+3
| | | | | | Based on contribution by Brian Harrington. https://fedorahosted.org/freeipa/ticket/2428
* Warn that deleting replica is irreversible, try to detect reconnection.Rob Crittenden2012-02-291-1/+1
| | | | | | | | | | | | | Using ipa-replica-manage del <replica> is irreversible. You can't turn around and do a connect to it, all heck will break loose. This is because we clean up all references to the replica when we delete so if we connect to it again we'll end up deleting all of its principals. When a connection is deleted then the agreement is removed on both sides. What isn't removed is the nsDS5ReplicaBindDN so we can use that to determine if we previously had a connection. https://fedorahosted.org/freeipa/ticket/2126
* Ease zonemgr restrictionsMartin Kosek2012-02-202-2/+2
| | | | | | | | | | | | Admin e-mail validator currently requires an email to be in a second-level domain (hostmaster@example.com). This is too restrictive. Top level domain e-mails (hostmaster@testrelm) should also be allowed. This patch also fixes default zonemgr value in help texts and man pages. https://fedorahosted.org/freeipa/ticket/2272
* Configure ssh and sshd during ipa-client-install.Jan Cholasta2012-02-132-0/+12
| | | | | | | | | | | For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns ipa-client-install option is used. For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM options are enabled (this can be disabled using --no-sshd ipa-client-install option). ticket 1634
* Update host SSH public keys on the server during client install.Jan Cholasta2012-02-132-0/+6
| | | | | | | | This is done by calling host-mod to update the keys on IPA server and nsupdate to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp ipa-client-install option. https://fedorahosted.org/freeipa/ticket/1634
* Fix/add options in ipa-managed-entries man pagePetr Viktorin2012-02-071-2/+5
| | | | | | | * The --entry option was wrongly listed as --entries; fix that. https://fedorahosted.org/freeipa/ticket/2277 * Add the --help option
* Fix 'no-reverse' option descriptionOndrej Hamada2012-02-022-2/+2
| | | | | | | The description of 'no-reverse' option was fixed in both code and manpages of ipa-replica-install and ipa-dns-install. https://fedorahosted.org/freeipa/ticket/2161
* Update and package ipa-upgradeconfig man page.Rob Crittenden2012-01-232-1/+4
| | | | | | | Require that the tool be run as root to avoid a permission-related backtrace. https://fedorahosted.org/freeipa/ticket/1758
* Let replicas install without DNSMartin Kosek2012-01-132-1/+4
| | | | | | | | | | | | | | | | | Let ipa-replica-prepare and ipa-replica-install work without proper DNS records as records in /etc/hosts are sufficient for DS replication. 1) ipa-replica-prepare now just checks if the replica hostname is resolvable (DNS records are not required). It is now able to prepare a replica file even when the replica IP address is present in /etc/hosts only. 2) ipa-replica-install is now able to proceed when the hostname is not resolvable. It uses an IP address passed in a new option --ip-address to create a record in /etc/hosts in the same way as ipa-server-install does. https://fedorahosted.org/freeipa/ticket/2139
* Add DNS service records for WindowsSumit Bose2011-11-301-0/+3
| | | | https://fedorahosted.org/freeipa/ticket/1939
* Add plugin framework to LDAP updates.Rob Crittenden2011-11-221-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | There are two reasons for the plugin framework: 1. To provide a way of doing manual/complex LDAP changes without having to keep extending ldapupdate.py (like we did with managed entries). 2. Allows for better control of restarts. There are two types of plugins, preop and postop. A preop plugin runs before any file-based updates are loaded. A postop plugin runs after all file-based updates are applied. A preop plugin may update LDAP directly or craft update entries to be applied with the file-based updates. Either a preop or postop plugin may attempt to restart the dirsrv instance. The instance is only restartable if ipa-ldap-updater is being executed as root. A warning is printed if a restart is requested for a non-root user. Plugins are not executed by default. This is so we can use ldapupdate to apply simple updates in commands like ipa-nis-manage. https://fedorahosted.org/freeipa/ticket/1789 https://fedorahosted.org/freeipa/ticket/1790 https://fedorahosted.org/freeipa/ticket/2032
