path: root/ipa-client/man
Commit message | Author | Age | Files | Lines
* Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts) | Petr Viktorin | 2016-01-27 | 8 | -1064/+0
  Make ipaclient a Python library like ipapython, ipalib, etc. Use setup.py instead of autotools for installing it.
  Move C client tools, Python scripts, and man pages, to client/.
  Remove old, empty or outdated, boilerplate files (NEWS, README, AUTHORS).
  Remove /setup-client.py (ipalib/setup.py should be used instead).
  Update Makefiles and the spec file accordingly.
  https://fedorahosted.org/freeipa/ticket/5638
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Support sourcing the IPA server name from config | Simo Sorce | 2015-11-27 | 1 | -5/+7
  Use ding-libs to parse /etc/ipa/default.conf to find the IPA server to contact by default.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Ticket: https://fedorahosted.org/freeipa/ticket/2203
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* install: drop support for Dogtag 9 | Jan Cholasta | 2015-11-25 | 1 | -3/+3
  Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade.
  Creating a replica of a Dogtag 9 IPA master is still supported.
  https://fedorahosted.org/freeipa/ticket/5197
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Add Firefox options to ipa-client-install man page | Gabe | 2015-10-29 | 1 | -0/+6
  - Update --configure-firefox description in ipa-client-install
  https://fedorahosted.org/freeipa/ticket/5375
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* default.conf.5: Fix a typo | Benjamin Drung | 2015-10-22 | 1 | -1/+1
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix manpage-has-errors-from-man warning (found by Lintian) | Benjamin Drung | 2015-10-22 | 2 | -20/+33
  See https://lintian.debian.org/tags/manpage-has-errors-from-man.html for an explanation. Issues found were
  ipa-client-install.1.gz 208: warning [p 5, 4.0i]: cannot adjust line
  default.conf.5.gz 50: warning: macro `np' not defined
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* client: Add description of --ip-address and --all-ip-addresses to man page | David Kupka | 2015-08-19 | 1 | -0/+6
  https://fedorahosted.org/freeipa/ticket/4249
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipalib: Fix skip_version_check option | Jan Cholasta | 2015-07-08 | 1 | -0/+3
  This reverts commit ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474.
  The option can be either set in IPA config file or specified as 'ipa -e skip_version_check=1 [COMMAND]'.
  https://fedorahosted.org/freeipa/ticket/4768
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* vault: Move vaults to cn=vaults,cn=kra | Jan Cholasta | 2015-06-10 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/3872
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Added vault plugin. | Endi S. Dewata | 2015-05-25 | 1 | -0/+1
  A new plugin has been added to manage vaults. Test scripts have also been added to verify the functionality.
  https://fedorahosted.org/freeipa/ticket/3872
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa client: make --ntp-server option multivalued | Martin Basti | 2015-04-24 | 1 | -1/+1
  There can be more ntp servers in ntp.conf
  Required for ticket: https://fedorahosted.org/freeipa/ticket/4981
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa-client-install: try to get host TGT several times before giving up | Martin Babinsky | 2015-04-20 | 1 | -0/+8
  New option '--kinit-attempts' enables the host to make multiple attempts to obtain host TGT from master before giving up and aborting client installation.
  In addition, all kinit attempts were replaced by calls to 'ipautil.kinit_keytab' and 'ipautil.kinit_password'.
  https://fedorahosted.org/freeipa/ticket/4808
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Typos in ipa-rmkeytab options help and man page | Gabe | 2015-02-10 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/4890
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add ipa-client-install switch --request-cert to request cert for the host | Jan Cholasta | 2014-10-16 | 1 | -0/+4
  The certificate is stored in /etc/ipa/nssdb under the nickname "Local IPA host".
  https://fedorahosted.org/freeipa/ticket/4550
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Add 'host' setting into default.conf configuration file on client. Fix description in man page. | David Kupka | 2014-09-26 | 1 | -2/+2
  'host' setting specifies local hostname not the hostname of IPA server.
  https://fedorahosted.org/freeipa/ticket/4481
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add client certificate update tool ipa-certupdate. | Jan Cholasta | 2014-07-30 | 2 | -0/+40
  Part of https://fedorahosted.org/freeipa/ticket/3259
  Part of https://fedorahosted.org/freeipa/ticket/3520
  Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* man: Add -r option to ipa-getkeytab.1 | Simo Sorce | 2014-06-26 | 1 | -1/+7
  Update the man page with the new ipa-getkeytab option.
