[web] adding gid and uid information for freeipa ticket 1183
Ella Lackey
elladeon at fedoraproject.org
Tue Jun 28 22:12:37 UTC 2011
commit c27bccf27dd788ed24c21a32fcdef11942fd810d
Author: Deon Lackey <dlackey at redhat.com>
Date: Tue Jun 28 18:11:17 2011 -0400
adding gid and uid information for freeipa ticket 1183
fedoradocs.db | Bin 530432 -> 530432 bytes
public_html/as-IN/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/as-IN/opds-Fedora_Core.xml | 2 +-
.../as-IN/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/as-IN/opds.xml | 10 +-
public_html/bg-BG/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/bg-BG/opds-Fedora_Core.xml | 2 +-
.../bg-BG/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/bg-BG/opds.xml | 10 +-
public_html/bn-IN/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/bn-IN/opds-Fedora_Core.xml | 2 +-
.../bn-IN/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/bn-IN/opds.xml | 10 +-
public_html/bs-BA/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/bs-BA/opds-Fedora_Core.xml | 2 +-
.../bs-BA/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/bs-BA/opds.xml | 10 +-
public_html/ca-ES/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/ca-ES/opds-Fedora_Core.xml | 2 +-
.../ca-ES/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/ca-ES/opds.xml | 10 +-
public_html/cs-CZ/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/cs-CZ/opds-Fedora_Core.xml | 2 +-
.../cs-CZ/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/cs-CZ/opds.xml | 10 +-
public_html/da-DK/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/da-DK/opds-Fedora_Core.xml | 2 +-
.../da-DK/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/da-DK/opds.xml | 10 +-
public_html/de-DE/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/de-DE/opds-Fedora_Core.xml | 2 +-
.../de-DE/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/de-DE/opds.xml | 10 +-
public_html/el-GR/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/el-GR/opds-Fedora_Core.xml | 2 +-
.../el-GR/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/el-GR/opds.xml | 10 +-
.../Fedora-15-FreeIPA_Guide-en-US.epub | Bin 933586 -> 934731 bytes
.../Fedora/15/html-single/FreeIPA_Guide/index.html | 1342 ++++---------------
...g_Certificates_and_Certificate_Authorities.html | 12 +-
...-Activating_and_Deactivating_User_Accounts.html | 8 +-
.../Configuring_IPA_Users-Deleting_IPA_Users.html | 8 +-
...IPA_Users-Specifying_Default_User_Settings.html | 6 +-
.../Configuring_Microsoft_Windows.html | 6 +-
.../Configuring_an_IPA_Client_on_AIX.html | 8 +-
.../Configuring_an_IPA_Client_on_HP_UX.html | 26 +-
...onfiguring_an_IPA_Client_on_Macintosh_OS_X.html | 24 +-
.../Configuring_an_IPA_Client_on_Solaris.html | 10 +-
...neral_Troubleshooting_Tips-Client_Problems.html | 6 +-
.../Fedora/15/html/FreeIPA_Guide/Glossary.html | 4 +-
.../Installing_the_IPA_Server_Packages.html | 8 +-
.../Managing-Unique_UID_and_GID_Attributes.html | 10 +-
.../Migrating_from_a_Directory_Server_to_IPA.html | 28 +-
.../FreeIPA_Guide/Uninstalling_IPA_Servers.html | 6 +-
..._DNS-Creating_DNS_Entries_for_IPA_Replicas.html | 6 +-
.../15/html/FreeIPA_Guide/active-directory.html | 8 +-
.../Fedora/15/html/FreeIPA_Guide/adding-users.html | 10 +-
.../en-US/Fedora/15/html/FreeIPA_Guide/authz.html | 6 +-
.../Fedora/15/html/FreeIPA_Guide/automount.html | 10 +-
.../Fedora/15/html/FreeIPA_Guide/basic-usage.html | 138 ++-
.../en-US/Fedora/15/html/FreeIPA_Guide/certs.html | 8 +-
...anagement_Guide-Frequently_Asked_Questions.html | 28 +-
...y_Management_Guide-Setting_up_IPA_Replicas.html | 16 +-
.../html/FreeIPA_Guide/config-virt-machines.html | 8 +-
.../configuring-active-directory.html | 8 +-
.../html/FreeIPA_Guide/configuring-automount.html | 24 +-
.../15/html/FreeIPA_Guide/configuring-sudo.html | 14 +-
.../15/html/FreeIPA_Guide/creating-server.html | 50 +-
.../html/FreeIPA_Guide/disabling-anon-binds.html | 6 +-
.../Fedora/15/html/FreeIPA_Guide/doc-history.html | 4 +-
.../15/html/FreeIPA_Guide/editing-users.html | 6 +-
.../15/html/FreeIPA_Guide/enrolling-machines.html | 14 +-
.../en-US/Fedora/15/html/FreeIPA_Guide/index.html | 6 +-
.../15/html/FreeIPA_Guide/installing-ipa.html | 46 +-
.../Fedora/15/html/FreeIPA_Guide/ipa-apache.html | 6 +-
.../Fedora/15/html/FreeIPA_Guide/ipa-cluster.html | 14 +-
.../en-US/Fedora/15/html/FreeIPA_Guide/ix01.html | 2 +-
.../15/html/FreeIPA_Guide/kerb-policies.html | 6 +-
.../Fedora/15/html/FreeIPA_Guide/kerberos.html | 6 +-
.../Fedora/15/html/FreeIPA_Guide/logging.html | 6 +-
.../15/html/FreeIPA_Guide/managing-clients.html | 22 +-
.../15/html/FreeIPA_Guide/migrintg-from-nis.html | 14 +-
.../en-US/Fedora/15/html/FreeIPA_Guide/nis.html | 16 +-
.../15/html/FreeIPA_Guide/promoting-replica.html | 6 +-
.../15/html/FreeIPA_Guide/renaming-machines.html | 8 +-
.../15/html/FreeIPA_Guide/rotating-keys.html | 6 +-
.../15/html/FreeIPA_Guide/search-limits.html | 6 +-
.../Fedora/15/html/FreeIPA_Guide/searching.html | 10 +-
...Authentication-Refreshing_Kerberos_Tickets.html | 8 +-
...pals-Creating_and_Using_Service_Principals.html | 20 +-
...guring_the_Network_Information_Service_NIS.html | 10 +-
...neral_Troubleshooting_Tips-Kerberos_Errors.html | 6 +-
...ccess_Control_Policies-HBAC_Service_Groups.html | 6 +-
...ased_Access_Control_Policies-HBAC_Services.html | 6 +-
...to_IPA-Performing_a_Client_based_Migration.html | 16 +-
...to_IPA-Performing_a_Server_based_Migration.html | 20 +-
...-Prerequisites-Setting_up_Active_Directory.html | 10 +-
...ectory-Creating_Synchronization_Agreements.html | 8 +-
...ectory-Deleting_Synchronization_Agreements.html | 6 +-
...ctory-Modifying_Synchronization_Agreements.html | 10 +-
...ing_IPA_Servers-Winsync_Agreement_Failures.html | 6 +-
...e-Working_with_certmonger-Using_certmonger.html | 6 +-
..._with_certmonger-Using_certmonger_with_IPA.html | 6 +-
..._with_certmonger-Using_certmonger_with_NSS.html | 6 +-
...y_Management_Guide-Working_with_certmonger.html | 6 +-
.../15/html/FreeIPA_Guide/server-config.html | 20 +-
.../15/html/FreeIPA_Guide/setting-up-clients.html | 8 +-
.../en-US/Fedora/15/html/FreeIPA_Guide/sudo.html | 14 +-
.../15/html/FreeIPA_Guide/switching-users.html | 8 +-
.../html/FreeIPA_Guide/uninstalling-clients.html | 6 +-
.../Fedora/15/html/FreeIPA_Guide/user-groups.html | 18 +-
.../15/html/FreeIPA_Guide/user-pwdpolicy.html | 30 +-
.../en-US/Fedora/15/html/FreeIPA_Guide/users.html | 6 +-
.../Fedora-15-FreeIPA_Guide-en-US.pdf | Bin 1474094 -> 1209712 bytes
public_html/en-US/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/en-US/opds-Fedora_Core.xml | 2 +-
.../en-US/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/en-US/opds.xml | 10 +-
public_html/es-ES/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/es-ES/opds-Fedora_Core.xml | 2 +-
.../es-ES/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/es-ES/opds.xml | 10 +-
public_html/fa-IR/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/fa-IR/opds-Fedora_Core.xml | 2 +-
.../fa-IR/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/fa-IR/opds.xml | 10 +-
public_html/fi-FI/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/fi-FI/opds-Fedora_Core.xml | 2 +-
.../fi-FI/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/fi-FI/opds.xml | 10 +-
public_html/fr-FR/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/fr-FR/opds-Fedora_Core.xml | 2 +-
.../fr-FR/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/fr-FR/opds.xml | 10 +-
public_html/gu-IN/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/gu-IN/opds-Fedora_Core.xml | 2 +-
.../gu-IN/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/gu-IN/opds.xml | 10 +-
public_html/he-IL/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/he-IL/opds-Fedora_Core.xml | 2 +-
.../he-IL/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/he-IL/opds.xml | 10 +-
public_html/hi-IN/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/hi-IN/opds-Fedora_Core.xml | 2 +-
.../hi-IN/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/hi-IN/opds.xml | 10 +-
public_html/hu-HU/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/hu-HU/opds-Fedora_Core.xml | 2 +-
.../hu-HU/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/hu-HU/opds.xml | 10 +-
public_html/id-ID/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/id-ID/opds-Fedora_Core.xml | 2 +-
.../id-ID/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/id-ID/opds.xml | 10 +-
public_html/it-IT/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/it-IT/opds-Fedora_Core.xml | 2 +-
.../it-IT/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/it-IT/opds.xml | 10 +-
public_html/ja-JP/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/ja-JP/opds-Fedora_Core.xml | 2 +-
.../ja-JP/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/ja-JP/opds.xml | 10 +-
public_html/kn-IN/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/kn-IN/opds-Fedora_Core.xml | 2 +-
.../kn-IN/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/kn-IN/opds.xml | 10 +-
public_html/ko-KR/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/ko-KR/opds-Fedora_Core.xml | 2 +-
.../ko-KR/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/ko-KR/opds.xml | 10 +-
public_html/ml-IN/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/ml-IN/opds-Fedora_Core.xml | 2 +-
.../ml-IN/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/ml-IN/opds.xml | 10 +-
public_html/mr-IN/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/mr-IN/opds-Fedora_Core.xml | 2 +-
.../mr-IN/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/mr-IN/opds.xml | 10 +-
public_html/nb-NO/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/nb-NO/opds-Fedora_Core.xml | 2 +-
.../nb-NO/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/nb-NO/opds.xml | 10 +-
public_html/nl-NL/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/nl-NL/opds-Fedora_Core.xml | 2 +-
.../nl-NL/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/nl-NL/opds.xml | 10 +-
public_html/opds.xml | 86 +-
public_html/or-IN/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/or-IN/opds-Fedora_Core.xml | 2 +-
.../or-IN/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/or-IN/opds.xml | 10 +-
public_html/pa-IN/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/pa-IN/opds-Fedora_Core.xml | 2 +-
.../pa-IN/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/pa-IN/opds.xml | 10 +-
public_html/pl-PL/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/pl-PL/opds-Fedora_Core.xml | 2 +-
.../pl-PL/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/pl-PL/opds.xml | 10 +-
public_html/pt-BR/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/pt-BR/opds-Fedora_Core.xml | 2 +-
.../pt-BR/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/pt-BR/opds.xml | 10 +-
public_html/pt-PT/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/pt-PT/opds-Fedora_Core.xml | 2 +-
.../pt-PT/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/pt-PT/opds.xml | 10 +-
public_html/ru-RU/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/ru-RU/opds-Fedora_Core.xml | 2 +-
.../ru-RU/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/ru-RU/opds.xml | 10 +-
public_html/sk-SK/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/sk-SK/opds-Fedora_Core.xml | 2 +-
.../sk-SK/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/sk-SK/opds.xml | 10 +-
public_html/sr-Latn-RS/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/sr-Latn-RS/opds-Fedora_Core.xml | 2 +-
.../sr-Latn-RS/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/sr-Latn-RS/opds.xml | 10 +-
public_html/sr-RS/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/sr-RS/opds-Fedora_Core.xml | 2 +-
.../sr-RS/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/sr-RS/opds.xml | 10 +-
public_html/sv-SE/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/sv-SE/opds-Fedora_Core.xml | 2 +-
.../sv-SE/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/sv-SE/opds.xml | 10 +-
public_html/ta-IN/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/ta-IN/opds-Fedora_Core.xml | 2 +-
.../ta-IN/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/ta-IN/opds.xml | 10 +-
public_html/te-IN/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/te-IN/opds-Fedora_Core.xml | 2 +-
.../te-IN/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/te-IN/opds.xml | 10 +-
public_html/uk-UA/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/uk-UA/opds-Fedora_Core.xml | 2 +-
.../uk-UA/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/uk-UA/opds.xml | 10 +-
public_html/zh-CN/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/zh-CN/opds-Fedora_Core.xml | 2 +-
.../zh-CN/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/zh-CN/opds.xml | 10 +-
public_html/zh-TW/opds-Fedora.xml | 2 +-
.../opds-Fedora_Contributor_Documentation.xml | 2 +-
public_html/zh-TW/opds-Fedora_Core.xml | 2 +-
.../zh-TW/opds-Fedora_Draft_Documentation.xml | 2 +-
public_html/zh-TW/opds.xml | 10 +-
289 files changed, 1255 insertions(+), 1909 deletions(-)
---
diff --git a/fedoradocs.db b/fedoradocs.db
index f414530..7644718 100644
Binary files a/fedoradocs.db and b/fedoradocs.db differ
diff --git a/public_html/as-IN/opds-Fedora.xml b/public_html/as-IN/opds-Fedora.xml
index 5954945..cf8b507 100644
--- a/public_html/as-IN/opds-Fedora.xml
+++ b/public_html/as-IN/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/as-IN/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:42</updated>
+ <updated>2011-06-28T22:10:45</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/as-IN/opds-Fedora_Contributor_Documentation.xml b/public_html/as-IN/opds-Fedora_Contributor_Documentation.xml
index 6201ab1..7af7f19 100644
--- a/public_html/as-IN/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/as-IN/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/as-IN/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:45</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/as-IN/opds-Fedora_Core.xml b/public_html/as-IN/opds-Fedora_Core.xml
index f9a2db5..95068aa 100644
--- a/public_html/as-IN/opds-Fedora_Core.xml
+++ b/public_html/as-IN/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/as-IN/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:45</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/as-IN/opds-Fedora_Draft_Documentation.xml b/public_html/as-IN/opds-Fedora_Draft_Documentation.xml
index f862a6c..983771e 100644
--- a/public_html/as-IN/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/as-IN/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/as-IN/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:45</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/as-IN/opds.xml b/public_html/as-IN/opds.xml
index acf2cea..bc332fe 100644
--- a/public_html/as-IN/opds.xml
+++ b/public_html/as-IN/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/as-IN/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/as-IN/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:45</updated>
<dc:language>as-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/as-IN/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:45</updated>
<dc:language>as-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/as-IN/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:45</updated>
<dc:language>as-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/as-IN/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:45</updated>
<dc:language>as-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/bg-BG/opds-Fedora.xml b/public_html/bg-BG/opds-Fedora.xml
index 6a2bda3..65f7044 100644
--- a/public_html/bg-BG/opds-Fedora.xml
+++ b/public_html/bg-BG/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/bg-BG/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/bg-BG/opds-Fedora_Contributor_Documentation.xml b/public_html/bg-BG/opds-Fedora_Contributor_Documentation.xml
index 4ff03d6..06f6f72 100644
--- a/public_html/bg-BG/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/bg-BG/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/bg-BG/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/bg-BG/opds-Fedora_Core.xml b/public_html/bg-BG/opds-Fedora_Core.xml
index 053c204..a4a1e47 100644
--- a/public_html/bg-BG/opds-Fedora_Core.xml
+++ b/public_html/bg-BG/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/bg-BG/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/bg-BG/opds-Fedora_Draft_Documentation.xml b/public_html/bg-BG/opds-Fedora_Draft_Documentation.xml
index 3673981..e545b28 100644
--- a/public_html/bg-BG/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/bg-BG/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/bg-BG/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/bg-BG/opds.xml b/public_html/bg-BG/opds.xml
index 5b61dd3..f60e812 100644
--- a/public_html/bg-BG/opds.xml
+++ b/public_html/bg-BG/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/bg-BG/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/bg-BG/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>bg-BG</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/bg-BG/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>bg-BG</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/bg-BG/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>bg-BG</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/bg-BG/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>bg-BG</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/bn-IN/opds-Fedora.xml b/public_html/bn-IN/opds-Fedora.xml
index 6f7f039..e466532 100644
--- a/public_html/bn-IN/opds-Fedora.xml
+++ b/public_html/bn-IN/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/bn-IN/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/bn-IN/opds-Fedora_Contributor_Documentation.xml b/public_html/bn-IN/opds-Fedora_Contributor_Documentation.xml
index 742463b..912b273 100644
--- a/public_html/bn-IN/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/bn-IN/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/bn-IN/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/bn-IN/opds-Fedora_Core.xml b/public_html/bn-IN/opds-Fedora_Core.xml
index 8b61fa0..7c8b354 100644
--- a/public_html/bn-IN/opds-Fedora_Core.xml
+++ b/public_html/bn-IN/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/bn-IN/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/bn-IN/opds-Fedora_Draft_Documentation.xml b/public_html/bn-IN/opds-Fedora_Draft_Documentation.xml
index c053050..bc6336c 100644
--- a/public_html/bn-IN/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/bn-IN/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/bn-IN/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/bn-IN/opds.xml b/public_html/bn-IN/opds.xml
index 5dce3a1..28c00dc 100644
--- a/public_html/bn-IN/opds.xml
+++ b/public_html/bn-IN/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/bn-IN/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/bn-IN/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>bn-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/bn-IN/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>bn-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/bn-IN/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>bn-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/bn-IN/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>bn-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/bs-BA/opds-Fedora.xml b/public_html/bs-BA/opds-Fedora.xml
index d923cd5..d31766d 100644
--- a/public_html/bs-BA/opds-Fedora.xml
+++ b/public_html/bs-BA/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/bs-BA/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/bs-BA/opds-Fedora_Contributor_Documentation.xml b/public_html/bs-BA/opds-Fedora_Contributor_Documentation.xml
index 8a94a6e..9e0a321 100644
--- a/public_html/bs-BA/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/bs-BA/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/bs-BA/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/bs-BA/opds-Fedora_Core.xml b/public_html/bs-BA/opds-Fedora_Core.xml
index d5a5a64..8f23820 100644
--- a/public_html/bs-BA/opds-Fedora_Core.xml
+++ b/public_html/bs-BA/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/bs-BA/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/bs-BA/opds-Fedora_Draft_Documentation.xml b/public_html/bs-BA/opds-Fedora_Draft_Documentation.xml
index 2a1980e..0ef01a9 100644
--- a/public_html/bs-BA/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/bs-BA/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/bs-BA/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/bs-BA/opds.xml b/public_html/bs-BA/opds.xml
index de2a375..6c302f7 100644
--- a/public_html/bs-BA/opds.xml
+++ b/public_html/bs-BA/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/bs-BA/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/bs-BA/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>bs-BA</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/bs-BA/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>bs-BA</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/bs-BA/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>bs-BA</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/bs-BA/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>bs-BA</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/ca-ES/opds-Fedora.xml b/public_html/ca-ES/opds-Fedora.xml
index ef7fd4d..ef30408 100644
--- a/public_html/ca-ES/opds-Fedora.xml
+++ b/public_html/ca-ES/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ca-ES/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ca-ES/opds-Fedora_Contributor_Documentation.xml b/public_html/ca-ES/opds-Fedora_Contributor_Documentation.xml
index 4339d6c..15bf5f5 100644
--- a/public_html/ca-ES/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/ca-ES/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ca-ES/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ca-ES/opds-Fedora_Core.xml b/public_html/ca-ES/opds-Fedora_Core.xml
index 08d4580..8c906ca 100644
--- a/public_html/ca-ES/opds-Fedora_Core.xml
+++ b/public_html/ca-ES/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ca-ES/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ca-ES/opds-Fedora_Draft_Documentation.xml b/public_html/ca-ES/opds-Fedora_Draft_Documentation.xml
index 8df95f9..3766609 100644
--- a/public_html/ca-ES/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/ca-ES/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ca-ES/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ca-ES/opds.xml b/public_html/ca-ES/opds.xml
index f128180..09a48c0 100644
--- a/public_html/ca-ES/opds.xml
+++ b/public_html/ca-ES/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/ca-ES/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/ca-ES/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>ca-ES</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/ca-ES/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>ca-ES</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/ca-ES/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>ca-ES</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/ca-ES/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>ca-ES</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/cs-CZ/opds-Fedora.xml b/public_html/cs-CZ/opds-Fedora.xml
index 165a279..d04c4e7 100644
--- a/public_html/cs-CZ/opds-Fedora.xml
+++ b/public_html/cs-CZ/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/cs-CZ/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/cs-CZ/opds-Fedora_Contributor_Documentation.xml b/public_html/cs-CZ/opds-Fedora_Contributor_Documentation.xml
index 2ac71e0..aabcbc2 100644
--- a/public_html/cs-CZ/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/cs-CZ/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/cs-CZ/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/cs-CZ/opds-Fedora_Core.xml b/public_html/cs-CZ/opds-Fedora_Core.xml
index 6a4ec8d..2f8abb4 100644
--- a/public_html/cs-CZ/opds-Fedora_Core.xml
+++ b/public_html/cs-CZ/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/cs-CZ/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/cs-CZ/opds-Fedora_Draft_Documentation.xml b/public_html/cs-CZ/opds-Fedora_Draft_Documentation.xml
index 84886a4..3f09a80 100644
--- a/public_html/cs-CZ/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/cs-CZ/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/cs-CZ/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/cs-CZ/opds.xml b/public_html/cs-CZ/opds.xml
index 58a20bc..a04dcbb 100644
--- a/public_html/cs-CZ/opds.xml
+++ b/public_html/cs-CZ/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/cs-CZ/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/cs-CZ/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>cs-CZ</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/cs-CZ/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>cs-CZ</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/cs-CZ/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>cs-CZ</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/cs-CZ/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>cs-CZ</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/da-DK/opds-Fedora.xml b/public_html/da-DK/opds-Fedora.xml
index febaca6..baa9df4 100644
--- a/public_html/da-DK/opds-Fedora.xml
+++ b/public_html/da-DK/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/da-DK/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/da-DK/opds-Fedora_Contributor_Documentation.xml b/public_html/da-DK/opds-Fedora_Contributor_Documentation.xml
index a246514..f4aba79 100644
--- a/public_html/da-DK/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/da-DK/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/da-DK/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/da-DK/opds-Fedora_Core.xml b/public_html/da-DK/opds-Fedora_Core.xml
index 13e666e..76369d6 100644
--- a/public_html/da-DK/opds-Fedora_Core.xml
+++ b/public_html/da-DK/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/da-DK/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/da-DK/opds-Fedora_Draft_Documentation.xml b/public_html/da-DK/opds-Fedora_Draft_Documentation.xml
index b09e6e3..b4eb3a8 100644
--- a/public_html/da-DK/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/da-DK/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/da-DK/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/da-DK/opds.xml b/public_html/da-DK/opds.xml
index 580993e..de83f38 100644
--- a/public_html/da-DK/opds.xml
+++ b/public_html/da-DK/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/da-DK/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/da-DK/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>da-DK</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/da-DK/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>da-DK</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/da-DK/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>da-DK</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/da-DK/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>da-DK</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/de-DE/opds-Fedora.xml b/public_html/de-DE/opds-Fedora.xml
index 4c56c13..48f386c 100644
--- a/public_html/de-DE/opds-Fedora.xml
+++ b/public_html/de-DE/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/de-DE/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/de-DE/opds-Fedora_Contributor_Documentation.xml b/public_html/de-DE/opds-Fedora_Contributor_Documentation.xml
index 2451a1e..0064e56 100644
--- a/public_html/de-DE/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/de-DE/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/de-DE/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/de-DE/opds-Fedora_Core.xml b/public_html/de-DE/opds-Fedora_Core.xml
index 6192393..c64be51 100644
--- a/public_html/de-DE/opds-Fedora_Core.xml
+++ b/public_html/de-DE/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/de-DE/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/de-DE/opds-Fedora_Draft_Documentation.xml b/public_html/de-DE/opds-Fedora_Draft_Documentation.xml
index 77cc6a1..2047b49 100644
--- a/public_html/de-DE/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/de-DE/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/de-DE/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/de-DE/opds.xml b/public_html/de-DE/opds.xml
index 3d95740..f9f7446 100644
--- a/public_html/de-DE/opds.xml
+++ b/public_html/de-DE/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/de-DE/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/de-DE/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>de-DE</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/de-DE/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>de-DE</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/de-DE/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>de-DE</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/de-DE/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>de-DE</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/el-GR/opds-Fedora.xml b/public_html/el-GR/opds-Fedora.xml
index a0327bd..7dbdf2a 100644
--- a/public_html/el-GR/opds-Fedora.xml
+++ b/public_html/el-GR/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/el-GR/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/el-GR/opds-Fedora_Contributor_Documentation.xml b/public_html/el-GR/opds-Fedora_Contributor_Documentation.xml
index 33bee34..b62d88a 100644
--- a/public_html/el-GR/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/el-GR/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/el-GR/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/el-GR/opds-Fedora_Core.xml b/public_html/el-GR/opds-Fedora_Core.xml
index bd82120..1b84e13 100644
--- a/public_html/el-GR/opds-Fedora_Core.xml
+++ b/public_html/el-GR/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/el-GR/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/el-GR/opds-Fedora_Draft_Documentation.xml b/public_html/el-GR/opds-Fedora_Draft_Documentation.xml
index 9832864..5dcb2df 100644
--- a/public_html/el-GR/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/el-GR/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/el-GR/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/el-GR/opds.xml b/public_html/el-GR/opds.xml
index 7dffdbe..172fa6f 100644
--- a/public_html/el-GR/opds.xml
+++ b/public_html/el-GR/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/el-GR/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/el-GR/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>el-GR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/el-GR/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>el-GR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/el-GR/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>el-GR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/el-GR/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>el-GR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/en-US/Fedora/15/epub/FreeIPA_Guide/Fedora-15-FreeIPA_Guide-en-US.epub b/public_html/en-US/Fedora/15/epub/FreeIPA_Guide/Fedora-15-FreeIPA_Guide-en-US.epub
index c745639..3a63a10 100644
Binary files a/public_html/en-US/Fedora/15/epub/FreeIPA_Guide/Fedora-15-FreeIPA_Guide-en-US.epub and b/public_html/en-US/Fedora/15/epub/FreeIPA_Guide/Fedora-15-FreeIPA_Guide-en-US.epub differ
diff --git a/public_html/en-US/Fedora/15/html-single/FreeIPA_Guide/index.html b/public_html/en-US/Fedora/15/html-single/FreeIPA_Guide/index.html
index 594c0e5..bf0d7cf 100644
--- a/public_html/en-US/Fedora/15/html-single/FreeIPA_Guide/index.html
+++ b/public_html/en-US/Fedora/15/html-single/FreeIPA_Guide/index.html
@@ -7,10 +7,10 @@
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><div xml:lang="en-US" class="book" id="id4831632" lang="en-US"><div class="titlepage"><div><div class="producttitle"><span class="productname">Fedora</span> <span class="productnumber">15</span></div><div><h1 id="id4831632" class="title">FreeIPA: Identity/Policy Management</h1></div><div><h2 class="subtitle">Managing Identity and Authorization Policies for Linux-Based Enterprise Networks</h2></div><p class="edition">Edition 0.1</p><div><h3 class="corpauthor">
+ </script></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><div xml:lang="en-US" class="book" id="id4700703" lang="en-US"><div class="titlepage"><div><div class="producttitle"><span class="productname">Fedora</span> <span class="productnumber">15</span></div><div><h1 id="id4700703" class="title">FreeIPA: Identity/Policy Management</h1></div><div><h2 class="subtitle">Managing Identity and Authorization Policies for Linux-Based Enterprise Networks</h2></div><p class="edition">Edition 0.1</p><div><h3 class="corpauthor">
<span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"> </object></span>
- </h3></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Ella Deon</span> <span class="surname">Lackey</span></h3><code class="email"><a class="email" href="mailto:dlackey at redhat.com">dlackey at redhat.com</a></code></div></div></div><hr /><div><div id="id3202736" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
+ </h3></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Ella Deon</span> <span class="surname">Lackey</span></h3><code class="email"><a class="email" href="mailto:dlackey at redhat.com">dlackey at redhat.com</a></code></div></div></div><hr /><div><div id="id3242808" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
Copyright <span class="trademark"></span>© 2011 Red Hat.
</div><div class="para">
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at <a href="http://creativecommons.org/licenses/by-sa/3.0/">http://creativecommons.org/licenses/by-sa/3.0/</a>. The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
@@ -26,7 +26,7 @@
All other trademarks are the property of their respective owners.
</div></div></div><div><div class="abstract"><h6>Abstract</h6><div class="para">
Identity and policy management — for both users and machines — is a core function for almost any enterprise environment. IPA provides a way to create an identity domain that allows machines to enroll to a domain and immediately access identity information reuqired for single sign-on and authentication services, as well as policy settings that govern authorization and access. This manual covers all aspects of installing, configuring, and managing IPA domains, including both servers and clients. This guide is intended for IT and systems administrators.
- </div></div></div></div><hr /></div><div class="toc"><dl><dt><span class="preface"><a href="#Preface">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="#audience">1. Audience and Purpose</a></span></dt><dt><span class="section"><a href="#Document_Conventions">2. Examples and Formatting</a></span></dt><dd><dl><dt><span class="section"><a href="#bracketsexamples">2.1. Brackets</a></span></dt><dt><span class="section"><a href="#tool-locations">2.2. Client Tool Information</a></span></dt><dt><span class="section"><a href="#guide-formatting">2.3. Text Formatting and Styles</a></span></dt></dl></dd><dt><span class="section"><a href="#feedback">3. Giving Feedback</a></span></dt><dt><span class="section"><a href="#doc-history">4. Document Change History</a></span></dt></dl></dd><dt><span class="chapter"><a href="#introduction">1. Introduction to FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="#ipa-v-ldap">1.1. FreeIPA v. LDAP: A More Focused Type
of Service</a></span></dt><dt><span class="section"><a href="#ipa-domains">1.2. About FreeIPA Domains</a></span></dt><dd><dl><dt><span class="section"><a href="#The_IPA_Core">1.2.1. The FreeIPA Server</a></span></dt><dt><span class="section"><a href="#IPA_Managed_Hosts">1.2.2. FreeIPA Managed Hosts</a></span></dt><dt><span class="section"><a href="#external-work">1.2.3. Integration with Non-Fedora Services</a></span></dt></dl></dd><dt><span class="section"><a href="#ipa-components">1.3. Identity Management: Authentication</a></span></dt><dt><span class="section"><a href="#policy">1.4. Defining Policies: Authorization</a></span></dt></dl></dd><dt><span class="chapter"><a href="#installing-ipa">2. Installing a FreeIPA Server</a></span></dt><dd><dl><dt><span class="section"><a href="#Preparing_for_an_IPA_Installation">2.1. Preparing to Install the FreeIPA Server</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Preparing_for_an
_IPA_Installation-Hardware_Requirements">2.1.1. Hardware Requirements</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Software_Requirements">2.1.2. Software Requirements</a></span></dt><dt><span class="section"><a href="#prerequisites">2.1.3. System Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#Installing_the_IPA_Server_Packages">2.2. Installing the FreeIPA Server Packages</a></span></dt><dt><span class="section"><a href="#creating-server">2.3. Creating a FreeIPA Server Instance</a></span></dt><dd><dl><dt><span class="section"><a href="#install-command">2.3.1. About ipa-server-install</a></span></dt><dt><span class="section"><a href="#install-interactive">2.3.2. Setting up a FreeIPA Server: Basic Interactive Installation</a></span></dt><dt><span class="section"><a href="#install-examples">2.3.3. Examples of Creating the FreeIPA Server</a></span></dt><dt><span class="se
ction"><a href="#troubleshooting-install">2.3.4. Troubleshooting Installation Problems</a></span></dt></dl></dd><dt><span class="section"><a href="#chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas">2.4. Setting up FreeIPA Replicas</a></span></dt><dd><dl><dt><span class="section"><a href="#installing-replica">2.4.1. Prepping and Installing the Replica Server</a></span></dt><dt><span class="section"><a href="#creating-the-replica">2.4.2. Creating the Replica</a></span></dt><dt><span class="section"><a href="#troubleshooting-replica-install">2.4.3. Troubleshooting Replica Installation</a></span></dt></dl></dd><dt><span class="section"><a href="#Uninstalling_IPA_Servers">2.5. Uninstalling FreeIPA Servers and Replicas</a></span></dt></dl></dd><dt><span class="chapter"><a href="#setting-up-clients">3. Setting up Systems as FreeIPA Clients</a></span></dt><dd><dl><dt><span class="section"><a href="#what-happens-clients">3.1. What Happens in Client Setup</a></span></
dt><dt><span class="section"><a href="#Configuring_Microsoft_Windows">3.2. Configuring a Microsoft Windows System as a FreeIPA Client</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Solaris">3.3. Configuring a Solaris System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Solaris_10">3.3.1. Configuring Solaris 10</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9">3.3.2. Configuring Solaris 9</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX">3.4. Configuring an HP-UX System as a FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX-Configuring_NTP">3.4.1. Configuring NTP</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX-Configuring_LDAP_Authentication">3.4.2. Configuring LDAP Authe
ntication</a></span></dt><dt><span class="section"><a href="#Configuring_Kerberos_and_PAM-Configuring_Kerberos">3.4.3. Configuring Kerberos</a></span></dt><dt><span class="section"><a href="#Configuring_Kerberos_and_PAM-Configuring_PAM">3.4.4. Configuring PAM</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX-Configuring_SSH">3.4.5. Configuring SSH</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX-Configuring_Access_Control">3.4.6. Configuring Access Control</a></span></dt><dt><span class="section"><a href="#hp-test">3.4.7. Testing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_AIX">3.5. Configuring an AIX System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_AIX-Prerequisites">3.5.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_AIX-Conf
iguring_Client_Authentication">3.5.2. Configuring the AIX Client</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X">3.6. Configuring a Macintosh OS X System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_Kerberos_Authentication">3.6.1. Configuring Kerberos Authentication</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_LDAP_Authorization">3.6.2. Configuring LDAP Authorization</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_the_LDAP_Authorization_Options">3.6.3. Configuring the LDAP Authorization Options</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_NTP">3.6.4. Configuring NTP</a></span></dt><dt><span class="section"><a href="#testing-config-on-mac">3.6.5. Test
ing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#uninstalling-clients">3.7. Uninstalling a FreeIPA Client</a></span></dt></dl></dd><dt><span class="chapter"><a href="#basic-usage">4. Basic UI Usage</a></span></dt><dd><dl><dt><span class="section"><a href="#ipa-ui">4.1. Looking at the FreeIPA UI</a></span></dt><dt><span class="section"><a href="#using-the-ui">4.2. Using the FreeIPA UI</a></span></dt><dd><dl><dt><span class="section"><a href="#config-browser">4.2.1. Configuring the Browser</a></span></dt><dt><span class="section"><a href="#logging-in">4.2.2. Logging into the FreeIPA UI</a></span></dt><dt><span class="section"><a href="#Configuring_a_Browser_to_Work_with_IPA-Using_a_Browser_on_Another_System">4.2.3. Using a Browser on Another System</a></span></dt><dt><span class="section"><a href="#Enabling_UsernamePassword_Authentication_in_Your_Browser">4.2.4. Enabling Username/Password Authentication in Your Browser</a></span></dt></dl></dd
><dt><span class="section"><a href="#switching-users">4.3. Switching Users</a></span></dt></dl></dd><dt><span class="chapter"><a href="#managing-clients">5. Managing Clients in the FreeIPA Domain</a></span></dt><dd><dl><dt><span class="section"><a href="#IPA_Command_Line_Tools-Working_with_DNS">5.1. Working with DNS</a></span></dt><dd><dl><dt><span class="section"><a href="#Working_with_DNS-Adding_Hosts_to_an_IPA_DNS">5.1.1. Adding Hosts to a FreeIPA DNS</a></span></dt><dt><span class="section"><a href="#Working_with_DNS-Removing_Hosts_from_an_IPA_DNS">5.1.2. Removing Hosts from a FreeIPA DNS</a></span></dt><dt><span class="section"><a href="#Working_with_DNS-Managing_DNS_Zones">5.1.3. Managing DNS Zones</a></span></dt></dl></dd><dt><span class="section"><a href="#enrolling-machines">5.2. Enrolling Machines</a></span></dt><dd><dl><dt><span class="section"><a href="#Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator">5.2.1. Manual Host Enrollment with P
rivileged Administrator</a></span></dt><dt><span class="section"><a href="#Enrollment_Scenarios-Manual_Host_Enrollment_with_Separation_of_Duties">5.2.2. Manual Host Enrollment with Separation of Duties</a></span></dt><dt><span class="section"><a href="#Enrollment_Scenarios-Bulk_Host_Deployment">5.2.3. Bulk Host Deployment</a></span></dt></dl></dd><dt><span class="section"><a href="#renaming-machines">5.3. Renaming Machines</a></span></dt><dt><span class="section"><a href="#config-virt-machines">5.4. Reconfiguring Virtual Machines</a></span></dt><dt><span class="section"><a href="#certs">5.5. Configuring Certificate-Based Machine Authentication</a></span></dt><dt><span class="section"><a href="#General_Troubleshooting_Tips-Client_Problems">5.6. Client Problems</a></span></dt></dl></dd><dt><span class="chapter"><a href="#users">6. Identity: Managing Users and User Groups</a></span></dt><dd><dl><dt><span class="section"><a href="#home-directories">6.1. Managing User Home Direct
ories</a></span></dt><dt><span class="section"><a href="#adding-users">6.2. Adding Users</a></span></dt><dt><span class="section"><a href="#editing-users">6.3. Editing Users</a></span></dt><dt><span class="section"><a href="#Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts">6.4. Activating and Deactivating User Accounts</a></span></dt><dd><dl><dt><span class="section"><a href="#Activating_and_Deactivating_User_Accounts-Using_the_Command_Line">6.4.1. Using the Command Line</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_IPA_Users-Specifying_Default_User_Settings">6.5. Specifying Default User Settings</a></span></dt><dt><span class="section"><a href="#search-limits">6.6. Setting Default Search Limits</a></span></dt><dt><span class="section"><a href="#Configuring_IPA_Users-Deleting_IPA_Users">6.7. Deleting FreeIPA Users</a></span></dt><dd><dl><dt><span class="section"><a href="#Deleting_IPA_Users-Using_the_Command_Line">6.7.1. Using the C
ommand Line</a></span></dt></dl></dd><dt><span class="section"><a href="#user-groups">6.8. Creating User Groups</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_IPA_Groups-Creating_IPA_Groups">6.8.1. Creating FreeIPA Groups</a></span></dt><dt><span class="section"><a href="#Configuring_IPA_Groups-Editing_IPA_Groups">6.8.2. Editing FreeIPA Groups</a></span></dt><dt><span class="section"><a href="#Configuring_IPA_Groups-Deleting_IPA_Groups">6.8.3. Deleting FreeIPA Groups</a></span></dt></dl></dd><dt><span class="section"><a href="#user-pwdpolicy">6.9. Setting an Individual Password Policy</a></span></dt><dd><dl><dt><span class="section"><a href="#The_IPA_Password_Policy-Changing_Passwords_as_the_Directory_Manager">6.9.1. Changing Passwords as the Directory Manager</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Changing_Passwords_as_the_IPA_Administrator">6.9.2. Changing Passwords as the FreeIPA Administrator</a></span></dt><dt>
<span class="section"><a href="#The_IPA_Password_Policy-Changing_Passwords_as_a_Regular_User">6.9.3. Changing Passwords as a Regular User</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Editing_the_Password_Policy">6.9.4. Editing the Password Policy</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Setting_Different_Password_Policies_for_Different_User_Groups">6.9.5. Setting Different Password Policies for Different User Groups</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Password_Policy_Attributes">6.9.6. Password Policy Attributes</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Notifying_Users_of_Password_Expiration">6.9.7. Notifying Users of Password Expiration</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Using_SSH_for_Password_Authentication">6.9.8. Using SSH for Password Authentication</a></span></dt><dt><span class="section"><a href
="#The_IPA_Password_Policy-Using_Local_Logins">6.9.9. Using Local Logins</a></span></dt></dl></dd><dt><span class="section"><a href="#searching">6.10. Searching for Users and Groups</a></span></dt><dd><dl><dt><span class="section"><a href="#Searching_for_Users_and_Groups-Searching_for_Users">6.10.1. Searching for Users</a></span></dt><dt><span class="section"><a href="#Searching_for_Users_and_Groups-Searching_for_Groups">6.10.2. Searching for Groups</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#kerberos">7. Identity: Using FreeIPA for a Kerberos Domain</a></span></dt><dd><dl><dt><span class="section"><a href="#about-kerberos">7.1. About Kerberos</a></span></dt><dt><span class="section"><a href="#kerb-policies">7.2. Setting Kerberos Ticket Policies</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals">7.3. Creating and Using Service Principals<
/a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Creating_Service_Principals_and_Certificates_for_New_Services-Creating_an_IPA_Service">7.3.1. Creating a FreeIPA Service</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Configuring_an_NFS_Service_Principal_on_the_IPA_Server">7.3.2. Configuring an NFS Service Principal on the FreeIPA Server</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets">7.4. Refreshing Kerberos Tickets</a></span></dt><dt><span class="section"><a href="#rotating-keys">7.5. Rotating Keys</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors">7.6. Kerberos Errors</a></span></dt></dl></dd><dt><span class="chapter"><a href="#automount">8. Identity:
Using Automount</a></span></dt><dd><dl><dt><span class="section"><a href="#about-automount">8.1. About Automount and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Known_Issues_with_Automount">8.1.1. Known Issues with Automount</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Assumptions">8.1.2. Assumptions</a></span></dt></dl></dd><dt><span class="section"><a href="#configuring-automount">8.2. Configuring Automount</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_autofs_on_Linux">8.2.1. Configuring autofs on Linux</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Solaris_automount">8.2.2. Solaris automount</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_
Management_Guide-Configuring_Automount-Configuring_Indirect_Maps">8.2.3. Configuring Indirect Maps</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Links">8.2.4. Links</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#active-directory">9. Identity: Integrating with Microsoft Active Directory</a></span></dt><dd><dl><dt><span class="section"><a href="#about-active-directory">9.1. About Active Directory, IPA, and Identity Management</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Prerequisites-Domain_Name_Considerations">9.1.1. Domain Name Considerations</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory">9.2. Setting up Active Directory</a></span></dt><dt><span class="section"><a href="#configuring-active-directory">9.3. Configuring Active Directo
ry Synchronization</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements">9.4. Creating Synchronization Agreements</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements">9.5. Modifying Synchronization Agreements</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Changing_the_Default_Synchronization_Subtree">9.5.1. Changing the Default Synchronization Subtree</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements">9.6. Deleting Synchronization Agreements</a></span></dt><dt><span clas
s="section"><a href="#sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures">9.7. Winsync Agreement Failures</a></span></dt></dl></dd><dt><span class="chapter"><a href="#nis">10. Identity: Integrating with NIS Domains and Netgroups</a></span></dt><dd><dl><dt><span class="section"><a href="#about-nis">10.1. About NIS and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-What_are_Netgroups">10.1.1. What are Netgroups?</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-The_IPA_Approach_to_Netgroups">10.1.2. The IPA Approach to Netgroups</a></span></dt><dt><span class="section"><a href="#adding-netgroups">10.1.3. Adding Netgroups</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Netgroups-IPA_Netgroup_Commands">10.1.4. IPA Netgroup Commands</
a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS">10.2. Configuring the Network Information Service (NIS)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS-Exposing_Automount_Maps_to_NIS_Clients">10.2.1. Exposing Automount Maps to NIS Clients</a></span></dt></dl></dd><dt><span class="section"><a href="#migrintg-from-nis">10.3. Migrating from NIS to IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Preparing_Your_Environment">10.3.1. Preparing Your Environment</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Migrating_Netgroups">10.3.2. Migrating Netgroups</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#aut
hz">11. Policy: Configuring Authorization</a></span></dt><dd><dl><dt><span class="section"><a href="#configuring-host-access">11.1. Configuring Host-Based Access Control</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups">11.2. HBAC Service Groups</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services">11.3. HBAC Services</a></span></dt></dl></dd><dt><span class="chapter"><a href="#sudo">12. Policy: Using sudo</a></span></dt><dd><dl><dt><span class="section"><a href="#about-sudo">12.1. About sudo and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Introduction-Sudo_with_LDAP">12.1.1. Sudo with LDAP</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Introduction-Limitations_of_the_Existing_Sudo_LDA
P_Schema">12.1.2. Limitations of the Existing Sudo LDAP Schema</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Introduction-Benefits_of_the_IPA_Alternative_Schema">12.1.3. Benefits of the IPA Alternative Schema</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Introduction-Compatibility_and_Managed_Entry_Plug_in_Configuration">12.1.4. Compatibility and Managed Entry Plug-in Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#configuring-sudo">12.2. Configuring sudo</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Server_Configuration_for_Sudo_Rules">12.2.1. Server Configuration for Sudo Rules</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Client_Configuration_for_Sudo_Rules">12.2.2. Client Configuration for Sudo Rules</a></spa
n></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#server-config">13. Configuring the FreeIPA Server</a></span></dt><dd><dl><dt><span class="section"><a href="#managing-access-to-ipa">13.1. Defining Access Controls within FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="#Server_side_Access_Control">13.1.1. Server-side Access Control</a></span></dt><dt><span class="section"><a href="#creating-roles">13.1.2. Creating Roles</a></span></dt><dt><span class="section"><a href="#self-service">13.1.3. Defining Self-Service Settings</a></span></dt></dl></dd><dt><span class="section"><a href="#disabling-anon-binds">13.2. Disabling Anonymous Binds</a></span></dt><dt><span class="section"><a href="#Managing-Unique_UID_and_GID_Attributes">13.3. Managing Unique UID and GID Number Assignments</a></span></dt><dd><dl><dt><span class="section"><a href="#id-ranges-at-install">13.3.1. About ID Range Assignments During Installation</a></span></dt><dt><span class="sect
ion"><a href="#Assigning_UIDs_and_GIDs-Adding_New_Ranges">13.3.2. Adding New Ranges</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_Certificates_and_Certificate_Authorities">13.4. Configuring Certificates and Certificate Authorities</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_Certificates_and_Certificate_Authorities-Installing_Your_Own_Certificate">13.4.1. Installing Your Own Certificate</a></span></dt><dt><span class="section"><a href="#Configuring_Certificates_and_Certificate_Authorities-Using_Your_Own_Certificate_with_Firefox">13.4.2. Using Your Own Certificate with Firefox</a></span></dt><dt><span class="section"><a href="#Using_OCSP">13.4.3. Using OCSP</a></span></dt></dl></dd><dt><span class="section"><a href="#ipa-apache">13.5. Setting a FreeIPA Server as an Apache Virtual Host</a></span></dt><dt><span class="section"><a href="#ipa-cluster">13.6. Using FreeIPA in a Cluster</a></span></dt><dd><dl><dt><span class="sect
ion"><a href="#Implementing_IPA_in_a_Clustered_Environment-Configuring_Kerberos_Credentials_for_a_Clustered_Environment">13.6.1. Configuring Kerberos Credentials for a Clustered Environment</a></span></dt><dt><span class="section"><a href="#Implementing_IPA_in_a_Clustered_Environment-Using_the_Same_Service_Principal_for_Multiple_Services">13.6.2. Using the Same Service Principal for Multiple Services</a></span></dt></dl></dd><dt><span class="section"><a href="#Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas">13.7. Creating DNS Entries for FreeIPA Replicas</a></span></dt><dt><span class="section"><a href="#promoting-replica">13.8. Promoting a Read-Only Replica to a FreeIPA Server</a></span></dt><dt><span class="section"><a href="#logging">13.9. FreeIPA Server Logging</a></span></dt></dl></dd><dt><span class="appendix"><a href="#chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions">A. Frequently Asked Questions</a></span></dt><dt><span class="appendix"><
a href="#tools-reference">B. FreeIPA Tools Reference</a></span></dt><dd><dl><dt><span class="section"><a href="#ipa">B.1. ipa</a></span></dt><dd><dl><dt><span class="section"><a href="#ipa-location">B.1.1. Location</a></span></dt><dt><span class="section"><a href="#ipa-syntax">B.1.2. Syntax</a></span></dt><dt><span class="section"><a href="#ipa-commands">B.1.3. Commands</a></span></dt><dt><span class="section"><a href="#ipa-options">B.1.4. Options</a></span></dt><dt><span class="section"><a href="#ipa-command-automount">B.1.5. ipa automountlocation*</a></span></dt><dt><span class="section"><a href="#ipa-command-automountmap">B.1.6. ipa automountmap*</a></span></dt><dt><span class="section"><a href="#ipa-command-automountkey">B.1.7. ipa automountkey*</a></span></dt></dl></dd><dt><span class="section"><a href="#server-tools">B.2. Server Scripts</a></span></dt><dd><dl><dt><span class="section"><a href="#ipa-compat-manage">B.2.1. ipa-compat-manage</a></span></dt><dt><span class=
"section"><a href="#ipa-compliance">B.2.2. ipa-compliance</a></span></dt><dt><span class="section"><a href="#ipa-dns-install">B.2.3. ipa-dns-install</a></span></dt><dt><span class="section"><a href="#ipa-host-net-manage">B.2.4. ipa-host-net-manage</a></span></dt><dt><span class="section"><a href="#ipa_kpasswd">B.2.5. ipa_kpasswd</a></span></dt><dt><span class="section"><a href="#ipa-ldap-updater">B.2.6. ipa-ldap-updater</a></span></dt><dt><span class="section"><a href="#ipa-nis-manage">B.2.7. ipa-nis-manage</a></span></dt><dt><span class="section"><a href="#ipa-replica-install">B.2.8. ipa-replica-install</a></span></dt><dt><span class="section"><a href="#ipa-replica-manage">B.2.9. ipa-replica-manage</a></span></dt><dt><span class="section"><a href="#ipa-replica-prepare">B.2.10. ipa-replica-prepare</a></span></dt><dt><span class="section"><a href="#ipa-server-certinstall">B.2.11. ipa-server-certinstall</a></span></dt><dt><span class="section"><a href="#ipa-server-install">B.2
.12. ipa-server-install</a></span></dt><dt><span class="section"><a href="#ipa-ugradeconfig">B.2.13. ipa-upgradeconfig</a></span></dt><dt><span class="section"><a href="#ipactl">B.2.14. ipactl</a></span></dt></dl></dd><dt><span class="section"><a href="#client-tools">B.3. Client Scripts</a></span></dt><dd><dl><dt><span class="section"><a href="#ipa-client-install">B.3.1. ipa-client-install</a></span></dt><dt><span class="section"><a href="#ipa-getkeytab">B.3.2. ipa-getkeytab</a></span></dt><dt><span class="section"><a href="#ipa-join">B.3.3. ipa-join</a></span></dt><dt><span class="section"><a href="#ipa-rmkeytab">B.3.4. ipa-rmkeytab</a></span></dt></dl></dd><dt><span class="section"><a href="#certmonger-tools">B.4. Certmonger Scripts</a></span></dt><dd><dl><dt><span class="section"><a href="#getcert">B.4.1. getcert</a></span></dt><dt><span class="section"><a href="#ipa-getcert">B.4.2. ipa-getcert</a></span></dt></dl></dd></dl></dd><dt><span class="appendix"><a href="#sect-E
nterprise_Identity_Management_Guide-Working_with_certmonger">C. Services: Working with certmonger</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger">C.1. What is certmonger?</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger">C.2. Using certmonger</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS">C.3. Using certmonger with NSS</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA">C.4. Using certmonger with IPA</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Migrating_from_a_Directory_Server_to_IPA">D. Migrating from a Directory Server to IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-En
terprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Overview">D.1. Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Assumptions">D.1.1. Assumptions</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Known_Issues">D.1.2. Known Issues</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Possible_Scenarios">D.1.3. Possible Scenarios</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Initial_and_Final_States">D.1.4. Initial and Final States</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Recommended_Sequence_of_Steps">D.1.5. Recommended Sequence of Steps</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Implementation_Details">D.1.6.