* Add explicit instructions to ipa-replica-manage for winsync replicationRob Crittenden2011-10-141-2/+29
| | | | https://fedorahosted.org/freeipa/ticket/1946
* Hostname used by IPA must be a system hostnameMartin Kosek2011-10-131-1/+1
| | | | | | | | | | | Make sure that the hostname IPA uses is a system hostname. If user passes a non-system hostname, update the network settings and system hostname in the same way that ipa-client-install does. This step should prevent various services failures which may not be ready to talk to IPA with non-system hostname. https://fedorahosted.org/freeipa/ticket/1931
* Fix DNS permissions and membership in privilegesRob Crittenden2011-10-091-0/+1
| | | | | | | | | | | | | This resolves two issues: 1. The DNS acis lacked a prefix so weren't tied to permissions 2. The permissions were added before the privileges so the member values weren't calculated properly For updates we need to add in the members and recalculate memberof via a DS task. https://fedorahosted.org/freeipa/ticket/1898
* - note that PKCS#12 files also contain private keys, and that the "pkinit" ↵Nalin Dahyabhai2011-10-041-3/+6
| | | | options refer to the KDC's credentials
* Be more clear about selfsign optionMartin Kosek2011-10-041-3/+5
| | | | | | | | | | | | | | Installing IPA server --selfsign option is currently a one-way ticket to server with limited certificate capabilities. Make sure that user really want to install it by implementing the following steps: - moving the option to the bottom of certificate options section - adding a warning to ipa-server-install man page - adding a warning to ipa-server-install help - adding a warning to ipa-server-install configuration summary when one runs ipa-server-install https://fedorahosted.org/freeipa/ticket/1908
* 25 Create Tool for Enabling/Disabling Managed Entry PluginsJR Aquino2011-09-212-12/+19
| | | | | | | | Remove legacy ipa-host-net-manage Add ipa-managed-entries tool Add man page for ipa-managed-entries tool https://fedorahosted.org/freeipa/ticket/1181
* Add ipa-adtrust-install utilitySumit Bose2011-09-142-0/+48
| | | | https://fedorahosted.org/freeipa/ticket/1619
* Update ipa-ldap-updater man page saying it is not an end-user utilityRob Crittenden2011-09-141-4/+8
| | | | https://fedorahosted.org/freeipa/ticket/1792
* Improve man pages structureMartin Kosek2011-09-0715-86/+106
| | | | | | | | | | | | | | | | There are too many options in ipa-*-install scripts which makes it difficult to read. This patch adds subsections to install script online help and man pages to improve readability. No option has been changed. To further improve man pages: 1) All man pages were changed to have the same header and top-center title to provide united look. 2) Few typos in man pages have been fixed https://fedorahosted.org/freeipa/ticket/1687
* Let Bind track data changesMartin Kosek2011-08-312-0/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Integrate new bind-dyndb-ldap features to automatically track DNS data changes: 1) Zone refresh Set --zone-refresh in installation to define number of seconds between bind-dyndb-ldap polls for new DNS zones. User now doesn't have to restart name server when a new zone is added. 2) New zone notifications Use LDAP persistent search mechanism to immediately get notification when any new DNS zone is added. Use --zone-notif install option to enable. This option is mutually exclusive with Zone refresh. To enable this functionality in existing IPA installations, update a list of arguments for bind-dyndb-ldap in /etc/named.conf. An example when zone refresh is disabled and DNS data change notifications (argument psearch of bind-dyndb-ldap) are enabled: dynamic-db "ipa" { ... arg "zone_refresh 0"; arg "psearch yes"; }; This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later. https://fedorahosted.org/freeipa/ticket/826
* daemons: Remove ipa_kpasswdSimo Sorce2011-08-263-38/+1
| | | | | | Now that we have our own database we can properly enforce stricter constraints on how the db can be changed. Stop shipping our own kpasswd daemon and instead use the regular kadmin daemon.
