diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 0d6226280..50c425624 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -23,6 +23,7 @@ import socket import os, pwd, traceback, logging, shutil import grp +from optparse import OptionGroup from ipapython import ipautil 
@@ -45,36 +46,45 @@ REPLICA_INFO_TOP_DIR=None def parse_options(): usage = "%prog [options] REPLICA_FILE" parser = IPAOptionParser(usage=usage, version=version.VERSION) - parser.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false", - help="do not configure ntp", default=True) - parser.add_option("-d", "--debug", dest="debug", action="store_true", - default=False, help="gather extra debugging information") - parser.add_option("-p", "--password", dest="password", sensitive=True, + + basic_group = OptionGroup(parser, "basic options") + basic_group.add_option("--setup-ca", dest="setup_ca", action="store_true", + default=False, help="configure a dogtag CA") + basic_group.add_option("-p", "--password", dest="password", sensitive=True, help="Directory Manager (existing master) password") - parser.add_option("-w", "--admin-password", dest="admin_password", sensitive=True, + basic_group.add_option("-w", "--admin-password", dest="admin_password", sensitive=True, help="Admin user Kerberos password used for connection check") - parser.add_option("--setup-dns", dest="setup_dns", action="store_true", + basic_group.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false", + help="do not configure ntp", default=True) + basic_group.add_option("--no-ui-redirect", dest="ui_redirect", action="store_false", + default=True, help="Do not automatically redirect to the Web UI") + basic_group.add_option("--skip-conncheck", dest="skip_conncheck", action="store_true", + default=False, help="skip connection check to remote master") + basic_group.add_option("-d", "--debug", dest="debug", action="store_true", + default=False, help="gather extra debugging information") + basic_group.add_option("-U", "--unattended", dest="unattended", action="store_true", + default=False, help="unattended installation never prompts the user") + parser.add_option_group(basic_group) + + cert_group = OptionGroup(parser, "certificate system options") + cert_group.add_option("--no-pkinit", 
dest="setup_pkinit", action="store_false", + default=True, help="disables pkinit setup steps") + parser.add_option_group(cert_group) + + dns_group = OptionGroup(parser, "DNS options") + dns_group.add_option("--setup-dns", dest="setup_dns", action="store_true", default=False, help="configure bind with our zone") - parser.add_option("--forwarder", dest="forwarders", action="append", + dns_group.add_option("--forwarder", dest="forwarders", action="append", type="ip", help="Add a DNS forwarder") - parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true", + dns_group.add_option("--no-forwarders", dest="no_forwarders", action="store_true", default=False, help="Do not add any DNS forwarders, use root servers instead") - parser.add_option("--reverse-zone", dest="reverse_zone", help="The reverse DNS zone to use") - parser.add_option("--no-reverse", dest="no_reverse", action="store_true", + dns_group.add_option("--reverse-zone", dest="reverse_zone", help="The reverse DNS zone to use") + dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true", default=False, help="Do not create reverse DNS zone") - parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true", + dns_group.add_option("--no-host-dns", dest="no_host_dns", action="store_true", default=False, help="Do not use DNS for hostname lookup during installation") - parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false", - default=True, help="disables pkinit setup steps") - parser.add_option("--no-ui-redirect", dest="ui_redirect", action="store_false", - default=True, help="Do not automatically redirect to the Web UI") - parser.add_option("--skip-conncheck", dest="skip_conncheck", action="store_true", - default=False, help="skip connection check to remote master") - parser.add_option("--setup-ca", dest="setup_ca", action="store_true", - default=False, help="configure a dogtag CA") - parser.add_option("-U", "--unattended", dest="unattended", 
action="store_true", - default=False, help="unattended installation never prompts the user") + parser.add_option_group(dns_group) options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index e8a48fad2..cb51b1daf 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -40,6 +40,7 @@ from ConfigParser import RawConfigParser import random import tempfile import nss.error +from optparse import OptionGroup from ipaserver.install import dsinstance from ipaserver.install import krbinstance 
@@ -103,88 +104,101 @@ def parse_options(): # Guaranteed to give a random 200k range below the 2G mark (uint32_t limit) namespace = random.randint(1, 10000) * 200000 parser = IPAOptionParser(version=version.VERSION) - parser.add_option("-r", "--realm", dest="realm_name", + + basic_group = OptionGroup(parser, "basic options") + basic_group.add_option("-r", "--realm", dest="realm_name", help="realm name") - parser.add_option("-n", "--domain", dest="domain_name", + basic_group.add_option("-n", "--domain", dest="domain_name", help="domain name") - parser.add_option("-p", "--ds-password", dest="dm_password", + basic_group.add_option("-p", "--ds-password", dest="dm_password", sensitive=True, help="admin password") - parser.add_option("-P", "--master-password", + basic_group.add_option("-P", "--master-password", dest="master_password", sensitive=True, help="kerberos master password (normally autogenerated)") - parser.add_option("-a", "--admin-password", + basic_group.add_option("-a", "--admin-password", sensitive=True, dest="admin_password", help="admin user kerberos password") - parser.add_option("-d", "--debug", dest="debug", action="store_true", - default=False, help="print debugging information") - parser.add_option("", "--selfsign", dest="selfsign", action="store_true", - default=False, help="Configure a self-signed CA instance rather than a dogtag CA") - parser.add_option("", "--external-ca", dest="external_ca", action="store_true", - default=False, help="Generate a CSR to be signed by an external CA") - parser.add_option("", "--external_cert_file", dest="external_cert_file", - help="File containing PKCS#10 certificate") - parser.add_option("", "--external_ca_file", dest="external_ca_file", - help="File containing PKCS#10 of the external CA chain") - parser.add_option("--hostname", dest="host_name", help="fully qualified name of server") - parser.add_option("--ip-address", dest="ip_address", + basic_group.add_option("--hostname", dest="host_name", help="fully 
qualified name of server") + basic_group.add_option("--ip-address", dest="ip_address", type="ip", ip_local=True, help="Master Server IP Address") - parser.add_option("--setup-dns", dest="setup_dns", action="store_true", + basic_group.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false", + help="do not configure ntp", default=True) + basic_group.add_option("--idstart", dest="idstart", default=namespace, type=int, + help="The starting value for the IDs range (default random)") + basic_group.add_option("--idmax", dest="idmax", default=0, type=int, + help="The max value value for the IDs range (default: idstart+199999)") + basic_group.add_option("--no_hbac_allow", dest="hbac_allow", default=False, + action="store_true", + help="Don't install allow_all HBAC rule") + basic_group.add_option("--no-ui-redirect", dest="ui_redirect", action="store_false", + default=True, help="Do not automatically redirect to the Web UI") + basic_group.add_option("-d", "--debug", dest="debug", action="store_true", + default=False, help="print debugging information") + basic_group.add_option("-U", "--unattended", dest="unattended", action="store_true", + default=False, help="unattended (un)installation never prompts the user") + parser.add_option_group(basic_group) + + cert_group = OptionGroup(parser, "certificate system options") + cert_group.add_option("", "--selfsign", dest="selfsign", action="store_true", + default=False, help="Configure a self-signed CA instance rather than a dogtag CA") + cert_group.add_option("", "--external-ca", dest="external_ca", action="store_true", + default=False, help="Generate a CSR to be signed by an external CA") + cert_group.add_option("", "--external_cert_file", dest="external_cert_file", + help="File containing PKCS#10 certificate") + cert_group.add_option("", "--external_ca_file", dest="external_ca_file", + help="File containing PKCS#10 of the external CA chain") + cert_group.add_option("--no-pkinit", dest="setup_pkinit", 
action="store_false", + default=True, help="disables pkinit setup steps") + cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12", + help="PKCS#12 file containing the Directory Server SSL certificate") + cert_group.add_option("--http_pkcs12", dest="http_pkcs12", + help="PKCS#12 file containing the Apache Server SSL certificate") + cert_group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12", + help="PKCS#12 file containing the Kerberos KDC SSL certificate") + cert_group.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True, + help="The password of the Directory Server PKCS#12 file") + cert_group.add_option("--http_pin", dest="http_pin", sensitive=True, + help="The password of the Apache Server PKCS#12 file") + cert_group.add_option("--pkinit_pin", dest="pkinit_pin", + help="The password of the Kerberos KDC PKCS#12 file") + cert_group.add_option("--subject", action="callback", callback=subject_callback, + type="string", + help="The certificate subject base (default O=)") + parser.add_option_group(cert_group) + + dns_group = OptionGroup(parser, "DNS options") + dns_group.add_option("--setup-dns", dest="setup_dns", action="store_true", default=False, help="configure bind with our zone") - parser.add_option("--forwarder", dest="forwarders", action="append", + dns_group.add_option("--forwarder", dest="forwarders", action="append", type="ip", help="Add a DNS forwarder") - parser.add_option("--no-forwarders", dest="no_forwarders", action="store_true", + dns_group.add_option("--no-forwarders", dest="no_forwarders", action="store_true", default=False, help="Do not add any DNS forwarders, use root servers instead") - parser.add_option("--reverse-zone", dest="reverse_zone", help="The reverse DNS zone to use") - parser.add_option("--no-reverse", dest="no_reverse", action="store_true", + dns_group.add_option("--reverse-zone", dest="reverse_zone", help="The reverse DNS zone to use") + dns_group.add_option("--no-reverse", dest="no_reverse", action="store_true", 
default=False, help="Do not create reverse DNS zone") - parser.add_option("--zonemgr", action="callback", callback=zonemgr_callback, + dns_group.add_option("--zonemgr", action="callback", callback=zonemgr_callback, type="string", help="DNS zone manager e-mail address. Defaults to root") - parser.add_option("--zone-notif", dest="zone_notif", + dns_group.add_option("--zone-notif", dest="zone_notif", action="store_true", default=False, help="Let name server receive notification when a new zone is added." \ "Zone refresh is turned off when zone notification is enabled") - parser.add_option("--zone-refresh", dest="zone_refresh", + dns_group.add_option("--zone-refresh", dest="zone_refresh", default=DNS_ZONE_REFRESH, type="int", help="A delay between checks for new DNS zones. Defaults to %d" \ % DNS_ZONE_REFRESH) - parser.add_option("-U", "--unattended", dest="unattended", action="store_true", - default=False, help="unattended installation never prompts the user") - parser.add_option("", "--uninstall", dest="uninstall", action="store_true", - default=False, help="uninstall an existing installation") - parser.add_option("-N", "--no-ntp", dest="conf_ntp", action="store_false", - help="do not configure ntp", default=True) - parser.add_option("--no-pkinit", dest="setup_pkinit", action="store_false", - default=True, help="disables pkinit setup steps") - parser.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12", - help="PKCS#12 file containing the Directory Server SSL certificate") - parser.add_option("--http_pkcs12", dest="http_pkcs12", - help="PKCS#12 file containing the Apache Server SSL certificate") - parser.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12", - help="PKCS#12 file containing the Kerberos KDC SSL certificate") - parser.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True, - help="The password of the Directory Server PKCS#12 file") - parser.add_option("--http_pin", dest="http_pin", sensitive=True, - help="The password of the Apache Server PKCS#12 
file") - parser.add_option("--pkinit_pin", dest="pkinit_pin", - help="The password of the Kerberos KDC PKCS#12 file") - parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true", + dns_group.add_option("--no-host-dns", dest="no_host_dns", action="store_true", default=False, help="Do not use DNS for hostname lookup during installation") + parser.add_option_group(dns_group) + + uninstall_group = OptionGroup(parser, "uninstall options") + uninstall_group.add_option("", "--uninstall", dest="uninstall", action="store_true", + default=False, help="uninstall an existing installation. The uninstall can " \ + "be run with --unattended option") + parser.add_option_group(uninstall_group) - parser.add_option("--idstart", dest="idstart", default=namespace, type=int, - help="The starting value for the IDs range (default random)") - parser.add_option("--idmax", dest="idmax", default=0, type=int, - help="The max value value for the IDs range (default: idstart+199999)") - parser.add_option("--subject", action="callback", callback=subject_callback, - type="string", - help="The certificate subject base (default O=)") - parser.add_option("--no_hbac_allow", dest="hbac_allow", default=False, - action="store_true", - help="Don't install allow_all HBAC rule") - parser.add_option("--no-ui-redirect", dest="ui_redirect", action="store_false", - default=True, help="Do not automatically redirect to the Web UI") options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1 index 90ea84622..b70dfbd7f 100644 --- a/install/tools/man/ipa-ca-install.1 +++ b/install/tools/man/ipa-ca-install.1 @@ -16,7 +16,7 @@ .\" .\" Author: Rob Crittenden .\" -.TH "ipa-ca-install" "1" "Jun 17 2011" "freeipa" "" +.TH "ipa-ca-install" "1" "Jun 17 2011" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-ca\-install \- Install a CA on a replica .SH "SYNOPSIS" 
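Review bot: `--pkinit_pin` is registered in the new `cert_group` without `sensitive=True`, unlike `--dirsrv_pin` and `--http_pin` directly above it. The Kerberos KDC PKCS#12 password is therefore presumably not filtered by `parser.get_safe_opts(options)` and may appear wherever `safe_options` is logged. The option was moved unchanged, but now that the three pin options sit together the fix belongs here: `cert_group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,`. parse_options continues past the end of the hunk, so how `safe_options` is consumed is not visible here.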
diff --git a/install/tools/man/ipa-compat-manage.1 b/install/tools/man/ipa-compat-manage.1
index a45b2885d..f22b1743e 100644
--- a/install/tools/man/ipa-compat-manage.1
+++ b/install/tools/man/ipa-compat-manage.1
@@ -16,7 +16,7 @@
 .\"
 .\" Author: Simo Sorce
 .\"
-.TH "ipa-compat-manage" "1" "Dec 2 2008" "freeipa" ""
+.TH "ipa-compat-manage" "1" "Dec 2 2008" "FreeIPA" "FreeIPA Manual Pages"
 .SH "NAME"
 ipa\-compat\-manage \- Enables or disables the schema compatibility plugin
 .SH "SYNOPSIS"
diff --git a/install/tools/man/ipa-compliance.1 b/install/tools/man/ipa-compliance.1
index 09ce02df8..4f8a6191d 100644
--- a/install/tools/man/ipa-compliance.1
+++ b/install/tools/man/ipa-compliance.1
@@ -16,7 +16,7 @@
 .\"
 .\" Author: Rob Crittenden
 .\"
-.TH "ipa-compliance" "1" "Dec 14 2010" "freeipa" ""
+.TH "ipa-compliance" "1" "Dec 14 2010" "FreeIPA" "FreeIPA Manual Pages"
 .SH "NAME"
 ipa\-compliance \- Check entitlement compliance
 .SH "SYNOPSIS"
@@ -35,7 +35,7 @@ The command logs to syslog and if run from a tty will log to the terminal as wel
 The IPA server provides 25 entitlements of its own.
 .SH "OPTIONS"
 .TP
-\fB\-\-\-debug\fR
+\fB\-\-debug\fR
 Enable debugging output in the command
 .SH "EXIT STATUS"
 0 if the command was successful
diff --git a/install/tools/man/ipa-csreplica-manage.1 b/install/tools/man/ipa-csreplica-manage.1
index 37256f954..ddb28da41 100644
--- a/install/tools/man/ipa-csreplica-manage.1
+++ b/install/tools/man/ipa-csreplica-manage.1
@@ -16,7 +16,7 @@
 .\"
 .\" Author: Rob Crittenden
 .\"
-.TH "ipa-csreplica-manage" "1" "Jul 14 2011" "freeipa" ""
+.TH "ipa-csreplica-manage" "1" "Jul 14 2011" "FreeIPA" "FreeIPA Manual Pages"
 .SH "NAME"
 ipa\-csreplica\-manage \- Manage an IPA CS replica
 .SH "SYNOPSIS"
diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
index 3e98dbe79..adcab95e0 100644
--- a/install/tools/man/ipa-dns-install.1
+++ b/install/tools/man/ipa-dns-install.1
@@ -16,7 +16,7 @@
 .\"
 .\" Author: Rob Crittenden
 .\"
-.TH "ipa-dns-install" "1" "Sep 9, 2010" "freeipa" ""
+.TH "ipa-dns-install" "1" "Sep 9, 2010" "FreeIPA" "FreeIPA Manual Pages"
 .SH "NAME"
 ipa\-dns\-install \- Add DNS as a service to an IPA server
 .SH "SYNOPSIS"
diff --git a/install/tools/man/ipa-host-net-manage.1 b/install/tools/man/ipa-host-net-manage.1
index f94493cb6..8b8f0237d 100644
--- a/install/tools/man/ipa-host-net-manage.1
+++ b/install/tools/man/ipa-host-net-manage.1
@@ -16,7 +16,7 @@
 .\"
 .\" Author: Jr Aquino
 .\"
-.TH "ipa-host-net-manage" "1" "Dec 2 2010" "freeipa" ""
+.TH "ipa-host-net-manage" "1" "Dec 2 2010" "FreeIPA" "FreeIPA Manual Pages"
 .SH "NAME"
 ipa\-host\-net\-manage \- Enables or disables the schema Managed Entry Hostgroup -to- Netgroup plugin
 .SH "SYNOPSIS"
diff --git a/install/tools/man/ipa-ldap-updater.1 b/install/tools/man/ipa-ldap-updater.1
index 487e80c36..f906528a6 100644
--- a/install/tools/man/ipa-ldap-updater.1
+++ b/install/tools/man/ipa-ldap-updater.1
@@ -16,7 +16,7 @@
 .\"
 .\" Author: Rob Crittenden
 .\"
-.TH "ipa-ldap-updater" "1" "Sep 12 2008" "freeipa" ""
+.TH "ipa-ldap-updater" "1" "Sep 12 2008" "FreeIPA" "FreeIPA Manual Pages"
 .SH "NAME"
 ipa\-ldap\-updater \- Update the IPA LDAP configuration
 .SH "SYNOPSIS"
diff --git a/install/tools/man/ipa-nis-manage.1 b/install/tools/man/ipa-nis-manage.1
index 3e32aae28..fa02cfc76 100644
--- a/install/tools/man/ipa-nis-manage.1
+++ b/install/tools/man/ipa-nis-manage.1
@@ -16,7 +16,7 @@
 .\"
 .\" Author: Rob Crittenden
 .\"
-.TH "ipa-nis-manage" "1" "May 6 2009" "freeipa" ""
+.TH "ipa-nis-manage" "1" "May 6 2009" "FreeIPA" "FreeIPA Manual Pages"
 .SH "NAME"
 ipa\-nis\-manage \- Enables or disables the NIS listener plugin
 .SH "SYNOPSIS"
diff --git a/install/tools/man/ipa-replica-conncheck.1 b/install/tools/man/ipa-replica-conncheck.1
index 21fa24ccc..2983eb621 100644
--- a/install/tools/man/ipa-replica-conncheck.1
+++ b/install/tools/man/ipa-replica-conncheck.1
@@ -16,7 +16,7 @@ .\" .\" Author: Martin Kosek .\" -.TH "ipa-replica-conncheck" "1" "Jun 2 2011" "freeipa" "" +.TH "ipa-replica-conncheck" "1" "Jun 2 2011" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-replica\-conncheck \- Check a replica\-master network connection before installation .SH "SYNOPSIS" diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 index 350160ada..c82b4a6b0 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -16,7 +16,7 @@ .\" .\" Author: Rob Crittenden .\" -.TH "ipa-replica-install" "1" "Mar 14 2008" "freeipa" "" +.TH "ipa-replica-install" "1" "Sep 5 2011" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-replica\-install \- Create an IPA replica .SH "SYNOPSIS" @@ -26,12 +26,11 @@ Configures a new IPA server that is a replica of the server that generated it. O The replica_file is created using the ipa\-replica\-prepare utility. .SH "OPTIONS" +.SS "BASIC OPTIONS" .TP -\fB\-N\fR, \fB\-\-no\-ntp\fR -Do not configure NTP -.TP -\fB\-d\fR, \fB\-\-debug -Enable debug logging when more verbose output is needed +\fB\-\-setup\-ca\fR +Install and configure a CA on this replica. If a CA is not configured then +certificate operations will be forwarded to a master with a CA installed. .TP \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR Directory Manager (existing master) password 
@@ -39,9 +38,27 @@ Directory Manager (existing master) password \fB\-w\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=\fIADMIN_PASSWORD\fR Admin user Kerberos password used for connection check .TP -\fB\-\-setup\-ca\fR -Install and configure a CA on this replica. If a CA is not configured then -certificate operations will be forwarded to a master with a CA installed. +\fB\-N\fR, \fB\-\-no\-ntp\fR +Do not configure NTP +.TP +\fB\-\-no\-ui\-redirect\fR +Do not automatically redirect to the Web UI. +.TP +\fB\-\-skip\-conncheck\fR +Skip connection check to remote master +.TP +\fB\-d\fR, \fB\-\-debug +Enable debug logging when more verbose output is needed +.TP +\fB\-U\fR, \fB\-\-unattended\fR +An unattended installation that will never prompt for user input + +.SS "CERTIFICATE SYSTEM OPTIONS" +.TP +\fB\-\-no\-pkinit\fR +Disables pkinit setup steps + +.SS "DNS OPTIONS" .TP \fB\-\-setup\-dns\fR Generate a DNS zone if it does not exist already and configure the DNS server. @@ -64,18 +81,7 @@ Do not create reverse DNS zone .TP \fB\-\-no\-host\-dns\fR Do not use DNS for hostname lookup during installation -.TP -\fB\-\-no\-pkinit\fR -Disables pkinit setup steps -.TP -\fB\-\-no\-ui\-redirect\fR -Do not automatically redirect to the Web UI. -.TP -\fB\-\-skip\-conncheck\fR -Skip connection check to remote master -.TP -\fB\-U\fR, \fB\-\-unattended\fR -An unattended installation that will never prompt for user input + .SH "EXIT STATUS" 0 if the command was successful diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1 index 4073dff29..5eae6f2c2 100644 --- a/install/tools/man/ipa-replica-manage.1 +++ b/install/tools/man/ipa-replica-manage.1 @@ -16,7 +16,7 @@ .\" .\" Author: Rob Crittenden .\" -.TH "ipa-replica-manage" "1" "Mar 14 2008" "freeipa" "" +.TH "ipa-replica-manage" "1" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-replica\-manage \- Manage an IPA replica .SH "SYNOPSIS" 
@@ -114,4 +114,5 @@ Completely remove a replica: Using connect/disconnect you can manage the replication topology. .SH "EXIT STATUS" 0 if the command was successful - 1 if an error occurred + +1 if an error occurred diff --git a/install/tools/man/ipa-replica-prepare.1 b/install/tools/man/ipa-replica-prepare.1 index a8ebcc9cf..c9cd544ad 100644 --- a/install/tools/man/ipa-replica-prepare.1 +++ b/install/tools/man/ipa-replica-prepare.1 @@ -16,7 +16,7 @@ .\" .\" Author: Rob Crittenden .\" -.TH "ipa-replica-prepare" "1" "Mar 14 2008" "freeipa" "" +.TH "ipa-replica-prepare" "1" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-replica\-prepare \- Create an IPA replica file .SH "SYNOPSIS" diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1 index feb647fdb..ab293cf0f 100644 --- a/install/tools/man/ipa-server-certinstall.1 +++ b/install/tools/man/ipa-server-certinstall.1 @@ -16,7 +16,7 @@ .\" .\" Author: Rob Crittenden .\" -.TH "ipa-server-certinstall" "1" "Mar 14 2008" "freeipa" "" +.TH "ipa-server-certinstall" "1" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-server\-certinstall \- Install new SSL server certificates .SH "SYNOPSIS" diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index 0ea8b01be..074c8d3dc 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 
@@ -16,14 +16,16 @@ .\" .\" Author: Rob Crittenden .\" -.TH "ipa-server-install" "1" "Mar 14 2008" "freeipa" "" +.TH "ipa-server-install" "1" "Sep 5 2011" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-server\-install \- Configure an IPA server .SH "SYNOPSIS" ipa\-server\-install [\fIOPTION\fR]... .SH "DESCRIPTION" Configures the services needed by an IPA server. This includes setting up a Kerberos Key Distribution Center (KDC) and a Kadmin daemon with an LDAP back\-end, configuring Apache, configuring NTP and optionally configuring and starting an LDAP-backed DNS server. By default a dogtag\-based CA will be configured to issue server certificates. + .SH "OPTIONS" +.SS "BASIC OPTIONS" .TP \fB\-r\fR \fIREALM_NAME\fR, \fB\-\-realm\fR=\fIREALM_NAME\fR The Kerberos realm name for the IPA server 
@@ -40,9 +42,36 @@ The kerberos master password (normally autogenerated) \fB\-a\fR \fIADMIN_PASSWORD\fR, \fB\-\-admin\-password\fR=\fIADMIN_PASSWORD\fR The password for the IPA admin user .TP +\fB\-\-hostname\fR=\fIHOST_NAME\fR +The fully\-qualified DNS name of this server +.TP +\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR +The IP address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected the installation will fail. +.TP +\fB\-N\fR, \fB\-\-no\-ntp\fR +Do not configure NTP +.TP +\fB\-\-idstart\fR=\fIIDSTART\fR +The starting user and group id number (default random) +.TP +\fB\-\-idmax\fR=\fIIDMAX\fR +The maximum user and group id number (default: idstart+199999). If set to zero, the default value will be used. +.TP +\fB\-\-no_hbac_allow\fR +Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production. +.TP +\fB\-\-no\-ui\-redirect\fR +Do not automatically redirect to the Web UI. +.TP \fB\-d\fR, \fB\-\-debug\fR Enable debug logging when more verbose output is needed .TP +\fB\-U\fR, \fB\-\-unattended\fR +An unattended installation that will never prompt for user input + + +.SS "CERTIFICATE SYSTEM OPTIONS" +.TP \fB\-\-selfsign\fR Configure a self\-signed CA instance for issuing server certificates instead of using dogtag for certificates .TP 
@@ -55,11 +84,31 @@ File containing PKCS#10 certificate \fB\-\-external_ca_file\fR=\fIFILE\fR File containing PKCS#10 of the external CA chain .TP -\fB\-\-hostname\fR=\fIHOST_NAME\fR -The fully\-qualified DNS name of this server +\fB\-\-no\-pkinit\fR +Disables pkinit setup steps .TP -\fB\-\-ip\-address\fR=\fIIP_ADDRESS\fR -The IP address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected the installation will fail. +\fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR +PKCS#12 file containing the Directory Server SSL Certificate +.TP +\fB\-\-http_pkcs12\fR=\fIFILE\fR +PKCS#12 file containing the Apache Server SSL Certificate +.TP +\fB\-\-pkinit_pkcs12\fR=\fIFILE\fR +PKCS#12 file containing the Kerberos KDC SSL certificate +.TP +\fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR +The password of the Directory Server PKCS#12 file +.TP +\fB\-\-http_pin\fR=\fIHTTP_PIN\fR +The password of the Apache Server PKCS#12 file +.TP +\fB\-\-pkinit_pin\fR=\fIPKINIT_PIN\fR +The password of the Kerberos KDC PKCS#12 file +.TP +\fB\-\-subject\fR=\fISUBJECT\fR +The certificate subject base (default O=REALM.NAME) + +.SS "DNS OPTIONS" .TP \fB\-\-setup\-dns\fR Generate a DNS zone if it does not exist already and configure the DNS server. 
@@ -94,57 +143,21 @@ Let name server receive notifications when a new zone is added. New zone is then \fB\-\-zone\-refresh=\fIZONE_REFRESH\fR Number of seconds between regular checks for new DNS zones. When set to 0 the name server does not check for new zones and it needs to be reloaded when a new DNS zone is added. .TP -\fB\-U\fR, \fB\-\-unattended\fR -An unattended installation that will never prompt for user input +\fB\-\-no\-host\-dns\fR +Do not use DNS for hostname lookup during installation + +.SS "UNINSTALL OPTIONS" .TP \fB\-\-uninstall\fR Uninstall an existing IPA installation .TP -\fB\-N\fR, \fB\-\-no\-ntp\fR -Do not configure NTP -.TP -\fB\-\-no\-pkinit\fR -Disables pkinit setup steps -.TP -\fB\-\-dirsrv_pkcs12\fR=\fIFILE\fR -PKCS#12 file containing the Directory Server SSL Certificate -.TP -\fB\-\-http_pkcs12\fR=\fIFILE\fR -PKCS#12 file containing the Apache Server SSL Certificate -.TP -\fB\-\-pkinit_pkcs12\fR=\fIFILE\fR -PKCS#12 file containing the Kerberos KDC SSL certificate -.TP -\fB\-\-dirsrv_pin\fR=\fIDIRSRV_PIN\fR -The password of the Directory Server PKCS#12 file -.TP -\fB\-\-http_pin\fR=\fIHTTP_PIN\fR -The password of the Apache Server PKCS#12 file -.TP -\fB\-\-pkinit_pin\fR=\fIPKINIT_PIN\fR -The password of the Kerberos KDC PKCS#12 file -.TP -\fB\-\-no\-host\-dns\fR -Do not use DNS for hostname lookup during installation -.TP -\fB\-\-idstart\fR=\fIIDSTART\fR -The starting user and group id number (default random) -.TP -\fB\-\-idmax\fR=\fIIDMAX\fR -The maximum user and group id number (default: idstart+199999). If set to zero, the default value will be used. -.TP -\fB\-\-subject\fR=\fISUBJECT\fR - The certificate subject base (default O=REALM.NAME) -.TP -\fB\-\-no_hbac_allow\fR -Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production. -.TP -\fB\-\-no\-ui\-redirect\fR -Do not automatically redirect to the Web UI. 
-.TP +\fB\-U\fR, \fB\-\-unattended\fR +An unattended uninstallation that will never prompt for user input + .SH "EXIT STATUS" -0 if the installation was successful +0 if the (un)installation was successful 1 if an error occurred + .SH "SEE ALSO" .BR ipa-dns-install (1) diff --git a/install/tools/man/ipactl.8 b/install/tools/man/ipactl.8 index 18c682d75..05be8e0e2 100644 --- a/install/tools/man/ipactl.8 +++ b/install/tools/man/ipactl.8 @@ -16,7 +16,7 @@ .\" .\" Author: Rob Crittenden .\" -.TH "ipactl" "8" "Mar 14 2008" "freeipa" "" +.TH "ipactl" "8" "Mar 14 2008" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipactl \- IPA Server Control Interface .SH "SYNOPSIS" diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index fe520be9e..5f0c3c92a 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -42,7 +42,7 @@ try: from ipapython.config import IPAOptionParser import SSSDConfig from ConfigParser import RawConfigParser - from optparse import SUPPRESS_HELP + from optparse import SUPPRESS_HELP, OptionGroup except ImportError: print >> sys.stderr, """\ There was a problem importing one of the required Python modules. The 
@@ -61,46 +61,61 @@ client_nss_nickname_format = 'IPA Machine Certificate - %s' def parse_options(): parser = IPAOptionParser(version=version.VERSION) - parser.add_option("--domain", dest="domain", help="domain name") - parser.add_option("--server", dest="server", help="IPA server") - parser.add_option("--realm", dest="realm_name", help="realm name") - parser.add_option("-f", "--force", dest="force", action="store_true", - default=False, help="force setting of LDAP/Kerberos conf") - parser.add_option("-d", "--debug", dest="debug", action="store_true", - default=False, help="print debugging information") - parser.add_option("-U", "--unattended", dest="unattended", - action="store_true", - help="unattended installation never prompts the user") - parser.add_option("--ntp-server", dest="ntp_server", help="ntp server to use") - parser.add_option("-S", "--no-sssd", action="store_false", - help="Do not configure the client to use SSSD for authentication", default=True, dest="sssd") - parser.add_option("-N", "--no-ntp", action="store_false", - help="do not configure ntp", default=True, dest="conf_ntp") - parser.add_option("-w", "--password", dest="password", sensitive=True, + + basic_group = OptionGroup(parser, "basic options") + basic_group.add_option("--domain", dest="domain", help="domain name") + basic_group.add_option("--server", dest="server", help="IPA server") + basic_group.add_option("--realm", dest="realm_name", help="realm name") + basic_group.add_option("-p", "--principal", dest="principal", + help="principal to use to join the IPA realm"), + basic_group.add_option("-w", "--password", dest="password", sensitive=True, help="password to join the IPA realm (assumes bulk password unless principal is also set)"), - parser.add_option("-W", dest="prompt_password", action="store_true", + basic_group.add_option("-W", dest="prompt_password", action="store_true", default=False, help="Prompt for a password to join the IPA realm"), - parser.add_option("-p", "--principal", 
dest="principal", - help="principal to use to join the IPA realm"), - # --on-master is used in ipa-server-install and ipa-replica-install - # only, it isn't meant to be used on clients. - parser.add_option("--on-master", dest="on_master", action="store_true", - help=SUPPRESS_HELP, default=False) - parser.add_option("--permit", dest="permit", action="store_true", - help="disable access rules by default, permit all access.", default=False) - parser.add_option("--mkhomedir", dest="mkhomedir", action="store_true", - help="create home directories for users on their first login", default=False) - parser.add_option("", "--uninstall", dest="uninstall", action="store_true", - default=False, help="uninstall an existing installation") - parser.add_option("", "--hostname", dest="hostname", + basic_group.add_option("--mkhomedir", dest="mkhomedir", + action="store_true", default=False, + help="create home directories for users on their first login") + basic_group.add_option("", "--hostname", dest="hostname", help="The hostname of this server (FQDN). If specified, the hostname will be set and " "the system configuration will be updated to persist over reboot. 
" "By default a nodename result from uname(2) is used.") - parser.add_option("", "--enable-dns-updates", dest="dns_updates", action="store_true", default=False, + basic_group.add_option("--ntp-server", dest="ntp_server", help="ntp server to use") + basic_group.add_option("-N", "--no-ntp", action="store_false", + help="do not configure ntp", default=True, dest="conf_ntp") + basic_group.add_option("-f", "--force", dest="force", action="store_true", + default=False, help="force setting of LDAP/Kerberos conf") + basic_group.add_option("-d", "--debug", dest="debug", action="store_true", + default=False, help="print debugging information") + basic_group.add_option("-U", "--unattended", dest="unattended", + action="store_true", + help="unattended (un)installation never prompts the user") + # --on-master is used in ipa-server-install and ipa-replica-install + # only, it isn't meant to be used on clients. + basic_group.add_option("--on-master", dest="on_master", action="store_true", + help=SUPPRESS_HELP, default=False) + parser.add_option_group(basic_group) + + sssd_group = OptionGroup(parser, "SSSD options") + sssd_group.add_option("--permit", dest="permit", + action="store_true", default=False, + help="disable access rules by default, permit all access.") + sssd_group.add_option("", "--enable-dns-updates", dest="dns_updates", + action="store_true", default=False, help="Configures the machine to attempt dns updates when the ip address changes.") - parser.add_option("--no-krb5-offline-passwords", dest="krb5_offline_passwords", action="store_false", - help="Configure SSSD not to store user password when the server is offline", default=True) + sssd_group.add_option("--no-krb5-offline-passwords", dest="krb5_offline_passwords", + action="store_false", default=True, + help="Configure SSSD not to store user password when the server is offline") + sssd_group.add_option("-S", "--no-sssd", dest="sssd", + action="store_false", default=True, + help="Do not configure the client to use 
SSSD for authentication") + parser.add_option_group(sssd_group) + + uninstall_group = OptionGroup(parser, "uninstall options") + uninstall_group.add_option("", "--uninstall", dest="uninstall", action="store_true", + default=False, help="uninstall an existing installation. The uninstall can " \ + "be run with --unattended option") + parser.add_option_group(uninstall_group) options, args = parser.parse_args() safe_opts = parser.get_safe_opts(options) diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5 index 88982cb6c..938eb2c91 100644 --- a/ipa-client/man/default.conf.5 +++ b/ipa-client/man/default.conf.5 @@ -16,7 +16,7 @@ .\" .\" Author: Rob Crittenden .\" -.TH "default.conf" "5" "02/21/2011" "freeipa" "" +.TH "default.conf" "5" "Feb 21 2011" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" default.conf \- IPA configuration file .SH "SYNOPSIS" diff --git a/ipa-client/man/ipa-client-install.1 b/ipa-client/man/ipa-client-install.1 index 8b57c85c2..0bfbe5451 100644 --- a/ipa-client/man/ipa-client-install.1 +++ b/ipa-client/man/ipa-client-install.1 @@ -16,7 +16,7 @@ .\" .\" Author: Rob Crittenden .\" -.TH "ipa-client-install" "1" "Mar 14 2008" "freeipa" "" +.TH "ipa-client-install" "1" "Sep 5 2011" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-client\-install \- Configure an IPA client .SH "SYNOPSIS" 
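Review bot: The help strings for `-w/--password` and `--permit` understate what these two options do to the host's security, and this hunk already rewrites both `add_option` calls, so it is the place to fix them. A password given with `-w` sits in the process argument list where other local users can read it; `sensitive=True` presumably only keeps it out of what `parser.get_safe_opts(options)` returns, so I would end that help string with `"; use -W to be prompted instead"`. `--permit` is now listed under "SSSD options" with `help="disable access rules by default, permit all access."`, while the man page text further down this diff says the alternative is HBAC control from the IPA server; the help could say so, e.g. `help="permit all access on this client instead of enforcing the server's HBAC rules"`. As a style point, the `-p`, `-w` and `-W` calls still end in a stray `),` that turns each statement into a one-element tuple, and `-U` is the only boolean flag without an explicit `default=False`. parse_options continues past the end of the hunk.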
@@ -29,7 +29,9 @@ By default this configures SSSD to connect to an IPA server for authentication a An authorized user is required to join a client machine to IPA. This can take the form of a kerberos principal or a one\-time password associated with the machine. This same tool is used to unconfigure IPA and attemps to return the machine to its previous state. Part of this process is to unenroll the host from the IPA server. Unenrollment consists of disabling the prinicipal key on the IPA server so that it may be re\-enrolled. The machine principal in /etc/krb5.keytab (host/@REALM) is used to authenticate to the IPA server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host\-disable ). + .SH "OPTIONS" +.SS "BASIC OPTIONS" .TP \fB\-\-domain\fR=\fIDOMAIN\fR Set the domain name to DOMAIN @@ -40,6 +42,27 @@ Set the IPA server to connect to \fB\-\-realm\fR=\fIREALM_NAME\fR Set the IPA realm name to REALM_NAME .TP +\fB\-p\fR, \fB\-\-principal\fR +Authorized kerberos principal to use to join the IPA realm. +.TP +\fB\-w\fR \fIPASSWORD\fR, \fB\-\-password\fR=\fIPASSWORD\fR +Password for joining a machine to the IPA realm. Assumes bulk password unless principal is also set. +.TP +\fB\-W\fR +Prompt for the password for joining a machine to the IPA realm. +.TP +\fB\-\-mkhomedir\fR +Configure PAM to create a users home directory if it does not exist. +.TP +\fB\-\-hostname\fR +The hostname of this server (FQDN). If specified, the hostname will be set and the system configuration will be updated to persist over reboot. By default a nodename result from uname(2) is used. +.TP +\fB\-\-ntp\-server\fR=\fINTP_SERVER\fR +Configure ntpd to use this NTP server. +.TP +\fB\-N\fR, \fB\-\-no\-ntp\fR +Do not configure or enable NTP. +.TP \fB\-f\fR, \fB\-\-force\fR Force the settings even if errors occur .TP 
@@ -48,42 +71,28 @@ Print debugging information to stdout .TP \fB\-U\fR, \fB\-\-unattended\fR Unattended installation. The user will not be prompted. -.TP -\fB\-\-ntp\-server\fR=\fINTP_SERVER\fR -Configure ntpd to use this NTP server. -.TP -\fB\-S\fR, \fB\-\-no\-sssd\fR -Do not configure the client to use SSSD for authentication, use nss_ldap instead. -.TP -\fB\-N\fR, \fB\-\-no\-ntp\fR -Do not configure or enable NTP. -.TP -\fB\-w\fR \fIPASSWORD\fR, \fB\-\-password\fR=\fIPASSWORD\fR -Password for joining a machine to the IPA realm. Assumes bulk password unless principal is also set. -.TP -\fB\-W\fR -Prompt for the password for joining a machine to the IPA realm. -.TP -\fB\-p\fR, \fB\-\-principal\fR -Authorized kerberos principal to use to join the IPA realm. + +.SS "SSSD OPTIONS" .TP \fB\-\-permit\fR Configure SSSD to permit all access. Otherwise the machine will be controlled by the Host\-based Access Controls (HBAC) on the IPA server. .TP -\fB\-\-mkhomedir\fR -Configure PAM to create a users home directory if it does not exist. -.TP -\fB\-\-uninstall\fR -Remove the IPA client software and restore the configuration to the pre\-IPA state. -.TP -\fB\-\-hostname\fR -The hostname of this server (FQDN). If specified, the hostname will be set and the system configuration will be updated to persist over reboot. By default a nodename result from uname(2) is used. -.TP \fB\-\-enable\-dns\-updates\fR This option tells SSSD to automatically update DNS with the IP address of this client. .TP \fB\-\-no\-krb5\-offline\-passwords\fR Configure SSSD not to store user password when the server is offline. +.TP +\fB\-S\fR, \fB\-\-no\-sssd\fR +Do not configure the client to use SSSD for authentication, use nss_ldap instead. + +.SS "UNINSTALL OPTIONS" +.TP +\fB\-\-uninstall\fR +Remove the IPA client software and restore the configuration to the pre\-IPA state. +\fB\-U\fR, \fB\-\-unattended\fR +Unattended uninstallation. The user will not be prompted. 
+ .SH "EXIT STATUS" 0 if the installation was successful diff --git a/ipa-client/man/ipa-getkeytab.1 b/ipa-client/man/ipa-getkeytab.1 index 81d0a4a0b..b967497e4 100644 --- a/ipa-client/man/ipa-getkeytab.1 +++ b/ipa-client/man/ipa-getkeytab.1 @@ -17,7 +17,7 @@ .\" Author: Karl MacMillan .\" Author: Simo Sorce .\" -.TH "ipa-getkeytab" "1" "Oct 10 2007" "freeipa" "" +.TH "ipa-getkeytab" "1" "Oct 10 2007" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-getkeytab \- Get a keytab for a Kerberos principal .SH "SYNOPSIS" diff --git a/ipa-client/man/ipa-join.1 b/ipa-client/man/ipa-join.1 index b46b25850..d1532ec62 100644 --- a/ipa-client/man/ipa-join.1 +++ b/ipa-client/man/ipa-join.1 @@ -16,7 +16,7 @@ .\" .\" Author: Rob Crittenden .\" -.TH "ipa-join" "1" "Oct 8 2009" "freeipa" "" +.TH "ipa-join" "1" "Oct 8 2009" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal .SH "SYNOPSIS" diff --git a/ipa-client/man/ipa-rmkeytab.1 b/ipa-client/man/ipa-rmkeytab.1 index 6926c7b06..11618d1b5 100644 --- a/ipa-client/man/ipa-rmkeytab.1 +++ b/ipa-client/man/ipa-rmkeytab.1 @@ -17,7 +17,7 @@ .\" Author: Rob Crittenden .\" .\" -.TH "ipa-rmkeytab" "1" "Oct 30 2009" "freeipa" "" +.TH "ipa-rmkeytab" "1" "Oct 30 2009" "FreeIPA" "FreeIPA Manual Pages" .SH "NAME" ipa\-rmkeytab \- Remove a kerberos principal from a keytab .SH "SYNOPSIS"