Implementation Details</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration">D.2. Performing a Server-based Migration</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA">D.2.1. Phase 1: Migrating Existing Data to IPA</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_2_Updating_the_Client_Configuration">D.2.2. Phase 2: Updating the Client Configuration</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD">D.2.3. Phase 3: Installing and Configuring SSSD</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Mana
gement_Guide-Performing_a_Server_based_Migration-Phase_4_Migrating_Users">D.2.4. Phase 4: Migrating Users</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_5_Decommission_the_DS">D.2.5. Phase 5: Decommission the DS</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration">D.3. Performing a Client-based Migration</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_1_Installing_and_Configuring_SSSD">D.3.1. Phase 1: Installing and Configuring SSSD</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_2_Migrating_Existing_Data_to_IPA">D.3.2. Phase 2: Migrating Existing Data to IPA</a></span></dt><dt><span
class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_3_Migrate_SSSD_Clients_from_LDAP_to_IPA">D.3.3. Phase 3: Migrate SSSD Clients from LDAP to IPA</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_4_Reconfigure_non_SSSD_Clients">D.3.4. Phase 4: Reconfigure non-SSSD Clients</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_5_Decommission_the_Directory_Server">D.3.5. Phase 5: Decommission the Directory Server</a></span></dt></dl></dd></dl></dd><dt><span class="glossary"><a href="#Glossary">Glossary</a></span></dt><dt><span class="index"><a href="#id3103175">Index</a></span></dt></dl></div><div xml:lang="en-US" class="preface" id="Preface" lang="en-US"><div class="titlepage"><div><div><h1 class="title">Preface</h1></div></div></div><div class="para">
+ </div></div></div></div><hr /></div><div class="toc"><dl><dt><span class="preface"><a href="#Preface">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="#audience">1. Audience and Purpose</a></span></dt><dt><span class="section"><a href="#Document_Conventions">2. Examples and Formatting</a></span></dt><dd><dl><dt><span class="section"><a href="#bracketsexamples">2.1. Brackets</a></span></dt><dt><span class="section"><a href="#tool-locations">2.2. Client Tool Information</a></span></dt><dt><span class="section"><a href="#guide-formatting">2.3. Text Formatting and Styles</a></span></dt></dl></dd><dt><span class="section"><a href="#feedback">3. Giving Feedback</a></span></dt><dt><span class="section"><a href="#doc-history">4. Document Change History</a></span></dt></dl></dd><dt><span class="chapter"><a href="#installing-ipa">1. Installing a FreeIPA Server</a></span></dt><dd><dl><dt><span class="section"><a href="#Preparing_for_an_IPA_Installation">1.1. Preparin
g to Install the FreeIPA Server</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Hardware_Requirements">1.1.1. Hardware Requirements</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Software_Requirements">1.1.2. Software Requirements</a></span></dt><dt><span class="section"><a href="#prerequisites">1.1.3. System Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#Installing_the_IPA_Server_Packages">1.2. Installing the FreeIPA Server Packages</a></span></dt><dt><span class="section"><a href="#creating-server">1.3. Creating a FreeIPA Server Instance</a></span></dt><dd><dl><dt><span class="section"><a href="#install-command">1.3.1. About ipa-server-install</a></span></dt><dt><span class="section"><a href="#install-interactive">1.3.2. Setting up a FreeIPA Server: Basic Interactive Installation</
a></span></dt><dt><span class="section"><a href="#install-examples">1.3.3. Examples of Creating the FreeIPA Server</a></span></dt><dt><span class="section"><a href="#troubleshooting-install">1.3.4. Troubleshooting Installation Problems</a></span></dt></dl></dd><dt><span class="section"><a href="#chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas">1.4. Setting up FreeIPA Replicas</a></span></dt><dd><dl><dt><span class="section"><a href="#installing-replica">1.4.1. Prepping and Installing the Replica Server</a></span></dt><dt><span class="section"><a href="#creating-the-replica">1.4.2. Creating the Replica</a></span></dt><dt><span class="section"><a href="#troubleshooting-replica-install">1.4.3. Troubleshooting Replica Installation</a></span></dt></dl></dd><dt><span class="section"><a href="#Uninstalling_IPA_Servers">1.5. Uninstalling FreeIPA Servers and Replicas</a></span></dt></dl></dd><dt><span class="chapter"><a href="#setting-up-clients">2. Setting up Syste
ms as FreeIPA Clients</a></span></dt><dd><dl><dt><span class="section"><a href="#what-happens-clients">2.1. What Happens in Client Setup</a></span></dt><dt><span class="section"><a href="#Configuring_Microsoft_Windows">2.2. Configuring a Microsoft Windows System as a FreeIPA Client</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Solaris">2.3. Configuring a Solaris System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Solaris_10">2.3.1. Configuring Solaris 10</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9">2.3.2. Configuring Solaris 9</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX">2.4. Configuring an HP-UX System as a FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX-Configuring_NTP">2.4.1. Configuring NTP
</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX-Configuring_LDAP_Authentication">2.4.2. Configuring LDAP Authentication</a></span></dt><dt><span class="section"><a href="#Configuring_Kerberos_and_PAM-Configuring_Kerberos">2.4.3. Configuring Kerberos</a></span></dt><dt><span class="section"><a href="#Configuring_Kerberos_and_PAM-Configuring_PAM">2.4.4. Configuring PAM</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX-Configuring_SSH">2.4.5. Configuring SSH</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX-Configuring_Access_Control">2.4.6. Configuring Access Control</a></span></dt><dt><span class="section"><a href="#hp-test">2.4.7. Testing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_AIX">2.5. Configuring an AIX System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="#Configur
ing_an_IPA_Client_on_AIX-Prerequisites">2.5.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_AIX-Configuring_Client_Authentication">2.5.2. Configuring the AIX Client</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X">2.6. Configuring a Macintosh OS X System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_Kerberos_Authentication">2.6.1. Configuring Kerberos Authentication</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_LDAP_Authorization">2.6.2. Configuring LDAP Authorization</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_the_LDAP_Authorization_Options">2.6.3. Configuring the LDAP Authorization Options</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_C
lient_on_Macintosh_OS_X-Configuring_NTP">2.6.4. Configuring NTP</a></span></dt><dt><span class="section"><a href="#testing-config-on-mac">2.6.5. Testing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#uninstalling-clients">2.7. Uninstalling a FreeIPA Client</a></span></dt></dl></dd><dt><span class="chapter"><a href="#basic-usage">3. Basic UI Usage</a></span></dt><dd><dl><dt><span class="section"><a href="#using-the-ui">3.1. Using the FreeIPA UI</a></span></dt><dd><dl><dt><span class="section"><a href="#config-browser">3.1.1. Configuring the Browser</a></span></dt><dt><span class="section"><a href="#logging-in">3.1.2. Logging into the FreeIPA UI</a></span></dt><dt><span class="section"><a href="#Configuring_a_Browser_to_Work_with_IPA-Using_a_Browser_on_Another_System">3.1.3. Using a Browser on Another System</a></span></dt><dt><span class="section"><a href="#Enabling_UsernamePassword_Authentication_in_Your_Browser">3.1.4. Enabling Username/Passw
ord Authentication in Your Browser</a></span></dt></dl></dd><dt><span class="section"><a href="#switching-users">3.2. Switching Users</a></span></dt></dl></dd><dt><span class="chapter"><a href="#managing-clients">4. Managing Clients in the FreeIPA Domain</a></span></dt><dd><dl><dt><span class="section"><a href="#IPA_Command_Line_Tools-Working_with_DNS">4.1. Working with DNS</a></span></dt><dd><dl><dt><span class="section"><a href="#Working_with_DNS-Adding_Hosts_to_an_IPA_DNS">4.1.1. Adding Hosts to a FreeIPA DNS</a></span></dt><dt><span class="section"><a href="#Working_with_DNS-Removing_Hosts_from_an_IPA_DNS">4.1.2. Removing Hosts from a FreeIPA DNS</a></span></dt><dt><span class="section"><a href="#Working_with_DNS-Managing_DNS_Zones">4.1.3. Managing DNS Zones</a></span></dt></dl></dd><dt><span class="section"><a href="#enrolling-machines">4.2. Enrolling Machines</a></span></dt><dd><dl><dt><span class="section"><a href="#Enrollment_Scenarios-Manual_Host_Enrollment_with_Pri
vileged_Administrator">4.2.1. Manual Host Enrollment with Privileged Administrator</a></span></dt><dt><span class="section"><a href="#Enrollment_Scenarios-Manual_Host_Enrollment_with_Separation_of_Duties">4.2.2. Manual Host Enrollment with Separation of Duties</a></span></dt><dt><span class="section"><a href="#Enrollment_Scenarios-Bulk_Host_Deployment">4.2.3. Bulk Host Deployment</a></span></dt></dl></dd><dt><span class="section"><a href="#renaming-machines">4.3. Renaming Machines</a></span></dt><dt><span class="section"><a href="#config-virt-machines">4.4. Reconfiguring Virtual Machines</a></span></dt><dt><span class="section"><a href="#certs">4.5. Configuring Certificate-Based Machine Authentication</a></span></dt><dt><span class="section"><a href="#General_Troubleshooting_Tips-Client_Problems">4.6. Client Problems</a></span></dt></dl></dd><dt><span class="chapter"><a href="#users">5. Identity: Managing Users and User Groups</a></span></dt><dd><dl><dt><span class="section"
><a href="#home-directories">5.1. Managing User Home Directories</a></span></dt><dt><span class="section"><a href="#adding-users">5.2. Adding Users</a></span></dt><dt><span class="section"><a href="#editing-users">5.3. Editing Users</a></span></dt><dt><span class="section"><a href="#Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts">5.4. Activating and Deactivating User Accounts</a></span></dt><dd><dl><dt><span class="section"><a href="#Activating_and_Deactivating_User_Accounts-Using_the_Command_Line">5.4.1. Using the Command Line</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_IPA_Users-Specifying_Default_User_Settings">5.5. Specifying Default User Settings</a></span></dt><dt><span class="section"><a href="#search-limits">5.6. Setting Default Search Limits</a></span></dt><dt><span class="section"><a href="#Configuring_IPA_Users-Deleting_IPA_Users">5.7. Deleting FreeIPA Users</a></span></dt><dd><dl><dt><span class="section"><a href="#De
leting_IPA_Users-Using_the_Command_Line">5.7.1. Using the Command Line</a></span></dt></dl></dd><dt><span class="section"><a href="#user-groups">5.8. Creating User Groups</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_IPA_Groups-Creating_IPA_Groups">5.8.1. Creating FreeIPA Groups</a></span></dt><dt><span class="section"><a href="#Configuring_IPA_Groups-Editing_IPA_Groups">5.8.2. Editing FreeIPA Groups</a></span></dt><dt><span class="section"><a href="#Configuring_IPA_Groups-Deleting_IPA_Groups">5.8.3. Deleting FreeIPA Groups</a></span></dt></dl></dd><dt><span class="section"><a href="#user-pwdpolicy">5.9. Setting an Individual Password Policy</a></span></dt><dd><dl><dt><span class="section"><a href="#The_IPA_Password_Policy-Changing_Passwords_as_the_Directory_Manager">5.9.1. Changing Passwords as the Directory Manager</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Changing_Passwords_as_the_IPA_Administrator">5.9.2. Changing
Passwords as the FreeIPA Administrator</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Changing_Passwords_as_a_Regular_User">5.9.3. Changing Passwords as a Regular User</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Editing_the_Password_Policy">5.9.4. Editing the Password Policy</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Setting_Different_Password_Policies_for_Different_User_Groups">5.9.5. Setting Different Password Policies for Different User Groups</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Password_Policy_Attributes">5.9.6. Password Policy Attributes</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Notifying_Users_of_Password_Expiration">5.9.7. Notifying Users of Password Expiration</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Using_SSH_for_Password_Authentication">5.9.8. Using SSH for Password Auth
entication</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Using_Local_Logins">5.9.9. Using Local Logins</a></span></dt></dl></dd><dt><span class="section"><a href="#searching">5.10. Searching for Users and Groups</a></span></dt><dd><dl><dt><span class="section"><a href="#Searching_for_Users_and_Groups-Searching_for_Users">5.10.1. Searching for Users</a></span></dt><dt><span class="section"><a href="#Searching_for_Users_and_Groups-Searching_for_Groups">5.10.2. Searching for Groups</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#kerberos">6. Identity: Using FreeIPA for a Kerberos Domain</a></span></dt><dd><dl><dt><span class="section"><a href="#about-kerberos">6.1. About Kerberos</a></span></dt><dt><span class="section"><a href="#kerb-policies">6.2. Setting Kerberos Ticket Policies</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Serv
ice_Principals">6.3. Creating and Using Service Principals</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Creating_Service_Principals_and_Certificates_for_New_Services-Creating_an_IPA_Service">6.3.1. Creating a FreeIPA Service</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Configuring_an_NFS_Service_Principal_on_the_IPA_Server">6.3.2. Configuring an NFS Service Principal on the FreeIPA Server</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets">6.4. Refreshing Kerberos Tickets</a></span></dt><dt><span class="section"><a href="#rotating-keys">6.5. Rotating Keys</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors">6.6. Kerberos Errors</a></span></dt></dl></dd>
<dt><span class="chapter"><a href="#automount">7. Identity: Using Automount</a></span></dt><dd><dl><dt><span class="section"><a href="#about-automount">7.1. About Automount and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Known_Issues_with_Automount">7.1.1. Known Issues with Automount</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Assumptions">7.1.2. Assumptions</a></span></dt></dl></dd><dt><span class="section"><a href="#configuring-automount">7.2. Configuring Automount</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_autofs_on_Linux">7.2.1. Configuring autofs on Linux</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Solaris_automount">7.2.2. Solaris automount</a></span></dt><d
t><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_Indirect_Maps">7.2.3. Configuring Indirect Maps</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Links">7.2.4. Links</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#active-directory">8. Identity: Integrating with Microsoft Active Directory</a></span></dt><dd><dl><dt><span class="section"><a href="#about-active-directory">8.1. About Active Directory, IPA, and Identity Management</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Prerequisites-Domain_Name_Considerations">8.1.1. Domain Name Considerations</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory">8.2. Setting up Active Directory</a></span></dt><dt><span class="section"><a href="#co
nfiguring-active-directory">8.3. Configuring Active Directory Synchronization</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements">8.4. Creating Synchronization Agreements</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements">8.5. Modifying Synchronization Agreements</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Changing_the_Default_Synchronization_Subtree">8.5.1. Changing the Default Synchronization Subtree</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements">8.6. Deleti
ng Synchronization Agreements</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures">8.7. Winsync Agreement Failures</a></span></dt></dl></dd><dt><span class="chapter"><a href="#nis">9. Identity: Integrating with NIS Domains and Netgroups</a></span></dt><dd><dl><dt><span class="section"><a href="#about-nis">9.1. About NIS and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-What_are_Netgroups">9.1.1. What are Netgroups?</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-The_IPA_Approach_to_Netgroups">9.1.2. The IPA Approach to Netgroups</a></span></dt><dt><span class="section"><a href="#adding-netgroups">9.1.3. Adding Netgroups</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Netgroups-
IPA_Netgroup_Commands">9.1.4. IPA Netgroup Commands</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS">9.2. Configuring the Network Information Service (NIS)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS-Exposing_Automount_Maps_to_NIS_Clients">9.2.1. Exposing Automount Maps to NIS Clients</a></span></dt></dl></dd><dt><span class="section"><a href="#migrintg-from-nis">9.3. Migrating from NIS to IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Preparing_Your_Environment">9.3.1. Preparing Your Environment</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Migrating_Netgroups">9.3.2. Migrating Netgroups</a></span></dt></dl></dd><
/dl></dd><dt><span class="chapter"><a href="#authz">10. Policy: Configuring Authorization</a></span></dt><dd><dl><dt><span class="section"><a href="#configuring-host-access">10.1. Configuring Host-Based Access Control</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups">10.2. HBAC Service Groups</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services">10.3. HBAC Services</a></span></dt></dl></dd><dt><span class="chapter"><a href="#sudo">11. Policy: Using sudo</a></span></dt><dd><dl><dt><span class="section"><a href="#about-sudo">11.1. About sudo and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Introduction-Sudo_with_LDAP">11.1.1. Sudo with LDAP</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-I
ntroduction-Limitations_of_the_Existing_Sudo_LDAP_Schema">11.1.2. Limitations of the Existing Sudo LDAP Schema</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Introduction-Benefits_of_the_IPA_Alternative_Schema">11.1.3. Benefits of the IPA Alternative Schema</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Introduction-Compatibility_and_Managed_Entry_Plug_in_Configuration">11.1.4. Compatibility and Managed Entry Plug-in Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#configuring-sudo">11.2. Configuring sudo</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Server_Configuration_for_Sudo_Rules">11.2.1. Server Configuration for Sudo Rules</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Client_Configuration_for_Sudo_Rules">11.2
.2. Client Configuration for Sudo Rules</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="#server-config">12. Configuring the FreeIPA Server</a></span></dt><dd><dl><dt><span class="section"><a href="#managing-access-to-ipa">12.1. Defining Access Controls within FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="#Server_side_Access_Control">12.1.1. Server-side Access Control</a></span></dt><dt><span class="section"><a href="#creating-roles">12.1.2. Creating Roles</a></span></dt><dt><span class="section"><a href="#self-service">12.1.3. Defining Self-Service Settings</a></span></dt></dl></dd><dt><span class="section"><a href="#disabling-anon-binds">12.2. Disabling Anonymous Binds</a></span></dt><dt><span class="section"><a href="#Managing-Unique_UID_and_GID_Attributes">12.3. Managing Unique UID and GID Number Assignments</a></span></dt><dd><dl><dt><span class="section"><a href="#id-ranges-at-install">12.3.1. About ID Range Assignments During I
nstallation</a></span></dt><dt><span class="section"><a href="#Assigning_UIDs_and_GIDs-Adding_New_Ranges">12.3.2. Adding New Ranges</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_Certificates_and_Certificate_Authorities">12.4. Configuring Certificates and Certificate Authorities</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_Certificates_and_Certificate_Authorities-Installing_Your_Own_Certificate">12.4.1. Installing Your Own Certificate</a></span></dt><dt><span class="section"><a href="#Configuring_Certificates_and_Certificate_Authorities-Using_Your_Own_Certificate_with_Firefox">12.4.2. Using Your Own Certificate with Firefox</a></span></dt><dt><span class="section"><a href="#Using_OCSP">12.4.3. Using OCSP</a></span></dt></dl></dd><dt><span class="section"><a href="#ipa-apache">12.5. Setting a FreeIPA Server as an Apache Virtual Host</a></span></dt><dt><span class="section"><a href="#ipa-cluster">12.6. Using FreeIPA in a Clus
ter</a></span></dt><dd><dl><dt><span class="section"><a href="#Implementing_IPA_in_a_Clustered_Environment-Configuring_Kerberos_Credentials_for_a_Clustered_Environment">12.6.1. Configuring Kerberos Credentials for a Clustered Environment</a></span></dt><dt><span class="section"><a href="#Implementing_IPA_in_a_Clustered_Environment-Using_the_Same_Service_Principal_for_Multiple_Services">12.6.2. Using the Same Service Principal for Multiple Services</a></span></dt></dl></dd><dt><span class="section"><a href="#Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas">12.7. Creating DNS Entries for FreeIPA Replicas</a></span></dt><dt><span class="section"><a href="#promoting-replica">12.8. Promoting a Read-Only Replica to a FreeIPA Server</a></span></dt><dt><span class="section"><a href="#logging">12.9. FreeIPA Server Logging</a></span></dt></dl></dd><dt><span class="appendix"><a href="#chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions">A. Frequently Asked Quest
ions</a></span></dt><dt><span class="appendix"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger">B. Services: Working with certmonger</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger">B.1. What is certmonger?</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger">B.2. Using certmonger</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS">B.3. Using certmonger with NSS</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA">B.4. Using certmonger with IPA</a></span></dt></dl></dd><dt><span class="appendix"><a href="#Migrating_from_a_Directory_Server_to_IPA">C. Migrating from a Directory Server to IPA</a>
</span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Overview">C.1. Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Assumptions">C.1.1. Assumptions</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Known_Issues">C.1.2. Known Issues</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Possible_Scenarios">C.1.3. Possible Scenarios</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Initial_and_Final_States">C.1.4. Initial and Final States</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Recommended_Sequence_of_Steps">C.1.5. Recommended Sequence of Steps</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Ide
ntity_Management_Guide-Overview-Implementation_Details">C.1.6. Implementation Details</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration">C.2. Performing a Server-based Migration</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA">C.2.1. Phase 1: Migrating Existing Data to IPA</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_2_Updating_the_Client_Configuration">C.2.2. Phase 2: Updating the Client Configuration</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD">C.2.3. Phase 3: Installing and Configuring SSSD</a></span></dt><d
t><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_4_Migrating_Users">C.2.4. Phase 4: Migrating Users</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_5_Decommission_the_DS">C.2.5. Phase 5: Decommission the DS</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration">C.3. Performing a Client-based Migration</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_1_Installing_and_Configuring_SSSD">C.3.1. Phase 1: Installing and Configuring SSSD</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_2_Migrating_Existing_Data_to_IPA">C.3.2. Ph
ase 2: Migrating Existing Data to IPA</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_3_Migrate_SSSD_Clients_from_LDAP_to_IPA">C.3.3. Phase 3: Migrate SSSD Clients from LDAP to IPA</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_4_Reconfigure_non_SSSD_Clients">C.3.4. Phase 4: Reconfigure non-SSSD Clients</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_5_Decommission_the_Directory_Server">C.3.5. Phase 5: Decommission the Directory Server</a></span></dt></dl></dd></dl></dd><dt><span class="glossary"><a href="#Glossary">Glossary</a></span></dt><dt><span class="index"><a href="#id3210842">Index</a></span></dt></dl></div><div xml:lang="en-US" class="preface" id="Preface" lang="en-US"><div class="titlepage"><div><div><h1 cla
ss="title">Preface</h1></div></div></div><div class="para">
FreeIPA is a Fedora-based way to create a security, identity, and authentication domain. The different security and authentication protocols available to Linux and Unix systems (like Kerberos, NIS, DNS, PAM, and sudo) are complex, unrelated, and difficult to manage coherently, especially when combined with different identity stores.
</div><div class="para">
FreeIPA provides a layer that unifies all of these disparate services and simplifies the administrative tasks for managing users, systems, and security. FreeIPA breaks management down into two categories: <span class="emphasis"><em>identity</em></span> and <span class="emphasis"><em>policy</em></span>. It centralizes the functions of managing the users and entities within your IT environment (identity) and then provides a framework to define authentication and authorization for a global security framework and user-friendly tools like single sign-on (policy).
@@ -102,73 +102,19 @@
</td></tr></table></div>
- </div></div></div><div xml:lang="en-US" class="chapter" id="introduction" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 1. Introduction to FreeIPA</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#ipa-v-ldap">1.1. FreeIPA v. LDAP: A More Focused Type of Service</a></span></dt><dt><span class="section"><a href="#ipa-domains">1.2. About FreeIPA Domains</a></span></dt><dd><dl><dt><span class="section"><a href="#The_IPA_Core">1.2.1. The FreeIPA Server</a></span></dt><dt><span class="section"><a href="#IPA_Managed_Hosts">1.2.2. FreeIPA Managed Hosts</a></span></dt><dt><span class="section"><a href="#external-work">1.2.3. Integration with Non-Fedora Services</a></span></dt></dl></dd><dt><span class="section"><a href="#ipa-components">1.3. Identity Management: Authentication</a></span></dt><dt><span class="section"><a href="#policy">1.4. Defining Policies: Authorization</a></span></dt></dl></div><div class="para">
- XXXXX introXXXXXXXX
- </div><div class="para">
- FreeIPA is an integrated security information management solution which combines Fedora, 389 Directory Server, MIT Kerberos, DNS, Certificate System CA, and NTP. Its numerous administration tools allow an administrator to quickly install, set up, and administer servers for centralized authentication and identity management. FreeIPA also supports for host identities, netgroups, automount by location and other features.
- </div><div class="para">
- FreeIPA focuses on making centralized identity and policy easy to manage in Linux and Unix environments and includes interoperability with the Windows environment.
- </div><div class="section" id="ipa-v-ldap"><div class="titlepage"><div><div><h2 class="title" id="ipa-v-ldap">1.1. FreeIPA v. LDAP: A More Focused Type of Service</h2></div></div></div><div class="para">
- XXXXXXXXXX fix me XXXXXXXX
- </div><div class="para">
- For efficiency, compliance and risk mitigation, organizations need to centrally manage and correlate vital security information including: * Identity (machine, user, virtual machines, groups, authentication credentials) * Policy (host based access control, sudo) Because of its vital importance and the way it is interrelated, we think identity, policy, and audit information should be open, interoperable, and manageable. Our focus is on making identity, policy, and audit (some day) easy to centrally manage for the Linux and Unix world. Of course, we will need to interoperate well with Windows and much more. We are looking to take concrete and useful steps and so have chosen initially to focus on Identity solutions for the Unix/Linux world. For policy we focus on the host based access control management and enforcement. As for other aspects of the policy management related to systems management and configuration management, after serious evaluation we decided not to address
these segments for now. There are other projects that are working in this direction. We will closely monitor those projects and integrate with them as interfaces become available. We did a lot of research and evaluation in the audit area and realized that this is a significant effort and might require a project of its own. For now we decided not to disperse our energy and work more on improving the identity and authentication aspects of the system. But we will continue to monitor open source projects in the audit related space. One of such projects that was created as a result of our evaluation is ELAPI. We will continue investing into that project.
- </div><div class="para">
- What are the problems freeIPA is trying to solve? * Focus on solving identity management across the enterprise providing a reliable open source alternative to existing solutions * Vendor focus on Web identity management problems has meant less well developed solutions for central management of the Linux and Unix world's vital security info. Organizations are forced to maintain a hodgepodge of internal and proprietary solutions at high TCO. * Proprietary security products don't easily provide access to the vital security information they collect or manage. This makes it difficult to synchronize and analyze effectively.
- </div></div><div class="section" id="ipa-domains"><div class="titlepage"><div><div><h2 class="title" id="ipa-domains">1.2. About FreeIPA Domains</h2></div></div></div><div class="para">
- XXXXXXXXXX fix me XXXXXXXX
- </div><div class="para">
- FreeIPA is broken down into three main components: the FreeIPA server and the FreeIPA client.
- </div><div class="figure" id="figHigh_level_IPA_Architecture"><div class="figure-contents"><div class="mediaobject"><img src="images/IPA_arch.png" width="600" alt="FreeIPA Interactions" /></div></div><h6>Figure 1.1. FreeIPA Interactions</h6></div><br class="figure-break" /><div class="section" id="The_IPA_Core"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Core">1.2.1. The FreeIPA Server</h3></div></div></div><div class="para">
- The FreeIPA core consists of the servers, services, and other utilities necessary to provide the fundamental FreeIPA functionality. This includes the management framework, the directory server, the KDC, the web server, and the DNS.
- </div><div class="formalpara" id="The_IPA_Core-Kerberos_KDC"><h5 class="formalpara">Kerberos KDC</h5>
- The Kerberos KDC is the Kerberos authentication server, and provides authentication services for users, hosts, and services. It stores its data in the directory server.
- </div><div class="para">
- What is Kerberos? Kerberos is a network authentication protocol created by MIT, and uses symmetric-key cryptography to authenticate users to network services, which means that passwords are never actually sent over the network. Consequently, when users authenticate to network services using Kerberos, unauthorized users attempting to gather passwords by monitoring network traffic are effectively thwarted. The primary design goal of Kerberos is to eliminate the transmission of unencrypted passwords across the network. If used properly, Kerberos effectively eliminates the threat that packet sniffers would otherwise pose on a network. [edit] How IPA and Kerberos Work Together The IPA implementation of Kerberos differs from a typical Kerberos implementation mainly in that it uses Directory Server to store data instead of a flat file. Access control is also provided by the directory. The IPA Kerberos implementation does not use the native tools because by default the KDC is no
t aware of Directory Server. IPA provides its own set of tools for working with Kerberos. Kerberos' native tools, for example, those provided by kadmin.local, should not be used. For many reasons, kadmin.local does not currently have permission to operate outside of cn=kerberos. One reason is that it does not understand LDAP, which means that you cannot create principals where you want. Another reason is that it cannot proxy a password change to the IPA plugin. Consequently, if a password change is performed via kadmin.local, then the user entry would be corrupted. Image:Note.png Note: It is highly recommended that you avoid the use of kadmin and kadmin.local in an IPA deployment. [edit] IPA, Kerberos, and Service Principals A Service Principal is needed by a server program in order to perform Kerberos authentication. Kerberos authentication works by obtaining an encrypted ticket for a service, a ticket that only the service can decrypt (and therefore verify that the user ob
tained it from the KDC, indirectly proving that the client was able to authenticate to the KDC and is therefore trustworthy). The Service Principal is therefore needed to make it possible for the client to tell the KDC which service it needs a ticket for, and for the KDC to be able to store and provide a secret to the service at the moment the Service Principal is created. Service Principals are typically released per service, although it is possible for one Service Principal to be used for more services. For example, host/fqdn at REALM is used for both the SSH service and also as the generic "host" principal. [edit] IPA, Kerberos, and DNS As discussed in How IPA and DNS Work Together, IPA relies heavily on a fully-functional DNS for correct operation. Because of its tight integration with IPA, Kerberos also requires that the DNS be configured correctly. Using CNAME and A Records When Kerberos requests a ticket to begin authentication, it will always resolve a CNAME to its corr
esponding A record; Kerberos libraries will never use a CNAME to ask for a ticket. This means that when you create service or host principals you need to use the host A record. For example, consider the following zone file entry: CNAME www.example.com -> A name web-01.example.com If you use the following command to connect to the host via SSH and want GSSAPI authentication: $ ssh www.example.com it will actually request a ticket for host/web-01.example.com at EXAMPLE.COM This is the service principal that you must use to obtain and save tickets in /etc/krb5.keytab for this host.
- </div><div class="formalpara" id="Directory_Server"><h5 class="formalpara">Directory Server</h5>
- The directory server is the core storage system of the FreeIPA server. The directory server stores all of the information about user accounts used by the KDC for authentication, groups, hosts, services, netgroups and policy information. If configured and used, DNS uses the same instance of the directory server to store DNS information. The directory server provides a multi-master replication capability so that multiple FreeIPA replicas can be deployed.
- </div><div class="para">
- FDS is an integral part of IPA. In freeIPA, FDS serves as the data store, maintaining all of an organization's information. The Directory Server also controls access to all directory information; IPA users are restricted in the level of access they have to FDS information by the controls in place within FDS itself. FDS access control cannot be overridden by permissions, delegations, or other controls in IPA.
- </div><div class="formalpara"><h5 class="formalpara" id="id3133226">DNS</h5>
- The DNS is the Domain Name Service. This is an optional component that can be installed and configured at any time. Alternatively, an existing DNS server can be used. In this case, however, there will be no tight integration between DNS management and the management of hosts that FreeIPA provides.
- </div><div class="para">
- What is DNS? A Domain Name Service (DNS) associates hostnames with their respective IP addresses, so that when users want to connect to other machines on the network, they can refer to them by name, without having to remember IP addresses. DNS is normally implemented using centralized servers that are authoritative for some domains and refer to other DNS servers for other domains. [edit] How IPA and DNS Work Together IPA clients find, or discover, IPA servers using a process known as Service Discovery. This can occur automatically, using DNS, or manually, by entering the IPA server details during the client configuration phase. [edit] Service Discovery using DNS The recommended method for ensuring that IPA clients discover IPA servers is via DNS. This requires adding special records to the DNS configuration. The IPA Server installation generates a sample zone file which contains sample records for this purpose. In particular, it includes records for the LDAP servers, Ker
beros realm, and Kerberos servers required in an IPA deployment. These records can be added to an existing DNS infrastructure - even one hosted on a different OS - or they can be added to a new DNS server if one does not already exist. The following is an extract from a zone file where the IPA server, KDC, and DNS server all exist on the same machine (ipaserver) in the realm EXAMPLE.COM: ; ldap servers _ldap._tcp IN SRV 0 100 389 ipaserver ;kerberos realm _kerberos IN TXT EXAMPLE.COM ; kerberos servers _kerberos._tcp IN SRV 0 100 88 ipaserver _kerberos._udp IN SRV 0 100 88 ipaserver _kerberos-master._tcp IN SRV 0 100 88 ipaserver _kerberos-master._udp IN SRV 0 100 88 ipaserver _kpasswd._tcp IN SRV 0 100 464 ipaserver _kpasswd._udp IN SRV 0 100 464 ipaserver If you already have DNS configured on your network, you can add this to the existing zone file (in this example, /var/named/example.com.zone.db) so that the IPA clients know where to find the LDAP and Kerberos servers. Cl
ients will attempt to discover the IPA server first using parameters passed via the command line, then using the configuration file (/etc/ipa/ipa.conf), and then via DNS. [edit] Service Discovery without using DNS It is possible, but not recommended, to operate without these records. If you do not use DNS for service discovery, then your clients will not automatically find other IPA services in a high-availability setup. During an IPA client installation, if you do not have DNS correctly configured so that the client can discover the IPA server, you will need to enter the appropriate information manually. [edit] Using IPA with Multi-Homed Machines Some of the machines in your IPA deployment may support multiple Network Interface Cards (NICs). This is often the case for servers or other machines where high availability or failover is required. These muti-homed machines will typically have multiple IPs all assigned to the same hostname. Normally this will not cause any issues
for IPA, as it listens on all available interfaces except localhost. The KDC does not listen on this interface; it only listens to the machine's public IP addresses. For a server that has multiple NICs and IP addresses, you need to configure the DNS with the appropriate A records if the IPA server is to be available via any NIC. For example, the zone file on the DNS server might have the following A records for an IPA server (ipaserver.example.com) with three NICs: ipaserver IN A 192.168.1.100 ipaserver IN A 192.168.1.101 ipaserver IN A 192.168.1.102 This allows IPA clients to discover the IPA server using any of the available network interfaces.
- </div><div class="formalpara" id="NTP"><h5 class="formalpara">NTP</h5>
- NTP is an optional service, but can be enabled on the FreeIPA server, in which case the FreeIPA server becomes the NTP server for the deployment. You can use other NTP servers as desired.
- </div><div class="para">
- What is NTP? Many computer services (for example, Kerberos) require that the time differential between different hosts on a network be kept to a minimum for correct or accurate operation. The Network Time Protocol (NTP) is a protocol used to synchronize computer clocks over the network. Most operating systems can be configured to synchronize their clocks with any of a number of time servers. [edit] How IPA and NTP Work Together IPA combines a number of different technologies, many of which constantly communicate with each other over the network. In order for these technologies to work together correctly, the time differential between the clients and servers on the network must be kept to a minimum. Kerberos, for example, only tolerates a five minute time difference between the KDC and a client requesting authentication. A time difference greater than five minutes will result in a failed authentication. System Administrators also rely on accurate time keeping for correlat
ion of system logs across machines on the network. In the event of problems on the network or other aspects of a deployment, it may be necessary to inspect the log files of various machines to determine if specific problems occur at the same time. Without NTP or another time synchronization system, such troubleshooting would be all but impossible. The IPA startup process ensures that the NTP service is started and that the time and date is synchronized before any other IPA-related processes are started. This is to avoid problems with certificates, LDAP entry creation dates, password expiration dates, account expiration dates, and any other date-related issues.
- </div><div class="para">
- mention the CA and certificates
- </div><div class="para">
- mention replicas, replication, and how it works with servers
- </div></div><div class="section" id="IPA_Managed_Hosts"><div class="titlepage"><div><div><h3 class="title" id="IPA_Managed_Hosts">1.2.2. FreeIPA Managed Hosts</h3></div></div></div><div class="para">
- An FreeIPA <em class="firstterm">managed host</em> is a host that is managed by FreeIPA. The definition of "manage" in this context can be stated as "being able to retrieve a keytab and certificates on behalf of another host or service". This management is established by enrolling the host with FreeIPA, a task performed by the <code class="command">ipa-client-install</code> command. As a result of this enrollment, <code class="systemitem">SSSD</code> and <code class="systemitem">certmonger</code> are configured (they are aware of the location of the FreeIPA server), the keytab is provisioned and the host certificate is created. The host certificate is not used by FreeIPA but is created nonetheless, for possible use by services that might be running on the host. The web server is one example of this.
- </div><div class="para">
- As a result of user authentication against the KDC, the TGT (ticket-granting ticket) is stored on the client machine. That ticket is used to access different services that are members of the same Kerberos domain. All services need to be registered in FreeIPA and have a keytab provisioned for them. To do this, you need to create a service record in FreeIPA and then execute the <code class="command">ipa-getkeytab</code> on the host where the service will be running. Note that this operation is independent of making the host a managed host. The service can run on either a managed host or an unmanaged host.
- </div><div class="formalpara" id="SSSD"><h5 class="formalpara">SSSD</h5>
- When configured to use FreeIPA via its FreeIPA back end, SSSD provides user authentication, identity look ups and HBAC (Host-based Access Control) enforcement. The host enrollment and configuration of SSSD are performed automatically by the <code class="command">ipa-client-install</code> command.