* Add option to install without the automatic redirect to the Web UI.Jan Cholasta2011-08-182-0/+6
| | | | ticket 1570
* Add information on setting api.env.host in the ipactl.8 man pageRob Crittenden2011-08-191-0/+2
| | | | ticket https://fedorahosted.org/freeipa/ticket/1390
* Fix man page ipa-csreplica-manageMartin Kosek2011-07-251-3/+3
| | | | | | Fix references to ipa-replica-manage in ipa-csreplica-manage. https://fedorahosted.org/freeipa/ticket/1519
* Create tool to manage dogtag replication agreementsRob Crittenden2011-07-172-0/+94
| | | | | | | | | | | | | | | | | | | | For the most part the existing replication code worked with the following exceptions: - Added more port options - It assumed that initial connections were done to an SSL port. Added ability to use startTLS - It assumed that the name of the agreement was the same on both sides. In dogtag one is marked as master and one as clone. A new option is added, master, the determines which side we're working on or None if it isn't a dogtag agreement. - Don't set the attribute exclude list on dogtag agreements - dogtag doesn't set a schedule by default (which is actually recommended by 389-ds). This causes problems when doing a force-sync though so if one is done we set a schedule to run all the time. Otherwise the temporary schedule can't be removed (LDAP operations error). https://fedorahosted.org/freeipa/ticket/1250
* Fix creation of reverse DNS zones.Jan Cholasta2011-07-154-0/+15
| | | | | | | | | | | | | Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option. Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones. The reverse DNS zone name is printed to the user during the install. ticket 1398
* Make dogtag an optional (and default un-) installed component in a replica.Rob Crittenden2011-06-233-1/+55
| | | | | | | | | | | | | | A dogtag replica file is created as usual. When the replica is installed dogtag is optional and not installed by default. Adding the --setup-ca option will configure it when the replica is installed. A new tool ipa-ca-install will configure dogtag if it wasn't configured when the replica was initially installed. This moves a fair bit of code out of ipa-replica-install into installutils and cainstance to avoid duplication. https://fedorahosted.org/freeipa/ticket/1251
* Connection check program for replica installationMartin Kosek2011-06-083-0/+94
| | | | | | | | | | | | | | | | | | | | | | | | | | When connection between a master machine and future replica is not sane, the replica installation may fail unexpectedly with inconvenient error messages. One common problem is misconfigured firewall. This patch adds a program ipa-replica-conncheck which tests the connection using the following procedure: 1) Execute the on-replica check testing the connection to master 2) Open required ports on local machine 3) Ask user to run the on-master part of the check OR run it automatically: a) kinit to master as default admin user with given password b) run the on-master part using ssh 4) When master part is executed, it checks connection back to the replica and prints the check result This program is run by ipa-replica-install as mandatory part. It can, however, be skipped using --skip-conncheck option. ipa-replica-install now requires password for admin user to run the command on remote master. https://fedorahosted.org/freeipa/ticket/1107
* Document that deleting and re-adding a replica requires a dirsrv restart.Rob Crittenden2011-05-261-10/+16
| | | | | | | | If you install a replica, delete the replica, then re-add it and then try to re-initialize the agreement it will fail because the remote master has the old service principals cached. It needs to be restarted to work. ticket 1077
* Consolidate man pages and IPA tools helpMartin Kosek2011-05-125-29/+74
| | | | | | | | IPA tools options are not consistent with information in man pages. https://fedorahosted.org/freeipa/ticket/1163 https://fedorahosted.org/freeipa/ticket/1178
* The default groups we create should have ipaUniqueId setRob Crittenden2011-04-151-1/+2
| | | | | | | | This adds a new directive to ipa-ldap-updater: addifnew. This will add a new attribute only if it doesn't exist in the current entry. We can't compare values because the value we are adding is automatically generated. ticket 1177
