mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
e4470f8165
Let the user, upon installation, set the certificate subject base for the dogtag CA. Certificate requests will automatically be given this subject base, regardless of what is in the CSR. The selfsign plugin does not currently support this dynamic name re-assignment and will reject any incoming requests that don't conform to the subject base. The certificate subject base is stored in cn=ipaconfig but it does NOT dynamically update the configuration, for dogtag at least. The file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to be updated and pki-cad restarted.

- man
- ipa-compat-manage
- ipa-fix-CVE-2008-3274
- ipa-ldap-updater
- ipa-nis-manage
- ipa-replica-install
- ipa-replica-manage
- ipa-replica-prepare
- ipa-server-certinstall
- ipa-server-install
- ipa-upgradeconfig
- ipactl
- Makefile.am
- README
Required packages:

    krb5-server
    fedora-ds-base
    fedora-ds-base-devel
    openldap-clients
    openldap-devel
    krb5-server-ldap
    cyrus-sasl-gssapi
    httpd
    mod_auth_kerb
    ntp
    openssl-devel
    nspr-devel
    nss-devel
    mozldap-devel
    mod_python
    gcc
    python-ldap
    TurboGears
    python-kerberos
    python-krbV
    python-tgexpandingformwidget
    python-pyasn1

Installation example:

TEMPORARY: until bug https://bugzilla.redhat.com/show_bug.cgi?id=248169 is fixed.

Please apply the fedora-ds.init.patch in freeipa/ipa-server/ipa-install/share/ to patch your init scripts before running ipa-server-install. This tells FDS where to find its Kerberos keytab.

Things done as root are denoted by #. Things done as a Unix user are denoted by %.

    # cd freeipa
    # patch -p0 < ipa-server/ipa-install/share/fedora-ds.init.patch

Now to do the installation.

    # cd freeipa
    # make install

To start an interactive installation use:

    # /usr/sbin/ipa-server-install

For more verbose output, add the -d flag. Run the command with -h to see all options.

You have a basic working system with one super administrator (named admin).

To create another administrative user:

    % kinit admin@FREEIPA.ORG
    % /usr/sbin/ipa-adduser -f Test -l User test
    % ldappasswd -Y GSSAPI -h localhost -s password uid=test,cn=users,cn=accounts,dc=freeipa,dc=org
    % /usr/sbin/ipa-groupmod -a test admins

An admin user is just a regular user in the group admin.

Now you can destroy the old ticket and log in as test:

    % kdestroy
    % kinit test@FREEIPA.ORG
    % /usr/sbin/ipa-finduser test