- </div><div class="formalpara" id="certmonger"><h5 class="formalpara">certmonger</h5>
- <code class="systemitem">certmonger</code> is an unattended service that can monitor the certificates on the client system and renew them on a scheduled basis when they are about to expire. It can also be used to request new certificates for the services running on the system or for a different system, for example when a management server or hypervisor requests certificates for a set of virtual machines.
- </div></div><div class="section" id="external-work"><div class="titlepage"><div><div><h3 class="title" id="external-work">1.2.3. Integration with Non-Fedora Services</h3></div></div></div><div class="para">
- windows and AD samba solaris, hp, mac
- </div></div></div><div class="section" id="ipa-components"><div class="titlepage"><div><div><h2 class="title" id="ipa-components">1.3. Identity Management: Authentication</h2></div></div></div><div class="para">
- XXXXXXXXXX fix me XXXXXXXX
- </div><div class="para">
- What will be freeIPA's first steps around Identity? We are looking to take concrete and useful steps, and so have chosen to focus our first efforts on centralized Identity Management and Authentication for Linux and Unix * This solution will initially consist of an MIT Kerberos 5 server using a Fedora Directory Server backend. The goal is to make it easy for developers and administrators to set up centralized identity management for their world using the directory as the central username and password store and kerberos as the means of authentication and single sign on. * In version 1 we provided: a fixed schema, simple configuration tools to easily set up an IPA server and replication, and command line tools and an intuitive GUI for user and group management. * In version 2 we are working on: integrating Dogtag Certificate Server, DNS server, added support for hosts, centrally managed netgroups, different automount maps for different locations, extensible UI/CLI framework
, host based access control and more. * We want to make sure this solution can manage identity and authentication well for Linux and Unix boxes and we hope our efforts inspire upstream package owners to kerberize a lot more packages.
- </div></div><div class="section" id="policy"><div class="titlepage"><div><div><h2 class="title" id="policy">1.4. Defining Policies: Authorization</h2></div></div></div><div class="para">
- XXXXXXXXXX fix me XXXXXXXX
- </div></div></div><div xml:lang="en-US" class="chapter" id="installing-ipa" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 2. Installing a FreeIPA Server</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#Preparing_for_an_IPA_Installation">2.1. Preparing to Install the FreeIPA Server</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Hardware_Requirements">2.1.1. Hardware Requirements</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Software_Requirements">2.1.2. Software Requirements</a></span></dt><dt><span class="section"><a href="#prerequisites">2.1.3. System Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#Installing_the_IPA_Server_Packages">2.2. Installing the FreeIPA Server Packages</a></span></dt><dt><span class="section"><a hr
ef="#creating-server">2.3. Creating a FreeIPA Server Instance</a></span></dt><dd><dl><dt><span class="section"><a href="#install-command">2.3.1. About ipa-server-install</a></span></dt><dt><span class="section"><a href="#install-interactive">2.3.2. Setting up a FreeIPA Server: Basic Interactive Installation</a></span></dt><dt><span class="section"><a href="#install-examples">2.3.3. Examples of Creating the FreeIPA Server</a></span></dt><dt><span class="section"><a href="#troubleshooting-install">2.3.4. Troubleshooting Installation Problems</a></span></dt></dl></dd><dt><span class="section"><a href="#chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas">2.4. Setting up FreeIPA Replicas</a></span></dt><dd><dl><dt><span class="section"><a href="#installing-replica">2.4.1. Prepping and Installing the Replica Server</a></span></dt><dt><span class="section"><a href="#creating-the-replica">2.4.2. Creating the Replica</a></span></dt><dt><span class="section"><a href="#t
roubleshooting-replica-install">2.4.3. Troubleshooting Replica Installation</a></span></dt></dl></dd><dt><span class="section"><a href="#Uninstalling_IPA_Servers">2.5. Uninstalling FreeIPA Servers and Replicas</a></span></dt></dl></div><div class="para">
+ </div></div></div><div xml:lang="en-US" class="chapter" id="installing-ipa" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 1. Installing a FreeIPA Server</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#Preparing_for_an_IPA_Installation">1.1. Preparing to Install the FreeIPA Server</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Hardware_Requirements">1.1.1. Hardware Requirements</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Software_Requirements">1.1.2. Software Requirements</a></span></dt><dt><span class="section"><a href="#prerequisites">1.1.3. System Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="#Installing_the_IPA_Server_Packages">1.2. Installing the FreeIPA Server Packages</a></span></dt><dt><span class="section"><a hre
f="#creating-server">1.3. Creating a FreeIPA Server Instance</a></span></dt><dd><dl><dt><span class="section"><a href="#install-command">1.3.1. About ipa-server-install</a></span></dt><dt><span class="section"><a href="#install-interactive">1.3.2. Setting up a FreeIPA Server: Basic Interactive Installation</a></span></dt><dt><span class="section"><a href="#install-examples">1.3.3. Examples of Creating the FreeIPA Server</a></span></dt><dt><span class="section"><a href="#troubleshooting-install">1.3.4. Troubleshooting Installation Problems</a></span></dt></dl></dd><dt><span class="section"><a href="#chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas">1.4. Setting up FreeIPA Replicas</a></span></dt><dd><dl><dt><span class="section"><a href="#installing-replica">1.4.1. Prepping and Installing the Replica Server</a></span></dt><dt><span class="section"><a href="#creating-the-replica">1.4.2. Creating the Replica</a></span></dt><dt><span class="section"><a href="#tr
oubleshooting-replica-install">1.4.3. Troubleshooting Replica Installation</a></span></dt></dl></dd><dt><span class="section"><a href="#Uninstalling_IPA_Servers">1.5. Uninstalling FreeIPA Servers and Replicas</a></span></dt></dl></div><div class="para">
The FreeIPA domain is defined and managed by a FreeIPA <span class="emphasis"><em>server</em></span> which is essentially a domain controller. There can be multiple domain controllers within a domain for load-balancing and failover tolerance. These additional servers are called <span class="emphasis"><em>replicas</em></span> of the master FreeIPA server.
</div><div class="para">
Both FreeIPA servers and replicas only run on Fedora systems. For both servers and replicas, the necessary packages must be installed and then the FreeIPA server or replica itself is configured through setup scripts, which configure all of the requisite services.
- </div><div class="section" id="Preparing_for_an_IPA_Installation"><div class="titlepage"><div><div><h2 class="title" id="Preparing_for_an_IPA_Installation">2.1. Preparing to Install the FreeIPA Server</h2></div></div></div><div class="para">
+ </div><div class="section" id="Preparing_for_an_IPA_Installation"><div class="titlepage"><div><div><h2 class="title" id="Preparing_for_an_IPA_Installation">1.1. Preparing to Install the FreeIPA Server</h2></div></div></div><div class="para">
Before you install FreeIPA, ensure that the installation environment is suitably configured. You also need to provide certain information during the installation and configuration procedures, including realm names and certain usernames and passwords. This section describes the information that you need to provide.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Hardware_Requirements"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Hardware_Requirements">2.1.1. Hardware Requirements</h3></div></div></div><div class="para">
- A basic user entry is about 1 KB in size, as is a simple host entry with a certificate. The structure of the directory tree and the number of indexes in the Directory Server instance can impact the hardware required for the best performance. <a class="xref" href="#tab.Minimum_hardware_requirements_for_IPA">Table 2.1, “Minimum Hardware Requirements”</a> lists the recommended minimums. For customized systems, additional indexes, or larger user entries, it is more effective to increase the RAM than to increase the disk space because the Directory Server stores much of its data in cache. Add info for disk layout/size recommendations, from https://www.redhat.com/archives/freeipa-users/2011-May/msg00012.html
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Hardware_Requirements"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Hardware_Requirements">1.1.1. Hardware Requirements</h3></div></div></div><div class="para">
+ A basic user entry is about 1 KB in size, as is a simple host entry with a certificate. The structure of the directory tree and the number of indexes in the Directory Server instance can impact the hardware required for the best performance. <a class="xref" href="#tab.Minimum_hardware_requirements_for_IPA">Table 1.1, “Minimum Hardware Requirements”</a> lists the recommended minimums. For customized systems, additional indexes, or larger user entries, it is more effective to increase the RAM than to increase the disk space because the Directory Server stores much of its data in cache. Add info for disk layout/size recommendations, from https://www.redhat.com/archives/freeipa-users/2011-May/msg00012.html
</div><div class="note"><div class="admonition_header"><h2>TIP</h2></div><div class="admonition"><div class="para">
The Directory Server instance used by the FreeIPA server can be tuned to increase performance. For tuning information, see the Directory Server documentation at <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html</a>.
</div></div></div><div class="para">
The system requirements for both 32-bit and 64-bit platforms are the same.
- </div><div class="table" id="tab.Minimum_hardware_requirements_for_IPA"><h6>Table 2.1. Minimum Hardware Requirements</h6><div class="table-contents"><table summary="Minimum Hardware Requirements" border="1"><colgroup><col width="25%" align="center" /><col width="25%" align="center" /><col width="25%" align="center" /><col width="25%" align="center" /></colgroup><thead><tr><th align="center">
+ </div><div class="table" id="tab.Minimum_hardware_requirements_for_IPA"><h6>Table 1.1. Minimum Hardware Requirements</h6><div class="table-contents"><table summary="Minimum Hardware Requirements" border="1"><colgroup><col width="25%" align="center" /><col width="25%" align="center" /><col width="25%" align="center" /><col width="25%" align="center" /></colgroup><thead><tr><th align="center">
Minimum Hardware Requirements
</th><th align="center">
10,000 - 250,000 Entries
@@ -196,21 +142,21 @@
4 GB
</td><td align="center">
8 GB
- </td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Software_Requirements"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Software_Requirements">2.1.2. Software Requirements</h3></div></div></div><div class="para">
+ </td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Software_Requirements"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Software_Requirements">1.1.2. Software Requirements</h3></div></div></div><div class="para">
Most of the packages that a FreeIPA server depends on are installed as dependencies when the FreeIPA packages are installed. There are some packages, however, which are required before installing the FreeIPA packages:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Kerberos 1.9
</div></li><li class="listitem"><div class="para">
The <span class="package">named</span> and <span class="package">bind-dyndb-ldap</span> packages for DNS
- </div></li></ul></div></div><div class="section" id="prerequisites"><div class="titlepage"><div><div><h3 class="title" id="prerequisites">2.1.3. System Prerequisites</h3></div></div></div><div class="para">
+ </div></li></ul></div></div><div class="section" id="prerequisites"><div class="titlepage"><div><div><h3 class="title" id="prerequisites">1.1.3. System Prerequisites</h3></div></div></div><div class="para">
The FreeIPA server is set up using a configuration script, and this script makes certain assumption about the host system. If the system does not meet these prerequisites, then server configuration may fail.
- </div><div class="section" id="prereq-ds"><div class="titlepage"><div><div><h4 class="title" id="prereq-ds">2.1.3.1. Directory Server</h4></div></div></div><div class="para">
+ </div><div class="section" id="prereq-ds"><div class="titlepage"><div><div><h4 class="title" id="prereq-ds">1.1.3.1. Directory Server</h4></div></div></div><div class="para">
There must not be any instances of 389 Directory Server installed on the host machine.
- </div></div><div class="section" id="prereq-system"><div class="titlepage"><div><div><h4 class="title" id="prereq-system">2.1.3.2. System Files </h4></div></div></div><div class="para">
+ </div></div><div class="section" id="prereq-system"><div class="titlepage"><div><div><h4 class="title" id="prereq-system">1.1.3.2. System Files </h4></div></div></div><div class="para">
The server script overwrites system files to set up the FreeIPA domain. The system should be clean, without custom configuration for services like DNS and Kerberos, before configuring the FreeIPA server.
- </div></div><div class="section" id="prereq-ports"><div class="titlepage"><div><div><h4 class="title" id="prereq-ports">2.1.3.3. System Ports</h4></div></div></div><div class="para">
- FreeIPA uses a number of ports to communicate with its services. These ports, listed in <a class="xref" href="#tab.ipa-ports">Table 2.2, “FreeIPA Ports”</a>, must be open and available for FreeIPA to work. They cannot be in use by another service or blocked by a firewall. To make sure that these ports are available, try <code class="command">iptables</code> to list the available ports or <code class="command">nc</code>, <code class="command">telnet</code>, or <code class="command">nmap</code> to connect to a port or run a port scan.
- </div><div class="table" id="tab.ipa-ports"><h6>Table 2.2. FreeIPA Ports</h6><div class="table-contents"><table summary="FreeIPA Ports" border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
+ </div></div><div class="section" id="prereq-ports"><div class="titlepage"><div><div><h4 class="title" id="prereq-ports">1.1.3.3. System Ports</h4></div></div></div><div class="para">
+ FreeIPA uses a number of ports to communicate with its services. These ports, listed in <a class="xref" href="#tab.ipa-ports">Table 1.2, “FreeIPA Ports”</a>, must be open and available for FreeIPA to work. They cannot be in use by another service or blocked by a firewall. To make sure that these ports are available, try <code class="command">iptables</code> to list the available ports or <code class="command">nc</code>, <code class="command">telnet</code>, or <code class="command">nmap</code> to connect to a port or run a port scan.
+ </div><div class="table" id="tab.ipa-ports"><h6>Table 1.2. FreeIPA Ports</h6><div class="table-contents"><table summary="FreeIPA Ports" border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
Service
</th><th>
Ports
@@ -238,16 +184,16 @@
</td><td>
53
</td></tr><tr><td>
- NTP<sup>[<a id="id4327073" href="#ftn.id4327073" class="footnote">b</a>]</sup>
+ NTP<sup>[<a id="id3051824" href="#ftn.id3051824" class="footnote">b</a>]</sup>
</td><td>
123
</td></tr></tbody><tbody class="footnotes"><tr><td colspan="2"><div class="footnote" id="ft.udp-tcp"><p><sup>[<a id="ftn.ft.udp-tcp" href="#ft.udp-tcp" class="para">a</a>] </sup>
This service uses both TCP adn UDP ports.
- </p></div><div class="footnote"><p><sup>[<a id="ftn.id4327073" href="#id4327073" class="para">b</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.id3051824" href="#id3051824" class="para">b</a>] </sup>
This service uses UDP ports only.
- </p></div></td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-DNS"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-DNS">2.1.3.4. DNS</h4></div></div></div><div class="para">
+ </p></div></td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-DNS"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-DNS">1.1.3.4. DNS</h4></div></div></div><div class="para">
FreeIPA uses DNS for the FreeIPA clients to find (<span class="emphasis"><em>discover</em></span>) the FreeIPA servers. The DNS service can be managed by FreeIPA itself, or FreeIPA can use an existing DNS server. Without a properly configured and working DNS, server discovery for clients and FreeIPA services like, LDAP, Kerberos, and SSL may fail to work.
- </div><div class="section" id="dns-requirements"><div class="titlepage"><div><div><h5 class="title" id="dns-requirements">2.1.3.4.1. DNS Requirements</h5></div></div></div><div class="para">
+ </div><div class="section" id="dns-requirements"><div class="titlepage"><div><div><h5 class="title" id="dns-requirements">1.1.3.4.1. DNS Requirements</h5></div></div></div><div class="para">
Regardless of whether the DNS is within the FreeIPA server or external, the server host must have DNS properly configured:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
The server's machine name must be set and resolve to its public IP address. The fully-qualified domain name cannot resolve to the loopback address. It must resolve to the machine's public IP address, not to <code class="systemitem">127.0.0.1</code>. The output of the <code class="command">hostname</code> command cannot be <code class="systemitem">localhost</code> or <code class="systemitem">localhost6</code>.
@@ -259,12 +205,12 @@
The DNS must be correctly configured to resolve forward and reverse addresses. The DNS does not need to be on the same machine as the FreeIPA server, but it does need to be fully functional.
</div><div class="para">
If you do not have a functional DNS, you can use the <code class="option">--setup-dns</code> option when you install FreeIPA to automatically configure a suitable DNS.
- </div></li></ul></div></div><div class="section" id="dns-file"><div class="titlepage"><div><div><h5 class="title" id="dns-file">2.1.3.4.2. FreeIPA-Generated DNS File</h5></div></div></div><div class="para">
+ </div></li></ul></div></div><div class="section" id="dns-file"><div class="titlepage"><div><div><h5 class="title" id="dns-file">1.1.3.4.2. FreeIPA-Generated DNS File</h5></div></div></div><div class="para">
To help create and configure a suitable DNS setup, the FreeIPA installation script creates a sample zone file. During the installation, FreeIPA displays a message similar to the following:
</div><pre class="screen">Sample zone file for bind has been created in /tmp/sample.zone.F_uMf4.db
</pre><div class="para">
You should use this file in your DNS zone file.
- </div></div><div class="section" id="DNS-IPA_DNS_and_NSCD"><div class="titlepage"><div><div><h5 class="title" id="DNS-IPA_DNS_and_NSCD">2.1.3.4.3. IPA, DNS, and NSCD</h5></div></div></div><div class="para">
+ </div></div><div class="section" id="DNS-IPA_DNS_and_NSCD"><div class="titlepage"><div><div><h5 class="title" id="DNS-IPA_DNS_and_NSCD">1.1.3.4.3. IPA, DNS, and NSCD</h5></div></div></div><div class="para">
<span class="emphasis"><em>It is strongly recommended</em></span> that you avoid or restrict the use of <code class="systemitem">nscd</code> (Name Service Caching Daemon) in a FreeIPA deployment. The <code class="systemitem">nscd</code> service is extremely useful for reducing the load on the server, and for making clients more responsive, but drawbacks also exist. This is especially true in deployments that take advantage of SSSD, which performs its own caching.
</div><div class="para">
<code class="systemitem">nscd</code> performs caching operations for all services that perform queries via the nsswitch interface, including <code class="command">getent</code>. Because <code class="systemitem">nscd</code> performs both positive and negative caching, if a request determines that a specific FreeIPA user does not exist, it marks this as a negative cache. Values stored in the cache remain until the cache expires, regardless of any changes that may occur on the server. The results of such caching is that new users and memberships may not be visible, and users and memberships that have been removed may still be visible.
@@ -274,7 +220,7 @@
negative-time-to-live group 60
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
-</pre></div><div class="section" id="form-Enterprise_Identity_Management_Guide-DNS-DNS_and_Kerberos"><div class="titlepage"><div><div><h5 class="title" id="form-Enterprise_Identity_Management_Guide-DNS-DNS_and_Kerberos">2.1.3.4.4. DNS and Kerberos</h5></div></div></div><div class="para">
+</pre></div><div class="section" id="form-Enterprise_Identity_Management_Guide-DNS-DNS_and_Kerberos"><div class="titlepage"><div><div><h5 class="title" id="form-Enterprise_Identity_Management_Guide-DNS-DNS_and_Kerberos">1.1.3.4.4. DNS and Kerberos</h5></div></div></div><div class="para">
The Kerberos server requires a valid DNS A record, and reverse DNS needs to work correctly. It is safe to use CNAMEs if they point to the A name that corresponds to the principal name used to create SPNs (Service Principal Names) for the host. You should avoid the use of DDNS names, however, as this can cause major problems later on.
</div><div class="para">
If necessary, add the hostname to the <code class="filename">/etc/hosts</code> file, as long as the fully qualified hostname must be listed first. For example:
@@ -290,7 +236,7 @@ negative-time-to-live hosts 20
DNS forwarders must be specified as IP addresses, not as hostnames.
</div></div></div>
- </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Configuring_Networking"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Configuring_Networking">2.1.3.5. Configuring Networking</h4></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Networking-Configuring_Networking_Services"><div class="titlepage"><div><div><h5 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Networking-Configuring_Networking_Services">2.1.3.5.1. Configuring Networking Services</h5></div></div></div><div class="para">
+ </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Configuring_Networking"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Configuring_Networking">1.1.3.5. Configuring Networking</h4></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Networking-Configuring_Networking_Services"><div class="titlepage"><div><div><h5 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Networking-Configuring_Networking_Services">1.1.3.5.1. Configuring Networking Services</h5></div></div></div><div class="para">
The default networking service used by Fedora is NetworkManager, and due to the way this service works, it can cause problems with FreeIPA and the KDC. Consequently, it is highly recommended that you use the <code class="systemitem">network</code> service to manage the networking requirements in a FreeIPA environment and disable the NetworkManager service.
</div><div class="orderedlist" id="proc-Enterprise_Identity_Management_Guide-Configuring_Networking_Services-To_configure_networking_services_for_IPA"><ol><li class="listitem"><div class="para">
Boot the machine into single-user mode and run the following commands:
@@ -304,7 +250,7 @@ negative-time-to-live hosts 20
Ensure that static networking is correctly configured.
</div></li><li class="listitem"><div class="para">
Restart the system.
- </div></li></ol></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Networking-Configuring_the_etchosts_File"><div class="titlepage"><div><div><h5 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Networking-Configuring_the_etchosts_File">2.1.3.5.2. Configuring the /etc/hosts File</h5></div></div></div><div class="para">
+ </div></li></ol></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Networking-Configuring_the_etchosts_File"><div class="titlepage"><div><div><h5 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Networking-Configuring_the_etchosts_File">1.1.3.5.2. Configuring the /etc/hosts File</h5></div></div></div><div class="para">
You need to ensure that your <code class="filename">/etc/hosts</code> file is configured correctly. A misconfigured file can prevent the FreeIPA command-line tools from functioning correctly and can prevent the FreeIPA web interface from connecting to the FreeIPA server.
</div><div class="para">
Configure the <code class="filename">/etc/hosts</code> file to list the FQDN for the FreeIPA server <span class="emphasis"><em>before</em></span> any aliases. Also ensure that the hostname is not part of the <code class="literal">localhost</code> entry. The following is an example of a valid hosts file:
@@ -313,15 +259,15 @@ negative-time-to-live hosts 20
192.168.1.1 ipaserver.example.com ipaserver
</pre><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
Do not omit the <code class="systemitem">IPv4</code> entry in the <code class="filename">/etc/hosts</code> file. This entry is required by the FreeIPA web service.
- </div></div></div></div></div></div></div><div class="section" id="Installing_the_IPA_Server_Packages"><div class="titlepage"><div><div><h2 class="title" id="Installing_the_IPA_Server_Packages">2.2. Installing the FreeIPA Server Packages</h2></div></div></div><div class="para">
+ </div></div></div></div></div></div></div><div class="section" id="Installing_the_IPA_Server_Packages"><div class="titlepage"><div><div><h2 class="title" id="Installing_the_IPA_Server_Packages">1.2. Installing the FreeIPA Server Packages</h2></div></div></div><div class="para">
Installing only the FreeIPA server requires a single package, . If the FreeIPA server will also manage a DNS server, then it requires two additional packages to set up the DNS.
</div><div class="para">
All of these packages can be installed using the <code class="command">yum</code> command:
</div><pre class="programlisting"><span class="perl_Comment"># yum install freeipa-server bind bind-dyndb-ldap</span></pre><div class="para">
Installing the also installs a large number of dependencies, such as <span class="package">389-ds-base</span> for the LDAP service and <span class="package">krb5-server</span> for the Kerberos service, along with FreeIPA tools.
</div><div class="para">
- After the packages are installed, the server instance must be created using the <code class="command">ipa-server-install</code> command. The options for configuring the new server instance are described in <a class="xref" href="#creating-server">Section 2.3, “Creating a FreeIPA Server Instance”</a>.
- </div></div><div class="section" id="creating-server"><div class="titlepage"><div><div><h2 class="title" id="creating-server">2.3. Creating a FreeIPA Server Instance</h2></div></div></div><div class="para">
+ After the packages are installed, the server instance must be created using the <code class="command">ipa-server-install</code> command. The options for configuring the new server instance are described in <a class="xref" href="#creating-server">Section 1.3, “Creating a FreeIPA Server Instance”</a>.
+ </div></div><div class="section" id="creating-server"><div class="titlepage"><div><div><h2 class="title" id="creating-server">1.3. Creating a FreeIPA Server Instance</h2></div></div></div><div class="para">
The FreeIPA setup script creates a server instance, which includes configuring all of the required services for the FreeIPA domain:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
The network time daemon (ntpd)
@@ -342,21 +288,21 @@ negative-time-to-live hosts 20
</div></li></ul></div><div class="para">
The FreeIPA setup process can be minimal, where the administrator only supplies some required information, or it can be very specific, with user-defined settings for many parts of the FreeIPA services. The configuration is passed using arguments with the <code class="command">ipa-install-server</code> script.
</div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
- The port numbers and directory locations used by FreeIPA are all defined automatically, as defined in <a class="xref" href="#prereq-ports">Section 2.1.3.3, “System Ports”</a> and . These ports and directories <span class="emphasis"><em>cannot</em></span> be changed or customized.
- </div></div></div><div class="section" id="install-command"><div class="titlepage"><div><div><h3 class="title" id="install-command">2.3.1. About ipa-server-install</h3></div></div></div><div class="para">
+ The port numbers and directory locations used by FreeIPA are all defined automatically, as defined in <a class="xref" href="#prereq-ports">Section 1.1.3.3, “System Ports”</a> and . These ports and directories <span class="emphasis"><em>cannot</em></span> be changed or customized.
+ </div></div></div><div class="section" id="install-command"><div class="titlepage"><div><div><h3 class="title" id="install-command">1.3.1. About ipa-server-install</h3></div></div></div><div class="para">
A FreeIPA server instance is created by running the <code class="command">ipa-server-install</code> script. This script can accept user-defined settings for services, like DNS nad Kerberos, that are used by the FreeIPA instance, or it can supply predefined values for minimal input from the administrator.
</div><div class="para">
While <code class="command">ipa-server-install</code> can be run without any options, so that it prompts for the required information, it has numerous arguments which allow the configuration process to be easily scripted or to supply additional information which is not requested during an interactive installation.
</div><div class="para">
- <a class="xref" href="#tab.ipa-server-install-param">Table 2.3, “ipa-server-install Options”</a> lists the possible arguments with <code class="command">ipa-server-install</code>, while <a class="xref" href="#install-examples">Section 2.3.3, “Examples of Creating the FreeIPA Server”</a> has examples of some common installation scenarios. In real life, the <code class="command">ipa-server-install</code> options are versatile enough to be customized to the specific deployment environment.
- </div><div class="table" id="tab.ipa-server-install-param"><h6>Table 2.3. ipa-server-install Options</h6><div class="table-contents"><table summary="ipa-server-install Options" border="1"><colgroup><col width="33%" /><col width="33%" /><col width="33%" /></colgroup><thead><tr><th>
+ <a class="xref" href="#tab.ipa-server-install-param">Table 1.3, “ipa-server-install Options”</a> lists the possible arguments with <code class="command">ipa-server-install</code>, while <a class="xref" href="#install-examples">Section 1.3.3, “Examples of Creating the FreeIPA Server”</a> has examples of some common installation scenarios. In real life, the <code class="command">ipa-server-install</code> options are versatile enough to be customized to the specific deployment environment.
+ </div><div class="table" id="tab.ipa-server-install-param"><h6>Table 1.3. ipa-server-install Options</h6><div class="table-contents"><table summary="ipa-server-install Options" border="1"><colgroup><col width="33%" /><col width="33%" /><col width="33%" /></colgroup><thead><tr><th>
Argument
</th><th>
Alternate Argument
</th><th>
Description
</th></tr></thead><tbody><tr><td colspan="3">
- <span class="bold bold"><strong>Required Options</strong></span><sup>[<a id="id3199507" href="#ftn.id3199507" class="footnote">a</a>]</sup>
+ <span class="bold bold"><strong>Required Options</strong></span><sup>[<a id="id3312576" href="#ftn.id3312576" class="footnote">a</a>]</sup>
</td></tr><tr><td>
-a <span class="emphasis"><em>ipa_admin_password</em></span>
</td><td>
@@ -537,9 +483,9 @@ negative-time-to-live hosts 20
</td><td>
Prints the version number of the <code class="command">ipa-server-install</code> command.
- </td></tr></tbody><tbody class="footnotes"><tr><td colspan="3"><div class="footnote"><p><sup>[<a id="ftn.id3199507" href="#id3199507" class="para">a</a>] </sup>
+ </td></tr></tbody><tbody class="footnotes"><tr><td colspan="3"><div class="footnote"><p><sup>[<a id="ftn.id3312576" href="#id3312576" class="para">a</a>] </sup>
The installation script will prompt for these options if they are not passed with the script.
- </p></div></td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="install-interactive"><div class="titlepage"><div><div><h3 class="title" id="install-interactive">2.3.2. Setting up a FreeIPA Server: Basic Interactive Installation</h3></div></div></div><div class="para">
+ </p></div></td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="install-interactive"><div class="titlepage"><div><div><h3 class="title" id="install-interactive">1.3.2. Setting up a FreeIPA Server: Basic Interactive Installation</h3></div></div></div><div class="para">
All that is required to set up a FreeIPA server is to run the <code class="command">ipa-server-install</code> script. This launchs the script interactively, which prompts for the required information to set up a server, but without more advanced configuration like DNS and CA options.
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Run the <code class="command">ipa-server-install</code> script.
@@ -625,10 +571,10 @@ Password <span class="perl_Keyword">for</span> admin at EXAMPLE.COM:</pre></li><li
Member of <span class="perl_BString">groups</span>: admins
----------------------------
Number of entries returned 1
- ----------------------------</pre></li></ol></div></div><div class="section" id="install-examples"><div class="titlepage"><div><div><h3 class="title" id="install-examples">2.3.3. Examples of Creating the FreeIPA Server</h3></div></div></div><div class="para">
+ ----------------------------</pre></li></ol></div></div><div class="section" id="install-examples"><div class="titlepage"><div><div><h3 class="title" id="install-examples">1.3.3. Examples of Creating the FreeIPA Server</h3></div></div></div><div class="para">
The way that a FreeIPA server is installed can be different depending on the network environment, security requirements within the organization, and the desired topology. These example illustrate some common options when installing the server. These examples are not mutually exclusive; it is entirely possible to use CA options, DNS options, and FreeIPA configuration options in the same server invocation. These are called out separately simply to make it more clear what each configuration area requires.
- </div><div class="section" id="install-normal"><div class="titlepage"><div><div><h4 class="title" id="install-normal">2.3.3.1. Non-Interactive Basic Installation</h4></div></div></div><div class="para">
- As shown in <a class="xref" href="#install-interactive">Section 2.3.2, “Setting up a FreeIPA Server: Basic Interactive Installation”</a>, only a few pieces of information are required to configured a FreeIPA server. While the setup script can prompt for this information in interactive mode, this information can also be passed with the setup command to allow automated and unattended configuration:
+ </div><div class="section" id="install-normal"><div class="titlepage"><div><div><h4 class="title" id="install-normal">1.3.3.1. Non-Interactive Basic Installation</h4></div></div></div><div class="para">
+ As shown in <a class="xref" href="#install-interactive">Section 1.3.2, “Setting up a FreeIPA Server: Basic Interactive Installation”</a>, only a few pieces of information are required to configured a FreeIPA server. While the setup script can prompt for this information in interactive mode, this information can also be passed with the setup command to allow automated and unattended configuration:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Passwords for the FreeIPA administrative user and the Directory Server super user (Directory Manager)
</div></li><li class="listitem"><div class="para">
@@ -639,7 +585,7 @@ Password <span class="perl_Keyword">for</span> admin at EXAMPLE.COM:</pre></li><li
The DNS domain name
</div></li></ul></div><div class="para">
This information can be passed with the <code class="command">ipa-server-install</code>, along with the <code class="option">-U</code> to force it to run without requiring user interaction.
- </div><div class="example" id="ex.basic-opts"><h6>Example 2.1. Basic Installation without Interaction</h6><div class="example-contents"><pre class="programlisting"><span class="perl_Comment"># ipa-server-install -a secret12 --hostname=ipa2.server.example.com -r EXAMPLE.COM -p secret12 -n example.com -U</span></pre><div class="para">
+ </div><div class="example" id="ex.basic-opts"><h6>Example 1.1. Basic Installation without Interaction</h6><div class="example-contents"><pre class="programlisting"><span class="perl_Comment"># ipa-server-install -a secret12 --hostname=ipa2.server.example.com -r EXAMPLE.COM -p secret12 -n example.com -U</span></pre><div class="para">
The script then prints the submitted values:
</div><pre class="programlisting">To accept the default shown in brackets, press the Enter key.
@@ -647,18 +593,18 @@ The IPA Master Server will be configured with
Hostname: ipa2.server.example.com
IP address: 1.2.3.4
Domain name: example.com</pre><div class="para">
- Then the script runs through the configuration progress for each FreeIPA service, as in <a class="xref" href="#install-interactive">Section 2.3.2, “Setting up a FreeIPA Server: Basic Interactive Installation”</a>.
- </div></div></div><br class="example-break" /></div><div class="section" id="install-ca-options"><div class="titlepage"><div><div><h4 class="title" id="install-ca-options">2.3.3.2. Using Different CAs</h4></div></div></div><div class="para">
+ Then the script runs through the configuration progress for each FreeIPA service, as in <a class="xref" href="#install-interactive">Section 1.3.2, “Setting up a FreeIPA Server: Basic Interactive Installation”</a>.
+ </div></div></div><br class="example-break" /></div><div class="section" id="install-ca-options"><div class="titlepage"><div><div><h4 class="title" id="install-ca-options">1.3.3.2. Using Different CAs</h4></div></div></div><div class="para">
The default installation of FreeIPA uses an integrated Dogtag Certificate System instance as a certificate authority to issue certificates. However, this configuration is not required. FreeIPA only requires <span class="emphasis"><em>a</em></span> certificate authority. This can be an external CA like Verisign or a corporate CA inconjunction with the internal Certificate System, or it can even be the FreeIPA server itself, using a self-signed certificate.
</div><div class="para">
For the FreeIPA server itself to work as a CA, it uses a self-signed certificate, meaning that it approved and issued its own certificate. This is done by using the <code class="option">--selfsign</code> option with the <code class="command">ipa-server-install</code> command. When the FreeIPA server uses a self-signed certificate, the setup process is exactly the same as a normal installation, except that no Dogtag Certificate System instance is created. There is still a <code class="filename">cacert.p12</code> file created that can be used by replicas and the domain functions exactly the same. The only difference is what CA issues the certificates.
- </div><div class="example" id="ex.selfsigned"><h6>Example 2.2. Using a Self-Signed Certificate</h6><div class="example-contents"><pre class="programlisting"><span class="perl_Comment"># ipa-server-install -a secret12 --hostname=ipa2.server.example.com -r EXAMPLE.COM -p secret12 -n example.com -U --selfsign</span></pre></div></div><br class="example-break" /><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
+ </div><div class="example" id="ex.selfsigned"><h6>Example 1.2. Using a Self-Signed Certificate</h6><div class="example-contents"><pre class="programlisting"><span class="perl_Comment"># ipa-server-install -a secret12 --hostname=ipa2.server.example.com -r EXAMPLE.COM -p secret12 -n example.com -U --selfsign</span></pre></div></div><br class="example-break" /><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
A self-signed certificate should only be used for a testing or development environment. A production environment should use the Dogtag Certificate System instance or an external, public CA.
</div></div></div><div class="para">
Alternatively, the FreeIPA server can use a certificate issued by an external CA. This can be a corporate CA or a third-party CA like Verisign or Thawte. As with a normal setup process, using an external CA still uses a Dogtag Certificate System instance for the FreeIPA server for issuing all of its client and replica certificates; the initial CA certificate is simply issued by a different CA.
</div><div class="para">
When using an external CA, there are two additional steps that must be performed: submit the generated certificate request to the external CA and then load the CA certificate and issued server certificate to complete the setup.
- </div><div class="example" id="ex.externalca"><h6>Example 2.3. Using an External CA</h6><div class="example-contents"><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ </div><div class="example" id="ex.externalca"><h6>Example 1.3. Using an External CA</h6><div class="example-contents"><div class="orderedlist"><ol><li class="listitem"><div class="para">
Run the <code class="command">ipa-server-install</code> script, using the <code class="option">--external-ca</code> option.
</div><pre class="programlisting"><span class="perl_Comment"># ipa-server-install -a secret12 -r EXAMPLE.COM -P password -p secret12 -n ipa.server.example.com --external-ca</span></pre></li><li class="listitem"><div class="para">
The script sets up the NTP and Directory Server services as normal.
@@ -676,12 +622,12 @@ The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-in
</div></li><li class="listitem"><div class="para">
Rerun <code class="command">ipa-server-install</code>, specifying the locations and names of the certificate and CA chain files. For example:
</div><pre class="programlisting"><span class="perl_Comment"># ipa-server-install --external_cert_file=/tmp/servercert20110601.p12 --external_ca_file=/tmp/cacert.p12</span></pre></li><li class="listitem"><div class="para">
- Complete the setup process and verify that everything is working as expected, as in <a class="xref" href="#install-interactive">Section 2.3.2, “Setting up a FreeIPA Server: Basic Interactive Installation”</a>.
- </div></li></ol></div></div></div><br class="example-break" /></div><div class="section" id="install-dns"><div class="titlepage"><div><div><h4 class="title" id="install-dns">2.3.3.3. Using DNS</h4></div></div></div><div class="para">
+ Complete the setup process and verify that everything is working as expected, as in <a class="xref" href="#install-interactive">Section 1.3.2, “Setting up a FreeIPA Server: Basic Interactive Installation”</a>.
+ </div></li></ol></div></div></div><br class="example-break" /></div><div class="section" id="install-dns"><div class="titlepage"><div><div><h4 class="title" id="install-dns">1.3.3.3. Using DNS</h4></div></div></div><div class="para">
FreeIPA can be configured to manage its own DNS, use an existing DNS, or not use DNS services at all (which is the default). Running the setup script alone does not configure DNS; this requires the <code class="option">--setup-dns</code> option.
</div><div class="para">
As with a basic setup, the DNS setup can either prompt for the required information or the DNS information can be passed with the script to allow an automatic or unattended setup process.
- </div><div class="example" id="ex.dns-w-prompts"><h6>Example 2.4. Interactive DNS Setup</h6><div class="example-contents"><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ </div><div class="example" id="ex.dns-w-prompts"><h6>Example 1.4. Interactive DNS Setup</h6><div class="example-contents"><div class="orderedlist"><ol><li class="listitem"><div class="para">
Run the <code class="command">ipa-server-install</code> script, using the <code class="option">--setup-dns</code> option.
</div><pre class="programlisting"><span class="perl_Comment"># ipa-server-install -a secret12 -r EXAMPLE.COM -P password -p secret12 -n ipa.server.example.com --setup-dns</span></pre></li><li class="listitem"><div class="para">
The script configures the hostname and domain name as normal.
@@ -706,16 +652,16 @@ Configuring named:
<span class="perl_Keyword">done</span> configuring named.
==============================================================================
Setup <span class="perl_Reserved">complete</span></pre></li><li class="listitem"><div class="para">
- Verify that everything is working as expected, as in <a class="xref" href="#install-interactive">Section 2.3.2, “Setting up a FreeIPA Server: Basic Interactive Installation”</a>.
+ Verify that everything is working as expected, as in <a class="xref" href="#install-interactive">Section 1.3.2, “Setting up a FreeIPA Server: Basic Interactive Installation”</a>.
</div></li></ol></div></div></div><br class="example-break" /><div class="para">
If DNS is used with FreeIPA, then two pieces of information are required: any DNS forwarders that will be used and using (or not) reverse DNS. To perform a non-interactive setup, this information can be passed using the <code class="option">--forwarder | --no-forwarders</code> option and <code class="option">--no-reverse</code> option.
- </div><div class="example" id="ex.dns-script"><h6>Example 2.5. Setting up DNS Non-Interactively</h6><div class="example-contents"><div class="para">
+ </div><div class="example" id="ex.dns-script"><h6>Example 1.5. Setting up DNS Non-Interactively</h6><div class="example-contents"><div class="para">
To use DNS always requires the <code class="option">--setup-dns</code>. To user forwarders, use the <code class="option">--forwarder</code> with a comma-separated list of forwarders.
</div><pre class="programlisting"><span class="perl_Comment"># ipa-server-install ... --setup-dns --forwarder=1.2.3.0,1.2.255.0</span></pre><div class="para">
Some kind of forwarder information is required. If no external forwarders will be used with the FreeIPA DNS service, then use the <code class="option">--no-forwarders</code> option to indicate that only root servers will be used.
</div><div class="para">
The script always assumes that reverse DNS is configured along with DNS, so it is not necessary to use any options to <span class="emphasis"><em>enable</em></span> reverse DNS. To disable reverse DNS, use the <code class="option">--no-reverse</code> option.
- </div><pre class="programlisting"><span class="perl_Comment"># ipa-server-install ... --setup-dns --no-reverse</span></pre></div></div><br class="example-break" /></div></div><div class="section" id="troubleshooting-install"><div class="titlepage"><div><div><h3 class="title" id="troubleshooting-install">2.3.4. Troubleshooting Installation Problems</h3></div></div></div><div class="formalpara"><h5 class="formalpara" id="id3933131">GSS Failures When Running IPA Commands</h5>
+ </div><pre class="programlisting"><span class="perl_Comment"># ipa-server-install ... --setup-dns --no-reverse</span></pre></div></div><br class="example-break" /></div></div><div class="section" id="troubleshooting-install"><div class="titlepage"><div><div><h3 class="title" id="troubleshooting-install">1.3.4. Troubleshooting Installation Problems</h3></div></div></div><div class="formalpara"><h5 class="formalpara" id="id4658319">GSS Failures When Running IPA Commands</h5>
Immediately after installation, there can be Kerberos problems when trying to run an <code class="command">ipa-*</code> command. For example:
</div><pre class="programlisting">ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Decrypt integrity check failed', -1765328353)</pre><div class="para">
There are two potential causes for this:
@@ -723,7 +669,7 @@ Setup <span class="perl_Reserved">complete</span></pre></li><li class="listitem"
DNS is not properly configured.
</div></li><li class="listitem"><div class="para">
Active Directory is in the same domain as the FreeIPA server.
- </div></li></ul></div><div class="formalpara"><h5 class="formalpara" id="id3294372">named Daemon Fails to Start</h5>
+ </div></li></ul></div><div class="formalpara"><h5 class="formalpara" id="id3315744">named Daemon Fails to Start</h5>
If a FreeIPA server is configured to manage DNS and is set up successfully, but the <code class="systemitem">named</code> service fails to start, this can indicate that there is a package conflict. Check the <code class="filename">/var/log/messages</code> file for error messages related to the <code class="command">named</code> service and the <code class="filename">ldap.so</code> library:
</div><pre class="screen">ipaserver named[6886]: failed to dynamically load driver 'ldap.so': libldap-2.4.so.2: cannot open shared object file: No such file or directory</pre><div class="para">
This usually means that the <span class="package">bind-chroot</span> package is installed and is preventing the <code class="systemitem">named</code> service from starting. To resolve this issue, remove the <span class="package">bind-chroot</span> package and then restart the FreeIPA server.
@@ -731,7 +677,7 @@ Setup <span class="perl_Reserved">complete</span></pre></li><li class="listitem"
<span class="perl_Comment"></span>
<span class="perl_Comment"># ipactl restart</span></pre>
- </div></div></div><div class="section" id="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas"><div class="titlepage"><div><div><h2 class="title" id="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas">2.4. Setting up FreeIPA Replicas</h2></div></div></div><div class="para">
+ </div></div></div><div class="section" id="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas"><div class="titlepage"><div><div><h2 class="title" id="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas">1.4. Setting up FreeIPA Replicas</h2></div></div></div><div class="para">
In the FreeIPA domain, there are three types of machines:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Servers, which manage all of the services used by domain members
@@ -743,17 +689,17 @@ Setup <span class="perl_Reserved">complete</span></pre></li><li class="listitem"
A replica is a clone of a specific FreeIPA server. The server and replica share the same internal information about users, machines, certificates, and configured policies. These data are copied from the server to the replica in a process called <span class="emphasis"><em>replication</em></span>. The two Directory Server instances used by an FreeIPA server — the Directory Server instance used by the FreeIPA server as a data store and the Directory Server instance used by the Dogtag Certificate System to store certificate information — are replicated over to corresponding consumer Directory Server instances used by the FreeIPA replica.
</div><div class="note"><div class="admonition_header"><h2>TIP</h2></div><div class="admonition"><div class="para">
If you are using the integrated Dogtag Certificate System instance as the CA for the FreeIPA domain, then it is possible to make a replica of a replica. It is <span class="emphasis"><em>not</em></span> possible to make a replica of a replica if you use the <code class="option">--selfsign</code> option for the original FreeIPA server.
- </div></div></div><div class="section" id="installing-replica"><div class="titlepage"><div><div><h3 class="title" id="installing-replica">2.4.1. Prepping and Installing the Replica Server</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="installing-replica"><div class="titlepage"><div><div><h3 class="title" id="installing-replica">1.4.1. Prepping and Installing the Replica Server</h3></div></div></div><div class="para">
Replicas are functionally the same as FreeIPA servers, so they have the same installation requirements and packages.
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
- Make sure that the machine meets all of the prerequisites listed in <a class="xref" href="#Preparing_for_an_IPA_Installation">Section 2.1, “Preparing to Install the FreeIPA Server”</a>.
+ Make sure that the machine meets all of the prerequisites listed in <a class="xref" href="#Preparing_for_an_IPA_Installation">Section 1.1, “Preparing to Install the FreeIPA Server”</a>.
