Bug 713889

Summary: ipa-server-install Man Page missing external ca install options and instructions
Product: Red Hat Enterprise Linux 6
Component: ipa
Version: 6.1
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: medium
Reporter: Jenny Severance <jgalipea>
Assignee: Rob Crittenden <rcritten>
QA Contact: Chandrasekar Kannan <ckannan>
CC: benl, dpal, mkosek
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-07-19 17:25:06 UTC

Description Jenny Severance 2011-06-16 17:38:38 UTC
Description of problem:
FreeIPA docs state there are external CA install options:

https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/creating-server.html

ipa-server-install man page does not include these ...

ipa-server-install(1)                                    ipa-server-install(1)

NAME
       ipa-server-install - Configure an IPA server

SYNOPSIS
       ipa-server-install [OPTION]...

DESCRIPTION
       Configures  the  services  needed by an IPA server. This includes setting up a Kerberos Key Distribution Center (KDC) with an LDAP back-end, configuring
       Apache, configuring NTP and starting the ipa_kpasswd service provided by IPA. By default a dogtag-based CA will be configured to issue  server  certifi-
       cates.

OPTIONS
       -u, --user=DS_USER
              The user that the Directory Server will run as

       -r, --realm=REALM_NAME
              The Kerberos realm name for the IPA server

       -n, --domain=DOMAIN_NAME
              Your DNS domain name

       -p, --ds-password=DM_PASSWORD
              The password to be used by the Directory Server for the Directory Manager user

       -P, --master-password=MASTER_PASSWORD
              The kerberos master password (normally autogenerated)

       -a, --admin-password=ADMIN_PASSWORD
              The password for the IPA admin user

       -d, --debug
              Enable debug logging when more verbose output is needed

       --selfsign
              Configure a self-signed CA instance for issuing server certificates instead of using dogtag for certificates

       --hostname=HOST_NAME
              The fully-qualified DNS name of this server

       --ip-address=IP_ADDRESS
              The  IP  address of this server. If this address does not match the address the host resolves to and --setup-dns is not selected the installation
              will fail.

      -U, --unattended
              An unattended installation that will never prompt for user input

       --setup-dns
              Generate a DNS zone if it does not exist already and configure the DNS server.  This option requires that you either specify  at  least  one  DNS
              forwarder through the --forwarder option or use the --no-forwarders option.

       --forwarder=IP_ADDRESS
              Add  a  DNS  forwarder to the DNS configuration. You can use this option multiple times to specify more forwarders, but at least one must be pro-
              vided, unless the --no-forwarders option is specified.

       --no-forwarders
              Do not add any DNS forwarders. Root DNS servers will be used instead.

       --zonemgr
              The e-mail address of the DNS zone manager. Defaults to root

       --no-host-dns
              Do not use DNS for hostname lookup during installation

       -N, --no-ntp
              Do not configure NTP

       --uninstall
              Uninstall an existing IPA installation

       --dirsrv_pkcs12=FILE
              PKCS#12 file containing the Directory Server SSL Certificate

       --http_pkcs12=FILE
              PKCS#12 file containing the Apache Server SSL Certificate

       --dirsrv_pin=DIRSRV_PIN
              The password of the Directory Server PKCS#12 file

       --http_pin=HTTP_PIN
              The password of the Apache Server PKCS#12 file

       --idstart=IDSTART
              The starting user and group id number (default random)

       --idmax=IDMAX
              The maximum user and group id number (default: idstart+199999). If set to zero, the default value will be used.

       --subject=SUBJECT

       --no_hbac_allow
              Don’t install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is  expected  that  users  will
              remove this rule before moving to production.

       EXIT STATUS
              0 if the installation was successful

              1 if an error occurred

freeipa                           Mar 14 2008            ipa-server-install(1)



Comment 1 Dmitri Pal 2011-06-17 17:39:45 UTC
https://fedorahosted.org/freeipa/ticket/1345

Comment 2 Martin Kosek 2011-06-22 13:00:17 UTC
This was already fixed upstream in ticket 1163 (BZ 693766):

master: 9de10f3674078ef8c423522e30fe704a2d09a7c2
ipa-2-0: 9a3bf577f831d3595cef6013cd319e3a4db03d1e


Updated man pages including --external-ca options:

NAME
       ipa-server-install - Configure an IPA server

SYNOPSIS
       ipa-server-install [OPTION]...

DESCRIPTION
       Configures the services needed by an IPA server. This includes setting up a Kerberos Key Dis‐
       tribution Center (KDC) with an LDAP back-end, configuring Apache, configuring NTP and  start‐
       ing  the ipa_kpasswd service provided by IPA. By default a dogtag-based CA will be configured
       to issue server certificates.

OPTIONS
       -r REALM_NAME, --realm=REALM_NAME
              The Kerberos realm name for the IPA server

       -n DOMAIN_NAME, --domain=DOMAIN_NAME
              Your DNS domain name

       -p DM_PASSWORD, --ds-password=DM_PASSWORD
              The password to be used by the Directory Server for the Directory Manager user

       -P MASTER_PASSWORD, --master-password=MASTER_PASSWORD
              The kerberos master password (normally autogenerated)

       -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
              The password for the IPA admin user

       -d, --debug
              Enable debug logging when more verbose output is needed

       --selfsign
              Configure a self-signed CA instance for issuing server certificates instead  of  using
              dogtag for certificates

       --external-ca
              Generate a CSR to be signed by an external CA

       --external_cert_file=FILE
              File containing PKCS#10 certificate

       --external_ca_file=FILE
              File containing PKCS#10 of the external CA chain

       --hostname=HOST_NAME
              The fully-qualified DNS name of this server
...

Comment 3 Rob Crittenden 2011-07-19 17:25:06 UTC
This was already fixed upstream in ticket #1163 (BZ 693766):

master: 9de10f3674078ef8c423522e30fe704a2d09a7c2
ipa-2-0: 9a3bf577f831d3595cef6013cd319e3a4db03d1e

*** This bug has been marked as a duplicate of bug 693766 ***