  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
* ipa-client-install: Configure sudo to use SSSD as data source | Tomas Babej | 2014-05-09 | 1 | -0/+3
  Makes ipa-client-install configure SSSD as the data provider for the sudo service by default. This behaviour can be disabled by using --no-sudo flag.
  https://fedorahosted.org/freeipa/ticket/3358
  Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-client: Set NIS domain name in the installer | Tomas Babej | 2014-05-09 | 1 | -0/+6
  Provides two new options for the ipa-client-install:
    --nisdomain: specifies the NIS domain name
    --no_nisdomain: flag to avoid setting the NIS domain name
  In case no --nisdomain is specified and --no_nisdomain flag was not set, the IPA domain is used.
  Manual pages updated.
  http://fedorahosted.org/freeipa/ticket/3202
  Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fixed various typos in ipa-client-install man page | Thorsten Scherf | 2014-05-06 | 1 | -3/+3
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Add wait_for_dns option to default.conf. | Petr Spacek | 2014-04-04 | 1 | -0/+9
  This option makes record changes in DNS tree synchronous. IPA calls will wait until new data are visible over DNS protocol or until timeout.
  It is intended only for testing. It should prevent tests from failing if there is bigger delay between changes in LDAP and DNS.
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* man: sshd should be run at least once before client enrollment | Tomas Babej | 2014-03-05 | 1 | -0/+3
  If SSH keys have not been generated prior to enrolling the client to the IPA server, they will not be uploaded to the server, since they're not present.
  Clarify this issue in the man pages.
  https://fedorahosted.org/freeipa/ticket/4055
  Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
* ipa-join usage instructions are incorrect | Gabe | 2014-02-18 | 1 | -1/+1
  Parameter -s for ipa-join has hostame instead of hostname
  https://fedorahosted.org/freeipa/ticket/3250
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Switch client to JSON-RPC | Petr Viktorin | 2013-11-26 | 1 | -1/+7
  Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC. This is done by subclassing and extending xmlrpclib, because our existing code relies on xmlrpclib internals.
  The URI to use is given in the new jsonrpc_uri env variable. When it is not given, it is generated from xmlrpc_uri by replacing /xml with /json.
  The rpc_json_uri env variable existed before, but was unused, undocumented and not set by the install scripts. This patch removes it in favor of jsonrpc_uri (for consistency with xmlrpc_uri).
  Add the rpc_protocol env variable to control the protocol IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed to 'xmlrpc'.
  Make backend.Executioner and tests use the backend specified by rpc_protocol.
  For compatibility with unwrap_xml, decoding JSON now gives tuples instead of lists.
  Design: http://freeipa.org/page/V3/JSON-RPC
  Ticket: https://fedorahosted.org/freeipa/ticket/3299
* Add nsswitch.conf to FILES section of ipa-client-install man page | Martin Kosek | 2013-10-29 | 1 | -0/+1
  This file is always updated when client is installed or uninstalled.
  https://fedorahosted.org/freeipa/ticket/3995
* Add option to ipa-client-install to configure automount | Ana Krivokapic | 2013-09-05 | 1 | -1/+5
  Add the --automount-location option to ipa-client-install. If the option is used, ipa-client-automount is called at the end of ipa-client-install.
  https://fedorahosted.org/freeipa/ticket/3740
* Improve help entry for ipa host | Tomas Babej | 2013-08-06 | 1 | -0/+25
  Updates old information produced by the ipa help host command. Also adds a section to ipa-client-install manpage about client re-enrollment.
  https://fedorahosted.org/freeipa/ticket/3820
* Remove entitlement support | Martin Kosek | 2013-06-26 | 1 | -1/+0
  Entitlements code was not tested nor supported upstream since version 3.0. Remove the associated code.
  https://fedorahosted.org/freeipa/ticket/3739
* Remove obsolete self-sign references from man pages, docstrings, comments | Petr Viktorin | 2013-04-15 | 1 | -1/+1
  Part of the work for https://fedorahosted.org/freeipa/ticket/3494
* Allow host re-enrollment using delegation | Tomas Babej | 2013-03-25 | 1 | -1/+4
  A new option --force-join has been added to ipa-client-install. It forces the host enrollment even if the host entry exists. Old certificate is revoked, new certificate and ssh key pair generated.
  See the relevant design for the re-enrollment part: http://freeipa.org/page/V3/Forced_client_re-enrollment
  https://fedorahosted.org/freeipa/ticket/3482
* Add support for re-enrolling hosts using keytab | Tomas Babej | 2013-03-12 | 2 | -0/+6
  A host that has been recreated and does not have its host entry disabled or removed, can be re-enrolled using a previously backed up keytab file.