</div></li><li class="listitem"><div class="para">
- Install the server packages as in <a class="xref" href="#Installing_the_IPA_Server_Packages">Section 2.2, “Installing the FreeIPA Server Packages”</a>. However, do <span class="emphasis"><em>not</em></span> run the <code class="command">ipa-server-install</code> script.
+ Install the server packages as in <a class="xref" href="#Installing_the_IPA_Server_Packages">Section 1.2, “Installing the FreeIPA Server Packages”</a>. However, do <span class="emphasis"><em>not</em></span> run the <code class="command">ipa-server-install</code> script.
</div><div class="important"><div class="admonition_header"><h2>IMPORTANT</h2></div><div class="admonition"><div class="para">
The replica and the master server must be running the same version of FreeIPA.
</div></div></div></li><li class="listitem"><div class="para">
If there is an existing Dogtag Certificate System or Red Hat Certificate System instance on the replica machine, make sure that port <code class="systemitem">7389</code> is free. This port is used by the master FreeIPA server to communicate with the replica.
- </div></li></ul></div></div><div class="section" id="creating-the-replica"><div class="titlepage"><div><div><h3 class="title" id="creating-the-replica">2.4.2. Creating the Replica</h3></div></div></div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
+ </div></li></ul></div></div><div class="section" id="creating-the-replica"><div class="titlepage"><div><div><h3 class="title" id="creating-the-replica">1.4.2. Creating the Replica</h3></div></div></div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
Make sure that the replica machine exists in the server's DNS <span class="emphasis"><em>before</em></span> beginning to configure the replica. If the server cannot contact the replica machine during the configuration process, then the replica configuration fails.
</div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
C\On the master server, create a <span class="emphasis"><em>replica information file</em></span>. This contains realm and configuration information taken from the master server which will be used to configure the replica server.
@@ -807,7 +753,7 @@ $ ipa dnsrecord-add example.com @ --ns-rec ipareplica.example.com.</pre>
</div><div class="important"><div class="admonition_header"><h2>IMPORTANT</h2></div><div class="admonition"><div class="para">
Use the fully-qualified domain name of the replica, including the final period (.), otherwise BIND will treat the hostname as relative to the domain.
- </div></div></div></li></ol></div></div><div class="section" id="troubleshooting-replica-install"><div class="titlepage"><div><div><h3 class="title" id="troubleshooting-replica-install">2.4.3. Troubleshooting Replica Installation</h3></div></div></div><div class="para">
+ </div></div></div></li></ol></div></div><div class="section" id="troubleshooting-replica-install"><div class="titlepage"><div><div><h3 class="title" id="troubleshooting-replica-install">1.4.3. Troubleshooting Replica Installation</h3></div></div></div><div class="para">
If the replica installation fails on step 3 (<span class="bold bold"><strong>[3/11]: configuring certificate server instance</strong></span>), that usually means that the required port is not available. This can be verified by checking the debug logs for the CA, <code class="filename">/var/log/pki-ca/debug</code>, which may show error messages about being unable to find certain entries. For example:
<pre class="screen">[04/Feb/2011:22:29:03][http-9445-Processor25]: DatabasePanel
comparetAndWaitEntries ou=people,o=ipaca not found, let's wait</pre>
@@ -818,11 +764,11 @@ comparetAndWaitEntries ou=people,o=ipaca not found, let's wait</pre>
</div><div class="para">
After uninstalling the replica, ensure that port 7389 on the replica is available, and retry the replica installation.
- </div></div></div><div class="section" id="Uninstalling_IPA_Servers"><div class="titlepage"><div><div><h2 class="title" id="Uninstalling_IPA_Servers">2.5. Uninstalling FreeIPA Servers and Replicas</h2></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Uninstalling_IPA_Servers"><div class="titlepage"><div><div><h2 class="title" id="Uninstalling_IPA_Servers">1.5. Uninstalling FreeIPA Servers and Replicas</h2></div></div></div><div class="para">
To uninstall both a FreeIPA server and a FreeIPA replica, pass the <code class="option">--uninstall</code> option to the <code class="command">ipa-server-install</code> command:
<pre class="programlisting"><span class="perl_Comment"># ipa-server-install --uninstall</span></pre>
- </div></div></div><div xml:lang="en-US" class="chapter" id="setting-up-clients" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 3. Setting up Systems as FreeIPA Clients</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#what-happens-clients">3.1. What Happens in Client Setup</a></span></dt><dt><span class="section"><a href="#Configuring_Microsoft_Windows">3.2. Configuring a Microsoft Windows System as a FreeIPA Client</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Solaris">3.3. Configuring a Solaris System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Solaris_10">3.3.1. Configuring Solaris 10</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9">3.3.2. Configuring Solaris 9</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_an_IPA_C
lient_on_HP_UX">3.4. Configuring an HP-UX System as a FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX-Configuring_NTP">3.4.1. Configuring NTP</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX-Configuring_LDAP_Authentication">3.4.2. Configuring LDAP Authentication</a></span></dt><dt><span class="section"><a href="#Configuring_Kerberos_and_PAM-Configuring_Kerberos">3.4.3. Configuring Kerberos</a></span></dt><dt><span class="section"><a href="#Configuring_Kerberos_and_PAM-Configuring_PAM">3.4.4. Configuring PAM</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX-Configuring_SSH">3.4.5. Configuring SSH</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX-Configuring_Access_Control">3.4.6. Configuring Access Control</a></span></dt><dt><span class="section"><a href="#hp-test">3.4.7. Testing the Configuration</a></span></dt></d
l></dd><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_AIX">3.5. Configuring an AIX System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_AIX-Prerequisites">3.5.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_AIX-Configuring_Client_Authentication">3.5.2. Configuring the AIX Client</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X">3.6. Configuring a Macintosh OS X System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_Kerberos_Authentication">3.6.1. Configuring Kerberos Authentication</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_LDAP_Authorization">3.6.2. Configuring LDAP Authorization</a></span></dt><dt><span class="section"><a href="#Configuring_an
_IPA_Client_on_Macintosh_OS_X-Configuring_the_LDAP_Authorization_Options">3.6.3. Configuring the LDAP Authorization Options</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_NTP">3.6.4. Configuring NTP</a></span></dt><dt><span class="section"><a href="#testing-config-on-mac">3.6.5. Testing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#uninstalling-clients">3.7. Uninstalling a FreeIPA Client</a></span></dt></dl></div><div class="para">
+ </div></div></div><div xml:lang="en-US" class="chapter" id="setting-up-clients" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 2. Setting up Systems as FreeIPA Clients</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#what-happens-clients">2.1. What Happens in Client Setup</a></span></dt><dt><span class="section"><a href="#Configuring_Microsoft_Windows">2.2. Configuring a Microsoft Windows System as a FreeIPA Client</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Solaris">2.3. Configuring a Solaris System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Solaris_10">2.3.1. Configuring Solaris 10</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9">2.3.2. Configuring Solaris 9</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_an_IPA_C
lient_on_HP_UX">2.4. Configuring an HP-UX System as a FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX-Configuring_NTP">2.4.1. Configuring NTP</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX-Configuring_LDAP_Authentication">2.4.2. Configuring LDAP Authentication</a></span></dt><dt><span class="section"><a href="#Configuring_Kerberos_and_PAM-Configuring_Kerberos">2.4.3. Configuring Kerberos</a></span></dt><dt><span class="section"><a href="#Configuring_Kerberos_and_PAM-Configuring_PAM">2.4.4. Configuring PAM</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX-Configuring_SSH">2.4.5. Configuring SSH</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_HP_UX-Configuring_Access_Control">2.4.6. Configuring Access Control</a></span></dt><dt><span class="section"><a href="#hp-test">2.4.7. Testing the Configuration</a></span></dt></d
l></dd><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_AIX">2.5. Configuring an AIX System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_AIX-Prerequisites">2.5.1. Prerequisites</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_AIX-Configuring_Client_Authentication">2.5.2. Configuring the AIX Client</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X">2.6. Configuring a Macintosh OS X System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_Kerberos_Authentication">2.6.1. Configuring Kerberos Authentication</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_LDAP_Authorization">2.6.2. Configuring LDAP Authorization</a></span></dt><dt><span class="section"><a href="#Configuring_an
_IPA_Client_on_Macintosh_OS_X-Configuring_the_LDAP_Authorization_Options">2.6.3. Configuring the LDAP Authorization Options</a></span></dt><dt><span class="section"><a href="#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_NTP">2.6.4. Configuring NTP</a></span></dt><dt><span class="section"><a href="#testing-config-on-mac">2.6.5. Testing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#uninstalling-clients">2.7. Uninstalling a FreeIPA Client</a></span></dt></dl></div><div class="para">
A <span class="emphasis"><em>client</em></span> is any system which is a member of the FreeIPA domain. While this is frequently a Fedora system (and FreeIPA has special tools to make configuring Fedora clients very simple), machines with other operating systems can also be added to the FreeIPA domain.
</div><div class="para">
One important aspect of a FreeIPA client is that <span class="emphasis"><em>only</em></span> the system configuration determines whether the system is part of the domain. (The configuration includes things like belonging to the Kerberos domain, DNS domain, and having the proper authentication and certificate setup.) FreeIPA does not require any sort of agent or daemon running on a client.
@@ -830,7 +776,7 @@ comparetAndWaitEntries ou=people,o=ipaca not found, let's wait</pre>
This chapter explains how to configure a system to join a FreeIPA domain.
</div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
Clients can only be configured after at least one FreeIPA server has been installed.
- </div></div></div><div class="section" id="what-happens-clients"><div class="titlepage"><div><div><h2 class="title" id="what-happens-clients">3.1. What Happens in Client Setup</h2></div></div></div><div class="para">
+ </div></div></div><div class="section" id="what-happens-clients"><div class="titlepage"><div><div><h2 class="title" id="what-happens-clients">2.1. What Happens in Client Setup</h2></div></div></div><div class="para">
Whether the client configuration is performed automatically on Fedora systems using the client setup script or manually on other systems, the general process of configuring a machine to serve as a FreeIPA client is mostly the same, with slight variation depending on the platform:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Retrieve the CA certificate for the FreeIPA CA.
@@ -866,7 +812,7 @@ example.com = EXAMPLE.COM
Configures SSSD or LDAP/KRB5, including NSS and PAM configuration files.
</div></li><li class="listitem"><div class="para">
Configure NTP.
- </div></li></ul></div></div><div class="section" id="Configuring_Microsoft_Windows"><div class="titlepage"><div><div><h2 class="title" id="Configuring_Microsoft_Windows">3.2. Configuring a Microsoft Windows System as a FreeIPA Client</h2></div></div></div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
+ </div></li></ul></div></div><div class="section" id="Configuring_Microsoft_Windows"><div class="titlepage"><div><div><h2 class="title" id="Configuring_Microsoft_Windows">2.2. Configuring a Microsoft Windows System as a FreeIPA Client</h2></div></div></div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
FreeIPA does <span class="emphasis"><em>not</em></span> support Microsoft Windows client authentication.
</div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Download the MIT Kerberos 3.x package for Windows.
@@ -888,7 +834,7 @@ example.com = EXAMPLE.COM
Edit the hosts file and add the FreeIPA server. For example:
</div><pre class="programlisting">1.2.3.4 ipaserver.example.com ipaserver</pre><div class="para">
Depending on the version of Windows, the HOSTS file could be located in different directories.
- </div></li></ol></div></div><div class="section" id="Configuring_an_IPA_Client_on_Solaris"><div class="titlepage"><div><div><h2 class="title" id="Configuring_an_IPA_Client_on_Solaris">3.3. Configuring a Solaris System as a FreeIPA Client</h2></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_Solaris_10"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Solaris_10">3.3.1. Configuring Solaris 10</h3></div></div></div><div class="orderedlist"><ol><li class="listitem" id="st.sol1"><div class="para">
+ </div></li></ol></div></div><div class="section" id="Configuring_an_IPA_Client_on_Solaris"><div class="titlepage"><div><div><h2 class="title" id="Configuring_an_IPA_Client_on_Solaris">2.3. Configuring a Solaris System as a FreeIPA Client</h2></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_Solaris_10"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Solaris_10">2.3.1. Configuring Solaris 10</h3></div></div></div><div class="orderedlist"><ol><li class="listitem" id="st.sol1"><div class="para">
As with Fedora systems, FreeIPA provides an automated method of configuring Solaris 10 to function as a FreeIPA client. On the Solaris client, run the <code class="command">ldapclient</code> with the name of the FreeIPA domain:
</div><pre class="programlisting"><span class="perl_Comment"># ldapclient init ipa.example.com -v</span></pre><div class="para">
When the command is run, it creates a configuration profile that will automatically set up the necessary PAM and <code class="filename">/etc/ldap.conf</code> configuration.
@@ -965,8 +911,8 @@ forwardable= true
ktutil: <span class="perl_BString">write</span>_kt /etc/krb5/krb5.keytab
ktutil: q</pre>
- </div></li></ol></div></li></ol></div></div><div class="section" id="Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9">3.3.2. Configuring Solaris 9</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
- Perform steps <a class="xref" href="#st.sol1">1</a> through <a class="xref" href="#st.sol3">3</a> in <a class="xref" href="#Configuring_an_IPA_Client_on_Solaris_10">Section 3.3.1, “Configuring Solaris 10”</a> to set up the Solaris 9 client.
+ </div></li></ol></div></li></ol></div></div><div class="section" id="Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9">2.3.2. Configuring Solaris 9</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ Perform steps <a class="xref" href="#st.sol1">1</a> through <a class="xref" href="#st.sol3">3</a> in <a class="xref" href="#Configuring_an_IPA_Client_on_Solaris_10">Section 2.3.1, “Configuring Solaris 10”</a> to set up the Solaris 9 client.
</div></li><li class="listitem"><div class="para">
Configure the <code class="filename">/etc/pam.conf</code> file to use PAM Kerberos. For example:
</div><pre class="programlisting">login auth requisite pam_authtok_get.so.1
@@ -975,11 +921,11 @@ login auth sufficient pam_unix.so.1 use_first_pass
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
-</pre></li></ol></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX"><div class="titlepage"><div><div><h2 class="title" id="Configuring_an_IPA_Client_on_HP_UX">3.4. Configuring an HP-UX System as a FreeIPA</h2></div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
+</pre></li></ol></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX"><div class="titlepage"><div><div><h2 class="title" id="Configuring_an_IPA_Client_on_HP_UX">2.4. Configuring an HP-UX System as a FreeIPA</h2></div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
The FreeIPA client installation process requires that a FreeIPA server already exist.
- </div></div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_NTP"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_NTP">3.4.1. Configuring NTP</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_NTP"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_NTP">2.4.1. Configuring NTP</h3></div></div></div><div class="para">
Configure and enable NTP and make sure that time is synchronized between the client and the FreeIPA server.
- </div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_LDAP_Authentication"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_LDAP_Authentication">3.4.2. Configuring LDAP Authentication</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ </div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_LDAP_Authentication"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_LDAP_Authentication">2.4.2. Configuring LDAP Authentication</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Install the <code class="filename">ldapux</code> client.
</div><pre class="programlisting"> <span class="perl_Comment"># swinstall -s J4269AA_B.04.15.01_HP-UX_B.11.23_IA_PA.depot</span></pre></li><li class="listitem"><div class="para">
Change to the configuration directory, and run the setup script.
@@ -1037,7 +983,7 @@ Do you want to create custom search descriptors? [ No ]
enable=yes
</pre>
- </div></li></ol></div></div><div class="section" id="Configuring_Kerberos_and_PAM-Configuring_Kerberos"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Kerberos_and_PAM-Configuring_Kerberos">3.4.3. Configuring Kerberos</h3></div></div></div><div class="para">
+ </div></li></ol></div></div><div class="section" id="Configuring_Kerberos_and_PAM-Configuring_Kerberos"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Kerberos_and_PAM-Configuring_Kerberos">2.4.3. Configuring Kerberos</h3></div></div></div><div class="para">
Edit the <code class="filename">/etc/krb5.conf</code> file to reflect the Kerberos domain used by the FreeIPA server. Setting up the Kerberos configuration includes specifying the realm and domain details, and default ticket attributes. Forwardable tickets are configured by default, which facilitates connection to the administration interface from any operating system, and also provides for auditing of administration operations. For example:
</div><pre class="programlisting">[libdefaults]
default_realm = EXAMPLE.COM
@@ -1061,9 +1007,9 @@ example.com = EXAMPLE.COM
kinit = {
forwardable = true
}
-</pre></div><div class="section" id="Configuring_Kerberos_and_PAM-Configuring_PAM"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Kerberos_and_PAM-Configuring_PAM">3.4.4. Configuring PAM</h3></div></div></div><div class="para">
+</pre></div><div class="section" id="Configuring_Kerberos_and_PAM-Configuring_PAM"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Kerberos_and_PAM-Configuring_PAM">2.4.4. Configuring PAM</h3></div></div></div><div class="para">
The PAM configuration differs slightly between different versions of HP-UX.
- </div><div class="section" id="Configuring_PAM-HP_UX_11i_v2"><div class="titlepage"><div><div><h4 class="title" id="Configuring_PAM-HP_UX_11i_v2">3.4.4.1. HP-UX 11i v2</h4></div></div></div><div class="para">
+ </div><div class="section" id="Configuring_PAM-HP_UX_11i_v2"><div class="titlepage"><div><div><h4 class="title" id="Configuring_PAM-HP_UX_11i_v2">2.4.4.1. HP-UX 11i v2</h4></div></div></div><div class="para">
Edit the <code class="filename">/etc/pam.conf</code> file so that all of the required modules are loaded for authentication. For example:
</div><pre class="programlisting">#
# PAM configuration
@@ -1149,7 +1095,7 @@ dtaction password required libpam_hpsec.so.1
dtaction password sufficient libpam_krb5.so.1
dtaction password required libpam_unix.so.1
OTHER password required libpam_unix.so.1
-</pre></div><div class="section" id="Configuring_PAM-HP_UX_11i_v1"><div class="titlepage"><div><div><h4 class="title" id="Configuring_PAM-HP_UX_11i_v1">3.4.4.2. HP-UX 11i v1</h4></div></div></div><div class="para">
+</pre></div><div class="section" id="Configuring_PAM-HP_UX_11i_v1"><div class="titlepage"><div><div><h4 class="title" id="Configuring_PAM-HP_UX_11i_v1">2.4.4.2. HP-UX 11i v1</h4></div></div></div><div class="para">
Edit the <code class="filename">/etc/pam.conf</code> file to reflect the following example:
</div><pre class="programlisting">#
# PAM configuration
@@ -1210,7 +1156,7 @@ dtlogin password required /usr/lib/security/libpam_unix.1
dtaction password sufficient /usr/lib/security/libpam_krb5.1
dtaction password required /usr/lib/security/libpam_unix.1
OTHER password required /usr/lib/security/libpam_unix.1
-</pre></div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_SSH"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_SSH">3.4.5. Configuring SSH</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+</pre></div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_SSH"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_SSH">2.4.5. Configuring SSH</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Ensure that you have version A.05.10.007 or later of <code class="command">ssh</code> installed. A current package can be downloaded from the HO website at <a href="http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA">http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA</a>.
</div></li><li class="listitem"><div class="para">
Edit the <code class="filename">/etc/opt/ssh/ssh_config</code> file:
@@ -1235,9 +1181,9 @@ OTHER password required /usr/lib/security/libpam_unix.1
Create the host keytab file.
</div><pre class="programlisting"> <span class="perl_Comment"># ipa-getkeytab -s ipaserver.example.com -p host/hpuxipaclient.example.com -k /tmp/krb5.keytab -e des-cbc-crc</span></pre></li><li class="listitem"><div class="para">
Copy this keytab to the HP-UX machine, and save it as <code class="filename">/etc/krb5/krb5.keytab</code>.
- </div><pre class="programlisting"> <span class="perl_Comment"># scp /tmp/krb5.keytab root at hpuxipaclient.example.com:/etc/krb5/krb5.keytab</span></pre></li></ol></div></li></ol></div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_Access_Control"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_Access_Control">3.4.6. Configuring Access Control</h3></div></div></div><div class="para">
+ </div><pre class="programlisting"> <span class="perl_Comment"># scp /tmp/krb5.keytab root at hpuxipaclient.example.com:/etc/krb5/krb5.keytab</span></pre></li></ol></div></li></ol></div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_Access_Control"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_Access_Control">2.4.6. Configuring Access Control</h3></div></div></div><div class="para">
HP-UX systems provide the <code class="systemitem">pam_authz</code> PAM module, which can be used to control login access to the system based on a user's group membership. For details on how to configure access control with this module, see the HP documenttion at <a href="http://docs.hp.com/en/B3921-60631/pam_authz.5.html">http://docs.hp.com/en/B3921-60631/pam_authz.5.html</a>.
- </div><div class="example" id="ex.hp-pam-authz-mod"><h6>Example 3.1. pam_authz.policy File: Allow User Access, Deny Admin Access</h6><div class="example-contents"><div class="para">
+ </div><div class="example" id="ex.hp-pam-authz-mod"><h6>Example 2.1. pam_authz.policy File: Allow User Access, Deny Admin Access</h6><div class="example-contents"><div class="para">
This configuration in <code class="filename">/etc/opt/ldapux/pam_authz.policy</code> prevents the admin user from logging in while still allowing regular users to log in.
</div><pre class="programlisting">
# pam_authz.policy.template:
@@ -1273,7 +1219,7 @@ OTHER password required /usr/lib/security/libpam_unix.1
deny:unix_group:admins
allow:unix_local_user
-</pre></div></div><br class="example-break" /></div><div class="section" id="hp-test"><div class="titlepage"><div><div><h3 class="title" id="hp-test">3.4.7. Testing the Configuration</h3></div></div></div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
+</pre></div></div><br class="example-break" /></div><div class="section" id="hp-test"><div class="titlepage"><div><div><h3 class="title" id="hp-test">2.4.7. Testing the Configuration</h3></div></div></div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
By default, the admin user is given <code class="command">/bin/bash</code> as the shell to use and <code class="filename">/home/admin</code> as the home directory. It may be necessary to install bash to be able to log in.
</div></div></div><div class="para">
There are three quick ways to check the Kerberos and PAM configuration for the HP client:
@@ -1284,7 +1230,7 @@ allow:unix_local_user
Attempt to log into the HP machine from another machine in the domain using SSH. The admin user should be able to log in using SSH without being asked for a password.
</div><pre class="programlisting"> <span class="perl_Comment"># ssh admin at hpuxipaclient.example.com</span></pre></li><li class="listitem"><div class="para">
Log into the FreeIPA web UI using the administrator credentials on the HP machine.
- </div></li></ul></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_AIX"><div class="titlepage"><div><div><h2 class="title" id="Configuring_an_IPA_Client_on_AIX">3.5. Configuring an AIX System as a FreeIPA Client</h2></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_AIX-Prerequisites"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_AIX-Prerequisites">3.5.1. Prerequisites</h3></div></div></div><div class="para">
+ </div></li></ul></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_AIX"><div class="titlepage"><div><div><h2 class="title" id="Configuring_an_IPA_Client_on_AIX">2.5. Configuring an AIX System as a FreeIPA Client</h2></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_AIX-Prerequisites"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_AIX-Prerequisites">2.5.1. Prerequisites</h3></div></div></div><div class="para">
Make sure that all of these packages are installed on the AIX machine before beginning the client configuration:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
v5.3 OS
@@ -1308,7 +1254,7 @@ allow:unix_local_user
modcrypt.base (for gssd)
</div></li></ul></div><div class="para">
Configure and enable NTP and make sure that time is synchronized between the client and the FreeIPA server.
- </div></div><div class="section" id="Configuring_an_IPA_Client_on_AIX-Configuring_Client_Authentication"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_AIX-Configuring_Client_Authentication">3.5.2. Configuring the AIX Client</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="Configuring_an_IPA_Client_on_AIX-Configuring_Client_Authentication"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_AIX-Configuring_Client_Authentication">2.5.2. Configuring the AIX Client</h3></div></div></div><div class="para">
Setting up an AIX client requires setting up the client to work in the FreeIPA Kerberos domain and, optionally, to enable SSH authentication to the AIX client using FreeIPA credentials.
</div><div class="para">
Kerberos configuration includes specifying the realm and domain details, and default ticket attributes. Forwardable tickets are configured by default, which facilitates connection to the administration interface from any operating system, and also provides for auditing of administration operations. For example:
@@ -1433,11 +1379,11 @@ userPassword: secretpassword
To test the SSH configuration, try to log in as the admin user using SSH without providing a password.
</div><pre class="programlisting"> <span class="perl_Comment"># ssh admin at ipaclient.example.com</span></pre></li></ol></div></li></ol></div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
By default, the admin user is given <code class="command">/bin/bash</code> as the shell to use and <code class="filename">/home/admin</code> as the home directory. It may be necessary to install bash to be able to log in.
- </div></div></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X"><div class="titlepage"><div><div><h2 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X">3.6. Configuring a Macintosh OS X System as a FreeIPA Client</h2></div></div></div><div class="para">
+ </div></div></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X"><div class="titlepage"><div><div><h2 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X">2.6. Configuring a Macintosh OS X System as a FreeIPA Client</h2></div></div></div><div class="para">
These instructions are specific to Mac OS X 10.4 (Tiger) because this version includes the required Kerberos tools by default.
- </div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_Kerberos_Authentication"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_Kerberos_Authentication">3.6.1. Configuring Kerberos Authentication</h3></div></div></div><div class="para">
+ </div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_Kerberos_Authentication"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_Kerberos_Authentication">2.6.1. Configuring Kerberos Authentication</h3></div></div></div><div class="para">
Configuring the Macintosh to use Kerberos for authentication with FreeIPA is a two-step process. First, Kerberos needs to be correctly installed and configured. Then, Kerberos authentication needs to be enabled.
- </div><div class="section" id="Configuring_Kerberos_Authentication-Configuring_Kerberos"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Kerberos_Authentication-Configuring_Kerberos">3.6.1.1. Configuring Kerberos</h4></div></div></div><div class="para">
+ </div><div class="section" id="Configuring_Kerberos_Authentication-Configuring_Kerberos"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Kerberos_Authentication-Configuring_Kerberos">2.6.1.1. Configuring Kerberos</h4></div></div></div><div class="para">
Setting up the Kerberos configuration includes specifying the realm and domain details, and default ticket attributes. Forwardable tickets are configured by default, which facilitates connection to the administration interface from any operating system, and also provides for auditing of administration operations. For example, this is the Kerberos configuration for Fedora systems:
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Make sure that the Kerberos version is 4.2 or higher. The Kerberos directory is <code class="filename">/System/Library/CFMSupport/Kerberos</code>. If that directory does not exist or is the wrong version, install the Kerberos Extras support.
@@ -1476,7 +1422,7 @@ EXAMPLE.COM = {
default_domain = example.com
kdc = ipaserver.example.com:88
}
-</pre></li></ol></div></div><div class="section" id="Configuring_Kerberos_Authentication-Enabling_Kerberos_Authentication"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Kerberos_Authentication-Enabling_Kerberos_Authentication">3.6.1.2. Enabling Kerberos Authentication</h4></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+</pre></li></ol></div></div><div class="section" id="Configuring_Kerberos_Authentication-Enabling_Kerberos_Authentication"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Kerberos_Authentication-Enabling_Kerberos_Authentication">2.6.1.2. Enabling Kerberos Authentication</h4></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Log in as the admin user and launch a terminal.
</div></li><li class="listitem"><div class="para">
Change to the <code class="filename">/private/etc</code> directory and make a backup of the existing authorization file.
@@ -1494,7 +1440,7 @@ EXAMPLE.COM = {
Save and close the file.
</div></li><li class="listitem"><div class="para">
Restart the machine to enable Kerberos authentication.
- </div></li></ol></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_LDAP_Authorization"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_LDAP_Authorization">3.6.2. Configuring LDAP Authorization</h3></div></div></div><div class="section" id="Configuring_LDAP_Authorization-Creating_the_LDAP_Configuration"><div class="titlepage"><div><div><h4 class="title" id="Configuring_LDAP_Authorization-Creating_the_LDAP_Configuration">3.6.2.1. Creating the LDAP Configuration</h4></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ </div></li></ol></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_LDAP_Authorization"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_LDAP_Authorization">2.6.2. Configuring LDAP Authorization</h3></div></div></div><div class="section" id="Configuring_LDAP_Authorization-Creating_the_LDAP_Configuration"><div class="titlepage"><div><div><h4 class="title" id="Configuring_LDAP_Authorization-Creating_the_LDAP_Configuration">2.6.2.1. Creating the LDAP Configuration</h4></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Launch the Directory Access utility.
</div></li><li class="listitem"><div class="para">
In the <span class="guilabel"><strong>Services</strong></span> tab, clear all check boxes except LDAPv3 and Bonjour.
@@ -1512,7 +1458,7 @@ EXAMPLE.COM = {
Enter the configuration name, such as <code class="command">FreeIPA LDAP</code>.
</div></li><li class="listitem"><div class="para">
Select the <span class="guilabel"><strong>Enable</strong></span> checkbox, and clear the <span class="guilabel"><strong>SSL</strong></span> checkbox.
- </div></li></ol></div></div><div class="section" id="Configuring_LDAP_Authorization-Setting_up_the_LDAP_Service_Configuration_Options"><div class="titlepage"><div><div><h4 class="title" id="Configuring_LDAP_Authorization-Setting_up_the_LDAP_Service_Configuration_Options">3.6.2.2. Setting up the LDAP Service Configuration Options</h4></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ </div></li></ol></div></div><div class="section" id="Configuring_LDAP_Authorization-Setting_up_the_LDAP_Service_Configuration_Options"><div class="titlepage"><div><div><h4 class="title" id="Configuring_LDAP_Authorization-Setting_up_the_LDAP_Service_Configuration_Options">2.6.2.2. Setting up the LDAP Service Configuration Options</h4></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Select the newly-created LDAP configuration, and click <span class="guibutton"><strong>Edit</strong></span>.
</div></li><li class="listitem"><div class="para">
In the <span class="guilabel"><strong>Connection</strong></span> tab, specify the connection settings:
@@ -1582,17 +1528,17 @@ EXAMPLE.COM = {
UniqueID and uidNumber
</div></li></ul></div></li><li class="listitem"><div class="para">
Click <span class="guibutton"><strong>OK</strong></span> to finish setting up the LDAP service configuration options.
- </div></li></ol></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_the_LDAP_Authorization_Options"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_the_LDAP_Authorization_Options">3.6.3. Configuring the LDAP Authorization Options</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ </div></li></ol></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_the_LDAP_Authorization_Options"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_the_LDAP_Authorization_Options">2.6.3. Configuring the LDAP Authorization Options</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
In the <span class="guilabel"><strong>Authentication</strong></span> tab, change the <span class="guilabel"><strong>Search</strong></span> value to <span class="guilabel"><strong>Custom path</strong></span>.
</div></li><li class="listitem"><div class="para">
Click <span class="guibutton"><strong>Add</strong></span>.
</div></li><li class="listitem"><div class="para">
- Select the configuration created in <a class="xref" href="#Configuring_LDAP_Authorization-Setting_up_the_LDAP_Service_Configuration_Options">Section 3.6.2.2, “Setting up the LDAP Service Configuration Options”</a>, and click <span class="guibutton"><strong>Add</strong></span>.
+ Select the configuration created in <a class="xref" href="#Configuring_LDAP_Authorization-Setting_up_the_LDAP_Service_Configuration_Options">Section 2.6.2.2, “Setting up the LDAP Service Configuration Options”</a>, and click <span class="guibutton"><strong>Add</strong></span>.
</div></li><li class="listitem"><div class="para">
Click <span class="guibutton"><strong>Apply</strong></span> to update the LDAP configuration.
- </div></li></ol></div></div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_NTP"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_NTP">3.6.4. Configuring NTP</h3></div></div></div><div class="para">
+ </div></li></ol></div></div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_NTP"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_NTP">2.6.4. Configuring NTP</h3></div></div></div><div class="para">
Open the Date and Time utility and point it to the FreeIPA server URL to set the date and time automatically.
- </div></div><div class="section" id="testing-config-on-mac"><div class="titlepage"><div><div><h3 class="title" id="testing-config-on-mac">3.6.5. Testing the Configuration</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="testing-config-on-mac"><div class="titlepage"><div><div><h3 class="title" id="testing-config-on-mac">2.6.5. Testing the Configuration</h3></div></div></div><div class="para">
If client authentication is properly configured, a user can connect to the FreeIPA server using SSH without being prompted for a password.
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Obtain a Kerberos ticket for the admin user.
@@ -1621,17 +1567,11 @@ Valid starting Expires Service principal
Kerberos 4 ticket cache: /tmp/tkt10678
klist: You have no tickets cached</pre>
- </div></li></ol></div></div></div><div class="section" id="uninstalling-clients"><div class="titlepage"><div><div><h2 class="title" id="uninstalling-clients">3.7. Uninstalling a FreeIPA Client</h2></div></div></div><div class="para">
+ </div></li></ol></div></div></div><div class="section" id="uninstalling-clients"><div class="titlepage"><div><div><h2 class="title" id="uninstalling-clients">2.7. Uninstalling a FreeIPA Client</h2></div></div></div><div class="para">
For Fedora clients, the <code class="command">ipa-client-install</code> utility can be used to uninstall the client and remove it from the FreeIPA domaine. To remove the client, use the <code class="option">--uninstall</code> option.
</div><pre class="programlisting"><span class="perl_Comment"># ipa-client-install --uninstall</span></pre><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
There is an uninstall option with the <code class="command">ipa-join</code> command. This is called by <code class="command">ipa-client-install --uninstall</code> as part of the uninstallation process. However, while the <code class="command">ipa-join</code> option removes the client from the domain, it does not actually uninstall the client or properly remove all of the FreeIPA-related configuration. Do not run <code class="command">ipa-join -u</code> to attempt to uninstall the FreeIPA client. The only way to uninstall a client completely is to use <code class="command">ipa-client-install --uninstall</code>.
- </div></div></div></div></div><div xml:lang="en-US" class="chapter" id="basic-usage" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 4. Basic UI Usage</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#ipa-ui">4.1. Looking at the FreeIPA UI</a></span></dt><dt><span class="section"><a href="#using-the-ui">4.2. Using the FreeIPA UI</a></span></dt><dd><dl><dt><span class="section"><a href="#config-browser">4.2.1. Configuring the Browser</a></span></dt><dt><span class="section"><a href="#logging-in">4.2.2. Logging into the FreeIPA UI</a></span></dt><dt><span class="section"><a href="#Configuring_a_Browser_to_Work_with_IPA-Using_a_Browser_on_Another_System">4.2.3. Using a Browser on Another System</a></span></dt><dt><span class="section"><a href="#Enabling_UsernamePassword_Authentication_in_Your_Browser">4.2.4. Enabling Username/Password Authentication in Your Browser</a></span></dt></dl></dd><dt><span class="section"><a hr
ef="#switching-users">4.3. Switching Users</a></span></dt></dl></div><div class="para">
- XXXXX introXXXXXXXX
- </div><div class="section" id="ipa-ui"><div class="titlepage"><div><div><h2 class="title" id="ipa-ui">4.1. Looking at the FreeIPA UI</h2></div></div></div><div class="para">
- XXXXXXXXXXX FIX ME XXXXXXXX
- </div></div><div class="section" id="using-the-ui"><div class="titlepage"><div><div><h2 class="title" id="using-the-ui">4.2. Using the FreeIPA UI</h2></div></div></div><div class="section" id="config-browser"><div class="titlepage"><div><div><h3 class="title" id="config-browser">4.2.1. Configuring the Browser</h3></div></div></div><div class="para">
- XXXXXXXXXXX FIX ME XXXXXXXX
- </div><div class="para">
+ </div></div></div></div></div><div xml:lang="en-US" class="chapter" id="basic-usage" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 3. Basic UI Usage</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#using-the-ui">3.1. Using the FreeIPA UI</a></span></dt><dd><dl><dt><span class="section"><a href="#config-browser">3.1.1. Configuring the Browser</a></span></dt><dt><span class="section"><a href="#logging-in">3.1.2. Logging into the FreeIPA UI</a></span></dt><dt><span class="section"><a href="#Configuring_a_Browser_to_Work_with_IPA-Using_a_Browser_on_Another_System">3.1.3. Using a Browser on Another System</a></span></dt><dt><span class="section"><a href="#Enabling_UsernamePassword_Authentication_in_Your_Browser">3.1.4. Enabling Username/Password Authentication in Your Browser</a></span></dt></dl></dd><dt><span class="section"><a href="#switching-users">3.2. Switching Users</a></span></dt></dl></div><div class="section"
id="using-the-ui"><div class="titlepage"><div><div><h2 class="title" id="using-the-ui">3.1. Using the FreeIPA UI</h2></div></div></div><div class="section" id="config-browser"><div class="titlepage"><div><div><h3 class="title" id="config-browser">3.1.1. Configuring the Browser</h3></div></div></div><div class="para">
Firefox can use your Kerberos credentials for authentication, but you need to specify which domains to communicate with, and using which attributes.
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Open Firefox, and type "about:config" in the <span class="guilabel"><strong>Address Bar</strong></span>.
@@ -1679,7 +1619,7 @@ network.negotiate-auth.delegation-uris .example.com
</div></li></ol></div><div class="formalpara" id="Using_the_Browser_Interface-Displaying_the_IPA_Homepage"><h5 class="formalpara">Displaying the FreeIPA Homepage</h5>
Your browser should now be fully configured and ready to connect to the FreeIPA server. In the address bar, type “localhost” or the name of the host. The FreeIPA homepage should now display. Explore this page and the links it provides, familiarize yourself with the available options, and file a bug whenever you find something is not working.
- </div><div class="section" id="Configuring_Your_Local_Browser-Troubleshooting"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Your_Local_Browser-Troubleshooting">4.2.1.1. Troubleshooting</h4></div></div></div><div class="para">
+ </div><div class="section" id="Configuring_Your_Local_Browser-Troubleshooting"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Your_Local_Browser-Troubleshooting">3.1.1.1. Troubleshooting</h4></div></div></div><div class="para">
If you have followed the configuration steps and Negotiate authentication is not working, you can turn on verbose logging of the authentication process, and potentially find the cause of the problem.
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Exit the browser.
@@ -1713,9 +1653,7 @@ example.com = EXAMPLE.COM
</div></li><li class="listitem"><div class="para">
If nothing appears in the log file it is possible that you are behind a proxy, and that proxy is removing the HTTP headers required for Negotiate authentication. Try to connect to the server using HTTPS instead, which allows the request to pass through unmodified. Then proceed to debug using the log file, as described above.
- </div></li></ol></div></div></div><div class="section" id="logging-in"><div class="titlepage"><div><div><h3 class="title" id="logging-in">4.2.2. Logging into the FreeIPA UI</h3></div></div></div><div class="para">
- XXXXXXXXXXX FIX ME XXXXXXXX
- </div><div class="para">
+ </div></li></ol></div></div></div><div class="section" id="logging-in"><div class="titlepage"><div><div><h3 class="title" id="logging-in">3.1.2. Logging into the FreeIPA UI</h3></div></div></div><div class="para">
To be able to perform any administrative task you need to authenticate to the server. During the configuration step you were prompted to create two users. The first of these, Directory Manager, is the superuser, used to perform rare, low-level tasks. The second user, admin, is used to perform normal administrative activities.
</div><div class="para">
To authenticate as the admin user:
@@ -1733,7 +1671,7 @@ example.com = EXAMPLE.COM
The Kerberos client libraries used by the <code class="command">kinit</code> utility have some limitations. One of these limitations is the fact that the on-disc ticket storage is overwritten with any new invocation of <code class="command">kinit</code>. This means that if you authenticated as admin, then added aa new user, set the password and then tried to authenticate as that user, the administrator's ticket would be lost. To prevent this from happening, a special environment variable, <code class="varname">KRB5CCNAME</code>, can be used. This allows you to keep credential caches separate in different shells. Refer to the <code class="command">kinit</code> man page for more information.
</div></div></div><div class="para">
You can browse the FreeIPA man pages and help system to explore other FreeIPA commands. Please take some time to become familiar with the ways other FreeIPA objects can be created and modified.
- </div></div><div class="section" id="Configuring_a_Browser_to_Work_with_IPA-Using_a_Browser_on_Another_System"><div class="titlepage"><div><div><h3 class="title" id="Configuring_a_Browser_to_Work_with_IPA-Using_a_Browser_on_Another_System">4.2.3. Using a Browser on Another System</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="Configuring_a_Browser_to_Work_with_IPA-Using_a_Browser_on_Another_System"><div class="titlepage"><div><div><h3 class="title" id="Configuring_a_Browser_to_Work_with_IPA-Using_a_Browser_on_Another_System">3.1.3. Using a Browser on Another System</h3></div></div></div><div class="para">
If you are unable, or prefer not, to update <code class="filename">/etc/krb5.conf</code> with the FreeIPA realm information, you can create another copy and set an appropriate environment variable. You can then run <code class="command">kinit</code> as before and use your browser to connect to FreeIPA. This is especially useful if you need to manage multiple realms, and if you have overlapping domains.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
This procedure is not necessary if you use <code class="command">ipa-client-install</code> to set up your client.
@@ -1751,7 +1689,7 @@ $ /usr/bin/firefox</pre>
</div></li><li class="listitem"><div class="para">
Configure and test Firefox.
- </div></li></ol></div></div><div class="section" id="Enabling_UsernamePassword_Authentication_in_Your_Browser"><div class="titlepage"><div><div><h3 class="title" id="Enabling_UsernamePassword_Authentication_in_Your_Browser">4.2.4. Enabling Username/Password Authentication in Your Browser</h3></div></div></div><div class="para">
+ </div></li></ol></div></div><div class="section" id="Enabling_UsernamePassword_Authentication_in_Your_Browser"><div class="titlepage"><div><div><h3 class="title" id="Enabling_UsernamePassword_Authentication_in_Your_Browser">3.1.4. Enabling Username/Password Authentication in Your Browser</h3></div></div></div><div class="para">
If Kerberos authentication fails, the browser login will also fail, preventing access to the FreeIPA web interface. You can configure FreeIPA to display a username/password authentication dialog box if this situation occurs.
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Edit the <code class="filename">/etc/httpd/conf.d/ipa.conf</code> file, and change the <em class="parameter"><code>KrbMethodK5Passwd</code></em> attribute from off to on.
@@ -1763,9 +1701,7 @@ $ /usr/bin/firefox</pre>
You need to perform this procedure on all of the FreeIPA servers in your deployment.
</div></li><li class="listitem"><div class="para">
This change may not be preserved between FreeIPA updates.
- </div></li></ul></div></div></div></div></div><div class="section" id="switching-users"><div class="titlepage"><div><div><h2 class="title" id="switching-users">4.3. Switching Users</h2></div></div></div><div class="para">
- XXXXXXXXXXX FIX ME XXXXXXXX
- </div><div class="para">
+ </div></li></ul></div></div></div></div></div><div class="section" id="switching-users"><div class="titlepage"><div><div><h2 class="title" id="switching-users">3.2. Switching Users</h2></div></div></div><div class="para">
One of the main advantages of FreeIPA is that it uses Kerberos for authentication. This means that if the machine is configured to use FreeIPA as an authentication server and you have an FreeIPA account, then once you have logged in to the machine and authenticated, you can reuse your Kerberos credentials to access other services in the FreeIPA domain. This avoids the need to constantly re-enter your password to access different services.
</div><div class="para">
For example, to connect to the FreeIPA web interface, you can enter the server's address in your browser and it will use your Kerberos ticket to authenticate against FreeIPA. Similar functionality is available if you try to access a file share, a wiki or any other application that is configured to be a Kerberos service in the FreeIPA domain.
@@ -1790,27 +1726,27 @@ klist: You have no tickets cached
You should now be able to connect to the FreeIPA web interface. If you were already connected to the web interface as another user, refresh the browser to display the updated details for the new user.
</div><div class="para">
If you configured SSSD or <code class="systemitem">pam_krb5</code> on the machine with FreeIPA, then the ticket is created for you when you log in to the machine requires authentication (for example, <code class="command">sudo</code>).