* Fix traceback in ipa-nis-manage.Rob Crittenden2011-04-111-0/+3
| | | | | | | | | | | | | | | | | The root user cannot use ldapi because of the autobind configuration. Fall back to a standard GSSAPI sasl bind if the external bind fails. With --ldapi a regular user may be trying this as well, catch that and report a reasonable error message. This also gives priority to the DM password if it is passed in. Also require the user be root to run the ipa-nis-manage command. We enable/disable and start/stop services which need to be done as root. Add a new option to ipa-ldap-updater to prompt for the DM password. Remove restriction to be run as root except when doing an upgrade. Ticket 1157
* Add note about ipa-dns-install to ipa-server-install man page.Jan Cholasta2011-03-311-0/+7
| | | | ticket 1082
* Automatically update IPA LDAP on rpm upgradesRob Crittenden2011-03-211-11/+20
| | | | | | | | | | | | | | | Re-enable ldapi code in ipa-ldap-updater and remove the searchbase restriction when run in --upgrade mode. This allows us to autobind giving root Directory Manager powers. This also: * corrects the ipa-ldap-updater man page * remove automatic --realm, --server, --domain options * handle upgrade errors properly * saves a copy of dse.ldif before we change it so it can be recovered * fixes an error discovered by pylint ticket 1087
* Fixed in ipa-server-install help and man pageJan Zeleny2011-02-181-1/+4
| | | | https://fedorahosted.org/freeipa/ticket/831
* Note --ip-address parameter of ipa-replica-prepare in man pageJakub Hrozek2011-02-151-0/+2
| | | | https://fedorahosted.org/freeipa/ticket/615
* Add support for tracking and counting entitlementsRob Crittenden2011-02-022-1/+47
| | | | | | | | | | | | | | Adds a plugin, entitle, to register to the entitlement server, consume entitlements and to count and track them. It is also possible to import an entitlement certificate (if for example the remote entitlement server is unaviailable). This uses the candlepin server from https://fedorahosted.org/candlepin/wiki for entitlements. Add a cron job to validate the entitlement status and syslog the results. tickets 28, 79, 278
* Remove port argument for ipa-replica-manageSimo Sorce2011-01-141-3/+0
| | | | | We can't use arbitrary ports anyway. And neither AD has any way to use non stadard ports. So remove this unnecessary option.
* Ship the ipa-dns-install man pageRob Crittenden2011-01-101-0/+1
| | | | ticket 734
* Fix ipa-replica-manage man page to reflect current statusSimo Sorce2010-12-221-27/+47
| | | | Fixes: https://fedorahosted.org/freeipa/ticket/627
* Fix to man page for ipa-compat-manage There was a typo for the manpage, this ↵Jr Aquino2010-12-211-1/+1
| | | | is a one liner to fix.
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-2013-78/+78
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* managed entry hostgroup netgroup support ↵Jr Aquino2010-12-132-1/+49
| | | | https://fedorahosted.org/freeipa/ticket/543
* Verify the --ip-address option when setting up DNS.Rob Crittenden2010-11-241-1/+1
| | | | | | | | | There was a corner case where the value of --ip-address was never verified if you were also setting up DNS. Added this bit of information to the man page too. ticket 399
* id ranges: change DNA configurationSimo Sorce2010-11-221-5/+2
| | | | | | | | | | | | | Change the way we specify the id ranges to force uid and gid ranges to always be the same. Add option to specify a maximum id. Change DNA configuration to use shared ranges so that masters and replicas can actually share the same overall range in a safe way. Configure replicas so that their default range is depleted. This will force them to fetch a range portion from the master on the first install. fixes: https://fedorahosted.org/freeipa/ticket/198
* Use Realm as certs subject base nameSimo Sorce2010-11-181-1/+1
| | | | Also use the realm name as nickname for the CA certificate
* Add some examples to ipa-replica-install.1Rob Crittenden2010-11-091-18/+39
| | | | ticket 290
* Remove reference to ipa_webguiJan Zeleny2010-11-031-1/+1
| | | | | Reference was removed from ipa-server-install(1) man page. Ticket: #330
* Add new DNS install argument for setting the zone mgr e-mail addr.Rob Crittenden2010-09-232-2/+8
| | | | ticket 125
generated by cgit (git 2.34.1) at 2024-11-20 17:37:16 +0000