  A new option --keytab has been added to ipa-client-install. This can be used to specify path to the keytab and can be used instead of -p or -w options.
  A new option -f has been added to ipa-join. It forces client to join even if the host entry already exists. A new certificate, ssh keys are generated, ipaUniqueID stays the same.
  Design page: http://freeipa.org/page/V3/Client_install_using_keytab
  https://fedorahosted.org/freeipa/ticket/3374
* Add autodiscovery section in ipa-client-install man pages | Martin Kosek | 2013-02-19 | 1 | -6/+28
  Explain how autodiscovery and failover works and which options are important for these elements.
  https://fedorahosted.org/freeipa/ticket/3383
* Use secure method to acquire IPA CA certificate | John Dennis | 2013-01-23 | 1 | -0/+8
  Major changes ipa-client-install:
  * Use GSSAPI connection to LDAP server to download CA cert (now the default method)
  * Add --ca-cert-file option to load the CA cert from a disk file. Validate the file. If this option is used the supplied CA cert is considered definitive.
  * The insecure HTTP retrieval method is still supported but it must be explicitly forced and a warning will be emitted.
  * Remain backward compatible with unattended case (except for aberrant condition when preexisting /etc/ipa/ca.crt differs from securely obtained CA cert, see below)
  * If /etc/ipa/ca.crt CA cert preexists then validate it matches the securely acquired CA cert, if not:
    - If --unattended and not --force abort with error
    - If interactive query user to accept new CA cert, if not abort
    In either case warn user.
  * If interactive and LDAP retrieval fails prompt user if they want to proceed with insecure HTTP method
  * If not interactive and LDAP retrieval fails abort unless --force
  * Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution, if ipa-client-install fails it will be restored.
  Other changes:
  * Add new exception class CertificateInvalidError
  * Add utility convert_ldap_error() to ipalib.ipautil
  * Replace all hardcoded instances of /etc/ipa/ca.crt in ipa-client-install with CACERT constant (matches existing practice elsewhere).
  * ipadiscovery no longer retrieves CA cert via HTTP.
  * Handle LDAP minssf failures during discovery, treat failure to check ldap server as a warning in absence of a provided CA certificate via --ca-cert-file or through existing /etc/ipa/ca.crt file.
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* Stop and disable conflicting time&date services | Martin Kosek | 2012-12-07 | 1 | -0/+3
  Fedora 16 introduced chrony as default client time&date synchronization service: http://fedoraproject.org/wiki/Features/ChronyDefaultNTP
  Thus, there may be people already using chrony as their time and date synchronization service before installing IPA.
  However, installing IPA server or client on such machine may lead to unexpected behavior, as the IPA installer would configure ntpd and leave the machine with both ntpd and chronyd enabled. However, since the OS does not allow both chronyd and ntpd to be running concurrently and chronyd has the precedence, ntpd would not be run on that system at all.
  Make sure, that user is warned when trying to install IPA on such system and is given a possibility to either not to let IPA configure ntpd at all or to let the installer stop and disable chronyd.
  https://fedorahosted.org/freeipa/ticket/2974
* Enable transactions by default, make password and modrdn TXN-aware | Rob Crittenden | 2012-11-21 | 1 | -3/+0
  The password and modrdn plugins needed to be made transaction aware for the pre and post operations.
  Remove the reverse member hoop jumping. Just fetch the entry once and all the memberof data is there (plus objectclass).
  Fix some unit tests that are failing because we actually get the data now due to transactions.
  Add small bit of code in user plugin to retrieve the user again ala wait_for_attr but in the case of transactions we need do it only once.
  Deprecate wait_for_attr code.
  Add a memberof fixup task for roles.
  https://fedorahosted.org/freeipa/ticket/1263
  https://fedorahosted.org/freeipa/ticket/1891
  https://fedorahosted.org/freeipa/ticket/2056
  https://fedorahosted.org/freeipa/ticket/3043
  https://fedorahosted.org/freeipa/ticket/3191
  https://fedorahosted.org/freeipa/ticket/3046
* Refactoring of default.conf man page | Tomas Babej | 2012-10-22 | 1 | -37/+49
  Description for the 'dogtag_version', 'startup_timeout', 'server', 'wait_for_attr' option has been added.
  Option 'server' has been marked as deprecated, as it is not used anywhere in IPA code. All the options have been sorted lexicographically.
  https://fedorahosted.org/freeipa/ticket/3071
* Use Dogtag 10 only when it is available | Petr Viktorin | 2012-09-17 | 1 | -3/+3
  Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code.
  Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value.
  This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
* Modifications to install scripts for dogtag 10 | Ade Lee | 2012-09-17 | 1 | -3/+3
  Dogtag 10 uses a new installer, new directory layout and new default ports. This patch changes the ipa install code to integrate these changes.
  https://fedorahosted.org/freeipa/ticket/2846
* Fix various typos. | Yuri Chornoivan | 2012-09-18 | 4 | -4/+4
  https://fedorahosted.org/freeipa/ticket/3089
* Add --no-ssh option to ipa-client-install to disable OpenSSH client configuration. | Jan Cholasta | 2012-09-13 | 1 | -0/+3
  If both --no-ssh and --no-sshd are specified, do not configure the SSH service in SSSD.
  ticket 3070
* Adding exit status 3 & 4 to ipa-client-install man page | Gowrishankar Rajaiyan | 2012-07-12 | 1 | -0/+4
* Make client server option multi-valued, allow disabling DNS discovery | Rob Crittenden | 2012-07-10 | 1 | -2/+2
  Let the --server option be specified multiple times on the command line. The first one passed in is the one we enroll against.
  Do additional verification before setting dnsok so we can be sure that the record(s) were actually discovered in DNS.
  If servers are provided on the CLI and --fixed-primary is set then _srv_ is not added to ipa_server in sssd.conf.
  https://fedorahosted.org/freeipa/ticket/2841
* Typo fixes | Petr Viktorin | 2012-06-25 | 1 | -1/+1
* Configure automount using autofs or sssd. | Rob Crittenden | 2012-06-25 | 2 | -0/+90
  This script edits nsswitch.conf to use either ldap (autofs) or sss (sssd) to find automount maps.
  NFSv4 services are started so Kerberos encryption and/or integrity can be used on the maps.
  https://fedorahosted.org/freeipa/ticket/1233
  https://fedorahosted.org/freeipa/ticket/2193
* Add flag to ipa-client-install to managed order of ipa_server in sssd | Rob Crittenden | 2012-06-13 | 1 | -1/+4
  The --fixed-primary flag determines the order of the ipa_server directive. When set the IPA server discovered (or passed in via --server or via user-input) will be listed first. Otherwise _srv_ is listed first.
  https://fedorahosted.org/freeipa/ticket/2282
* Configure a basic ldap.conf for OpenLDAP in /etc/openldap/ldap.conf | Rob Crittenden | 2012-03-14 | 1 | -1/+33
  Set URI, BASE and TLS_CACERT
  Also update the man page to include a list of files that the client changes.
  https://fedorahosted.org/freeipa/ticket/1810
* Add --noac option to ipa-client-install man page | Rob Crittenden | 2012-03-04 | 1 | -0/+3
  https://fedorahosted.org/freeipa/ticket/2369
* Implement session activity timeout | John Dennis | 2012-02-27 | 1 | -0/+3
  Previously sessions expired after session_auth_duration had elapsed commencing from the start of the session. We now support a "rolling" expiration where the expiration is advanced by session_auth_duration every time the session is accessed, this is equivalent to an inactivity timeout. The expiration is still constrained by the credential expiration in all cases. The session expiration behavior is configurable based on the session_auth_duration_type.
  * Reduced the default session_auth_duration from 1 hour to 20 minutes.
  * Replaced the session write_timestamp with the access_timestamp and update the access_timestamp whenever the session data is created, retrieved, or written.
  * Modify set_session_expiration_time to handle both an inactivity timeout and a fixed duration.
  * Introduce KerberosSession as a mixin class to share session duration functionality with all classes manipulating session data with Kerberos auth. This is both the non-RPC login class and the RPC classes.
  * Update make-lint to handle new classes.
  * Added session_auth_duration_type config item.
  * Updated default.conf.5 man page for new session_auth_duration_type item.
  * Removed these unused config items: mount_xmlserver, mount_jsonserver, webui_assets_dir
  https://fedorahosted.org/freeipa/ticket/2392
* Add client hostname requirements to man | Martin Kosek | 2012-02-27 | 1 | -1/+6
  Changing a client hostname after ipa-client-install would break the enrollment on IPA server. Update relevant man pages to contain such information.
  https://fedorahosted.org/freeipa/ticket/1967
* Configure ssh and sshd during ipa-client-install. | Jan Cholasta | 2012-02-13 | 1 | -0/+6
  For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns ipa-client-install option is used.
  For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM options are enabled (this can be disabled using --no-sshd ipa-client-install option).
  ticket 1634