- </div></div></div><div xml:lang="en-US" class="chapter" id="managing-clients" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 5. Managing Clients in the FreeIPA Domain</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#IPA_Command_Line_Tools-Working_with_DNS">5.1. Working with DNS</a></span></dt><dd><dl><dt><span class="section"><a href="#Working_with_DNS-Adding_Hosts_to_an_IPA_DNS">5.1.1. Adding Hosts to a FreeIPA DNS</a></span></dt><dt><span class="section"><a href="#Working_with_DNS-Removing_Hosts_from_an_IPA_DNS">5.1.2. Removing Hosts from a FreeIPA DNS</a></span></dt><dt><span class="section"><a href="#Working_with_DNS-Managing_DNS_Zones">5.1.3. Managing DNS Zones</a></span></dt></dl></dd><dt><span class="section"><a href="#enrolling-machines">5.2. Enrolling Machines</a></span></dt><dd><dl><dt><span class="section"><a href="#Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator">5.2.1. Manual Ho
st Enrollment with Privileged Administrator</a></span></dt><dt><span class="section"><a href="#Enrollment_Scenarios-Manual_Host_Enrollment_with_Separation_of_Duties">5.2.2. Manual Host Enrollment with Separation of Duties</a></span></dt><dt><span class="section"><a href="#Enrollment_Scenarios-Bulk_Host_Deployment">5.2.3. Bulk Host Deployment</a></span></dt></dl></dd><dt><span class="section"><a href="#renaming-machines">5.3. Renaming Machines</a></span></dt><dt><span class="section"><a href="#config-virt-machines">5.4. Reconfiguring Virtual Machines</a></span></dt><dt><span class="section"><a href="#certs">5.5. Configuring Certificate-Based Machine Authentication</a></span></dt><dt><span class="section"><a href="#General_Troubleshooting_Tips-Client_Problems">5.6. Client Problems</a></span></dt></dl></div><div class="section" id="IPA_Command_Line_Tools-Working_with_DNS"><div class="titlepage"><div><div><h2 class="title" id="IPA_Command_Line_Tools-Working_with_DNS">5.1. Worki
ng with DNS</h2></div></div></div><div class="para">
+ </div></div></div><div xml:lang="en-US" class="chapter" id="managing-clients" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 4. Managing Clients in the FreeIPA Domain</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#IPA_Command_Line_Tools-Working_with_DNS">4.1. Working with DNS</a></span></dt><dd><dl><dt><span class="section"><a href="#Working_with_DNS-Adding_Hosts_to_an_IPA_DNS">4.1.1. Adding Hosts to a FreeIPA DNS</a></span></dt><dt><span class="section"><a href="#Working_with_DNS-Removing_Hosts_from_an_IPA_DNS">4.1.2. Removing Hosts from a FreeIPA DNS</a></span></dt><dt><span class="section"><a href="#Working_with_DNS-Managing_DNS_Zones">4.1.3. Managing DNS Zones</a></span></dt></dl></dd><dt><span class="section"><a href="#enrolling-machines">4.2. Enrolling Machines</a></span></dt><dd><dl><dt><span class="section"><a href="#Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator">4.2.1. Manual Ho
st Enrollment with Privileged Administrator</a></span></dt><dt><span class="section"><a href="#Enrollment_Scenarios-Manual_Host_Enrollment_with_Separation_of_Duties">4.2.2. Manual Host Enrollment with Separation of Duties</a></span></dt><dt><span class="section"><a href="#Enrollment_Scenarios-Bulk_Host_Deployment">4.2.3. Bulk Host Deployment</a></span></dt></dl></dd><dt><span class="section"><a href="#renaming-machines">4.3. Renaming Machines</a></span></dt><dt><span class="section"><a href="#config-virt-machines">4.4. Reconfiguring Virtual Machines</a></span></dt><dt><span class="section"><a href="#certs">4.5. Configuring Certificate-Based Machine Authentication</a></span></dt><dt><span class="section"><a href="#General_Troubleshooting_Tips-Client_Problems">4.6. Client Problems</a></span></dt></dl></div><div class="section" id="IPA_Command_Line_Tools-Working_with_DNS"><div class="titlepage"><div><div><h2 class="title" id="IPA_Command_Line_Tools-Working_with_DNS">4.1. Worki
ng with DNS</h2></div></div></div><div class="para">
A number of benefits exist if you take advantage of FreeIPA's ability to automatically install and configure a DNS, in particular the ability to ease the modification of DNS records when adding hosts to FreeIPA. For example, options exist to add and remove IP addresses, A entries, PTR entries, etc. These options are not available if you are not using a FreeIPA-based DNS.
</div><div class="para">
IPA stores all DNS information as discrete records in LDAP, and communicates with LDAP using the <span class="package">bind-dyndb-ldap</span> plug-in and the <code class="filename">install/share/60basev2.ldif</code> schema. You can install and configure the DNS as part of the FreeIPA server installation, using the <code class="option">--setup-dns</code> option, or you can add it later using the <code class="command">ipa-dns-install</code> command.
</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
The following options are currently only available with IPv4 addresses.
- </div></div></div><div class="section" id="Working_with_DNS-Adding_Hosts_to_an_IPA_DNS"><div class="titlepage"><div><div><h3 class="title" id="Working_with_DNS-Adding_Hosts_to_an_IPA_DNS">5.1.1. Adding Hosts to a FreeIPA DNS</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Working_with_DNS-Adding_Hosts_to_an_IPA_DNS"><div class="titlepage"><div><div><h3 class="title" id="Working_with_DNS-Adding_Hosts_to_an_IPA_DNS">4.1.1. Adding Hosts to a FreeIPA DNS</h3></div></div></div><div class="para">
If you are using a FreeIPA-based DNS system, you can use the <code class="option">--ip-address</code> and <code class="option">--force</code> options to the <code class="command">ipa host-add</code> command to provide the IP address and hostname of the FreeIPA machine to the DNS. For example,
<pre class="screen"><code class="command">$ ipa host-add --force --ip-address=192.168.166.31 puma.example.com </code></pre>
- </div></div><div class="section" id="Working_with_DNS-Removing_Hosts_from_an_IPA_DNS"><div class="titlepage"><div><div><h3 class="title" id="Working_with_DNS-Removing_Hosts_from_an_IPA_DNS">5.1.2. Removing Hosts from a FreeIPA DNS</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="Working_with_DNS-Removing_Hosts_from_an_IPA_DNS"><div class="titlepage"><div><div><h3 class="title" id="Working_with_DNS-Removing_Hosts_from_an_IPA_DNS">4.1.2. Removing Hosts from a FreeIPA DNS</h3></div></div></div><div class="para">
IPA provides the <code class="command">ipa host-del</code> command to delete FreeIPA hosts. You can pass the <code class="option">--updatedns</code> option to this command to remove the associated records from the DNS. It will attempt to remove any record, A, AAAA, PTR, NS, SRV, and other entries that reference this host. For example,
<pre class="screen"><code class="command">$ ipa host-del --updatedns puma</code></pre>
- </div></div><div class="section" id="Working_with_DNS-Managing_DNS_Zones"><div class="titlepage"><div><div><h3 class="title" id="Working_with_DNS-Managing_DNS_Zones">5.1.3. Managing DNS Zones</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="Working_with_DNS-Managing_DNS_Zones"><div class="titlepage"><div><div><h3 class="title" id="Working_with_DNS-Managing_DNS_Zones">4.1.3. Managing DNS Zones</h3></div></div></div><div class="para">
IPA provides all the necessary commands to create and manage zones in a FreeIPA-managed DNS server. You can create and delete zones and add entries to any of these zones using the appropriate FreeIPA commands.
- </div><div class="section" id="Managing_DNS_Zones-Adding_DNS_Zones"><div class="titlepage"><div><div><h4 class="title" id="Managing_DNS_Zones-Adding_DNS_Zones">5.1.3.1. Adding DNS Zones</h4></div></div></div><div class="para">
+ </div><div class="section" id="Managing_DNS_Zones-Adding_DNS_Zones"><div class="titlepage"><div><div><h4 class="title" id="Managing_DNS_Zones-Adding_DNS_Zones">4.1.3.1. Adding DNS Zones</h4></div></div></div><div class="para">
Use the <code class="command">ipa dnszone-add</code> command to add a new zone to your DNS server. You can pass optional attributes on the command line, and you will be prompted for any required information. The following example demonstrates adding a new zone to your top-level domain.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
You need to restart the <code class="systemitem">named</code> service whenever you create a new zone, otherwise the DNS server will not reply successfully to queries asking for records in the new zone. This is a one-time operation; any subsequent changes to the zone do not require any further action to be effective.
- </div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Adding_DNS_Zones-To_add_the_sub_domain_translation_to_the_ipadocs.org_domain"><h6>Procedure 5.1. To add the sub-domain "translation" to the ipadocs.org domain</h6><ol class="1"><li class="step"><div class="para">
+ </div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Adding_DNS_Zones-To_add_the_sub_domain_translation_to_the_ipadocs.org_domain"><h6>Procedure 4.1. To add the sub-domain "translation" to the ipadocs.org domain</h6><ol class="1"><li class="step"><div class="para">
Ensure you have a valid Kerberos ticket:
<pre class="screen"><code class="command">$ kinit admin</code>
Password for admin at IPADOCS.ORG:</pre>
@@ -1838,12 +1774,12 @@ Password for admin at IPADOCS.ORG:</pre>
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Adding_DNS_Zones-Using_Dynamic_DNS_Updates"><h5 class="formalpara">Using Dynamic DNS Updates</h5>
Dynamic DNS updates are not enabled by default for new DNS zones served by FreeIPA; that is, zones added by the <code class="command">ipa dnszone-add</code> command. This may lead to errors in the <code class="command">ipa-client-install</code> script when it joins this domain and tries to add a DNS record pointing to this new client.
- </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Adding_DNS_Zones-To_enable_dynamic_DNS_updates"><h6>Procedure 5.2. To enable dynamic DNS updates</h6><ul><li class="step"><div class="para">
+ </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Adding_DNS_Zones-To_enable_dynamic_DNS_updates"><h6>Procedure 4.2. To enable dynamic DNS updates</h6><ul><li class="step"><div class="para">
Use the following command to enable dynamic updates:
</div><pre class="screen"><code class="command">$ ipa dnszone-mod clients.example.com --allow-dynupdate \ </code>
<code class="command">--update-policy="grant TESTRELM krb5-self * A; grant TESTRELM krb5-self * AAAA;"</code></pre><div class="para">
In this example, <code class="systemitem">clients.example.com</code> is the custom DNS domain managed by the FreeIPA server and TESTRELM is the Kerberos realm.
- </div></li></ul></div></div><div class="section" id="Managing_DNS_Zones-Adding_Records_to_DNS_Zones"><div class="titlepage"><div><div><h4 class="title" id="Managing_DNS_Zones-Adding_Records_to_DNS_Zones">5.1.3.2. Adding Records to DNS Zones</h4></div></div></div><div class="para">
+ </div></li></ul></div></div><div class="section" id="Managing_DNS_Zones-Adding_Records_to_DNS_Zones"><div class="titlepage"><div><div><h4 class="title" id="Managing_DNS_Zones-Adding_Records_to_DNS_Zones">4.1.3.2. Adding Records to DNS Zones</h4></div></div></div><div class="para">
Use the <code class="command">ipa dnsrecord-add</code> command to add various types of records to DNS zones. The following examples demonstrate adding some of these types of records.
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Adding_Records_to_DNS_Zones-Adding_IPv4_Type_A_Resource_Records"><h5 class="formalpara">Adding IPv4 (Type A) Resource Records</h5>
Type A resource records map hostnames to IPv4 addresses. To add a type A resource record, run the following command:
@@ -1869,7 +1805,7 @@ Password for admin at IPADOCS.ORG:</pre>
<pre class="programlisting">A, AAAA, A6, AFSDB, APL, CERT, CNAME, DHCID, DLV, DNAME, DNSKEY, DS, HIP, IPSECKEY, KX, LOC,
MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA, TXT</pre>
- </div></div><div class="section" id="Managing_DNS_Zones-Deleting_Records_from_DNS_Zones"><div class="titlepage"><div><div><h4 class="title" id="Managing_DNS_Zones-Deleting_Records_from_DNS_Zones">5.1.3.3. Deleting Records from DNS Zones</h4></div></div></div><div class="para">
+ </div></div><div class="section" id="Managing_DNS_Zones-Deleting_Records_from_DNS_Zones"><div class="titlepage"><div><div><h4 class="title" id="Managing_DNS_Zones-Deleting_Records_from_DNS_Zones">4.1.3.3. Deleting Records from DNS Zones</h4></div></div></div><div class="para">
Use the <code class="command">ipa dnsrecord-del</code> command to remove records from DNS zones. The following examples demonstrate how to remove the records added in the preceding examples.
</div><div class="para">
To remove the A type record from the "www" record, run the following command:
@@ -1885,7 +1821,7 @@ MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA
You can also delegate zones if you want to allow other areas of your company intranet to reach your DNS server, or if you want to allow access from outside your firewalls. Refer to the <a href="http://www.isc.org/software/bind/documentation">ISC BIND documentation</a> for further information.
</div><div class="para">
Refer to the <code class="command">ipa help dns</code> help page for more information about working with DNS and FreeIPA.
- </div></div></div></div><div class="section" id="enrolling-machines"><div class="titlepage"><div><div><h2 class="title" id="enrolling-machines">5.2. Enrolling Machines</h2></div></div></div><div class="para">
+ </div></div></div></div><div class="section" id="enrolling-machines"><div class="titlepage"><div><div><h2 class="title" id="enrolling-machines">4.2. Enrolling Machines</h2></div></div></div><div class="para">
Enrollment is the process whereby a host entry is created and saved in the directory server, and a keytab for that host entry is generated on the server and provisioned to the client. This keytab is saved with specific ownership and permission properties in a specific directory on the client.
</div><div class="para">
With the host entry successfully created and the keytab in place, enrollment is complete and the client machine can now automatically connect to and communicate with the FreeIPA server.
@@ -1903,7 +1839,7 @@ MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA
</div><div class="para">
These are examined in more detail below.
- </div><div class="section" id="Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator"><div class="titlepage"><div><div><h3 class="title" id="Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator">5.2.1. Manual Host Enrollment with Privileged Administrator</h3></div></div></div><div class="para">
+ </div><div class="section" id="Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator"><div class="titlepage"><div><div><h3 class="title" id="Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator">4.2.1. Manual Host Enrollment with Privileged Administrator</h3></div></div></div><div class="para">
This scenario implements the following sequence of operations:
<div class="orderedlist"><ol><li class="listitem"><div class="para">
The Administrator logs into the machine that they want to enroll with FreeIPA.
@@ -1926,8 +1862,8 @@ MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA
</div><div class="para">
At this stage the enrollment is complete and the machine can now automatically connect to and communicate with the FreeIPA server.
- </div></div><div class="section" id="Enrollment_Scenarios-Manual_Host_Enrollment_with_Separation_of_Duties"><div class="titlepage"><div><div><h3 class="title" id="Enrollment_Scenarios-Manual_Host_Enrollment_with_Separation_of_Duties">5.2.2. Manual Host Enrollment with Separation of Duties</h3></div></div></div><div class="para">
- This scenario assumes that there are different administrators with different levels of privileges regarding host-related operations. One administrator (A) can add and edit host entries, and thus enroll the hosts as described in <a class="xref" href="#Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator">Section 5.2.1, “Manual Host Enrollment with Privileged Administrator”</a>. The second administrator (B) has insufficient permissions to create host entries, but is allowed to enroll machines. The following sequence of operations is engaged:
+ </div></div><div class="section" id="Enrollment_Scenarios-Manual_Host_Enrollment_with_Separation_of_Duties"><div class="titlepage"><div><div><h3 class="title" id="Enrollment_Scenarios-Manual_Host_Enrollment_with_Separation_of_Duties">4.2.2. Manual Host Enrollment with Separation of Duties</h3></div></div></div><div class="para">
+ This scenario assumes that there are different administrators with different levels of privileges regarding host-related operations. One administrator (A) can add and edit host entries, and thus enroll the hosts as described in <a class="xref" href="#Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator">Section 4.2.1, “Manual Host Enrollment with Privileged Administrator”</a>. The second administrator (B) has insufficient permissions to create host entries, but is allowed to enroll machines. The following sequence of operations is engaged:
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Administrator A authorizes enrollment of a host by creating the host entry in the back end using the webUI or command-line script.
</div></li><li class="listitem"><div class="para">
@@ -1945,7 +1881,7 @@ MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA
The keytab is saved with <code class="systemitem">root:root</code> ownership and 0600 permissions, and in a specific directory on the client machine.
</div></li></ol></div><div class="para">
At this stage the enrollment is complete and the machine can now automatically connect to and communicate with the FreeIPA server.
- </div></div><div class="section" id="Enrollment_Scenarios-Bulk_Host_Deployment"><div class="titlepage"><div><div><h3 class="title" id="Enrollment_Scenarios-Bulk_Host_Deployment">5.2.3. Bulk Host Deployment</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="Enrollment_Scenarios-Bulk_Host_Deployment"><div class="titlepage"><div><div><h3 class="title" id="Enrollment_Scenarios-Bulk_Host_Deployment">4.2.3. Bulk Host Deployment</h3></div></div></div><div class="para">
This scenario is very useful for automatic provisioning of multiple hosts (or virtual machines). In this scenario you can pre-create a number of hosts on the FreeIPA server and set passwords on them. You can use your kickstart operation to perform the enrollment. For example, the <span class="application"><strong>cobbler</strong></span> utility makes this relatively easy because you can store variables in the <span class="application"><strong>cobbler</strong></span> system configuration.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
There are two ways to set the password. You can either supply your own or have FreeIPA generate a random one.
@@ -1977,7 +1913,7 @@ MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA
</div></li><li class="listitem"><div class="para">
Because the password is set to expire, the Kerberos keytab will be generated and the password attribute cleared.
- </div></li></ol></div></div></div><div class="section" id="renaming-machines"><div class="titlepage"><div><div><h2 class="title" id="renaming-machines">5.3. Renaming Machines</h2></div></div></div><div class="para">
+ </div></li></ol></div></div></div><div class="section" id="renaming-machines"><div class="titlepage"><div><div><h2 class="title" id="renaming-machines">4.3. Renaming Machines</h2></div></div></div><div class="para">
The hostname of a system is critical for the correct operation of Kerberos and SSL. Both of these security mechanisms rely on the hostname to ensure that communication is occurring between the specified hosts, and that no "man-in-the-middle" or other attacks are affecting the system.
</div><div class="para">
In an environment where virtual machines are commonplace, or perhaps in a clustered environment, copying, moving, and renaming hosts could be quite common, resulting in frequent demands for renames of machines.
@@ -1987,7 +1923,7 @@ MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA
Due to the nature of service principals, renaming hosts also requires the regeneration of service principals. Each service has a Kerberos principal in the form of <code class="systemitem"><service name>/<hostname>@<REALM></code>, for example, <code class="systemitem">ldap/server.example.com at EXAMPLE.COM</code>. This principal can be referred to as a "service principal". In some cases the <code class="systemitem">@<REALM></code> is omitted, leaving only <code class="systemitem"><service name>/<hostname></code>. (The "/" is a "slash" separator, not an "or" operator.)
</div><div class="para">
The following procedure renames the host <code class="systemitem">server.example.com</code> in the Kerberos realm <code class="systemitem">EXAMPLE.COM</code>, to the new hostname <code class="systemitem">master.example.com</code>. This procedure uses example file names, hostnames and domain names throughout; you need to update these examples to suit your own environment.
- </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Renaming_IPA_Machines-To_rename_an_IPA_machine"><h6>Procedure 5.3. To rename a FreeIPA machine:</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Renaming_IPA_Machines-To_rename_an_IPA_machine"><h6>Procedure 4.3. To rename a FreeIPA machine:</h6><ol class="1"><li class="step"><div class="para">
Identify which services are running on the machine. These need to be re-created when the machine is re-enrolled:
<pre class="screen"><code class="command"># ipa service-find server.example.com</code></pre>
@@ -2031,7 +1967,7 @@ MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA
If you need certificates for services, use either <code class="command">certmonger</code> or the FreeIPA administration tools.
</div></li><li class="step"><div class="para">
Re-add the host to any applicable host groups.
- </div></li></ol></div></div><div class="section" id="config-virt-machines"><div class="titlepage"><div><div><h2 class="title" id="config-virt-machines">5.4. Reconfiguring Virtual Machines</h2></div></div></div><div class="para">
+ </div></li></ol></div></div><div class="section" id="config-virt-machines"><div class="titlepage"><div><div><h2 class="title" id="config-virt-machines">4.4. Reconfiguring Virtual Machines</h2></div></div></div><div class="para">
There are two cases where it might be necessary to reconfigure a VM enrolled in a FreeIPA domain:
<div class="itemizedlist"><ul><li class="listitem"><div class="para">
The VM is copied.
@@ -2042,7 +1978,7 @@ MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA
</div></li></ul></div>
</div><div class="para">
- In each case, the procedure is identical to that described for renaming a FreeIPA machine: <a class="xref" href="#proc-Enterprise_Identity_Management_Guide-Renaming_IPA_Machines-To_rename_an_IPA_machine">Procedure 5.3, “To rename a FreeIPA machine:”</a>. Although it is possible to <span class="emphasis"><em>not</em></span> completely unconfigure the client, there is no real downside to doing this (that is, running the <code class="command">ipa-client-install --uninstall</code> command).
+ In each case, the procedure is identical to that described for renaming a FreeIPA machine: <a class="xref" href="#proc-Enterprise_Identity_Management_Guide-Renaming_IPA_Machines-To_rename_an_IPA_machine">Procedure 4.3, “To rename a FreeIPA machine:”</a>. Although it is possible to <span class="emphasis"><em>not</em></span> completely unconfigure the client, there is no real downside to doing this (that is, running the <code class="command">ipa-client-install --uninstall</code> command).
</div><div class="para">
If you cannot use the <code class="command">ipa-client-install --uninstall</code> command, or it is failing for some reason, use the following manual procedure to remove the FreeIPA configuration from the client. Bear in mind, however, that this procedure cannot be undone:
</div><div class="procedure"><ol class="1"><li class="step"><div class="para">
@@ -2067,9 +2003,7 @@ MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA
Add the new host to FreeIPA, or re-join using administrator privileges:
<pre class="programlisting"><code class="command">$ ipa-join</code></pre>
- </div></li></ol></div></div><div class="section" id="certs"><div class="titlepage"><div><div><h2 class="title" id="certs">5.5. Configuring Certificate-Based Machine Authentication</h2></div></div></div><div class="para">
- XXXXXXXXXXX FIX ME XXXXXXXX bz646240
- </div><div class="para">
+ </div></li></ol></div></div><div class="section" id="certs"><div class="titlepage"><div><div><h2 class="title" id="certs">4.5. Configuring Certificate-Based Machine Authentication</h2></div></div></div><div class="para">
Authentication includes machines on the network. Machine authentication is required for the FreeIPA server to trust the machine and to accept FreeIPA connections from the client software installed on that machine. After authenticating the client, the FreeIPA server can respond to its requests.
</div><div class="para">
FreeIPA supports two different approaches to machine authentication: Key Tables (or <em class="firstterm">keytabs</em>, a symmetric key resembling to some extent a user password); and Machine Certificates. FreeIPA clients use XML-RPC calls to request keytabs and certificates. Keys and certificate requests are generated on machines applying for certificates. Certificates are generated by the CA, in response to certificate requests submitted to FreeIPA and stored in FreeIPA's DS, and at the same time delivered to the machine for use in PKI machine authentication.
@@ -2089,11 +2023,11 @@ MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA
Machine authentication * Machines coming on the network and requesting services within the IPA realm shall be authenticated against that realm * Machine authentication credentials shall be used to provide mutual authentication/trust, encryption, and SSO capabilities for the services and applications requesting resources and accessing other services within the same IPA realm
</div><div class="para">
Note: Term "Machine" below means is either a physical host or a guest image in virtual machine. * [1.1] Integrate DNS server into the IPA server (Planned) o [1.1.1] Store DNS information in the DS (Planned) o [1.1.2] Allow IPA clients to automatically discover IPA servers (using DNS configuration) (Planned) o [1.1.3] Allow management of the DNS entries through the central IPA management console (Planned) o [1.1.4] Continue to allow IPA to function with an external DNS server (Planned) * [1.2] Policy on an IPA server shall determine the rules of the enrollment for the new machines. Options include: o [1.2.1] The machine shall automatically be registered in IPA and configured with settings that were pre-initialized (Planned) o [1.2.2] An Administrator is required to manually authenticate to the IPA server and initialize the configuration settings (Planned) * [1.3] When machine joins IPA realm the following operations shall be performed: (Planned) o [1.3.1] A unique and perm
anent identifier (machine GUID) shall be set for each machine. (Planned) o [1.3.2] Assign a kerberos principal to the machine. (Planned) o [1.3.3] Kerberos machine principal name will be administrator assigned or automatically set (Planned) o [1.3.4] Kerberos machine principal will default to the hostname (Planned) o [1.3.5] Capture attributes about the machine (Planned to some extent) + [1.3.5.1] Hostname + [1.3.5.2] Identify operating system on the machine + [1.3.5.3] In the case of administrator enrollment, the ID of the administrator o [1.3.6] Generate and provision keytab for machine authentication (Planned) o [1.3.7] Generate and provision machine certificate for the machine/VM to be used by applications and services that require PKI authentication (Planned) * [1.6] Renewal o [1.6.1] Automatically renew kerberos credential according to the centrally managed renewal policies (Planned - do it yourself instructions) o [1.6.2] Automatically renew and provision certificates
before their expiration according to the centrally managed policy (Planned) * [1.7] Allow a machine to leave the realm, de-activating the identity from IPA and destroying/revoking any certificates/keytabs. (Planned) o [1.7.1] The task of de-activating a machine from a realm should not require access (physical or network) to that client machine (Planned) o [1.7.2] Allow machine to be de-activated from IPA realm through the IPA client software (Planned) o [1.7.3] Allow machine to be re-enrolled into the IPA realm. (Planned) * [1.8] Update LDAP schema to support machine identity and related policies (Planned - but only for identity part) * [1.9] Maintain the identity of the machine or virtual machine after an upgrade of the OS including a major upgrade for example from 4 to 5. (Planned)
- </div></div><div class="section" id="General_Troubleshooting_Tips-Client_Problems"><div class="titlepage"><div><div><h2 class="title" id="General_Troubleshooting_Tips-Client_Problems">5.6. Client Problems</h2></div></div></div><div class="para">
+ </div></div><div class="section" id="General_Troubleshooting_Tips-Client_Problems"><div class="titlepage"><div><div><h2 class="title" id="General_Troubleshooting_Tips-Client_Problems">4.6. Client Problems</h2></div></div></div><div class="para">
If you are unable to log into a machine or the standard NSS tools fail to return user and group information (for example, <code class="command">getent passwd admin</code> fails), inspect the SSSD logs in <code class="filename">/var/log/sssd/</code>. You should start with the log file for your domain (<code class="filename">sssd_example.com.log</code>).
</div><div class="para">
To increase the log level, set <code class="varname">debug_level</code> = 9 in the <code class="literal">[domain/<em class="replaceable"><code>example.com</code></em>]</code> section of the <code class="filename">/etc/sssd/sssd.conf</code> file, and restart the <code class="systemitem">sssd</code> daemon for this change to take effect. Monitor the <code class="filename">/var/log/sssd/sssd_example.com.log</code> file for any relevant information.
- </div></div></div><div xml:lang="en-US" class="chapter" id="users" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 6. Identity: Managing Users and User Groups</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#home-directories">6.1. Managing User Home Directories</a></span></dt><dt><span class="section"><a href="#adding-users">6.2. Adding Users</a></span></dt><dt><span class="section"><a href="#editing-users">6.3. Editing Users</a></span></dt><dt><span class="section"><a href="#Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts">6.4. Activating and Deactivating User Accounts</a></span></dt><dd><dl><dt><span class="section"><a href="#Activating_and_Deactivating_User_Accounts-Using_the_Command_Line">6.4.1. Using the Command Line</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_IPA_Users-Specifying_Default_User_Settings">6.5. Specifying Default User Settings</a></span></dt><dt><span cla
ss="section"><a href="#search-limits">6.6. Setting Default Search Limits</a></span></dt><dt><span class="section"><a href="#Configuring_IPA_Users-Deleting_IPA_Users">6.7. Deleting FreeIPA Users</a></span></dt><dd><dl><dt><span class="section"><a href="#Deleting_IPA_Users-Using_the_Command_Line">6.7.1. Using the Command Line</a></span></dt></dl></dd><dt><span class="section"><a href="#user-groups">6.8. Creating User Groups</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_IPA_Groups-Creating_IPA_Groups">6.8.1. Creating FreeIPA Groups</a></span></dt><dt><span class="section"><a href="#Configuring_IPA_Groups-Editing_IPA_Groups">6.8.2. Editing FreeIPA Groups</a></span></dt><dt><span class="section"><a href="#Configuring_IPA_Groups-Deleting_IPA_Groups">6.8.3. Deleting FreeIPA Groups</a></span></dt></dl></dd><dt><span class="section"><a href="#user-pwdpolicy">6.9. Setting an Individual Password Policy</a></span></dt><dd><dl><dt><span class="section"><a href="#
The_IPA_Password_Policy-Changing_Passwords_as_the_Directory_Manager">6.9.1. Changing Passwords as the Directory Manager</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Changing_Passwords_as_the_IPA_Administrator">6.9.2. Changing Passwords as the FreeIPA Administrator</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Changing_Passwords_as_a_Regular_User">6.9.3. Changing Passwords as a Regular User</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Editing_the_Password_Policy">6.9.4. Editing the Password Policy</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Setting_Different_Password_Policies_for_Different_User_Groups">6.9.5. Setting Different Password Policies for Different User Groups</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Password_Policy_Attributes">6.9.6. Password Policy Attributes</a></span></dt><dt><span class="section"><a href="#The
_IPA_Password_Policy-Notifying_Users_of_Password_Expiration">6.9.7. Notifying Users of Password Expiration</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Using_SSH_for_Password_Authentication">6.9.8. Using SSH for Password Authentication</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Using_Local_Logins">6.9.9. Using Local Logins</a></span></dt></dl></dd><dt><span class="section"><a href="#searching">6.10. Searching for Users and Groups</a></span></dt><dd><dl><dt><span class="section"><a href="#Searching_for_Users_and_Groups-Searching_for_Users">6.10.1. Searching for Users</a></span></dt><dt><span class="section"><a href="#Searching_for_Users_and_Groups-Searching_for_Groups">6.10.2. Searching for Groups</a></span></dt></dl></dd></dl></div><div class="section" id="home-directories"><div class="titlepage"><div><div><h2 class="title" id="home-directories">6.1. Managing User Home Directories</h2></div></div></div><div class
="para">
+ </div></div></div><div xml:lang="en-US" class="chapter" id="users" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 5. Identity: Managing Users and User Groups</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#home-directories">5.1. Managing User Home Directories</a></span></dt><dt><span class="section"><a href="#adding-users">5.2. Adding Users</a></span></dt><dt><span class="section"><a href="#editing-users">5.3. Editing Users</a></span></dt><dt><span class="section"><a href="#Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts">5.4. Activating and Deactivating User Accounts</a></span></dt><dd><dl><dt><span class="section"><a href="#Activating_and_Deactivating_User_Accounts-Using_the_Command_Line">5.4.1. Using the Command Line</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_IPA_Users-Specifying_Default_User_Settings">5.5. Specifying Default User Settings</a></span></dt><dt><span cla
ss="section"><a href="#search-limits">5.6. Setting Default Search Limits</a></span></dt><dt><span class="section"><a href="#Configuring_IPA_Users-Deleting_IPA_Users">5.7. Deleting FreeIPA Users</a></span></dt><dd><dl><dt><span class="section"><a href="#Deleting_IPA_Users-Using_the_Command_Line">5.7.1. Using the Command Line</a></span></dt></dl></dd><dt><span class="section"><a href="#user-groups">5.8. Creating User Groups</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_IPA_Groups-Creating_IPA_Groups">5.8.1. Creating FreeIPA Groups</a></span></dt><dt><span class="section"><a href="#Configuring_IPA_Groups-Editing_IPA_Groups">5.8.2. Editing FreeIPA Groups</a></span></dt><dt><span class="section"><a href="#Configuring_IPA_Groups-Deleting_IPA_Groups">5.8.3. Deleting FreeIPA Groups</a></span></dt></dl></dd><dt><span class="section"><a href="#user-pwdpolicy">5.9. Setting an Individual Password Policy</a></span></dt><dd><dl><dt><span class="section"><a href="#
The_IPA_Password_Policy-Changing_Passwords_as_the_Directory_Manager">5.9.1. Changing Passwords as the Directory Manager</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Changing_Passwords_as_the_IPA_Administrator">5.9.2. Changing Passwords as the FreeIPA Administrator</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Changing_Passwords_as_a_Regular_User">5.9.3. Changing Passwords as a Regular User</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Editing_the_Password_Policy">5.9.4. Editing the Password Policy</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Setting_Different_Password_Policies_for_Different_User_Groups">5.9.5. Setting Different Password Policies for Different User Groups</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Password_Policy_Attributes">5.9.6. Password Policy Attributes</a></span></dt><dt><span class="section"><a href="#The
_IPA_Password_Policy-Notifying_Users_of_Password_Expiration">5.9.7. Notifying Users of Password Expiration</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Using_SSH_for_Password_Authentication">5.9.8. Using SSH for Password Authentication</a></span></dt><dt><span class="section"><a href="#The_IPA_Password_Policy-Using_Local_Logins">5.9.9. Using Local Logins</a></span></dt></dl></dd><dt><span class="section"><a href="#searching">5.10. Searching for Users and Groups</a></span></dt><dd><dl><dt><span class="section"><a href="#Searching_for_Users_and_Groups-Searching_for_Users">5.10.1. Searching for Users</a></span></dt><dt><span class="section"><a href="#Searching_for_Users_and_Groups-Searching_for_Groups">5.10.2. Searching for Groups</a></span></dt></dl></dd></dl></div><div class="section" id="home-directories"><div class="titlepage"><div><div><h2 class="title" id="home-directories">5.1. Managing User Home Directories</h2></div></div></div><div class
="para">
FreeIPA, as part of managing users, can manage user home directories. However, the FreeIPA server has expectations about
<div class="itemizedlist"><ul><li class="listitem"><div class="para">
The default prefix for users' home directories is <code class="filename">/home</code>.
@@ -2109,7 +2043,7 @@ MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA
If a suitable directory and mechanism are not available for the creation of home directories, users may not be able to log in.
</div></li></ul></div>
- </div></div><div class="section" id="adding-users"><div class="titlepage"><div><div><h2 class="title" id="adding-users">6.2. Adding Users</h2></div></div></div><div class="para">
+ </div></div><div class="section" id="adding-users"><div class="titlepage"><div><div><h2 class="title" id="adding-users">5.2. Adding Users</h2></div></div></div><div class="para">
FreeIPA supports a wide range of <span class="property">username</span> formats, but you need to be aware of any restrictions that may apply to your particular environment. For example, a <span class="property">username</span> that starts with a digit may cause problems for some UNIX systems.
</div><div class="para">
The range of <span class="property">username</span> formats supported by FreeIPA can be described by the following regular expression:
@@ -2117,7 +2051,7 @@ MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA
The trailing $ symbol is permitted for Samba 3.x machine support.
</div><div class="para">
Use the <code class="command">ipa user-add</code> command to add users to FreeIPA. You can pass attributes directly on the command line, or run the command with no parameters to enter interactive mode. Interactive mode prompts you to enter the basic attributes required to add a new user. You can add further attributes using the <code class="command">ipa user-mod</code> command. Use the <code class="command">ipa user-mod --list</code> command to view a list of the attributes that you can modify using this command.
- </div><div class="procedure" id="Using_the_Command_Line-To_create_the_user_jlamb_using_the_command_line"><h6>Procedure 6.1. To create the user <code class="systemitem">jlamb</code> using the command line:</h6><ul><li class="step"><div class="para">
+ </div><div class="procedure" id="Using_the_Command_Line-To_create_the_user_jlamb_using_the_command_line"><h6>Procedure 5.1. To create the user <code class="systemitem">jlamb</code> using the command line:</h6><ul><li class="step"><div class="para">
Open a shell and run the following command:
</div><div class="para">
@@ -2147,12 +2081,12 @@ UID: 387115841
</div><div class="para">
Refer to the <code class="command">ipa user-add</code> help page for more information.
</div><div class="important"><div class="admonition_header"><h2>IMPORTANT</h2></div><div class="admonition"><div class="para">
- When a user is created without specifying a UID or GID number, then the user account is automatically assigned an ID number that is next available in the server or replica range. (Number ranges are described more in <a class="xref" href="#Managing-Unique_UID_and_GID_Attributes">Section 13.3, “Managing Unique UID and GID Number Assignments”</a>.) This means that a user always has a unique number for its UID number and, if configured, for its private group.
+ When a user is created without specifying a UID or GID number, then the user account is automatically assigned an ID number that is next available in the server or replica range. (Number ranges are described more in <a class="xref" href="#Managing-Unique_UID_and_GID_Attributes">Section 12.3, “Managing Unique UID and GID Number Assignments”</a>.) This means that a user always has a unique number for its UID number and, if configured, for its private group.
</div><div class="para">
If a number is <span class="emphasis"><em>manually</em></span> assigned to a user entry, the server does not validate that the <em class="parameter"><code>uidNumber</code></em> is unique. It will allow duplicate IDs; this is expected (though discouraged) behavior for Posix entries.
</div><div class="para">
If two entries are assigned the same ID number, only the first entry is returned in a search for that ID number. However, both entries will be returned in searches for other attributes or with <code class="command">ipa user-find --all</code>.
- </div></div></div></div><div class="section" id="editing-users"><div class="titlepage"><div><div><h2 class="title" id="editing-users">6.3. Editing Users</h2></div></div></div><div class="para">
+ </div></div></div></div><div class="section" id="editing-users"><div class="titlepage"><div><div><h2 class="title" id="editing-users">5.3. Editing Users</h2></div></div></div><div class="para">
Use the <code class="command">ipa user-mod</code> command to modify user account details, such as adding, removing or changing attributes. Refer to the following examples:
</div><div class="para">
To update attributes for the user <code class="systemitem">jsmith</code>:
@@ -2160,9 +2094,9 @@ UID: 387115841
To retrieve a list of attributes for a user:
</div><pre class="screen">$ ipa user-show --raw <em class="replaceable"><code>userName</code></em></pre><div class="para">
The list of attributes corresponds to those available in the web interface, not including any custom attributes that may have been defined.
- </div></div><div class="section" id="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts"><div class="titlepage"><div><div><h2 class="title" id="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts">6.4. Activating and Deactivating User Accounts</h2></div></div></div><div class="para">
+ </div></div><div class="section" id="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts"><div class="titlepage"><div><div><h2 class="title" id="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts">5.4. Activating and Deactivating User Accounts</h2></div></div></div><div class="para">
FreeIPA user accounts can be set to a status of <code class="literal">Active</code> or <code class="literal">Inactive</code>. If you deactivate a user account, that user can no longer log in to FreeIPA, change their password, or perform any other tasks. Any existing connections will remain valid until their <code class="systemitem">Kerberos</code> TGT and other tickets expire, but they will not be able to renew them. The account and all associated information still exists, but is inaccessible by the user.
- </div><div class="section" id="Activating_and_Deactivating_User_Accounts-Using_the_Command_Line"><div class="titlepage"><div><div><h3 class="title" id="Activating_and_Deactivating_User_Accounts-Using_the_Command_Line">6.4.1. Using the Command Line</h3></div></div></div><div class="para">
+ </div><div class="section" id="Activating_and_Deactivating_User_Accounts-Using_the_Command_Line"><div class="titlepage"><div><div><h3 class="title" id="Activating_and_Deactivating_User_Accounts-Using_the_Command_Line">5.4.1. Using the Command Line</h3></div></div></div><div class="para">
Use the <code class="command">ipa user-enable</code> and <code class="command">ipa user-disable</code> commands to enable and disable user accounts, respectively. Refer to the following examples:
</div><div class="para">
To disable the <code class="systemitem">jsmith</code> user account:
@@ -2172,7 +2106,7 @@ UID: 387115841
To enable the <code class="systemitem">jsmith</code> user account:
</div><div class="para">
$ ipa user-enable jsmith
- </div></div></div><div class="section" id="Configuring_IPA_Users-Specifying_Default_User_Settings"><div class="titlepage"><div><div><h2 class="title" id="Configuring_IPA_Users-Specifying_Default_User_Settings">6.5. Specifying Default User Settings</h2></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Configuring_IPA_Users-Specifying_Default_User_Settings"><div class="titlepage"><div><div><h2 class="title" id="Configuring_IPA_Users-Specifying_Default_User_Settings">5.5. Specifying Default User Settings</h2></div></div></div><div class="para">
You can configure the default settings for FreeIPA users to suit your deployment. For example, you can specify the maximum username length, the default path to the <code class="filename">/home</code> directory, the default shell, and other attributes.
</div><div class="para">
FreeIPA supports the following User Settings:
@@ -2205,7 +2139,7 @@ Certificate Subject base: O=MYDOMAIN.NET</pre><div class="para">
The default root directory for all home directories is <code class="filename">/home</code>, but it is the responsibility of the system administrator to ensure that whatever value is specified for this attribute is actually available.
</div><div class="para">
Fedora includes a <code class="systemitem">PAM</code> module called <code class="systemitem module">pam_mkhomedir</code> that can automatically create a home directory if one does not exist for the user authenticating against the system. FreeIPA does not force the use of this module because it may try to create home directories even when the shared storage is not available. It is the responsibility of the system administrator to activate this module on the clients if needed.
- </div></div></div></div><div class="section" id="search-limits"><div class="titlepage"><div><div><h2 class="title" id="search-limits">6.6. Setting Default Search Limits</h2></div></div></div><div class="para">
+ </div></div></div></div><div class="section" id="search-limits"><div class="titlepage"><div><div><h2 class="title" id="search-limits">5.6. Setting Default Search Limits</h2></div></div></div><div class="para">
You can set limits on the number of records returned when performing various queries, for example when you run the <code class="command">ipa user-find</code> command. These limits are specified by the <em class="parameter"><code>Search size limit</code></em> attribute in the default FreeIPA configuration. The default value for this attribute is 100.
</div><div class="para">
To view the current configuration, run the <code class="command"># ipa config-show</code> command. Refer to the <code class="command">ipa help config</code> help page for more information.
@@ -2250,13 +2184,13 @@ Certificate Subject base: O=MYDOMAIN.NET</pre><div class="para">
If you add attributes to the user or group search fields, you should also create a new <code class="systemitem">LDAP</code> index for those attributes to avoid performance degradation. Conversely, the existence of too many indexes can impact write performance, so you need to balance one against the other.
</div><div class="para">
Refer to <a href="http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Indexes-Creating_Indexes.html">Creating Indexes</a> in the <em class="citetitle">389 Directory Server Administration Guide</em> for information on creating indexes.
- </div></div><div class="section" id="Configuring_IPA_Users-Deleting_IPA_Users"><div class="titlepage"><div><div><h2 class="title" id="Configuring_IPA_Users-Deleting_IPA_Users">6.7. Deleting FreeIPA Users</h2></div></div></div><div class="para">
+ </div></div><div class="section" id="Configuring_IPA_Users-Deleting_IPA_Users"><div class="titlepage"><div><div><h2 class="title" id="Configuring_IPA_Users-Deleting_IPA_Users">5.7. Deleting FreeIPA Users</h2></div></div></div><div class="para">
If you delete a FreeIPA user account, all of the information stored in the entry for that identity is lost. This includes the user's full name, group membership, phone numbers, and passwords. The actual user account and home directory still exist, be they on a server, local machine, or other provider, but they are no longer accessible by FreeIPA.
</div><div class="para">
Unlike deactivation, if you delete a user account, it cannot be retrieved. If you need this user account again, you need to recreate it and add all of the account details manually.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
Unlike in earlier versions of FreeIPA, it is now possible to delete the <code class="systemitem">admin</code> user. If, however, you delete all of the <code class="systemitem">admin</code> users then you will need to use the Directory Manager account to create a new administrative user. Alternatively, if you have a user in the group management role, they can add a new <code class="systemitem">admin</code> user.
- </div></div></div><div class="section" id="Deleting_IPA_Users-Using_the_Command_Line"><div class="titlepage"><div><div><h3 class="title" id="Deleting_IPA_Users-Using_the_Command_Line">6.7.1. Using the Command Line</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Deleting_IPA_Users-Using_the_Command_Line"><div class="titlepage"><div><div><h3 class="title" id="Deleting_IPA_Users-Using_the_Command_Line">5.7.1. Using the Command Line</h3></div></div></div><div class="para">
Use the <code class="command">ipa user-del</code> command to delete user accounts. For example:
</div><div class="para">
To delete the <code class="systemitem">jsmith</code> user account:
@@ -2270,7 +2204,7 @@ Certificate Subject base: O=MYDOMAIN.NET</pre><div class="para">
If you run this command without using the <code class="option">--continue</code> option, FreeIPA will delete the listed user accounts unless it encounters any errors, at which point it stops. For example, if <em class="parameter"><code>user_02</code></em> did not exist, the previous command would only delete <em class="parameter"><code>user_01</code></em>; <em class="parameter"><code>user_03</code></em> would not be affected.
</div><div class="para">
The <code class="option">--continue</code> option returns a summary of successes and failures to <code class="systemitem">stdout</code>.
- </div></div></div><div class="section" id="user-groups"><div class="titlepage"><div><div><h2 class="title" id="user-groups">6.8. Creating User Groups</h2></div></div></div><div class="para">
+ </div></div></div><div class="section" id="user-groups"><div class="titlepage"><div><div><h2 class="title" id="user-groups">5.8. Creating User Groups</h2></div></div></div><div class="para">
FreeIPA uses groups to facilitate the management and administration of all types of objects, such as users, hosts, tasks, roles, and others. This section introduces <code class="systemitem">User Groups</code> and how they are used within FreeIPA. Other object groups behave and are used in similar ways; these are discussed elsewhere.
