freeipa/install/tools
Rob Crittenden e4470f8165 User-defined certificate subjects
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.

The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.

The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
2010-01-20 17:24:01 -05:00
man Add forgotten chunks from commit 4e5a68397a 2009-09-08 22:48:34 +02:00
ipa-compat-manage Rename errors2.py to errors.py. Modify all affected files. 2009-04-23 10:29:14 -04:00
ipa-fix-CVE-2008-3274 Rename ipa-python directory to ipapython so it is a real python library 2009-02-09 14:35:15 -05:00
ipa-ldap-updater Rename ipa-python directory to ipapython so it is a real python library 2009-02-09 14:35:15 -05:00
ipa-nis-manage Enable the portmap or rpcbind service if the NIS service is enabled 2009-05-21 14:51:04 -06:00
ipa-replica-install User-defined certificate subjects 2010-01-20 17:24:01 -05:00
ipa-replica-manage Add force option to ipa-replica-manage to allow forcing deletion of a replica 2009-12-11 22:34:58 -07:00
ipa-replica-prepare User-defined certificate subjects 2010-01-20 17:24:01 -05:00
ipa-server-certinstall Fix incorrect imports in ipa-server-certinstall. 2009-09-11 09:19:41 -04:00
ipa-server-install User-defined certificate subjects 2010-01-20 17:24:01 -05:00
ipa-upgradeconfig Better upgrade detection so we don't print spurious errors 2009-09-15 17:42:36 -04:00
ipactl Add start/stop for the CA 2010-01-11 13:38:45 -05:00
Makefile.am New tool to enable/disable DS plugin to act as NIS server 2009-05-13 14:09:56 -04:00
README Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00

Required packages:

krb5-server
fedora-ds-base
fedora-ds-base-devel
openldap-clients
openldap-devel
krb5-server-ldap
cyrus-sasl-gssapi
httpd
mod_auth_kerb
ntp
openssl-devel
nspr-devel
nss-devel
mozldap-devel
mod_python
gcc
python-ldap
TurboGears
python-kerberos
python-krbV
python-tgexpandingformwidget
python-pyasn1

Installation example:

TEMPORARY: until bug https://bugzilla.redhat.com/show_bug.cgi?id=248169 is
           fixed.

Please apply the fedora-ds.init.patch in freeipa/ipa-server/ipa-install/share/
to patch your init scripts before running ipa-server-install. This tells
FDS where to find its Kerberos keytab.

Commands run as root are prefixed with #. Commands run as a regular Unix user
are prefixed with %.

# cd freeipa
# patch -p0 < ipa-server/ipa-install/share/fedora-ds.init.patch

Now to do the installation.

# cd freeipa
# make install

To start an interactive installation use:
# /usr/sbin/ipa-server-install

For more verbose output, add the -d flag. Run the command with -h to see all
options.

You have a basic working system with one super administrator (named admin).

To create another administrative user:

% kinit admin@FREEIPA.ORG
% /usr/sbin/ipa-adduser -f Test -l User test
% ldappasswd -Y GSSAPI -h localhost -s password uid=test,cn=users,cn=accounts,dc=freeipa,dc=org
% /usr/sbin/ipa-groupmod -a test admins

An admin user is just a regular user in the admins group.

Now you can destroy the old ticket and log in as test:

% kdestroy
% kinit test@FREEIPA.ORG
% /usr/sbin/ipa-finduser test