</div><div class="formalpara" id="Configuring_IPA_Groups-User_Groups"><h5 class="formalpara">User Groups</h5>
Three groups are created during the installation process: <code class="systemitem">ipausers</code>, <code class="systemitem">admins</code>, and <code class="systemitem">editors</code>. All of these groups are required for FreeIPA operation.
@@ -2286,7 +2220,7 @@ Certificate Subject base: O=MYDOMAIN.NET</pre><div class="para">
You can also create nested groups. For example, you can create a group called "Documentation", and then create sub-groups such as "Writers", "Translators", and "Editors". You can add users to each of the sub-groups to suit the needs of your organization. Any users that you add to a sub-group automatically become members of the parent group.
</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
Avoid the creation of cyclic groups; that is, groups that contain groups that in turn contain their own ancestors, and avoid creating group names that contain spaces. Either of these conditions can lead to unexpected behavior.
- </div></div></div><div class="section" id="Configuring_IPA_Groups-Creating_IPA_Groups"><div class="titlepage"><div><div><h3 class="title" id="Configuring_IPA_Groups-Creating_IPA_Groups">6.8.1. Creating FreeIPA Groups</h3></div></div></div><div class="section" id="Creating_IPA_Groups-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Creating_IPA_Groups-Using_the_Command_Line">6.8.1.1. Using the Command Line</h4></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Configuring_IPA_Groups-Creating_IPA_Groups"><div class="titlepage"><div><div><h3 class="title" id="Configuring_IPA_Groups-Creating_IPA_Groups">5.8.1. Creating FreeIPA Groups</h3></div></div></div><div class="section" id="Creating_IPA_Groups-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Creating_IPA_Groups-Using_the_Command_Line">5.8.1.1. Using the Command Line</h4></div></div></div><div class="para">
Use the <code class="command">ipa group-add</code> command to add groups. You can include attributes on the command line or use the command interactively. For example:
</div><div class="para">
To create a group called "Engineering" using the command line:
@@ -2310,7 +2244,7 @@ Added group "documentation"
GID: 387115845</pre><div class="para">
The group name and description are mandatory fields. If either of these are not included on the command line, you will be prompted to include them.
</div><div class="important"><div class="admonition_header"><h2>IMPORTANT</h2></div><div class="admonition"><div class="para">
- When a group is created without specifying a GID number, then the group entry is assigned the ID number that is next available in the server or replica range. (Number ranges are described more in <a class="xref" href="#Managing-Unique_UID_and_GID_Attributes">Section 13.3, “Managing Unique UID and GID Number Assignments”</a>.) This means that a group always has a unique number for its GID number.
+ When a group is created without specifying a GID number, then the group entry is assigned the ID number that is next available in the server or replica range. (Number ranges are described more in <a class="xref" href="#Managing-Unique_UID_and_GID_Attributes">Section 12.3, “Managing Unique UID and GID Number Assignments”</a>.) This means that a group always has a unique number for its GID number.
</div><div class="para">
If a number is <span class="emphasis"><em>manually</em></span> assigned to a group entry, the server does not validate that the <em class="parameter"><code>gidNumber</code></em> is unique. It will allow duplicate IDs; this is expected (though discouraged) behavior for Posix entries.
</div><div class="para">
@@ -2335,23 +2269,23 @@ Number of members added 3
-------------------------
Number of members added 2
-------------------------
-</pre></div></div><div class="section" id="Configuring_IPA_Groups-Editing_IPA_Groups"><div class="titlepage"><div><div><h3 class="title" id="Configuring_IPA_Groups-Editing_IPA_Groups">6.8.2. Editing FreeIPA Groups</h3></div></div></div><div class="para">
+</pre></div></div><div class="section" id="Configuring_IPA_Groups-Editing_IPA_Groups"><div class="titlepage"><div><div><h3 class="title" id="Configuring_IPA_Groups-Editing_IPA_Groups">5.8.2. Editing FreeIPA Groups</h3></div></div></div><div class="para">
You can edit many of the attributes that define a group, as well as add or remove members. Some attributes are read-only by default, however you can edit these attributes if required.
</div><div class="para">
You cannot edit the group name. The group name is the primary key, so changing it is the equivalent of deleting the group and creating a new one.
- </div><div class="section" id="Editing_IPA_Groups-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Editing_IPA_Groups-Using_the_Command_Line">6.8.2.1. Using the Command Line</h4></div></div></div><div class="para">
+ </div><div class="section" id="Editing_IPA_Groups-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Editing_IPA_Groups-Using_the_Command_Line">5.8.2.1. Using the Command Line</h4></div></div></div><div class="para">
Use the <code class="command">ipa group-mod</code> command to modify specific attributes of FreeIPA groups. FreeIPA provides numerous commands for working with groups, such as <code class="command">ipa group-add-member</code> and <code class="command">ipa group-detach</code>; run the <code class="command">ipa help group</code> command to access the FreeIPA group help page for more information.
- </div></div></div><div class="section" id="Configuring_IPA_Groups-Deleting_IPA_Groups"><div class="titlepage"><div><div><h3 class="title" id="Configuring_IPA_Groups-Deleting_IPA_Groups">6.8.3. Deleting FreeIPA Groups</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Configuring_IPA_Groups-Deleting_IPA_Groups"><div class="titlepage"><div><div><h3 class="title" id="Configuring_IPA_Groups-Deleting_IPA_Groups">5.8.3. Deleting FreeIPA Groups</h3></div></div></div><div class="para">
When you delete a FreeIPA group, only the immediate group is removed; members of the group are not affected.
</div><div class="para">
When you delete a FreeIPA group, any delegations that apply to that group are also removed. For example, suppose you added an "EngineeringManager" group specifically to set up delegations for the Engineering Manager. If you delete the EngineeringManager group, then those delegations are also lost. These delegations cannot be retrieved. If you need this group and delegation again, you need to recreate them.
- </div><div class="section" id="Deleting_IPA_Groups-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Deleting_IPA_Groups-Using_the_Command_Line">6.8.3.1. Using the Command Line</h4></div></div></div><div class="para">
+ </div><div class="section" id="Deleting_IPA_Groups-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Deleting_IPA_Groups-Using_the_Command_Line">5.8.3.1. Using the Command Line</h4></div></div></div><div class="para">
Use the <code class="command">ipa group-del</code> command to delete groups. For example:
</div><div class="para">
To delete the Engineering group:
</div><div class="para">
$ ipa group-del Engineering
- </div></div></div></div><div class="section" id="user-pwdpolicy"><div class="titlepage"><div><div><h2 class="title" id="user-pwdpolicy">6.9. Setting an Individual Password Policy</h2></div></div></div><div class="para">
+ </div></div></div></div><div class="section" id="user-pwdpolicy"><div class="titlepage"><div><div><h2 class="title" id="user-pwdpolicy">5.9. Setting an Individual Password Policy</h2></div></div></div><div class="para">
FreeIPA has a default policy of never exposing passwords, even hashed passwords, to clients, in the interests of system security. This policy applies even if you still rely on NIS server functionality to some degree, for example, as a result of a full or partial migration from NIS to FreeIPA. FreeIPA normally expects a switch to Kerberos for authentication, but this may not always be possible.
</div><div class="para">
The FreeIPA password policy supports the specification of various password attributes that help to ensure the security of your system, and also that of individual user accounts. You can specify the password lifetime, length, and the types of characters required, all as part of the FreeIPA password policy.
@@ -2361,17 +2295,17 @@ Number of members added 3
Because the password policy is enforced by the <abbr class="abbrev">KDC</abbr>, any further policy specifications that you implement as part of the Directory Server password policy will not be visible in FreeIPA, and neither will they be enforced.
</div></li><li class="listitem"><div class="para">
Different rules apply to changing passwords, depending on your login credentials.
- </div></li></ul></div></div></div><div class="section" id="The_IPA_Password_Policy-Changing_Passwords_as_the_Directory_Manager"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Changing_Passwords_as_the_Directory_Manager">6.9.1. Changing Passwords as the Directory Manager</h3></div></div></div><div class="para">
+ </div></li></ul></div></div></div><div class="section" id="The_IPA_Password_Policy-Changing_Passwords_as_the_Directory_Manager"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Changing_Passwords_as_the_Directory_Manager">5.9.1. Changing Passwords as the Directory Manager</h3></div></div></div><div class="para">
If you reset a password using <em class="parameter entry"><code>cn=Directory Manager</code></em> credentials (only possible if you manually perform an <code class="systemitem">LDAP</code> password change operation) then you override any checks and the password is set to whatever you specify. The FreeIPA password policy is ignored.
- </div></div><div class="section" id="The_IPA_Password_Policy-Changing_Passwords_as_the_IPA_Administrator"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Changing_Passwords_as_the_IPA_Administrator">6.9.2. Changing Passwords as the FreeIPA Administrator</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="The_IPA_Password_Policy-Changing_Passwords_as_the_IPA_Administrator"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Changing_Passwords_as_the_IPA_Administrator">5.9.2. Changing Passwords as the FreeIPA Administrator</h3></div></div></div><div class="para">
If you reset a password using <code class="systemitem">admin</code> credentials (that is, as part of the <code class="systemitem">admins</code> group), the FreeIPA password policy is ignored, but the expiration date is set to "now". This means that the user is forced to change the password at login time, and the password policy is then enforced. This is also true for users who have had password changing rights delegated to them.
</div><div class="para">
Consequently, the FreeIPA Administrator can easily create users with "default" passwords and reset user's passwords, but will not know the actual, final password entered by the user. Further, any password that is transmitted from the FreeIPA Administrator to the user, even over insecure channels, is a temporary password. Consequently, it is not critical if it is accidentally disclosed, provided that the user promptly resets it.
- </div></div><div class="section" id="The_IPA_Password_Policy-Changing_Passwords_as_a_Regular_User"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Changing_Passwords_as_a_Regular_User">6.9.3. Changing Passwords as a Regular User</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="The_IPA_Password_Policy-Changing_Passwords_as_a_Regular_User"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Changing_Passwords_as_a_Regular_User">5.9.3. Changing Passwords as a Regular User</h3></div></div></div><div class="para">
If you are logged in as a regular user (that is, you are not part of the <code class="systemitem">admins</code> group, or possessed of any elevated privileges), then you can only change your own password, and these changes are always subject to the FreeIPA password policy.
- </div></div><div class="section" id="The_IPA_Password_Policy-Editing_the_Password_Policy"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Editing_the_Password_Policy">6.9.4. Editing the Password Policy</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="The_IPA_Password_Policy-Editing_the_Password_Policy"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Editing_the_Password_Policy">5.9.4. Editing the Password Policy</h3></div></div></div><div class="para">
You can use either the web interface or the command line to edit the FreeIPA password policy. However, you can only edit those attributes supported by FreeIPA.
- </div><div class="section" id="Editing_the_Password_Policy-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Editing_the_Password_Policy-Using_the_Command_Line">6.9.4.1. Using the Command Line</h4></div></div></div><div class="para">
+ </div><div class="section" id="Editing_the_Password_Policy-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Editing_the_Password_Policy-Using_the_Command_Line">5.9.4.1. Using the Command Line</h4></div></div></div><div class="para">
Use the <code class="command">ipa pwpolicy-*</code> commands to create and modify FreeIPA password policies. These commands are provided as part of the <code class="command">ipa pwpolicy</code> plug-in functionality. The <code class="command">ipa help pwpolicy</code> command displays the help page and some examples of using this plug-in.
</div><div class="para">
For example, use the following command to update the minimum global password length to 10 characters, and to specify that no history of passwords be kept:
@@ -2382,8 +2316,8 @@ Number of members added 3
</div><div class="para">
# ipa pwpolicy-show
</div><div class="para">
- Refer to <a class="xref" href="#The_IPA_Password_Policy-Password_Policy_Attributes">Section 6.9.6, “Password Policy Attributes”</a> for information on password policy attributes.
- </div></div></div><div class="section" id="The_IPA_Password_Policy-Setting_Different_Password_Policies_for_Different_User_Groups"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Setting_Different_Password_Policies_for_Different_User_Groups">6.9.5. Setting Different Password Policies for Different User Groups</h3></div></div></div><div class="para">
+ Refer to <a class="xref" href="#The_IPA_Password_Policy-Password_Policy_Attributes">Section 5.9.6, “Password Policy Attributes”</a> for information on password policy attributes.
+ </div></div></div><div class="section" id="The_IPA_Password_Policy-Setting_Different_Password_Policies_for_Different_User_Groups"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Setting_Different_Password_Policies_for_Different_User_Groups">5.9.5. Setting Different Password Policies for Different User Groups</h3></div></div></div><div class="para">
The FreeIPA password policy plug-in (<code class="command">ipa pwpolicy</code>) manages both global and per-group password policies. You can use this plug-in to display or modify existing password policies to suit the needs of your environment.
</div><div class="para">
The following examples demonstrate how to display and modify existing password policies.
@@ -2416,7 +2350,7 @@ Max lifetime (days): 5</pre><div class="para">
# ipa pwpolicy-show --user=tuser1
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
Password policies are not cumulative. That is, you cannot override a single setting in a policy and let it fall back to the global policy on all the others; it is all or nothing.
- </div></div></div><div class="section" id="Setting_Different_Password_Policies_for_Different_User_Groups-Setting_the_Priority_of_Password_Policies"><div class="titlepage"><div><div><h4 class="title" id="Setting_Different_Password_Policies_for_Different_User_Groups-Setting_the_Priority_of_Password_Policies">6.9.5.1. Setting the Priority of Password Policies</h4></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Setting_Different_Password_Policies_for_Different_User_Groups-Setting_the_Priority_of_Password_Policies"><div class="titlepage"><div><div><h4 class="title" id="Setting_Different_Password_Policies_for_Different_User_Groups-Setting_the_Priority_of_Password_Policies">5.9.5.1. Setting the Priority of Password Policies</h4></div></div></div><div class="para">
The following example demonstrates the use of password priority, where a user and two groups are created, with a separate password policy for each group. Each policy has a different priority, and the user is added to both groups.
</div><div class="procedure"><ol class="1"><li class="step"><div class="formalpara" id="Setting_the_Priority_of_Password_Policies-Adding_a_user"><h5 class="formalpara">Adding a user</h5>
Use the <code class="command">ipa user-add</code> command to add a new user:
@@ -2513,7 +2447,7 @@ Number of members removed 1
$ ipa pwpolicy-show --user=tuser1
Group: g2
Minimum lifetime (in hours): 20
-</pre></li></ol></div></div></div><div class="section" id="The_IPA_Password_Policy-Password_Policy_Attributes"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Password_Policy_Attributes">6.9.6. Password Policy Attributes</h3></div></div></div><div class="para">
+</pre></li></ol></div></div></div><div class="section" id="The_IPA_Password_Policy-Password_Policy_Attributes"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Password_Policy_Attributes">5.9.6. Password Policy Attributes</h3></div></div></div><div class="para">
The password policy is enforced by the <code class="systemitem module">pwd_extop</code> SLAPI plug-in. FreeIPA supports the following password policy attributes:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<span class="guilabel"><strong>Minimum Password Lifetime</strong></span> (<span class="property">krbMinPwdLife</span>): The minimum period of time, in hours, that a user's password must be in effect before the user can change it. The default value is one hour.
@@ -2560,13 +2494,13 @@ $ ipa pwpolicy-show --user=tuser1
<span class="guilabel"><strong>Lockout Time</strong></span> (<span class="property">lockouttime</span>): Specifies the period (in seconds) for which a lockout is enforced.
</div></li></ul></div><div class="para">
Refer to the <code class="command">ipa help pwpolicy-add</code> help page for more information on configuring the FreeIPA password policy.
- </div></div><div class="section" id="The_IPA_Password_Policy-Notifying_Users_of_Password_Expiration"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Notifying_Users_of_Password_Expiration">6.9.7. Notifying Users of Password Expiration</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="The_IPA_Password_Policy-Notifying_Users_of_Password_Expiration"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Notifying_Users_of_Password_Expiration">5.9.7. Notifying Users of Password Expiration</h3></div></div></div><div class="para">
If it is installed and configured, SSSD can use the PAM module to send messages to users, warning them about imminent password expiration. Fedora has a <code class="option">pam_pwd_expiration_warning</code> option to fine tune this feature. You can also manually search for passwords that are due to expire by a specified date. For example, to retrieve all user entries whose passwords are due to expire before March 1st, 2011, run the following command:
</div><div class="para">
<pre class="screen">$ ldapsearch -Y GSSAPI -b "cn=users,cn=accounts,dc=example,dc=com" '(krbPasswordExpiration<=20110301000000Z)'</pre>
- </div></div><div class="section" id="The_IPA_Password_Policy-Using_SSH_for_Password_Authentication"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Using_SSH_for_Password_Authentication">6.9.8. Using SSH for Password Authentication</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="The_IPA_Password_Policy-Using_SSH_for_Password_Authentication"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Using_SSH_for_Password_Authentication">5.9.8. Using SSH for Password Authentication</h3></div></div></div><div class="para">
If you use password authentication (no GSSAPI authentication, and no ticket on the client) with a new user, or with a user whose password has expired, you need to enable Challenge-Response authentication. Otherwise, the password changing dialog box will not display.
</div><div class="para">
This is not enabled by default because some older <code class="systemitem">SSL</code> clients may not support Challenge-Response authentication, and it is needed only if the password has expired.
@@ -2575,11 +2509,11 @@ $ ipa pwpolicy-show --user=tuser1
Set <em class="parameter"><code>ChallengeResponseAuthentication</code></em> to <code class="literal">yes</code> in the <code class="filename">/etc/ssh/sshd_config</code> file.
</div></li></ul></div>
- </div></div><div class="section" id="The_IPA_Password_Policy-Using_Local_Logins"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Using_Local_Logins">6.9.9. Using Local Logins</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="The_IPA_Password_Policy-Using_Local_Logins"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Using_Local_Logins">5.9.9. Using Local Logins</h3></div></div></div><div class="para">
User identity and authentication is managed by SSSD in recent versions of Fedora. The default settings specified by the FreeIPA installation script include timeout settings that still allow local logins to succeed if the client cannot access the FreeIPA server. These settings are specified in the <code class="filename">/etc/sssd/sssd.conf</code> file, and can be tuned to suit your particular deployment. Further, if SSSD's password caching feature is enabled, a user can log in even if the FreeIPA server is down. A typical deployment would normally include two or more servers for redundancy, and so this would not normally be a problem.
</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
These timeout settings are only set on operating systems that support the FreeIPA installation script, meaning Fedora 15 and later. On other versions, specify these values manually or it may be impossible to log into the host if no FreeIPA servers are available.
- </div></div></div></div></div><div class="section" id="searching"><div class="titlepage"><div><div><h2 class="title" id="searching">6.10. Searching for Users and Groups</h2></div></div></div><div class="para">
+ </div></div></div></div></div><div class="section" id="searching"><div class="titlepage"><div><div><h2 class="title" id="searching">5.10. Searching for Users and Groups</h2></div></div></div><div class="para">
FreeIPA provides extensive search capabilities, which enable you to perform simple and partial-match searches on a range of attributes, including:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
First Name (givenname)
@@ -2613,7 +2547,7 @@ $ ipa pwpolicy-show --user=tuser1
Home Page
</div></li></ul></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
You cannot use wildcards to search for users or groups. The search string must include at least one character that appears in one of the indexed search fields.
- </div></div></div><div class="section" id="Searching_for_Users_and_Groups-Searching_for_Users"><div class="titlepage"><div><div><h3 class="title" id="Searching_for_Users_and_Groups-Searching_for_Users">6.10.1. Searching for Users</h3></div></div></div><div class="section" id="Searching_for_Users-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Searching_for_Users-Using_the_Command_Line">6.10.1.1. Using the Command Line</h4></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Searching_for_Users_and_Groups-Searching_for_Users"><div class="titlepage"><div><div><h3 class="title" id="Searching_for_Users_and_Groups-Searching_for_Users">5.10.1. Searching for Users</h3></div></div></div><div class="section" id="Searching_for_Users-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Searching_for_Users-Using_the_Command_Line">5.10.1.1. Using the Command Line</h4></div></div></div><div class="para">
Use the <code class="command">ipa user-find</code> command to search for users from the command line. The basic syntax of this command is as follows:
<div class="cmdsynopsis"><p><code class="command">ipa user-find</code> [
options
@@ -2650,7 +2584,7 @@ Member of groups: ipausers
Number of entries returned 2
----------------------------</pre><div class="para">
If you do not see the entry that you are looking for, you may need to adjust the <code class="option">--searchrecordslimit</code> option in the default FreeIPA configuration.
- </div></div></div><div class="section" id="Searching_for_Users_and_Groups-Searching_for_Groups"><div class="titlepage"><div><div><h3 class="title" id="Searching_for_Users_and_Groups-Searching_for_Groups">6.10.2. Searching for Groups</h3></div></div></div><div class="section" id="Searching_for_Groups-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Searching_for_Groups-Using_the_Command_Line">6.10.2.1. Using the Command Line</h4></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Searching_for_Users_and_Groups-Searching_for_Groups"><div class="titlepage"><div><div><h3 class="title" id="Searching_for_Users_and_Groups-Searching_for_Groups">5.10.2. Searching for Groups</h3></div></div></div><div class="section" id="Searching_for_Groups-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Searching_for_Groups-Using_the_Command_Line">5.10.2.1. Using the Command Line</h4></div></div></div><div class="para">
Use the <code class="command">ipa group-find</code> command to search for groups from the command line. The basic syntax of this command is as follows:
<div class="cmdsynopsis"><p><code class="command">ipa group-find</code> {
string
@@ -2674,7 +2608,7 @@ Member users: dkim, mkang, lming, klim
Number of entries returned 1
----------------------------</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
The <code class="command">ipa group-find</code> command searches both group names and group descriptions. If your search results are too extensive, use a more specific search string.
- </div></div></div></div></div></div></div><div xml:lang="en-US" class="chapter" id="kerberos" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 7. Identity: Using FreeIPA for a Kerberos Domain</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#about-kerberos">7.1. About Kerberos</a></span></dt><dt><span class="section"><a href="#kerb-policies">7.2. Setting Kerberos Ticket Policies</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals">7.3. Creating and Using Service Principals</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Creating_Service_Principals_and_Certificates_for_New_Services-Creating_an_IPA_Service">7.3.1. Creating a FreeIPA Service</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Service_Princip
als-Configuring_an_NFS_Service_Principal_on_the_IPA_Server">7.3.2. Configuring an NFS Service Principal on the FreeIPA Server</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets">7.4. Refreshing Kerberos Tickets</a></span></dt><dt><span class="section"><a href="#rotating-keys">7.5. Rotating Keys</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors">7.6. Kerberos Errors</a></span></dt></dl></div><div class="section" id="about-kerberos"><div class="titlepage"><div><div><h2 class="title" id="about-kerberos">7.1. About Kerberos</h2></div></div></div><div class="para">
+ </div></div></div></div></div></div></div><div xml:lang="en-US" class="chapter" id="kerberos" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 6. Identity: Using FreeIPA for a Kerberos Domain</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#about-kerberos">6.1. About Kerberos</a></span></dt><dt><span class="section"><a href="#kerb-policies">6.2. Setting Kerberos Ticket Policies</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals">6.3. Creating and Using Service Principals</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Creating_Service_Principals_and_Certificates_for_New_Services-Creating_an_IPA_Service">6.3.1. Creating a FreeIPA Service</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Service_Princip
als-Configuring_an_NFS_Service_Principal_on_the_IPA_Server">6.3.2. Configuring an NFS Service Principal on the FreeIPA Server</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets">6.4. Refreshing Kerberos Tickets</a></span></dt><dt><span class="section"><a href="#rotating-keys">6.5. Rotating Keys</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors">6.6. Kerberos Errors</a></span></dt></dl></div><div class="section" id="about-kerberos"><div class="titlepage"><div><div><h2 class="title" id="about-kerberos">6.1. About Kerberos</h2></div></div></div><div class="para">
The Kerberos server is a part of FreeIPA. When you run the <code class="command">kinit</code> command you invoke a client that connects to the Kerberos server. As a result of the authentication the client receives a <em class="firstterm">ticket</em>. This ticket is a temporary pass; or a better description might be a pass-book. The best example from real life might be a pass to a movie festival. A single pass to such a festival would allow someone to attend different movies at their discretion. Kerberos is very similar. When a user tries to access any resource that is protected by Kerberos, that resource requires the user to present a valid ticket, the same as in the movies.
</div><div class="para">
To obtain such a ticket the user needs to prove their identity; that they are who they claim to be. Asking the user to constantly authenticate with their password would soon prove to be too annoying and hard to manage. This is why a multi-tier process exists, where the user first authenticates and obtains a so-called <em class="firstterm">ticket-granting ticket</em> (TGT). This ticket can then be presented to the Kerberos server at any time and a new ticket specific to the resource that the user wants to access can be acquired. All of these tickets have a configurable expiration time, so the user occasionally needs to re-authenticate, but it is much less of a burden.
@@ -2718,7 +2652,7 @@ Number of entries returned 1
Failure to export an updated keytab can cause problems that are difficult to isolate. For example, existing service connections may continue to function, but no new connections may be possible.
</div><div class="para">
Due to the critical role that keytabs play in authenticating users and services, and the issues that can arise if they are compromised, ensure that all keytab files are appropriately secured, and have suitable file ownership and permissions established.
- </div></div></div></div><div class="section" id="kerb-policies"><div class="titlepage"><div><div><h2 class="title" id="kerb-policies">7.2. Setting Kerberos Ticket Policies</h2></div></div></div><div class="para">
+ </div></div></div></div><div class="section" id="kerb-policies"><div class="titlepage"><div><div><h2 class="title" id="kerb-policies">6.2. Setting Kerberos Ticket Policies</h2></div></div></div><div class="para">
Kerberos tickets are issued subject to the restraints of the <em class="firstterm">Kerberos ticket policy</em>. This policy defines the maximum ticket lifetime and also the maximum renewal age, the period during which the ticket is renewable. You can use the <code class="command">ipa krbtpolicy-mod</code> command to modify the policy to suit your environment. You can also use the <code class="command">ipa krbtpolicy-reset</code> command to reset the policy to the default values.
</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
Any change to the global Kerberos ticket policy requires a restart of the KDC for the changes to take effect. Use the following command to restart the KDC:
@@ -2734,7 +2668,7 @@ Number of entries returned 1
</div><div class="para">
Changes to per-user policies take effect immediately for newly-requested tickets, for example, when the user next runs <code class="command">kinit</code>.
- </div></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals">7.3. Creating and Using Service Principals</h2></div></div></div><div class="para">
+ </div></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals">6.3. Creating and Using Service Principals</h2></div></div></div><div class="para">
You can use the web interface to create service principals and also to search for existing service principals. For security and other reasons, however, it is not possible to retrieve a keytab using the web interface. This has to be done either on the command line on the system where the service is accessed, or on the FreeIPA server itself, and the keytab then exported to the client host.
</div><div class="para">
The following example demonstrates creating a service principal and keytab on a client host for the <code class="systemitem">HTTP</code> service. In this example, the client host is <code class="systemitem">ipaclient.example.com</code> and the FreeIPA server is <code class="systemitem">ipaserver.example.com</code>:
@@ -2760,7 +2694,7 @@ Number of entries returned 1
The <code class="command">ipa-getkeytab</code> command resets the secret for the specified principal. This means that all other keytabs for that principal are rendered invalid.
</div></div></div><div class="para">
FreeIPA provides a range of tools and commands to facilitate the creation and administration of services and the service principals and certificates required to use them. Some of this can be automated, but there will always be a certain amount of manual intervention required to create services and certificates after the initial joining of a host to a realm. These requirements and procedures are discussed in the following sections.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Creating_Service_Principals_and_Certificates_for_New_Services-Creating_an_IPA_Service"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Creating_Service_Principals_and_Certificates_for_New_Services-Creating_an_IPA_Service">7.3.1. Creating a FreeIPA Service</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Prerequisites"><h5 class="formalpara">Prerequisites</h5>
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Creating_Service_Principals_and_Certificates_for_New_Services-Creating_an_IPA_Service"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Creating_Service_Principals_and_Certificates_for_New_Services-Creating_an_IPA_Service">6.3.1. Creating a FreeIPA Service</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Prerequisites"><h5 class="formalpara">Prerequisites</h5>
Before you can create a service for a FreeIPA host, you need to ensure that the host exists. This should be true if it has already joined the realm. Use the following command to determine if the host exists:
<pre class="screen"><code class="command"># ipa host-show myserver.mydomain.net</code></pre>
@@ -2779,7 +2713,7 @@ Number of entries returned 1
Added service "test/myserver.mydomain.net at MYDOMAIN.NET"
-------------------------------------------------------
Principal: test/myserver.mydomain.net at MYDOMAIN.NET
- Managed by: myserver.mydomain.net</pre><div class="section" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Requesting_a_Certificate_for_a_Service"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Requesting_a_Certificate_for_a_Service">7.3.1.1. Requesting a Certificate for a Service</h4></div></div></div><div class="para">
+ Managed by: myserver.mydomain.net</pre><div class="section" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Requesting_a_Certificate_for_a_Service"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Requesting_a_Certificate_for_a_Service">6.3.1.1. Requesting a Certificate for a Service</h4></div></div></div><div class="para">
Use the following command to request a certificate for the new service. The certificate request is contained in the <code class="filename">example.csr</code> file.
<pre class="screen"><code class="command"># ipa cert-request --principal=test/myserver.mydomain.net example.csr </code></pre>
@@ -2811,7 +2745,7 @@ Email Address []:authors at mydomain.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
-An optional company name []:</pre></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Using_certmonger_to_Manage_Certificate_Requests"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Using_certmonger_to_Manage_Certificate_Requests">7.3.1.2. Using certmonger to Manage Certificate Requests</h4></div></div></div><div class="para">
+An optional company name []:</pre></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Using_certmonger_to_Manage_Certificate_Requests"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Using_certmonger_to_Manage_Certificate_Requests">6.3.1.2. Using certmonger to Manage Certificate Requests</h4></div></div></div><div class="para">
You can also use <span class="application"><strong>certmonger</strong></span> to manage the certificate request process for you. Use the following command to request a certificate:
<pre class="screen"><code class="command"># ipa-getcert request -d /etc/pki/nssdb -n Server-Cert</code></pre>
@@ -2827,8 +2761,8 @@ An optional company name []:</pre></div><div class="section" id="sect-Enterprise
<pre class="screen"><code class="command">$ ipa config-show | grep -i subject</code></pre>
FreeIPA will reject requests with invalid subject base values.
</div><div class="para">
- Refer to the <code class="systemitem">certmonger</code> man page and also to <a class="xref" href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger">Section C.1, “What is certmonger?”</a> for more information.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Using_NSS"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Using_NSS">7.3.1.3. Using NSS</h4></div></div></div><div class="para">
+ Refer to the <code class="systemitem">certmonger</code> man page and also to <a class="xref" href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger">Section B.1, “What is certmonger?”</a> for more information.
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Using_NSS"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Using_NSS">6.3.1.3. Using NSS</h4></div></div></div><div class="para">
If you need to create an NSS database in which to store your key, use the <code class="command">certutil</code> command as follows:
<pre class="screen"><code class="command">$ certutil -N -d /path/to/database/dir</code>
<code class="command">$ certutil -R -s "CN=myserver.mydomain.net, O=MYDOMAIN.NET" \</code>
@@ -2844,9 +2778,9 @@ An optional company name []:</pre></div><div class="section" id="sect-Enterprise
Certificate Subject base: O=MYDOMAIN.NET</pre><div class="para">
This means you need to use MYDOMAIN.NET for the organization. FreeIPA will reject requests whose subject base differs from this value.
- </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Configuring_an_NFS_Service_Principal_on_the_IPA_Server"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Configuring_an_NFS_Service_Principal_on_the_IPA_Server">7.3.2. Configuring an NFS Service Principal on the FreeIPA Server</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Configuring_an_NFS_Service_Principal_on_the_IPA_Server"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Configuring_an_NFS_Service_Principal_on_the_IPA_Server">6.3.2. Configuring an NFS Service Principal on the FreeIPA Server</h3></div></div></div><div class="para">
The following procedure describes how to configure <code class="systemitem">NFS</code> on the FreeIPA server and to set up an <code class="systemitem">NFS</code> service principal.
- </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Configuring_an_NFS_Service_Principal_on_the_IPA_Server-Configuring_NFS_on_the_IPA_Server"><h6>Procedure 7.1. Configuring <code class="systemitem">NFS</code> on the FreeIPA Server</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Configuring_an_NFS_Service_Principal_on_the_IPA_Server-Configuring_NFS_on_the_IPA_Server"><h6>Procedure 6.1. Configuring <code class="systemitem">NFS</code> on the FreeIPA Server</h6><ol class="1"><li class="step"><div class="para">
Configure the export directory.
<pre class="screen"><code class="command"># mkdir /export</code>
<code class="command"># chmod 777 /export</code></pre>
@@ -2887,11 +2821,11 @@ Certificate Subject base: O=MYDOMAIN.NET</pre><div class="para">
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
Note the use of the <code class="option">-k</code> option when restarting <code class="systemitem">rpcgssd</code>. This is necessary to update the NFS configuration with the path to the NFS keytab.
- </div></div></div></li></ol></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets">7.4. Refreshing Kerberos Tickets</h2></div></div></div><div class="para">
+ </div></div></div></li></ol></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets">6.4. Refreshing Kerberos Tickets</h2></div></div></div><div class="para">
Some compliance or company security policies may require that system administrators manually refresh Kerberos tickets, perhaps annually or more frequently. The current version of FreeIPA does not provide automatic renewal of Kerberos tickets.
</div><div class="para">
Manually refreshing Kerberos tickets is a two step process: you first need to find all of the keytabs that are older than a certain date, and then obtain a new keytab for the host or service in question. This process is described in detail below.
- </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Refreshing_Kerberos_Tickets-How_to_manually_refresh_Kerberos_keytabs"><h6>Procedure 7.2. How to manually refresh Kerberos keytabs</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Refreshing_Kerberos_Tickets-How_to_manually_refresh_Kerberos_keytabs"><h6>Procedure 6.2. How to manually refresh Kerberos keytabs</h6><ol class="1"><li class="step"><div class="para">
Find all keytabs, both for host services and for any other services, issued before today. Use the following queries (update the dates as necessary):
<pre class="screen"><code class="command"># ldapsearch -x -b "cn=computers,cn=accounts,dc=example,dc=com"</code> <code class="command">"(&(krblastpwdchange<=20110110000000)(krblastpwdchange>=19710101000000))" dn krbprincipalname</code></pre>
@@ -2918,7 +2852,7 @@ Certificate Subject base: O=MYDOMAIN.NET</pre><div class="para">
</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
Some services, such as NFSv4, only support a limited set of encryption types. Ensure that you pass the appropriate arguments to the <code class="command">ipa-getkeytab</code> command.
- </div></div></div></div><div class="section" id="rotating-keys"><div class="titlepage"><div><div><h2 class="title" id="rotating-keys">7.5. Rotating Keys</h2></div></div></div><div class="para">
+ </div></div></div></div><div class="section" id="rotating-keys"><div class="titlepage"><div><div><h2 class="title" id="rotating-keys">6.5. Rotating Keys</h2></div></div></div><div class="para">
Kerberos keys are similar to passwords, and in the interests of security they should occasionally be changed. The frequency of these changes may be determined by company or other policies. Each key has an associated version number, which are stored in the <em class="parameter"><code>KVNO</code></em> parameter.
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Rotating_Kerberos_Keys-Obtaining_a_new_service_principal_Kerberos_key"><h5 class="formalpara">Obtaining a new service principal Kerberos key</h5>
Use the <code class="command">ipa-getkeytab</code> command to create a new Kerberos key. For example, use the following command to refresh your FreeIPA keytab:
@@ -2953,7 +2887,7 @@ Valid starting Expires Service principal
</div><div class="para">
This will display service and host keytab information. It is not possible to determine if it has a key directly, but you can infer that a keytab was issued by looking at the last change date.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors">7.6. Kerberos Errors</h2></div></div></div><div class="para">
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors">6.6. Kerberos Errors</h2></div></div></div><div class="para">
If <code class="command">kinit</code> fails or you see an unusual Kerberos error back in the framework, inspect the following files for possible causes:
<div class="itemizedlist"><ul><li class="listitem"><div class="para">
On the server: <code class="filename">/var/log/krb5kdc.log</code>
@@ -2961,11 +2895,11 @@ Valid starting Expires Service principal
If you were using the framework also look in <code class="filename">/var/log/httpd/error_log</code>
</div></li></ul></div>
- </div></div></div><div xml:lang="en-US" class="chapter" id="automount" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 8. Identity: Using Automount</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#about-automount">8.1. About Automount and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Known_Issues_with_Automount">8.1.1. Known Issues with Automount</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Assumptions">8.1.2. Assumptions</a></span></dt></dl></dd><dt><span class="section"><a href="#configuring-automount">8.2. Configuring Automount</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_autofs_on_Linux">8.2.1. Configuring autofs on Linux</a></span></dt><dt><span class="section"><a href="#sect-
Enterprise_Identity_Management_Guide-Configuring_Automount-Solaris_automount">8.2.2. Solaris automount</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_Indirect_Maps">8.2.3. Configuring Indirect Maps</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Links">8.2.4. Links</a></span></dt></dl></dd></dl></div><div class="section" id="about-automount"><div class="titlepage"><div><div><h2 class="title" id="about-automount">8.1. About Automount and IPA</h2></div></div></div><div class="para">
+ </div></div></div><div xml:lang="en-US" class="chapter" id="automount" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 7. Identity: Using Automount</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#about-automount">7.1. About Automount and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Known_Issues_with_Automount">7.1.1. Known Issues with Automount</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Assumptions">7.1.2. Assumptions</a></span></dt></dl></dd><dt><span class="section"><a href="#configuring-automount">7.2. Configuring Automount</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_autofs_on_Linux">7.2.1. Configuring autofs on Linux</a></span></dt><dt><span class="section"><a href="#sect-
Enterprise_Identity_Management_Guide-Configuring_Automount-Solaris_automount">7.2.2. Solaris automount</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_Indirect_Maps">7.2.3. Configuring Indirect Maps</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Links">7.2.4. Links</a></span></dt></dl></dd></dl></div><div class="section" id="about-automount"><div class="titlepage"><div><div><h2 class="title" id="about-automount">7.1. About Automount and IPA</h2></div></div></div><div class="para">
This chapter describes how to configure <code class="command">automount</code> on <code class="systemitem">Linux</code> and <code class="systemitem">Solaris</code> for use with IPA. It details the procedures and configuration changes necessary to set up <code class="command">automount</code>, the <code class="filename">auto.master</code> file and other map files used by <code class="command">autofs</code>.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Known_Issues_with_Automount"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Known_Issues_with_Automount">8.1.1. Known Issues with Automount</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Known_Issues_with_Automount-Additional_Schema_Required_for_Some_Systems"><h5 class="formalpara">Additional Schema Required for Some Systems</h5>
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Known_Issues_with_Automount"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Known_Issues_with_Automount">7.1.1. Known Issues with Automount</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Known_Issues_with_Automount-Additional_Schema_Required_for_Some_Systems"><h5 class="formalpara">Additional Schema Required for Some Systems</h5>
If you are supporting <code class="systemitem">Solaris</code> clients, you need to use the 2307bis-style <code class="command">automount</code> schema, although Sun's version is NOT identical to the one at <a href="http://people.redhat.com/nalin/schema/autofs.schema">http://people.redhat.com/nalin/schema/autofs.schema</a>.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Assumptions"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Assumptions">8.1.2. Assumptions</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Assumptions"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Assumptions">7.1.2. Assumptions</h3></div></div></div><div class="para">
In order to illustrate the <code class="command">automount</code> configuration procedures, this chapter assumes that:
<div class="itemizedlist"><ul><li class="listitem"><div class="para">
The IPA server is correctly installed and operational.
@@ -2990,13 +2924,13 @@ Valid starting Expires Service principal
</div><pre class="programlisting">/home 192.168.1.0/16 (rw,fsid=0,insecure,no_subtree_check,sync,anonuid=65534,anongid=65534)
</pre><div class="para">
You should test that you can mount the <code class="filename">/home</code> directory from the command line before proceeding with the <code class="command">automount</code> configuration. This makes troubleshooting easier if the configuration does not work.
- </div></div></div><div class="section" id="configuring-automount"><div class="titlepage"><div><div><h2 class="title" id="configuring-automount">8.2. Configuring Automount</h2></div></div></div><div class="para">
+ </div></div></div><div class="section" id="configuring-automount"><div class="titlepage"><div><div><h2 class="title" id="configuring-automount">7.2. Configuring Automount</h2></div></div></div><div class="para">
IPA natively supports automount and so only minimal configuration is required. IPA 2.0 also introduces the concept of a <em class="firstterm">location</em>, which allows for different sets of maps for different purposes, or locations.
<div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
You can direct different clients to use different map sets. These map sets use a tree structure, which means that you cannot share maps between locations.
</div></div></div>
Any extra steps required for configuring automount on Linux or Solaris are described below. Refer to the <code class="command">ipa help automount</code> help page for more information and a list of available commands.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_autofs_on_Linux"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_autofs_on_Linux">8.2.1. Configuring autofs on Linux</h3></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Configuring_autofs_on_Linux-To_configure_autofs_on_Linux"><h6>Procedure 8.1. To configure autofs on Linux:</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_autofs_on_Linux"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_autofs_on_Linux">7.2.1. Configuring autofs on Linux</h3></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Configuring_autofs_on_Linux-To_configure_autofs_on_Linux"><h6>Procedure 7.1. To configure autofs on Linux:</h6><ol class="1"><li class="step"><div class="para">
Edit the <code class="filename">/etc/sysconfig/autofs</code> file as follows. This specifies the attributes that <code class="command">autofs</code> searches for:
</div><pre class="programlisting">#
# Other common LDAP naming
@@ -3018,7 +2952,7 @@ SEARCH_BASE="cn=<location>,cn=automount,dc=example,dc=com"
<pre class="screen"><code class="command"># service autofs restart</code></pre>
- </div></li></ol></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_autofs_on_Linux-Testing_the_Configuration"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_autofs_on_Linux-Testing_the_Configuration">8.2.1.1. Testing the Configuration</h4></div></div></div><div class="para">
+ </div></li></ol></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_autofs_on_Linux-Testing_the_Configuration"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_autofs_on_Linux-Testing_the_Configuration">7.2.1.1. Testing the Configuration</h4></div></div></div><div class="para">
Test the configuration by attempting to list a user's <code class="filename">/home</code> directory:
</div><div class="para">
@@ -3026,7 +2960,7 @@ SEARCH_BASE="cn=<location>,cn=automount,dc=example,dc=com"
</div><div class="para">
If this does not mount the remote file system, check the <code class="filename">/var/log/messages</code> file for errors or other indications of what the problem might be. You can also increase the debug level in the <code class="filename">/etc/sysconfig/autofs</code> file by setting the <em class="parameter"><code>LOGGING</code></em> parameter to <code class="literal">debug</code>.
- </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Solaris_automount"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Solaris_automount">8.2.2. Solaris automount</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Solaris_automount"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Solaris_automount">7.2.2. Solaris automount</h3></div></div></div><div class="para">
The following procedure describes the steps required to configure <code class="command">automount</code> for <code class="systemitem">Solaris</code>.
</div><div class="procedure"><ol class="1"><li class="step"><div class="para">
If the <code class="systemitem">NFS</code> server is running on <code class="systemitem">Linux</code>, you need to specify on the <code class="systemitem">Solaris</code> machine that NFSv3 is the maximum supported version. Edit the <code class="filename">/etc/default/nfs</code> file and set the following parameter:
@@ -3051,7 +2985,7 @@ SEARCH_BASE="cn=<location>,cn=automount,dc=example,dc=com"
<pre class="screen"><code class="command"># svcadm enable svc:/system/filesystem/autofs</code></pre>
- </div></li></ol></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Solaris_automount-Testing_the_Configuration"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Solaris_automount-Testing_the_Configuration">8.2.2.1. Testing the Configuration</h4></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Testing_the_Configuration-_To_test_the_automount_configuration_run_the_following_commands_"><h6>Procedure 8.2. To test the <code class="command">automount</code> configuration, run the following commands: </h6><ol class="1"><li class="step"><div class="para">
+ </div></li></ol></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Solaris_automount-Testing_the_Configuration"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Solaris_automount-Testing_the_Configuration">7.2.2.1. Testing the Configuration</h4></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Testing_the_Configuration-_To_test_the_automount_configuration_run_the_following_commands_"><h6>Procedure 7.2. To test the <code class="command">automount</code> configuration, run the following commands: </h6><ol class="1"><li class="step"><div class="para">
<pre class="screen"><code class="command"># ldapclient -l auto_master</code>
dn: automountkey=/home,automountmapname=auto.master,cn=<location>,cn=automount,dc=example,dc=com
@@ -3067,7 +3001,7 @@ automountInformation: auto.home
<pre class="screen"><code class="command"># ls /home/<username></code></pre>
- </div></li></ol></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_Indirect_Maps"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_Indirect_Maps">8.2.3. Configuring Indirect Maps</h3></div></div></div><div class="para">
+ </div></li></ol></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_Indirect_Maps"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_Indirect_Maps">7.2.3. Configuring Indirect Maps</h3></div></div></div><div class="para">
An indirect map defines a container for mount points. For example, if you create an indirect map <code class="filename">/share</code>, then all automount keys are relative to that map. If you define an automount key <code class="systemitem">ipauser</code>, the map would appear as <code class="filename">/share/ipauser</code>. In other words, indirect maps specify relative paths. Compare this to the absolute paths specified by direct maps.
</div><div class="para">
The following example creates an indirect map for <code class="filename">/usr/man</code> using the built-in IPA commands. This creates a single indirect map, <code class="filename">/usr/man/man1</code>, which:
@@ -3077,7 +3011,7 @@ automountInformation: auto.home
Adds <code class="filename">auto.man</code> to <code class="filename">auto.master</code> on the mount point <code class="filename">/usr/man</code>
</div></li><li class="listitem"><div class="para">
Adds an indirect mount of <code class="filename">man1</code> to <code class="filename">auto.man</code>
- </div></li></ul></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Configuring_Indirect_Maps-How_to_create_an_indirect_map"><h6>Procedure 8.3. How to create an indirect map:</h6><ol class="1"><li class="step"><div class="para">
+ </div></li></ul></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Configuring_Indirect_Maps-How_to_create_an_indirect_map"><h6>Procedure 7.3. How to create an indirect map:</h6><ol class="1"><li class="step"><div class="para">
Create a new location:
</div><pre class="screen"><code class="command">$ ipa automountlocation-add baltimore</code>
Location: baltimore</pre></li><li class="step"><div class="para">
@@ -3100,7 +3034,7 @@ automountInformation: auto.home
On <code class="systemitem">Solaris</code>, use the following arguments with the <code class="command">ldapclient</code> command:
</div><pre class="programlisting">-a serviceSearchDescriptor=auto_man:automountMapName=auto.man, \
cn=<location>,cn=automount,dc=example,dc=com?one \
-</pre><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Indirect_Maps-Configuring_Direct_Maps"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Indirect_Maps-Configuring_Direct_Maps">8.2.3.1. Configuring Direct Maps</h4></div></div></div><div class="para">
+</pre><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Indirect_Maps-Configuring_Direct_Maps"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Indirect_Maps-Configuring_Direct_Maps">7.2.3.1. Configuring Direct Maps</h4></div></div></div><div class="para">
Direct maps list exact locations to mount specified maps, for example <code class="filename">/usr/local/bin</code> or <code class="filename">/mnt</code>. That is, they specify absolute paths as mount points. Compare this to the relative paths specified by indirect maps.
</div><div class="para">
To add a direct map configuration, IPA requires a number of modifications to the <code class="filename">auto.direct</code> file. The following two entries are created during the installation process:
@@ -3113,7 +3047,7 @@ automountInformation: auto.home
automountMapName: auto.direct
</pre><div class="para">
Use the following procedure to add a mount to this direct map for the <code class="filename">/share</code> directory:
- </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Configuring_Direct_Maps-How_to_create_a_direct_map"><h6>Procedure 8.4. How to create a direct map:</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Configuring_Direct_Maps-How_to_create_a_direct_map"><h6>Procedure 7.4. How to create a direct map:</h6><ol class="1"><li class="step"><div class="para">
Create a new location:
</div><pre class="screen"><code class="command">$ ipa automountlocation-add brisbane</code>
Location: brisbane</pre></li><li class="step"><div class="para">
@@ -3125,7 +3059,7 @@ automountInformation: auto.home
On <code class="systemitem">Solaris</code>, use the following arguments with the <code class="command">ldapclient</code> command:
</div><pre class="programlisting">-a serviceSearchDescriptor=auto_direct:automountMapName=auto.direct, \
cn=<location>,cn=automount,dc=example,dc=com?one \
-</pre></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Links"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Links">8.2.4. Links</h3></div></div></div><div class="para">
+</pre></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Links"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Links">7.2.4. Links</h3></div></div></div><div class="para">
The following pages were used as references for this work:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<a href="http://efod.se/blog/archive/2006/06/27/autofs-and-ldap">http://efod.se/blog/archive/2006/06/27/autofs-and-ldap</a>
@@ -3137,13 +3071,13 @@ automountInformation: auto.home
<a href="http://forums.fedoraforum.org/forum/showthread.php?t=135635&highlight=autofs+ldap">http://forums.fedoraforum.org/forum/showthread.php?t=135635&highlight=autofs+ldap</a>
</div></li><li class="listitem"><div class="para">
<a href="http://blogs.sun.com/rohanpinto/entry/nis_to_ldap_migration_guide">http://blogs.sun.com/rohanpinto/entry/nis_to_ldap_migration_guide</a>
- </div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="active-directory" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 9. Identity: Integrating with Microsoft Active Directory</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#about-active-directory">9.1. About Active Directory, IPA, and Identity Management</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Prerequisites-Domain_Name_Considerations">9.1.1. Domain Name Considerations</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory">9.2. Setting up Active Directory</a></span></dt><dt><span class="section"><a href="#configuring-active-directory">9.3. Configuring Active Directory Synchronization</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_S
ynchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements">9.4. Creating Synchronization Agreements</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements">9.5. Modifying Synchronization Agreements</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Changing_the_Default_Synchronization_Subtree">9.5.1. Changing the Default Synchronization Subtree</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements">9.6. Deleting Synchronization Agreements</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures">9.7.
Winsync Agreement Failures</a></span></dt></dl></div><div class="para">
+ </div></li></ul></div></div></div></div><div xml:lang="en-US" class="chapter" id="active-directory" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 8. Identity: Integrating with Microsoft Active Directory</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#about-active-directory">8.1. About Active Directory, IPA, and Identity Management</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Prerequisites-Domain_Name_Considerations">8.1.1. Domain Name Considerations</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory">8.2. Setting up Active Directory</a></span></dt><dt><span class="section"><a href="#configuring-active-directory">8.3. Configuring Active Directory Synchronization</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_S
ynchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements">8.4. Creating Synchronization Agreements</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements">8.5. Modifying Synchronization Agreements</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Changing_the_Default_Synchronization_Subtree">8.5.1. Changing the Default Synchronization Subtree</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements">8.6. Deleting Synchronization Agreements</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures">8.7.
Winsync Agreement Failures</a></span></dt></dl></div><div class="para">
To synchronize user identity information between 389 Directory Server and Windows Active Directory, IPA employs a plug-in that extends the functionality of the 389 Directory Server Windows Sync utility. This plug-in allows IPA to perform the data manipulation necessary to achieve synchronization between 389 Directory Server and Windows Active Directory. The IPA Windows Sync plug-in uses the <em class="parameter"><code>ipaWinSyncUserAttr</code></em> parameter to specify which attributes and values to add to new users that are synchronized from Active Directory.
- </div><div class="section" id="about-active-directory"><div class="titlepage"><div><div><h2 class="title" id="about-active-directory">9.1. About Active Directory, IPA, and Identity Management</h2></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Prerequisites-Domain_Name_Considerations"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Prerequisites-Domain_Name_Considerations">9.1.1. Domain Name Considerations</h3></div></div></div><div class="para">
+ </div><div class="section" id="about-active-directory"><div class="titlepage"><div><div><h2 class="title" id="about-active-directory">8.1. About Active Directory, IPA, and Identity Management</h2></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Prerequisites-Domain_Name_Considerations"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Prerequisites-Domain_Name_Considerations">8.1.1. Domain Name Considerations</h3></div></div></div><div class="para">
IPA clients find, or discover, IPA servers using a process known as <em class="firstterm">Service Discovery</em>. This can occur automatically, using DNS, or manually, by entering the IPA server details during the client configuration phase. If your Active Directory installation is in the same domain as the IPA server, it is possible that when you install IPA clients they will not discover the IPA server, but rather the Active Directory DNS. This means that IPA commands run on the client will fail because the client cannot contact the IPA server.
</div><div class="para">
To avoid this situation, use a separate domain for your IPA and Active Directory servers. If this is not possible, use the <em class="parameter"><code>--force</code></em> parameter when you run the <code class="command">ipa-client-install</code> script.
- </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory">9.2. Setting up Active Directory</h2></div></div></div><div class="para">
+ </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory">8.2. Setting up Active Directory</h2></div></div></div><div class="para">
The Windows Sync utility requires TLS/SSL to synchronize password changes. Therefore, you need to set up Active Directory as an SSL server. The easiest way to achieve this is to install Microsoft Certificate System in Enterprise Root Mode; Active Directory will then automatically enroll to retrieve its SSL server certificate.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
You need to install both the <code class="command">winsync</code> and <code class="command">passsync</code> utilities to synchronize User IDs and attributes as well as passwords.
@@ -3153,7 +3087,7 @@ automountInformation: auto.home
Refer to the <a href="http://directory.fedoraproject.org/wiki/Howto:WindowsSync">Fedora Project Windows Sync Howto</a> for information on setting up Active Directory as an SSL server.
</div><div class="para">
After you have installed Microsoft Certificate System, you need to save the CA certificate in ASCII (PEM) format. This CA Certificate is required to create the synchronization agreement.
- </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Setting_up_Active_Directory-To_save_the_CA_certificate_in_ASCII_format"><h6>Procedure 9.1. To save the CA certificate in ASCII format:</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Setting_up_Active_Directory-To_save_the_CA_certificate_in_ASCII_format"><h6>Procedure 8.1. To save the CA certificate in ASCII format:</h6><ol class="1"><li class="step"><div class="para">
Navigate to My Network Places and drill down to the CA distribution point. On Windows 2003 Server this is typically <code class="filename">C:\WINDOWS\system32\certsrv\CertEnroll\</code>
</div></li><li class="step"><div class="para">
Double-click the security certificate file (<code class="filename">.crt</code> file) to display the <span class="guilabel"><strong>Certificate</strong></span> dialog box.
@@ -3166,12 +3100,12 @@ automountInformation: auto.home
</div></li><li class="step"><div class="para">
Click <span class="guibutton"><strong>OK</strong></span> to exit the wizard.
</div></li></ol></div><div class="para">
- Refer to <a class="xref" href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements">Section 9.4, “Creating Synchronization Agreements”</a> for information on how to use the CA Certificate to create the synchronization agreement.
- </div><div class="figure" id="figu-Enterprise_Identity_Management_Guide-Setting_up_Active_Directory-Select_Base_64_encoded_X.509_to_export_the_security_certificate_as_ASCII"><div class="figure-contents"><div class="mediaobject" align="center"><img src="images/ASCII_Cert_Export.png" align="middle" alt="Select Base-64 encoded X.509 to export the security certificate as ASCII" /></div></div><h6>Figure 9.1. Select Base-64 encoded X.509 to export the security certificate as ASCII</h6></div><br class="figure-break" /></div><div class="section" id="configuring-active-directory"><div class="titlepage"><div><div><h2 class="title" id="configuring-active-directory">9.3. Configuring Active Directory Synchronization</h2></div></div></div><div class="para">
+ Refer to <a class="xref" href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements">Section 8.4, “Creating Synchronization Agreements”</a> for information on how to use the CA Certificate to create the synchronization agreement.
+ </div><div class="figure" id="figu-Enterprise_Identity_Management_Guide-Setting_up_Active_Directory-Select_Base_64_encoded_X.509_to_export_the_security_certificate_as_ASCII"><div class="figure-contents"><div class="mediaobject" align="center"><img src="images/ASCII_Cert_Export.png" align="middle" alt="Select Base-64 encoded X.509 to export the security certificate as ASCII" /></div></div><h6>Figure 8.1. Select Base-64 encoded X.509 to export the security certificate as ASCII</h6></div><br class="figure-break" /></div><div class="section" id="configuring-active-directory"><div class="titlepage"><div><div><h2 class="title" id="configuring-active-directory">8.3. Configuring Active Directory Synchronization</h2></div></div></div><div class="para">
The Windows Sync plug-in is installed on the IPA server, and enables one-way replication of users and groups from Windows to IPA. The <code class="command">ipa-server-install</code> script automatically installs the plug-in configuration entry and enables it by default. The Windows Sync plug-in is only ever called if Windows Sync is used.
</div><div class="para">
The passsync plug-in for Windows uses a standard <code class="command">ldapmodify</code> operation to change users' passwords. These operations take effect immediately, and are still normally subject to password policy settings. When the special user used by passsync sets the password, these password policies should be bypassed and the password should not be set to immediately expire, as is the case when a normal administrator resets a user password. To achieve this, you need to add a list of passSync Manager DNs to the password plug-in configuration. These users will be exempt from password policy enforcement in the same way that the Directory Manager is exempt. This currently requires a manual configuration, as follows:
- </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Setting_up_Windows_Sync_on_the_IPA_Server-To_add_a_list_of_passSync_Manager_DNs_to_the_password_plug_in_configuration"><h6>Procedure 9.2. To add a list of passSync Manager DNs to the password plug-in configuration:</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Setting_up_Windows_Sync_on_the_IPA_Server-To_add_a_list_of_passSync_Manager_DNs_to_the_password_plug_in_configuration"><h6>Procedure 8.2. To add a list of passSync Manager DNs to the password plug-in configuration:</h6><ol class="1"><li class="step"><div class="para">
As Directory Manager, modify the entry <em class="parameter"><code>cn=ipa_pwd_extop,cn=plugins,cn=config</code></em>
</div></li><li class="step"><div class="para">
Add or update the <em class="parameter"><code>passSyncManagersDNs</code></em> attribute. This is a multi-valued list of DNs that bypass password policy.
@@ -3185,7 +3119,7 @@ add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
The entry <em class="parameter"><code>cn=Directory Manager</code></em> always bypasses policy and does not need to be explicitly listed.
- </div></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements">9.4. Creating Synchronization Agreements</h2></div></div></div><div class="para">
+ </div></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements">8.4. Creating Synchronization Agreements</h2></div></div></div><div class="para">
Use the <code class="command">ipa-replica-manage connect</code> command to create synchronization agreements. The following command-line arguments apply to creating synchronization agreements:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<code class="option">--winsync</code> — specifies that this is a Windows Sync agreement. Winsync replication occurs every five minutes.
@@ -3201,12 +3135,12 @@ passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
<code class="option">--win-subtree</code> — the DN of the Windows subtree containing the users you want to synchronize. The default value is <em class="parameter"><code>cn=Users,$SUFFIX</code></em> — this is what Windows AD typically uses as the default value.
</div></li></ul></div><div class="para">
The following example illustrates adding a new WinSync agreement:
- </div><div class="example" id="exam-Enterprise_Identity_Management_Guide-Creating_Synchronization_Agreements-Adding_a_WinSync_agreement_between_an_IPA_server_and_an_AD_server."><h6>Example 9.1. Adding a WinSync agreement between an IPA server and an AD server.</h6><div class="example-contents"><pre class="screen"><code class="command">ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \</code>
-<code class="command">--bindpw password --passsync password --cacert /path/to/certfile.cer adserver.example.com -v</code></pre></div></div><br class="example-break" /></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements">9.5. Modifying Synchronization Agreements</h2></div></div></div><div class="para">
+ </div><div class="example" id="exam-Enterprise_Identity_Management_Guide-Creating_Synchronization_Agreements-Adding_a_WinSync_agreement_between_an_IPA_server_and_an_AD_server."><h6>Example 8.1. Adding a WinSync agreement between an IPA server and an AD server.</h6><div class="example-contents"><pre class="screen"><code class="command">ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \</code>
+<code class="command">--bindpw password --passsync password --cacert /path/to/certfile.cer adserver.example.com -v</code></pre></div></div><br class="example-break" /></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements">8.5. Modifying Synchronization Agreements</h2></div></div></div><div class="para">
You can change the behavior of the synchronization agreement to suit the changing needs of your organization. You can modify a number of attributes related to the synchronization agreement using default tools provided with IPA.
</div><div class="para">
The following example illustrates changing the synchronization behavior of account lock status. By default, account lock status is synchronized between IPA and AD. This means that accounts that are locked in IPA are also locked (disabled) in AD, and vice versa. You can change this synchronization behavior as follows:
- </div><div class="example" id="exam-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Configuring_the_IPA_WinSync_agreement_to_not_synchronize_account_lock_status_information."><h6>Example 9.2. Configuring the IPA WinSync agreement to not synchronize account lock status information.</h6><div class="example-contents"><pre class="screen"><code class="command">$ ldapmodify -x -D "cn=directory manager" -w password</code>
+ </div><div class="example" id="exam-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Configuring_the_IPA_WinSync_agreement_to_not_synchronize_account_lock_status_information."><h6>Example 8.2. Configuring the IPA WinSync agreement to not synchronize account lock status information.</h6><div class="example-contents"><pre class="screen"><code class="command">$ ldapmodify -x -D "cn=directory manager" -w password</code>
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: ipaWinSyncAcctDisable
@@ -3215,13 +3149,13 @@ ipaWinSyncAcctDisable: none
modifying entry "cn=ipa-winsync,cn=plugins,cn=config"
</pre></div></div><br class="example-break" /><div class="para">
The default value of the <em class="parameter"><code>ipaWinSyncAcctDisable</code></em> attribute is <code class="literal">both</code>. If you change this value to <code class="literal">none</code>, as described in the example, account lock status synchronization is completely disabled. Valid values for <em class="parameter"><code>ipaWinSyncAcctDisable</code></em> are <code class="literal">both</code>, <code class="literal">to_ad</code>, <code class="literal">to_ds</code>, and <code class="literal">none</code>.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Changing_the_Default_Synchronization_Subtree"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Changing_the_Default_Synchronization_Subtree">9.5.1. Changing the Default Synchronization Subtree</h3></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Changing_the_Default_Synchronization_Subtree"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Changing_the_Default_Synchronization_Subtree">8.5.1. Changing the Default Synchronization Subtree</h3></div></div></div><div class="para">
When you create synchronization agreements, two default containers are used as the source of the user accounts to synchronize between IPA and Windows Active Directory. IPA uses the <em class="parameter"><code>cn=users,cn=accounts,$SUFFIX</code></em> subtree as the default container, and Windows uses the <em class="parameter"><code>CN=Users,$SUFFIX</code></em> subtree. You can use the <em class="parameter"><code>--win-subtree</code></em> argument to the <code class="command">ipa-replica-manage connect</code> command to override the default Windows subtree.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
If you pass such arguments to the bash or other shell, ensure that you quote spaces and other shell metacharacters. For example, the argument <em class="parameter"><code>--win-subtree=cn=users, dc=example, dc=com</code></em> will fail. The argument <em class="parameter"><code>--win-subtree="cn=users, dc=example, dc=com"</code></em> will succeed.
</div></div></div><div class="para">
IPA does not currently support modifying the default synchronization container while you are creating the synchronization agreement. You can, however, change the container after the agreement has been established. To do so, you can either modify the <code class="filename">dse.ldif</code> file directly (ensure that you stop the directory server before editing this file), or use <code class="command">ldapmodify</code> to change <em class="parameter"><code>nsds7WindowsReplicaSubtree</code></em>.
- </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements">9.6. Deleting Synchronization Agreements</h2></div></div></div><div class="para">
+ </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements">8.6. Deleting Synchronization Agreements</h2></div></div></div><div class="para">
You can use the IPA administration tools to delete existing synchronization agreements. For example, to delete an agreement with the AD server <code class="systemitem">adserver.example.com</code>, run the following command:
</div><div class="para">
<code class="command"># ipa-replica-manage disconnect adserver.example.com</code>
@@ -3229,7 +3163,7 @@ modifying entry "cn=ipa-winsync,cn=plugins,cn=config"
This removes the replication agreement between the IPA and AD servers. To complete the operation, you need to remove the AD certificate from the IPA server. Run the following command to remove the AD certificate:
</div><div class="para">
<code class="command"># certutil -D -d /etc/dirsrv/slapd-$REALM/ -n "Imported CA"</code>
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures">9.7. Winsync Agreement Failures</h2></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Winsync_Agreement_Failures-Symptom"><h5 class="formalpara">Symptom</h5>
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures">8.7. Winsync Agreement Failures</h2></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Winsync_Agreement_Failures-Symptom"><h5 class="formalpara">Symptom</h5>
If the creation of a winsync agreement fails, you may see an error message similar to the following:
<pre class="screen">"Update failed! Status: [81 - LDAP error: Can't contact LDAP server]
</pre>
@@ -3257,7 +3191,7 @@ Imported CA CT,,C</pre>
</div><pre class="screen">"Windows PassSync entry exists, not resetting password"
</pre><div class="para">
This is not an error, but rather a notification that IPA is not re-adding the <code class="systemitem">passync</code> user, and neither is it changing the original password. The <code class="systemitem">passync</code> user is a special user entry that can change passwords in IPA.
- </div></div></div><div xml:lang="en-US" class="chapter" id="nis" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 10. Identity: Integrating with NIS Domains and Netgroups</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#about-nis">10.1. About NIS and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-What_are_Netgroups">10.1.1. What are Netgroups?</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-The_IPA_Approach_to_Netgroups">10.1.2. The IPA Approach to Netgroups</a></span></dt><dt><span class="section"><a href="#adding-netgroups">10.1.3. Adding Netgroups</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Netgroups-IPA_Netgroup_Commands">10.1.4. IPA Netgroup Commands</a></span></dt></dl></dd><dt><span class="section"><a href
="#sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS">10.2. Configuring the Network Information Service (NIS)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS-Exposing_Automount_Maps_to_NIS_Clients">10.2.1. Exposing Automount Maps to NIS Clients</a></span></dt></dl></dd><dt><span class="section"><a href="#migrintg-from-nis">10.3. Migrating from NIS to IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Preparing_Your_Environment">10.3.1. Preparing Your Environment</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Migrating_Netgroups">10.3.2. Migrating Netgroups</a></span></dt></dl></dd></dl></div><div class="section" id="about-nis"><div class="titlepage"><div><div><h2 class="title" id="abou
t-nis">10.1. About NIS and IPA</h2></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-What_are_Netgroups"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-What_are_Netgroups">10.1.1. What are Netgroups?</h3></div></div></div><div class="para">
+ </div></div></div><div xml:lang="en-US" class="chapter" id="nis" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 9. Identity: Integrating with NIS Domains and Netgroups</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#about-nis">9.1. About NIS and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-What_are_Netgroups">9.1.1. What are Netgroups?</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-The_IPA_Approach_to_Netgroups">9.1.2. The IPA Approach to Netgroups</a></span></dt><dt><span class="section"><a href="#adding-netgroups">9.1.3. Adding Netgroups</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_Netgroups-IPA_Netgroup_Commands">9.1.4. IPA Netgroup Commands</a></span></dt></dl></dd><dt><span class="section"><a href="#sec
t-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS">9.2. Configuring the Network Information Service (NIS)</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS-Exposing_Automount_Maps_to_NIS_Clients">9.2.1. Exposing Automount Maps to NIS Clients</a></span></dt></dl></dd><dt><span class="section"><a href="#migrintg-from-nis">9.3. Migrating from NIS to IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Preparing_Your_Environment">9.3.1. Preparing Your Environment</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Migrating_Netgroups">9.3.2. Migrating Netgroups</a></span></dt></dl></dd></dl></div><div class="section" id="about-nis"><div class="titlepage"><div><div><h2 class="title" id="about-nis">9.1.
About NIS and IPA</h2></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-What_are_Netgroups"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-What_are_Netgroups">9.1.1. What are Netgroups?</h3></div></div></div><div class="para">
Netgroups are a concept introduced in the directory service NIS. They were designed to contain users, hosts (machines) and other netgroups. A netgroup is a user-host-domain triplet. Refer to the following for more details about netgroups and their uses:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<a href="http://compute.cnr.berkeley.edu/cgi-bin/man-cgi?netgroup+4">http://compute.cnr.berkeley.edu/cgi-bin/man-cgi?netgroup+4</a>
@@ -3269,11 +3203,11 @@ Imported CA CT,,C</pre>
Despite this difference, it is important to underline that there are two plug-ins in IPA that make the data in the new format available via NIS or the old standard RFC2307 and RFC2307bis LDAP schema. For details, refer to the documentation and examples at: <a href="https://fedorahosted.org/slapi-nis/">https://fedorahosted.org/slapi-nis</a>. The entries stored using the new schema are converted into the standard NIS netgroup map and served via the NIS protocol by the first plug-in described on the slapi-nis project page and the compatibility plug-in can be used to create a virtual LDAP view that matches the standard 2307 or 2307bis schema for netgroups using the IPA-specific schema.
</div><div class="para">
Historically, netgroups have been used to define groups of hosts or users. The advantage of netgroups for user aggregation has been that netgroups allow nesting while normal UNIX user groups do not. Netgroups also provide the only way to aggregate hosts. There is no notion of host groups in NIS, although for effective centralized system management they are definitely needed. It is important to understand that netgroups are collections of entities, be they users, hosts, or both, but there is no relation between particular user-host pairs defined in the netgroup triplet.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-The_IPA_Approach_to_Netgroups"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-The_IPA_Approach_to_Netgroups">10.1.2. The IPA Approach to Netgroups</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-The_IPA_Approach_to_Netgroups"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-The_IPA_Approach_to_Netgroups">9.1.2. The IPA Approach to Netgroups</h3></div></div></div><div class="para">
IPA defines both user groups and host groups, each of which allow nesting. This is a much cleaner way of aggregation and allows better separation of duties and access control. In an IPA deployment, netgroups are a much less attractive approach to grouping than with other LDAP-based systems compliant with RFC 2307 (this defines the LDAP schema for users, groups, netgroups and other maps).
</div><div class="para">
Client-side applications, for example, SUDO, need netgroups because there is no alternative to host grouping on the client side. Consequently, netgroups are far from obsolete on the client side. A lot of effort is still required within SSSD and IPA to provide clean interfaces to reliably (both online and offline) relay centrally-managed information to applications running on a client machine. IPA therefore provides a way to define and store netgroups, but they are viewed as secondary to user groups and host groups.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-The_IPA_Approach_to_Netgroups-How_IPA_Stores_Netgroups"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-The_IPA_Approach_to_Netgroups-How_IPA_Stores_Netgroups">10.1.2.1. How IPA Stores Netgroups</h4></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-The_IPA_Approach_to_Netgroups-How_IPA_Stores_Netgroups"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-The_IPA_Approach_to_Netgroups-How_IPA_Stores_Netgroups">9.1.2.1. How IPA Stores Netgroups</h4></div></div></div><div class="para">
IPA stores netgroups in a different format from that specified in RFC2307 and RFC2307bis. The netgroup entries defined by the IPA schema allow relating different objects (users, groups, hosts, host groups) to each other. IPA also provides what is known as a <em class="firstterm">compat (compatibility)</em> plug-in. This plug-in creates a virtual view of the data stored in native IPA entries in the format expected by the RFC-compliant clients. This means that even though the internal data representation of netgroups is different from the RFC, this deviation does not affect clients due to the presence of the <code class="systemitem">compat</code> plug-in.
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-How_IPA_Stores_Netgroups-Comparison_of_Schema"><h5 class="formalpara">Comparison of Schema</h5>
To realize the differences, we can compare the standard RFC schema for netgroups and the schema used by IPA. IPA defines the following object class:
@@ -3307,7 +3241,7 @@ Imported CA CT,,C</pre>
<a href="http://www.freeipa.org/page/DS_Design_Summary#Netgroups">http://www.freeipa.org/page/DS_Design_Summary#Netgroups</a>
</div></li></ul></div>
- </div></div></div><div class="section" id="adding-netgroups"><div class="titlepage"><div><div><h3 class="title" id="adding-netgroups">10.1.3. Adding Netgroups</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="adding-netgroups"><div class="titlepage"><div><div><h3 class="title" id="adding-netgroups">9.1.3. Adding Netgroups</h3></div></div></div><div class="para">
NIS groups traditionally contain a so-called netgroup triple of the format: (machine, user, domain)
</div><pre class="screen">machine - machine name, a host name
user - user name
@@ -3323,7 +3257,7 @@ NIS domain name: panda
Member User: admin
Member Host: icefloat.panda</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
There is no necessary relationship between the machine and the user. Only one of those fields is usually used at a time to avoid confusion.
- </div></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Netgroups-IPA_Netgroup_Commands"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Netgroups-IPA_Netgroup_Commands">10.1.4. IPA Netgroup Commands</h3></div></div></div><div class="para">
+ </div></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Netgroups-IPA_Netgroup_Commands"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Netgroups-IPA_Netgroup_Commands">9.1.4. IPA Netgroup Commands</h3></div></div></div><div class="para">
The IPA netgroup management plug-in conforms to the Create, Read, Update, Delete (CRUD) command-naming conventions used in all other plug-ins that ship with the default IPA installation. You can use the following command to display a list of the IPA commands available for working with netgroups:
</div><div class="para">
@@ -3371,7 +3305,7 @@ Member Host: icefloat.panda</pre><div class="note"><div class="admonition_header
--netgroups=NETGROUPS
]</p></div></pre><div class="para">
USERS, GROUPS, HOSTS, HOSTGROUPS, and NETGROUPS are comma-separated lists of names of the appropriate objects.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-IPA_Netgroup_Commands-Examples"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-IPA_Netgroup_Commands-Examples">10.1.4.1. Examples</h4></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-IPA_Netgroup_Commands-Examples"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-IPA_Netgroup_Commands-Examples">9.1.4.1. Examples</h4></div></div></div><div class="para">
The following examples provide an introduction to using the <code class="command">ipa netgroup-*</code> commands:
</div><pre class="screen">
<code class="command"># ipa netgroup-add net0 --desc="test netgroup"</code>
@@ -3408,11 +3342,11 @@ Number of members removed 1
<code class="command"># ipa netgroup-show net0</code>
ipa: ERROR: no such entry
-</pre></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS">10.2. Configuring the Network Information Service (NIS)</h2></div></div></div><div class="para">
+</pre></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS">9.2. Configuring the Network Information Service (NIS)</h2></div></div></div><div class="para">
The Network Information Service (NIS) is an RPC service, used in conjunction with <code class="systemitem">portmap</code> and other related services to distribute maps of usernames, passwords, and other sensitive information to any computer claiming to be within its domain.
</div><div class="para">
IPA provides a NIS server plug-in to facilitate the integration of NIS clients with an IPA domain, including exposing any automount maps that have been configured.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS-Exposing_Automount_Maps_to_NIS_Clients"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS-Exposing_Automount_Maps_to_NIS_Clients">10.2.1. Exposing Automount Maps to NIS Clients</h3></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS-Exposing_Automount_Maps_to_NIS_Clients"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS-Exposing_Automount_Maps_to_NIS_Clients">9.2.1. Exposing Automount Maps to NIS Clients</h3></div></div></div><div class="para">
Currently, when the NIS service is enabled, the server is automatically configured to serve the NIS domain with the IPA domain's name, and to serve IPA users, groups, and netgroups (passwd, group, and netgroup maps) to the NIS domain.
</div><div class="para">
If you have defined automount maps, these maps need to be manually added to the NIS server plug-in's configuration in the directory server in order to expose them to NIS clients.
@@ -3420,7 +3354,7 @@ ipa: ERROR: no such entry
The NIS plug-in needs to know the name of the NIS domain, the name of the NIS map, how to find the directory entries to use as the NIS map's contents, and which attributes to use as the NIS map's key and value. Most of these settings will be the same for every map.
</div><div class="para">
The IPA server stores the automount maps, grouped by automount location, in the <em class="parameter"><code>cn=automount</code></em> branch of the IPA domain's tree.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Exposing_Automount_Maps_to_NIS_Clients-Example_Automount_Map_Configuration"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Exposing_Automount_Maps_to_NIS_Clients-Example_Automount_Map_Configuration">10.2.1.1. Example Automount Map Configuration</h4></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Exposing_Automount_Maps_to_NIS_Clients-Example_Automount_Map_Configuration"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Exposing_Automount_Maps_to_NIS_Clients-Example_Automount_Map_Configuration">9.2.1.1. Example Automount Map Configuration</h4></div></div></div><div class="para">
If you have created an automount map named <code class="filename">auto.example</code> in a location named "default", you first need to add an entry to the configuration for the NIS server running on a host named <code class="systemitem">dirsrv</code>, as follows:
<pre class="screen">LOCATION=default
NISDOMAIN=example.com
@@ -3447,11 +3381,11 @@ EOF
This entry instructs the plug-in to create a map named <code class="filename">auto.master</code> in the domain named <code class="systemitem">${NISDOMAIN}</code>, and that the data for that map should be read from the entries at and below <em class="parameter"><code>automountmapname=${NISMAP}</code></em>, which exists inside a container named <code class="systemitem">cn=${LOCATION}</code>. This container is in the automount section of the IPA data store. The keys for the entries in the automount map in NIS are the values of the <em class="parameter"><code>automountKey</code></em> attribute for the directory server entries, and the corresponding values in the NIS map are the values of the <em class="parameter"><code>automountInformation</code></em> attribute in those same entries.
</div><div class="para">
You then need to repeat the process for the <code class="filename">auto.direct</code> map, and then any other maps that you have defined.
- </div></div></div></div><div class="section" id="migrintg-from-nis"><div class="titlepage"><div><div><h2 class="title" id="migrintg-from-nis">10.3. Migrating from NIS to IPA</h2></div></div></div><div class="para">
+ </div></div></div></div><div class="section" id="migrintg-from-nis"><div class="titlepage"><div><div><h2 class="title" id="migrintg-from-nis">9.3. Migrating from NIS to IPA</h2></div></div></div><div class="para">
The IPA development team researched the topic of how netgroups are typically used in order to better determine an optimal migration design solution. This research shows that the main use cases for netgroups are the aggregation of users and the aggregation of hosts, but not both at the same time. IPA does not provide a special script or command to facilitate the migration of customers' existing netgroups to IPA. This operation must be performed by the system administrator himself or with the help of professional services. This chapter provides some guidelines to ease the process of migrating netgroups to IPA.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Preparing_Your_Environment"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Preparing_Your_Environment">10.3.1. Preparing Your Environment</h3></div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Preparing_Your_Environment"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Preparing_Your_Environment">9.3.1. Preparing Your Environment</h3></div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
These procedures are guidelines only, and are provided to help clean your environment and make it more manageable. It is not a definitive set of instructions, and administrators need to be creative and factor in the real constraints present in their environment. If any steps described below are not possible due to independent conditions, we recommend migrating netgroups on a one-to-one basis. This is described later in this chapter.
- </div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Preparing_Your_Environment-To_prepare_your_environment"><h6>Procedure 10.1. To prepare your environment</h6><ol class="1"><li class="step"><div class="para">
+ </div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Preparing_Your_Environment-To_prepare_your_environment"><h6>Procedure 9.1. To prepare your environment</h6><ol class="1"><li class="step"><div class="para">
Inspect your client applications and determine which kind of grouping information they need from the central server. For example, if netgroups exist that contain only users, and any applications that rely on these netgroups can be converted to use UNIX groups instead of netgroups, then we recommend doing so. If this is not possible, we still recommend creating UNIX groups out of the netgroups. If no applications use them, we recommend deleting these netgroups altogether. Refer to the following example:
</div><ol class="a"><li class="step"><div class="para">
Given the following netgroup: <code class="systemitem">(host1, user1, )(host2, user2,)(host3, user3, )...</code>, create a group consisting of the users <code class="systemitem">user1</code>, <code class="systemitem">user2</code>, and <code class="systemitem">user3</code> (assuming it does not already exist).
@@ -3481,12 +3415,12 @@ EOF
Add users and hosts as direct members of the netgroup, or, alternatively, put them into groups and then add those groups as members to the netgroup.
</div><div class="para">
For IPA clients, both methods result in the same thing — having the users and hosts managed in the netgroup — but from an administrative perspective, it may be simpler in some environments to use one option instead of the other.
- </div></li></ol></li></ol></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Migrating_Netgroups"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Migrating_Netgroups">10.3.2. Migrating Netgroups</h3></div></div></div><div class="para">
+ </div></li></ol></li></ol></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Migrating_Netgroups"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Migrating_Netgroups">9.3.2. Migrating Netgroups</h3></div></div></div><div class="para">
There are three main approaches that can be taken to the actual migration procedure:
</div><div class="orderedlist"><ol><li class="listitem"><div class="orderedlist"><ol><li class="listitem"><div class="para">
Dump the netgroups from the source into an LDIF file.
</div></li><li class="listitem"><div class="para">
- Create a script that follows the instructions in <a class="xref" href="#proc-Enterprise_Identity_Management_Guide-Preparing_Your_Environment-To_prepare_your_environment">Procedure 10.1, “To prepare your environment”</a> to convert the LDIF format into an LDIF file that contains IPA native objects.
+ Create a script that follows the instructions in <a class="xref" href="#proc-Enterprise_Identity_Management_Guide-Preparing_Your_Environment-To_prepare_your_environment">Procedure 9.1, “To prepare your environment”</a> to convert the LDIF format into an LDIF file that contains IPA native objects.
</div></li><li class="listitem"><div class="para">
Run the conversion script and load the resulting LDIF file into IPA using the <code class="command">ldapmodify</code> command.
</div><div class="para">
@@ -3499,13 +3433,13 @@ EOF
Refer to the IPA CLI help system for more details. Use the <code class="command">ipa help</code> command to display a list of available topics.
</div></li></ol></div></li><li class="listitem"><div class="orderedlist"><ol><li class="listitem"><div class="para">
Use the UI to manually create a new structure of netgroups.
- </div></li></ol></div></li></ol></div></div></div></div><div xml:lang="en-US" class="chapter" id="authz" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 11. Policy: Configuring Authorization</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#configuring-host-access">11.1. Configuring Host-Based Access Control</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups">11.2. HBAC Service Groups</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services">11.3. HBAC Services</a></span></dt></dl></div><div class="section" id="configuring-host-access"><div class="titlepage"><div><div><h2 class="title" id="configuring-host-access">11.1. Configuring Host-Based Access Control</h2></div></div></div><div class="para">
+ </div></li></ol></div></li></ol></div></div></div></div><div xml:lang="en-US" class="chapter" id="authz" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 10. Policy: Configuring Authorization</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#configuring-host-access">10.1. Configuring Host-Based Access Control</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups">10.2. HBAC Service Groups</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services">10.3. HBAC Services</a></span></dt></dl></div><div class="section" id="configuring-host-access"><div class="titlepage"><div><div><h2 class="title" id="configuring-host-access">10.1. Configuring Host-Based Access Control</h2></div></div></div><div class="para">
Host-based access control (HBAC) uses <em class="firstterm">rules</em> to determine who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Target hosts and source hosts in HBAC rules must be hosts managed by IPA.
</div><div class="para">
You can also specify a category of users, target hosts, and source hosts. This is currently limited to "all", but might be expanded in the future.
</div><div class="para">
The available services and groups of services are controlled by the <code class="systemitem">hbacsvc</code> and <code class="systemitem">hbacsvcgroup</code> plug-ins, respectively.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups">11.2. HBAC Service Groups</h2></div></div></div><div class="para">
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups">10.2. HBAC Service Groups</h2></div></div></div><div class="para">
HBAC service groups can contain any number of individual services (<em class="firstterm">members</em>), and are typically used to group similar services to make it easier to create HBAC rules. All HBAC service groups require a name and description. IPA provides a single default group, SUDO, used for SUDO-related services.
</div><div class="para">
Use the <code class="command">ipa hbacsvcgroup-find</code> command to display the existing HBAC groups:
@@ -3521,7 +3455,7 @@ Number of entries returned 1
</div><div class="para">
IPA provides commands for adding, removing and modifying HBAC service groups, adding and removing members to and from those groups, and displaying group information. Refer to the <code class="command">ipa help hbacsvcgroup</code> help page for more information.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services">11.3. HBAC Services</h2></div></div></div><div class="para">
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services">10.3. HBAC Services</h2></div></div></div><div class="para">
HBAC services refer to the PAM services that the IPA HBAC system can control access to. HBAC service names must exactly match the service name that PAM is evaluating. For example, use the following command to add the <code class="systemitem">tftp</code> service as an HBAC service:
<pre class="screen"><code class="command"># ipa hbacsvc-add tftp</code>
-------------------------
@@ -3545,27 +3479,27 @@ Number of entries returned 2
</div><div class="para">
Refer to the <code class="command">ipa help hbacsvc</code> help page for more information.
- </div></div></div><div xml:lang="en-US" class="chapter" id="sudo" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 12. Policy: Using sudo</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#about-sudo">12.1. About sudo and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Introduction-Sudo_with_LDAP">12.1.1. Sudo with LDAP</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Introduction-Limitations_of_the_Existing_Sudo_LDAP_Schema">12.1.2. Limitations of the Existing Sudo LDAP Schema</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Introduction-Benefits_of_the_IPA_Alternative_Schema">12.1.3. Benefits of the IPA Alternative Schema</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Introduction-Compatibility_and_Managed_Entry_Plug_in_Configurati
on">12.1.4. Compatibility and Managed Entry Plug-in Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#configuring-sudo">12.2. Configuring sudo</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Server_Configuration_for_Sudo_Rules">12.2.1. Server Configuration for Sudo Rules</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Client_Configuration_for_Sudo_Rules">12.2.2. Client Configuration for Sudo Rules</a></span></dt></dl></dd></dl></div><div class="section" id="about-sudo"><div class="titlepage"><div><div><h2 class="title" id="about-sudo">12.1. About sudo and IPA</h2></div></div></div><div class="para">
+ </div></div></div><div xml:lang="en-US" class="chapter" id="sudo" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 11. Policy: Using sudo</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#about-sudo">11.1. About sudo and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Introduction-Sudo_with_LDAP">11.1.1. Sudo with LDAP</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Introduction-Limitations_of_the_Existing_Sudo_LDAP_Schema">11.1.2. Limitations of the Existing Sudo LDAP Schema</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Introduction-Benefits_of_the_IPA_Alternative_Schema">11.1.3. Benefits of the IPA Alternative Schema</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Introduction-Compatibility_and_Managed_Entry_Plug_in_Configurati
on">11.1.4. Compatibility and Managed Entry Plug-in Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#configuring-sudo">11.2. Configuring sudo</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Server_Configuration_for_Sudo_Rules">11.2.1. Server Configuration for Sudo Rules</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Client_Configuration_for_Sudo_Rules">11.2.2. Client Configuration for Sudo Rules</a></span></dt></dl></dd></dl></div><div class="section" id="about-sudo"><div class="titlepage"><div><div><h2 class="title" id="about-sudo">11.1. About sudo and IPA</h2></div></div></div><div class="para">
The <code class="command">sudo</code> command allows a system administrator to delegate authority, allowing certain users (or groups of users) the ability to run one or more commands as root or as another user, and at the same time providing an audit trail of the commands and their arguments. For more information, including coverage of the options available for use with <code class="command">sudo</code>, refer to the <code class="command">sudo</code> and <code class="command">sudoers</code> man pages.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Introduction-Sudo_with_LDAP"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Introduction-Sudo_with_LDAP">12.1.1. Sudo with LDAP</h3></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Introduction-Sudo_with_LDAP"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Introduction-Sudo_with_LDAP">11.1.1. Sudo with LDAP</h3></div></div></div><div class="para">
In the past, <code class="command">sudo</code> used a single, local, configuration file, <code class="filename">/etc/sudoers</code>. It is possible to share the same <code class="filename">sudoers</code> file among machines, but there is no built-in mechanism to distribute it. Some have attempted to work around this by synchronizing changes using CVS, RSYNC, RDIST, RCP, SCP, and even NFS. By using LDAP for <code class="filename">sudoers</code>, IPA provides a centrally-administered, globally-available configuration source for <code class="command">sudo</code>.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Introduction-Limitations_of_the_Existing_Sudo_LDAP_Schema"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Introduction-Limitations_of_the_Existing_Sudo_LDAP_Schema">12.1.2. Limitations of the Existing Sudo LDAP Schema</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Limitations_of_the_Existing_Sudo_LDAP_Schema-Groups_of_Users"><h5 class="formalpara">Groups of Users</h5>
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Introduction-Limitations_of_the_Existing_Sudo_LDAP_Schema"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Introduction-Limitations_of_the_Existing_Sudo_LDAP_Schema">11.1.2. Limitations of the Existing Sudo LDAP Schema</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Limitations_of_the_Existing_Sudo_LDAP_Schema-Groups_of_Users"><h5 class="formalpara">Groups of Users</h5>
The current schema relies on LDAP-stored POSIX groups for its groups of users. The limitation here is that you cannot use a group of users for <code class="command">sudo</code> without the users inheriting potential POSIX rights.
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Limitations_of_the_Existing_Sudo_LDAP_Schema-Groups_of_Hosts"><h5 class="formalpara">Groups of Hosts</h5>
The current schema does not have a concept of host groups. Instead, it relies on the legacy LDAP nisNetgroupTriple to manage groups of hosts.
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Limitations_of_the_Existing_Sudo_LDAP_Schema-Groups_of_Commands"><h5 class="formalpara">Groups of Commands</h5>
The current schema does not have a concept of command groups. This requires that individual commands be present in each Sudo rule. It also limits the ability to reuse a group of commands for multiple Sudo rules.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Introduction-Benefits_of_the_IPA_Alternative_Schema"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Introduction-Benefits_of_the_IPA_Alternative_Schema">12.1.3. Benefits of the IPA Alternative Schema</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Benefits_of_the_IPA_Alternative_Schema-Groups_of_Users"><h5 class="formalpara">Groups of Users</h5>
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Introduction-Benefits_of_the_IPA_Alternative_Schema"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Introduction-Benefits_of_the_IPA_Alternative_Schema">11.1.3. Benefits of the IPA Alternative Schema</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Benefits_of_the_IPA_Alternative_Schema-Groups_of_Users"><h5 class="formalpara">Groups of Users</h5>
Groups of users can be either POSIX or non-POSIX groups within IPA. This provides the flexibility to group users without assigning POSIX rights or GID information to the group.
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Benefits_of_the_IPA_Alternative_Schema-Groups_of_Computers"><h5 class="formalpara">Groups of Computers</h5>
The IPA alternative schema also addresses the issue of host groups and netgroups for the purpose of sudo. The <code class="command">sudo</code> utility itself does not support host groups—a better and cleaner host grouping mechanism—but instead expects netgroups. To resolve this issue, IPA automatically creates a "shadow netgroup" with the same name as every host group that you create. This means that you can create host groups but still use netgroups with <code class="command">sudo</code> without encountering any problems.
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Benefits_of_the_IPA_Alternative_Schema-Groups_of_Commands"><h5 class="formalpara">Groups of Commands</h5>
Command groups are a new concept introduced by IPA. These objects allow administrators the ability to create groups of <code class="command">sudo</code> commands that can be reused for multiple rules without the need of assigning individual commands throughout.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Introduction-Compatibility_and_Managed_Entry_Plug_in_Configuration"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Introduction-Compatibility_and_Managed_Entry_Plug_in_Configuration">12.1.4. Compatibility and Managed Entry Plug-in Configuration</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Compatibility_and_Managed_Entry_Plug_in_Configuration-Compatibility_Translation_for_Native_Sudo"><h5 class="formalpara">Compatibility Translation for Native Sudo</h5>
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Introduction-Compatibility_and_Managed_Entry_Plug_in_Configuration"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Introduction-Compatibility_and_Managed_Entry_Plug_in_Configuration">11.1.4. Compatibility and Managed Entry Plug-in Configuration</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Compatibility_and_Managed_Entry_Plug_in_Configuration-Compatibility_Translation_for_Native_Sudo"><h5 class="formalpara">Compatibility Translation for Native Sudo</h5>
The native <code class="command">sudo</code> binary does not yet support SSSD or the IPA Sudo Schema. As an interim solution, IPA has implemented a compatibility plug-in which transparently translates IPA Sudo rules into those supported by the current <code class="command">sudo</code> binary.
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Compatibility_and_Managed_Entry_Plug_in_Configuration-Managed_Entries_for_NIS_Netgroups"><h5 class="formalpara">Managed Entries for NIS Netgroups</h5>
In order to seamlessly support the current implementation of sudo, IPA provides a managed entry plug-in for NIS netgroups. Whenever an IPA host group is created, a translated nisNetgroupTriple is also created.
- </div></div></div><div class="section" id="configuring-sudo"><div class="titlepage"><div><div><h2 class="title" id="configuring-sudo">12.2. Configuring sudo</h2></div></div></div><div class="para">
+ </div></div></div><div class="section" id="configuring-sudo"><div class="titlepage"><div><div><h2 class="title" id="configuring-sudo">11.2. Configuring sudo</h2></div></div></div><div class="para">
To fully implement Sudo rules, you need to perform various configuration steps on both the IPA server and client. You should first create a <em class="firstterm">Sudo command object</em>, and optionally create any <em class="firstterm">Sudo command groups</em>. Finally, create a <em class="firstterm">Sudo rule</em>, which should contain at least the following components:
<div class="itemizedlist"><div class="para">
One or more:
@@ -3579,7 +3513,7 @@ Number of entries returned 2
</div><div class="para">
These steps are described in detail in the following sections.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Server_Configuration_for_Sudo_Rules"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Server_Configuration_for_Sudo_Rules">12.2.1. Server Configuration for Sudo Rules</h3></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Server_Configuration_for_Sudo_Rules-How_to_configure_your_server_to_use_Sudo_rules"><h6>Procedure 12.1. How to configure your server to use Sudo rules:</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Server_Configuration_for_Sudo_Rules"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Server_Configuration_for_Sudo_Rules">11.2.1. Server Configuration for Sudo Rules</h3></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Server_Configuration_for_Sudo_Rules-How_to_configure_your_server_to_use_Sudo_rules"><h6>Procedure 11.1. How to configure your server to use Sudo rules:</h6><ol class="1"><li class="step"><div class="para">
Set up a host group, and add the client to the host group:
</div><ol class="a"><li class="step"><pre class="screen"><code class="command">$ ipa hostgroup-add bne_doc</code>
Description: BNE Documentation hosts
@@ -3696,7 +3630,7 @@ Number of members added 1
-------------------------
</pre>
- </div></li></ol></li></ol></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Client_Configuration_for_Sudo_Rules"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Client_Configuration_for_Sudo_Rules">12.2.2. Client Configuration for Sudo Rules</h3></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Client_Configuration_for_Sudo_Rules-How_to_configure_your_client_to_use_Sudo_rules"><h6>Procedure 12.2. How to configure your client to use Sudo rules:</h6><ol class="1"><li class="step"><div class="para">
+ </div></li></ol></li></ol></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Client_Configuration_for_Sudo_Rules"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Client_Configuration_for_Sudo_Rules">11.2.2. Client Configuration for Sudo Rules</h3></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Client_Configuration_for_Sudo_Rules-How_to_configure_your_client_to_use_Sudo_rules"><h6>Procedure 11.2. How to configure your client to use Sudo rules:</h6><ol class="1"><li class="step"><div class="para">
Configure <code class="command">sudo</code> to look to LDAP for the <code class="filename">sudoers</code> file. Add the following line to <code class="filename">/etc/nsswitch.conf</code>:
<pre class="programlisting">sudoers: ldap</pre>
@@ -3729,7 +3663,7 @@ timelimit 15
uri ldap://ipaserver.ipadocs.org
</pre>
<div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
- The sudo user's password in this configuration is the same password you set up in <a class="xref" href="#proc-Enterprise_Identity_Management_Guide-Server_Configuration_for_Sudo_Rules-How_to_configure_your_server_to_use_Sudo_rules">Procedure 12.1, “How to configure your server to use Sudo rules:”</a>.
+ The sudo user's password in this configuration is the same password you set up in <a class="xref" href="#proc-Enterprise_Identity_Management_Guide-Server_Configuration_for_Sudo_Rules-How_to_configure_your_server_to_use_Sudo_rules">Procedure 11.1, “How to configure your server to use Sudo rules:”</a>.
</div></div></div>
</div><div class="para">
@@ -3744,7 +3678,7 @@ uri ldap://ipaserver.ipadocs.org
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
A bug has been filed in Fedora to have this configuration requirement addressed during the boot process.
- </div></div></div></li></ol></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Client_Configuration_for_Sudo_Rules-NIS_Configuration_Notes"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Client_Configuration_for_Sudo_Rules-NIS_Configuration_Notes">12.2.2.1. NIS Configuration Notes</h4></div></div></div><div class="para">
+ </div></div></div></li></ol></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Client_Configuration_for_Sudo_Rules-NIS_Configuration_Notes"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Client_Configuration_for_Sudo_Rules-NIS_Configuration_Notes">11.2.2.1. NIS Configuration Notes</h4></div></div></div><div class="para">
Originally called <em class="firstterm">Yellow Pages (YP)</em>, NIS was created by Sun Microsystems and stands for Network Information Service. It was primarily used by UNIX to centrally manage authentication and enumeration information such as user/password, host/IP address, POSIX groups, and netgroups. NIS (the service) does not actually need to be configured on either the client or the server. Not only is it unnecessary, but might be considered a security risk if it were running. NIS is an RPC service and is insecure by today's standards, partly because:
<div class="itemizedlist"><ul><li class="listitem"><div class="para">
It provides no host authentication mechanisms
@@ -3758,7 +3692,7 @@ uri ldap://ipaserver.ipadocs.org
The IPA LDAP implementation provides the schema to support NIS as defined in <a href="http://tools.ietf.org/html/rfc2307">RFC 2307</a>. NIS objects are automatically created inside of LDAP and NSS_LDAP, or SSSD fetches them using an encrypted LDAP connection.
</div><div class="para">
Utilizing SSSD or NSS_LDAP, a client system can enumerate the necessary NIS information using authenticated and encrypted queries to the back end LDAP service provided by the IPA Server. This eliminates the need for NIS client configuration for systems that can support NIS using LDAP when utilizing IPA.
- </div></div></div></div></div><div xml:lang="en-US" class="chapter" id="server-config" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 13. Configuring the FreeIPA Server</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#managing-access-to-ipa">13.1. Defining Access Controls within FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="#Server_side_Access_Control">13.1.1. Server-side Access Control</a></span></dt><dt><span class="section"><a href="#creating-roles">13.1.2. Creating Roles</a></span></dt><dt><span class="section"><a href="#self-service">13.1.3. Defining Self-Service Settings</a></span></dt></dl></dd><dt><span class="section"><a href="#disabling-anon-binds">13.2. Disabling Anonymous Binds</a></span></dt><dt><span class="section"><a href="#Managing-Unique_UID_and_GID_Attributes">13.3. Managing Unique UID and GID Number Assignments</a></span></dt><dd><dl><dt><span class="section"><a href="#id-ran
ges-at-install">13.3.1. About ID Range Assignments During Installation</a></span></dt><dt><span class="section"><a href="#Assigning_UIDs_and_GIDs-Adding_New_Ranges">13.3.2. Adding New Ranges</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_Certificates_and_Certificate_Authorities">13.4. Configuring Certificates and Certificate Authorities</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_Certificates_and_Certificate_Authorities-Installing_Your_Own_Certificate">13.4.1. Installing Your Own Certificate</a></span></dt><dt><span class="section"><a href="#Configuring_Certificates_and_Certificate_Authorities-Using_Your_Own_Certificate_with_Firefox">13.4.2. Using Your Own Certificate with Firefox</a></span></dt><dt><span class="section"><a href="#Using_OCSP">13.4.3. Using OCSP</a></span></dt></dl></dd><dt><span class="section"><a href="#ipa-apache">13.5. Setting a FreeIPA Server as an Apache Virtual Host</a></span></dt><dt><span class="se
ction"><a href="#ipa-cluster">13.6. Using FreeIPA in a Cluster</a></span></dt><dd><dl><dt><span class="section"><a href="#Implementing_IPA_in_a_Clustered_Environment-Configuring_Kerberos_Credentials_for_a_Clustered_Environment">13.6.1. Configuring Kerberos Credentials for a Clustered Environment</a></span></dt><dt><span class="section"><a href="#Implementing_IPA_in_a_Clustered_Environment-Using_the_Same_Service_Principal_for_Multiple_Services">13.6.2. Using the Same Service Principal for Multiple Services</a></span></dt></dl></dd><dt><span class="section"><a href="#Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas">13.7. Creating DNS Entries for FreeIPA Replicas</a></span></dt><dt><span class="section"><a href="#promoting-replica">13.8. Promoting a Read-Only Replica to a FreeIPA Server</a></span></dt><dt><span class="section"><a href="#logging">13.9. FreeIPA Server Logging</a></span></dt></dl></div><div class="section" id="managing-access-to-ipa"><div class="titlepage">
<div><div><h2 class="title" id="managing-access-to-ipa">13.1. Defining Access Controls within FreeIPA</h2></div></div></div><div class="para">
+ </div></div></div></div></div><div xml:lang="en-US" class="chapter" id="server-config" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 12. Configuring the FreeIPA Server</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#managing-access-to-ipa">12.1. Defining Access Controls within FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="#Server_side_Access_Control">12.1.1. Server-side Access Control</a></span></dt><dt><span class="section"><a href="#creating-roles">12.1.2. Creating Roles</a></span></dt><dt><span class="section"><a href="#self-service">12.1.3. Defining Self-Service Settings</a></span></dt></dl></dd><dt><span class="section"><a href="#disabling-anon-binds">12.2. Disabling Anonymous Binds</a></span></dt><dt><span class="section"><a href="#Managing-Unique_UID_and_GID_Attributes">12.3. Managing Unique UID and GID Number Assignments</a></span></dt><dd><dl><dt><span class="section"><a href="#id-ran
ges-at-install">12.3.1. About ID Range Assignments During Installation</a></span></dt><dt><span class="section"><a href="#Assigning_UIDs_and_GIDs-Adding_New_Ranges">12.3.2. Adding New Ranges</a></span></dt></dl></dd><dt><span class="section"><a href="#Configuring_Certificates_and_Certificate_Authorities">12.4. Configuring Certificates and Certificate Authorities</a></span></dt><dd><dl><dt><span class="section"><a href="#Configuring_Certificates_and_Certificate_Authorities-Installing_Your_Own_Certificate">12.4.1. Installing Your Own Certificate</a></span></dt><dt><span class="section"><a href="#Configuring_Certificates_and_Certificate_Authorities-Using_Your_Own_Certificate_with_Firefox">12.4.2. Using Your Own Certificate with Firefox</a></span></dt><dt><span class="section"><a href="#Using_OCSP">12.4.3. Using OCSP</a></span></dt></dl></dd><dt><span class="section"><a href="#ipa-apache">12.5. Setting a FreeIPA Server as an Apache Virtual Host</a></span></dt><dt><span class="se
ction"><a href="#ipa-cluster">12.6. Using FreeIPA in a Cluster</a></span></dt><dd><dl><dt><span class="section"><a href="#Implementing_IPA_in_a_Clustered_Environment-Configuring_Kerberos_Credentials_for_a_Clustered_Environment">12.6.1. Configuring Kerberos Credentials for a Clustered Environment</a></span></dt><dt><span class="section"><a href="#Implementing_IPA_in_a_Clustered_Environment-Using_the_Same_Service_Principal_for_Multiple_Services">12.6.2. Using the Same Service Principal for Multiple Services</a></span></dt></dl></dd><dt><span class="section"><a href="#Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas">12.7. Creating DNS Entries for FreeIPA Replicas</a></span></dt><dt><span class="section"><a href="#promoting-replica">12.8. Promoting a Read-Only Replica to a FreeIPA Server</a></span></dt><dt><span class="section"><a href="#logging">12.9. FreeIPA Server Logging</a></span></dt></dl></div><div class="section" id="managing-access-to-ipa"><div class="titlepage">
<div><div><h2 class="title" id="managing-access-to-ipa">12.1. Defining Access Controls within FreeIPA</h2></div></div></div><div class="para">
Access control is a mechanism which defines user access. That is, it defines the rights that users and other objects have been granted in order to perform operations on other users or objects. When the FreeIPA directory server receives a request, it uses the authentication information provided by the user in the bind operation together with <em class="firstterm">access control instructions (ACIs)</em> defined in the server to allow or deny access to directory information. The server can allow or deny permissions for actions, such as read, write, search, and compare, on directory server entries. The permission level granted to a user may depend on the authentication information provided.
</div><div class="para">
FreeIPA implements a number of different methods for controlling access to the various objects, commands and processes that exist within a FreeIPA domain. This includes a Kerberos Ticket Policy, a Password Policy, Host-based Access Control and SUDO Command Policies for controlling client access to services and commands; that is, outside of the FreeIPA server, and a separate Access Control Model for controlling server-side objects; that is, LDAP entries within the FreeIPA server.
@@ -3778,7 +3712,7 @@ uri ldap://ipaserver.ipadocs.org
There are several aspects to working with roles. Because it is a hierarchical system, to create a fully operational role you need to create the role itself, add privileges to this role to establish what tasks it can and cannot perform, and finally add members to the role, such as users, groups, etc. The reverse is also true; if you remove a role, then any users or groups who relied on this role to perform certain tasks will no longer be able to do so.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
You cannot create nested roles. That is, a role cannot contain another role.
- </div></div></div><div class="section" id="Server_side_Access_Control"><div class="titlepage"><div><div><h3 class="title" id="Server_side_Access_Control">13.1.1. Server-side Access Control</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Server_side_Access_Control"><div class="titlepage"><div><div><h3 class="title" id="Server_side_Access_Control">12.1.1. Server-side Access Control</h3></div></div></div><div class="para">
The FreeIPA Access Control Model is based on the underlying 389 Directory Server access control model, which uses access control instructions (ACIs) to define user access within the system. An ACI is a construct that can express a complex set of access control information.
</div><div class="para">
As explained in the directory server documentation, the three main parts of an ACI statement are:
@@ -3792,7 +3726,7 @@ uri ldap://ipaserver.ipadocs.org
</div><div class="para">
The ACI structure itself is very flexible, but can also be confusing. FreeIPA attempts to structure these ACIs in order to provide a formalized input and output that can be expressed on the command line and in the WebUI, while at the same time maintaining sufficient flexibility to create complex access control rules. In order to achieve this, FreeIPA implements three types of access control. These are discussed in the following sections.
- </div><div class="section" id="Server_side_Access_Control-Types_of_Access_Control"><div class="titlepage"><div><div><h4 class="title" id="Server_side_Access_Control-Types_of_Access_Control">13.1.1.1. Types of Access Control</h4></div></div></div><div class="para">
+ </div><div class="section" id="Server_side_Access_Control-Types_of_Access_Control"><div class="titlepage"><div><div><h4 class="title" id="Server_side_Access_Control-Types_of_Access_Control">12.1.1.1. Types of Access Control</h4></div></div></div><div class="para">
FreeIPA relies on three separate types of access control rules:
<div class="itemizedlist"><ul><li class="listitem"><div class="para">
Role-based
@@ -3810,7 +3744,7 @@ uri ldap://ipaserver.ipadocs.org
Delegation access control defines what operations one group of users or entries can perform on another group of users or entries. In each case, the group of users or entries may be identified by a provided filter. The core difference between delegation access control rules and other rules is that the target—the object of the access control rule—is not a class of entries but rather a set of specific entries that are members of a group or retrieved by a specific filter. The delegation rules allow targeted management of specific user entries.
</div><div class="para">
In each case, the access control rule resolves the constituents of the FreeIPA access control expression: "<em class="firstterm">Who</em> can do <em class="firstterm">What</em> to <em class="firstterm">Whom</em>". The following section explains these constituents in more detail.
- </div><div class="section" id="Types_of_Access_Control-The_IPA_Access_Control_Expression"><div class="titlepage"><div><div><h5 class="title" id="Types_of_Access_Control-The_IPA_Access_Control_Expression">13.1.1.1.1. The FreeIPA Access Control Expression</h5></div></div></div><div class="formalpara" id="The_IPA_Access_Control_Expression-The_Who_of_Access_Control"><h5 class="formalpara">The "Who" of Access Control</h5>
+ </div><div class="section" id="Types_of_Access_Control-The_IPA_Access_Control_Expression"><div class="titlepage"><div><div><h5 class="title" id="Types_of_Access_Control-The_IPA_Access_Control_Expression">12.1.1.1.1. The FreeIPA Access Control Expression</h5></div></div></div><div class="formalpara" id="The_IPA_Access_Control_Expression-The_Who_of_Access_Control"><h5 class="formalpara">The "Who" of Access Control</h5>
In simple grammatical terms, the "who" of a FreeIPA <em class="firstterm">access control instruction (ACI)</em>, or expression, is the subject. It specifies the entity that interacts with the system and tries to perform an administrative task. This task could be an administrator adding a user, a user changing his home address, or a host requesting a certificate for a service running on the host.
</div><div class="para">
It is important to understand that the "who" is not necessarily a person; it can be any entity that has successfully authenticated against FreeIPA. In order to authenticate against the FreeIPA server, this entity, the "who", needs to have a Kerberos principal. After the entity has authenticated, it can connect to the FreeIPA server and try to issue administrative commands. The system will either allow or deny the requested operation based on this entity's permissions.
@@ -3842,9 +3776,9 @@ uri ldap://ipaserver.ipadocs.org
As a set of entries selected by filter, for example: <em class="parameter"><code>cn="filter"</code></em>.
</div></li></ul></div>
- </div></div><div class="section" id="Types_of_Access_Control-Directory_Server_ACIs_and_IPA_Access_Control_Types"><div class="titlepage"><div><div><h5 class="title" id="Types_of_Access_Control-Directory_Server_ACIs_and_IPA_Access_Control_Types">13.1.1.1.2. 389 Directory Server ACIs and FreeIPA Access Control Types</h5></div></div></div><div class="para">
+ </div></div><div class="section" id="Types_of_Access_Control-Directory_Server_ACIs_and_IPA_Access_Control_Types"><div class="titlepage"><div><div><h5 class="title" id="Types_of_Access_Control-Directory_Server_ACIs_and_IPA_Access_Control_Types">12.1.1.1.2. 389 Directory Server ACIs and FreeIPA Access Control Types</h5></div></div></div><div class="para">
The following table summarizes the relationship between the different 389 Directory Server ACI components and the FreeIPA access control types.
- </div><div class="table" id="tab.aci-mapping"><h6>Table 13.1. Mapping 389 Directory Server and FreeIPA Access Control Types</h6><div class="table-contents"><table summary="Mapping 389 Directory Server and FreeIPA Access Control Types" border="1"><colgroup><col align="left" width="25%" /><col align="left" width="25%" /><col align="left" width="25%" /><col align="left" width="25%" /></colgroup><thead><tr><th align="left">
+ </div><div class="table" id="tab.aci-mapping"><h6>Table 12.1. Mapping 389 Directory Server and FreeIPA Access Control Types</h6><div class="table-contents"><table summary="Mapping 389 Directory Server and FreeIPA Access Control Types" border="1"><colgroup><col align="left" width="25%" /><col align="left" width="25%" /><col align="left" width="25%" /><col align="left" width="25%" /></colgroup><thead><tr><th align="left">
Type of Access Control
</th><th align="left">
Target
@@ -3882,7 +3816,7 @@ uri ldap://ipaserver.ipadocs.org
Write, Add, or Delete. Read is implied.
</td><td align="left">
A group of users, usually a group of administrative users.
- </td></tr></tbody></table></div></div><br class="table-break" /></div></div></div><div class="section" id="creating-roles"><div class="titlepage"><div><div><h3 class="title" id="creating-roles">13.1.2. Creating Roles</h3></div></div></div><div class="orderedlist"><h6>To set up a new role:</h6><ol><li class="listitem"><div class="para">
+ </td></tr></tbody></table></div></div><br class="table-break" /></div></div></div><div class="section" id="creating-roles"><div class="titlepage"><div><div><h3 class="title" id="creating-roles">12.1.2. Creating Roles</h3></div></div></div><div class="orderedlist"><h6>To set up a new role:</h6><ol><li class="listitem"><div class="para">
Add the new role:
</div><pre class="screen"># ipa role-add --desc="User Administrator" useradmin
------------------------
@@ -3921,7 +3855,7 @@ uri ldap://ipaserver.ipadocs.org
As the needs of your enterprise change, you may need to modify the roles that you have established. For example, you may need to change the members of the role, or change the privileges associated with the role. You can use the <code class="command">ipa role-*</code> commands to perform these functions. For example, to remove an existing privilege from a role, use the <code class="command">ipa role-remove-privilege</code> command. To remove members from a role, use the <code class="command">ipa role-remove-member</code> command. Refer to the <code class="command">ipa role help</code> pages for more information.
</div><div class="para">
You can use the <code class="command">ipa role-del</code> command to delete FreeIPA roles from your configuration. Bear in mind, however, that any entities that rely on this role for access to FreeIPA objects or to perform certain tasks will no longer have that ability.
- </div></div><div class="section" id="self-service"><div class="titlepage"><div><div><h3 class="title" id="self-service">13.1.3. Defining Self-Service Settings</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="self-service"><div class="titlepage"><div><div><h3 class="title" id="self-service">12.1.3. Defining Self-Service Settings</h3></div></div></div><div class="para">
Self-service access control rules define the operations that an entity can perform on itself. These rules are attribute based; that is, they define what attributes can be modified for any particular entity. You can create self-service rules so that users can manage their own addresses, keep their contact details current, change their passwords, etc.
</div><div class="para">
Self-service rules are defined and managed by a number of sub-commands. Use the <code class="command">ipa help selfservice</code> command to display the list of available commands.
@@ -3949,7 +3883,7 @@ Attributes: givenname, displayname, title, initials, homephone, mobile, telephon
</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
You need to include all of the required attributes when you modify a self-service rule, including existing ones.
- </div></div></div></div></div><div class="section" id="disabling-anon-binds"><div class="titlepage"><div><div><h2 class="title" id="disabling-anon-binds">13.2. Disabling Anonymous Binds</h2></div></div></div><div class="para">
+ </div></div></div></div></div><div class="section" id="disabling-anon-binds"><div class="titlepage"><div><div><h2 class="title" id="disabling-anon-binds">12.2. Disabling Anonymous Binds</h2></div></div></div><div class="para">
Even though the XML-RPC and WebUI always require authentication, the default FreeIPA configuration allows anonymous binds to the LDAP port by anyone in the same domain as the FreeIPA server, and consequent retrieval of a range of data, including user, group, netgroup, host, host group, and service records. This is generally considered insecure, and some RFC standards require that it be disabled to achieve compliance. With anonymous binds disabled, all connections to the directory server need to provide a valid identity.
</div><div class="para">
To disable anonymous binds, perform this LDAP modification:
@@ -3962,7 +3896,7 @@ nsslapd-allow-anonymous-access: off
# service dirsrv restart</pre>
- </div></div><div class="section" id="Managing-Unique_UID_and_GID_Attributes"><div class="titlepage"><div><div><h2 class="title" id="Managing-Unique_UID_and_GID_Attributes">13.3. Managing Unique UID and GID Number Assignments</h2></div></div></div><div class="para">
+ </div></div><div class="section" id="Managing-Unique_UID_and_GID_Attributes"><div class="titlepage"><div><div><h2 class="title" id="Managing-Unique_UID_and_GID_Attributes">12.3. Managing Unique UID and GID Number Assignments</h2></div></div></div><div class="para">
A FreeIPA server must generate random UID and GID values and simultaneously ensure that replicas never generate the same UID or GID value. The need for unique UID and GID numbers might even cross FreeIPA domains, if a single organization has multiple disparate domains.
</div><div class="para">
The UID and GID numbers are divided into <span class="emphasis"><em>ranges</em></span>. By keeping separate numeric ranges for individual servers and replicas, the chances are minimal that any numbers issued by one server or replica will duplicate those from another. Ranges are updated and shared intelligently between servers and replicas through the Dynamic Numeric Assignment (DNA) Plug-in, as part of the backend 389 Directory Server instance for the domain. The same range is used for user IDs (<em class="parameter"><code>uidNumber</code></em>) and group IDs (<em class="parameter"><code>gidNumber</code></em>). A user and a group may have the same ID, but since the ID is set in different attributes, there is no conflict. Using the same ID number for both a user and a group also allows an administrator to configure user private groups, where a unique system group is created for each user and the ID number is the same for both the user and the group.
@@ -3972,7 +3906,7 @@ nsslapd-allow-anonymous-access: off
If a number is <span class="emphasis"><em>manually</em></span> assigned to a user entry, the server does not validate that the <em class="parameter"><code>uidNumber</code></em> is unique. It will allow duplicate IDs; this is expected (though discouraged) behavior for Posix entries. The same is true for group entries: a duplicate <em class="parameter"><code>gidNumber</code></em> can be manually assigned to the entry.
</div><div class="para">
If two entries are assigned the same ID number, only the first entry is returned in a search for that ID number. However, both entries will be returned in searches for other attributes or with <code class="command">ipa user-find --all</code>.
- </div></div></div><div class="section" id="id-ranges-at-install"><div class="titlepage"><div><div><h3 class="title" id="id-ranges-at-install">13.3.1. About ID Range Assignments During Installation</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="id-ranges-at-install"><div class="titlepage"><div><div><h3 class="title" id="id-ranges-at-install">12.3.1. About ID Range Assignments During Installation</h3></div></div></div><div class="para">
The FreeIPA administrator can initially define a range during server installation, using the <code class="option">--idstart</code> and <code class="option">--idmax</code> options with <code class="command">ipa-server-install</code>. These options are not required, so the setup script can assign random ranges during installation.
</div><div class="para">
If no range is set manually when the first FreeIPA server is installed, a range of 200,000 IDs is randomly selected. There are 10,000 possible ranges. Selecting a random range from that number provides a high probability of non-conflicting IDs if two separate FreeIPA domains are ever merged in the future.
@@ -3980,7 +3914,7 @@ nsslapd-allow-anonymous-access: off
With a single FreeIPA server, IDs are assigned to entries in order through the range. With replicas, the initial server ID range is split and distributed.
</div><div class="para">
When a replica is installed, it is configured with an invalid range. It also has a directory entry (that is shared among replicas) that instructs the replica where it can request a valid range. When the replica starts, or as its current range is depleted so that less than 100 IDs are available, it can contact one of the available servers for a new range allotment. A special extended operation splits the range in two, so that the original server and the replica each have half of the available range.
- </div></div><div class="section" id="Assigning_UIDs_and_GIDs-Adding_New_Ranges"><div class="titlepage"><div><div><h3 class="title" id="Assigning_UIDs_and_GIDs-Adding_New_Ranges">13.3.2. Adding New Ranges</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="Assigning_UIDs_and_GIDs-Adding_New_Ranges"><div class="titlepage"><div><div><h3 class="title" id="Assigning_UIDs_and_GIDs-Adding_New_Ranges">12.3.2. Adding New Ranges</h3></div></div></div><div class="para">
If the range for the entire domain is close to depletion, a new range can be manually selected and assigned to one of the master servers. All replicas then request ID ranges from the master as necessary.
</div><div class="para">
The changes to the range are done by editing the 389 Directory Server configuration to change the DNA Plug-in instance. The range is defined in the <em class="parameter"><code>dnaNextRange</code></em> parameter. For example:
@@ -3991,11 +3925,11 @@ changetype: modify
add: dnaNextRange
dnaNextRange: 123400000-123500000</pre><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
This command only adds the specified range of values; it does not check that the values in that range are actually available. This check is performed when an attempt is made to allocate those values. If a range is added that contains mostly values that were already allocated, the system will cycle through the entire range searching for unallocated values, and then the operation ultimately fails if none are available.
- </div></div></div></div></div><div class="section" id="Configuring_Certificates_and_Certificate_Authorities"><div class="titlepage"><div><div><h2 class="title" id="Configuring_Certificates_and_Certificate_Authorities">13.4. Configuring Certificates and Certificate Authorities</h2></div></div></div><div class="para">
+ </div></div></div></div></div><div class="section" id="Configuring_Certificates_and_Certificate_Authorities"><div class="titlepage"><div><div><h2 class="title" id="Configuring_Certificates_and_Certificate_Authorities">12.4. Configuring Certificates and Certificate Authorities</h2></div></div></div><div class="para">
FreeIPA creates a self-signed Certificate Authority (<abbr class="abbrev">CA</abbr>) during the installation process. If you have your own or a preferred <abbr class="abbrev">CA</abbr>, however, and want to use your own certificates, FreeIPA provides the necessary tools to import certificates for use by 389 Directory Server and the <code class="systemitem">HTTP</code> server. While not a prerequisite for the correct operation of FreeIPA, it is recommended that you save an <acronym class="acronym">ASCII</acronym> copy of your <abbr class="abbrev">CA</abbr> certificate as <code class="filename">/usr/share/ipa/html/ca.crt</code> to ensure that users download the correct certificate.
- </div><div class="section" id="Configuring_Certificates_and_Certificate_Authorities-Installing_Your_Own_Certificate"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Certificates_and_Certificate_Authorities-Installing_Your_Own_Certificate">13.4.1. Installing Your Own Certificate</h3></div></div></div><div class="para">
+ </div><div class="section" id="Configuring_Certificates_and_Certificate_Authorities-Installing_Your_Own_Certificate"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Certificates_and_Certificate_Authorities-Installing_Your_Own_Certificate">12.4.1. Installing Your Own Certificate</h3></div></div></div><div class="para">
Use the <code class="command">ipa-server-certinstall</code> command to install your own certificate. You can install the certificate for use by 389 Directory Server, <code class="systemitem">HTTP</code> Server, or both.
- </div><pre class="screen"># /usr/sbin/ipa-server-certinstall -d /path/to/pkcs12.p12</pre></div><div class="section" id="Configuring_Certificates_and_Certificate_Authorities-Using_Your_Own_Certificate_with_Firefox"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Certificates_and_Certificate_Authorities-Using_Your_Own_Certificate_with_Firefox">13.4.2. Using Your Own Certificate with Firefox</h3></div></div></div><div class="para">
+ </div><pre class="screen"># /usr/sbin/ipa-server-certinstall -d /path/to/pkcs12.p12</pre></div><div class="section" id="Configuring_Certificates_and_Certificate_Authorities-Using_Your_Own_Certificate_with_Firefox"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Certificates_and_Certificate_Authorities-Using_Your_Own_Certificate_with_Firefox">12.4.2. Using Your Own Certificate with Firefox</h3></div></div></div><div class="para">
To continue using the Firefox auto-configuration feature, you need an object-signing certificate, and you need to regenerate the <code class="filename">/usr/share/ipa/html/configure.jar</code> file.
</div><div class="orderedlist"><h6>To use your own certificate with Firefox:</h6><ol><li class="listitem"><div class="para">
Create a suitable directory and then create the new certificate database in that directory.
@@ -4015,7 +3949,7 @@ dnaNextRange: 123400000-123500000</pre><div class="note"><div class="admonition_
Use the certificate you created earlier to sign the javascript file and to regenerate the <code class="filename">configure.jar</code> file.
<pre class="screen"># signtool -d /tmp/signdb -k Signing_cert_nickname -Z /usr/share/ipa/html/configure.jar -e .html</pre>
- </div></li></ol></div></div><div class="section" id="Using_OCSP"><div class="titlepage"><div><div><h3 class="title" id="Using_OCSP">13.4.3. Using OCSP</h3></div></div></div><div class="para">
+ </div></li></ol></div></div><div class="section" id="Using_OCSP"><div class="titlepage"><div><div><h3 class="title" id="Using_OCSP">12.4.3. Using OCSP</h3></div></div></div><div class="para">
The Online Certificate Status Protocol (OCSP) is natively provided by the CA embedded into FreeIPA. This is so that any client that supports it can use OCSP for certificate validity checks.
</div><div class="para">
The OCSP responder URL is encoded into the certificates issued by FreeIPA. In order for that responder to be available, port 9180 needs to be open in the firewall. The OCSP URL uses the following format:
@@ -4023,7 +3957,7 @@ dnaNextRange: 123400000-123500000</pre><div class="note"><div class="admonition_
</div><div class="para">
For more information on OCSP, refer to the RFC at <a href="http://www.ietf.org/rfc/rfc2560.txt">http://www.ietf.org/rfc/rfc2560.txt</a>.
- </div></div></div><div class="section" id="ipa-apache"><div class="titlepage"><div><div><h2 class="title" id="ipa-apache">13.5. Setting a FreeIPA Server as an Apache Virtual Host</h2></div></div></div><div class="para">
+ </div></div></div><div class="section" id="ipa-apache"><div class="titlepage"><div><div><h2 class="title" id="ipa-apache">12.5. Setting a FreeIPA Server as an Apache Virtual Host</h2></div></div></div><div class="para">
If you have a standard Apache instance running on port 80, you can configure FreeIPA to run on a secondary port, for example, on port 8089. You should be aware, however, that in this configuration, FreeIPA does not use <code class="systemitem">SSL</code>; all requests will use standard <code class="systemitem">HTTP</code>.
</div><div class="para">
The following procedure assumes that FreeIPA is configured to run on port 80, and that you want to move it to port 8089.
@@ -4063,9 +3997,9 @@ RewriteRule ^/(.*) https://host.foo.com/$1 [L,R=301,NC]
</div></li></ol></div><div class="para">
This configures FreeIPA to run on port 8089, leaving port 80 free for your normal web site.
- </div></div><div class="section" id="ipa-cluster"><div class="titlepage"><div><div><h2 class="title" id="ipa-cluster">13.6. Using FreeIPA in a Cluster</h2></div></div></div><div class="para">
+ </div></div><div class="section" id="ipa-cluster"><div class="titlepage"><div><div><h2 class="title" id="ipa-cluster">12.6. Using FreeIPA in a Cluster</h2></div></div></div><div class="para">
The FreeIPA server currently does not specifically handle the case of a service running in a cluster. That is, the FreeIPA server is not <em class="firstterm">cluster aware</em>. It is possible to configure a clustered service to be part of FreeIPA, although a certain amount of manual configuration is required. This involves sharing and synchronizing Kerberos keys across all of the participating hosts, and also configuring services running on the hosts to respond to whatever names the clients want to use.
- </div><div class="section" id="Implementing_IPA_in_a_Clustered_Environment-Configuring_Kerberos_Credentials_for_a_Clustered_Environment"><div class="titlepage"><div><div><h3 class="title" id="Implementing_IPA_in_a_Clustered_Environment-Configuring_Kerberos_Credentials_for_a_Clustered_Environment">13.6.1. Configuring Kerberos Credentials for a Clustered Environment</h3></div></div></div><div class="para">
+ </div><div class="section" id="Implementing_IPA_in_a_Clustered_Environment-Configuring_Kerberos_Credentials_for_a_Clustered_Environment"><div class="titlepage"><div><div><h3 class="title" id="Implementing_IPA_in_a_Clustered_Environment-Configuring_Kerberos_Credentials_for_a_Clustered_Environment">12.6.1. Configuring Kerberos Credentials for a Clustered Environment</h3></div></div></div><div class="para">
Use the following procedure to set up the Kerberos credentials for an environment where your managed host is a cluster of nodes.
</div><div class="orderedlist"><h6>Configuring Kerberos Credentials for a Clustered Environment</h6><ol><li class="listitem"><div class="para">
Enroll all of the hosts in the FreeIPA domain, and collect any keytabs that have been set up. At a minimum, this is <code class="filename">/etc/krb5.keytab</code>, although additional services may have their keys in other files.
@@ -4079,7 +4013,7 @@ RewriteRule ^/(.*) https://host.foo.com/$1 [L,R=301,NC]
Replace the keytab files on each host with the newly-created keytab file.
</div></li></ol></div><div class="para">
Each host in this cluster should now be able to impersonate any other host.
- </div><div class="section" id="Configuring_Kerberos_Credentials_for_a_Clustered_Environment-Service_specific_Configuration"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Kerberos_Credentials_for_a_Clustered_Environment-Service_specific_Configuration">13.6.1.1. Service-specific Configuration</h4></div></div></div><div class="para">
+ </div><div class="section" id="Configuring_Kerberos_Credentials_for_a_Clustered_Environment-Service_specific_Configuration"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Kerberos_Credentials_for_a_Clustered_Environment-Service_specific_Configuration">12.6.1.1. Service-specific Configuration</h4></div></div></div><div class="para">
Additional service-specific configuration may be required if cluster members do not reset their hostnames when they take over for a failed service.
<div class="itemizedlist"><ul><li class="listitem"><div class="para">
For <code class="systemitem">sshd</code>, set <em class="parameter"><code>GSSAPIStrictAcceptorCheck no</code></em> in <code class="filename">/etc/ssh/sshd_config</code>
@@ -4087,9 +4021,9 @@ RewriteRule ^/(.*) https://host.foo.com/$1 [L,R=301,NC]
For <code class="systemitem">mod_auth_kerb</code>, set <em class="parameter"><code>KrbServiceName Any</code></em> in <code class="filename">/etc/httpd/conf.d/auth_kerb.conf</code>
</div></li></ul></div>
- </div></div><div class="section" id="Configuring_Kerberos_Credentials_for_a_Clustered_Environment-SSL_Server_Configuration"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Kerberos_Credentials_for_a_Clustered_Environment-SSL_Server_Configuration">13.6.1.2. SSL Server Configuration</h4></div></div></div><div class="para">
+ </div></div><div class="section" id="Configuring_Kerberos_Credentials_for_a_Clustered_Environment-SSL_Server_Configuration"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Kerberos_Credentials_for_a_Clustered_Environment-SSL_Server_Configuration">12.6.1.2. SSL Server Configuration</h4></div></div></div><div class="para">
For SSL servers, it is important that the subject name or a <em class="parameter"><code>subjectAlternativeName</code></em> value for the server's certificate look correct when a client connects to the clustered item. The simplest way to do this is to keep the private key and certificate synchronized across all of the hosts, but it is better to share the private key if possible. Ensuring that certificates issued to each cluster member contain <em class="parameter"><code>subjectAlternativeName</code></em> values naming all of the cluster members should satisfy any client connection requirements.
- </div></div></div><div class="section" id="Implementing_IPA_in_a_Clustered_Environment-Using_the_Same_Service_Principal_for_Multiple_Services"><div class="titlepage"><div><div><h3 class="title" id="Implementing_IPA_in_a_Clustered_Environment-Using_the_Same_Service_Principal_for_Multiple_Services">13.6.2. Using the Same Service Principal for Multiple Services</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Implementing_IPA_in_a_Clustered_Environment-Using_the_Same_Service_Principal_for_Multiple_Services"><div class="titlepage"><div><div><h3 class="title" id="Implementing_IPA_in_a_Clustered_Environment-Using_the_Same_Service_Principal_for_Multiple_Services">12.6.2. Using the Same Service Principal for Multiple Services</h3></div></div></div><div class="para">
One aspect of applying FreeIPA in a cluster use case is using the same service principal for multiple services, spread across different machines. This is a simple procedure and could be implemented as follows:
<div class="orderedlist"><ol><li class="listitem"><div class="para">
Retrieve a service principal in the normal way, using the <code class="command">ipa-getkeytab</code> command, or use the keytab that is set up when the host joins the realm. That is, by using <code class="command">ipa-join</code>, which creates or updates the <code class="filename">/etc/krb5.keytab</code> file with a host/principal.
@@ -4097,11 +4031,11 @@ RewriteRule ^/(.*) https://host.foo.com/$1 [L,R=301,NC]
When you have the principal in a keytab on the system, you can direct multiple servers or services to use the same file, or you can copy the file to discrete locations as required.
</div></li></ol></div>
- </div></div></div><div class="section" id="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas"><div class="titlepage"><div><div><h2 class="title" id="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas">13.7. Creating DNS Entries for FreeIPA Replicas</h2></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas"><div class="titlepage"><div><div><h2 class="title" id="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas">12.7. Creating DNS Entries for FreeIPA Replicas</h2></div></div></div><div class="para">
You can use the <code class="option">--ip-address</code> option with the <code class="command">ipa-replica-prepare</code> command to pre-create DNS entries for a replica. If you include this option, FreeIPA will add the A and PTR records for the replica to the DNS. For example:
<pre class="screen">$ ipa-replica-prepare master2.example.com --ip-address 192.168.1.2</pre>
- </div></div><div class="section" id="promoting-replica"><div class="titlepage"><div><div><h2 class="title" id="promoting-replica">13.8. Promoting a Read-Only Replica to a FreeIPA Server</h2></div></div></div><div class="para">
+ </div></div><div class="section" id="promoting-replica"><div class="titlepage"><div><div><h2 class="title" id="promoting-replica">12.8. Promoting a Read-Only Replica to a FreeIPA Server</h2></div></div></div><div class="para">
The only difference between a replica and the master server is that the master owns the self-signed CA. If you copy the appropriate files from the master to the replica, import the CA into the replica directory server, and delete the existing replication agreements, that replica will then appear as a master server.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
If you install with the <code class="option">--selfsign</code> option, follow this procedure if you want to promote a replica to a master. This is because the private key for the self-signed CA is stored in the Apache database (<code class="filename">/etc/httpd/alias</code>). The private key for a Dogtag Certificate System CA is stored in its own security database.
@@ -4122,7 +4056,7 @@ RewriteRule ^/(.*) https://host.foo.com/$1 [L,R=301,NC]
</div></li></ol></div><div class="para">
You now have two identical FreeIPA servers, neither of which know about the other. You can shut down the old master and bring up the new machine (if you are introducing a new replica into your network). Create a replica file on the new master and install it on the new machine.
- </div></div><div class="section" id="logging"><div class="titlepage"><div><div><h2 class="title" id="logging">13.9. FreeIPA Server Logging</h2></div></div></div><div class="para">
+ </div></div><div class="section" id="logging"><div class="titlepage"><div><div><h2 class="title" id="logging">12.9. FreeIPA Server Logging</h2></div></div></div><div class="para">
If you are using the FreeIPA command-line tools or the WebUI to manage FreeIPA data then you should refer to the following sections to help troubleshoot any problems.
</div><div class="para">
You should first check the <code class="filename">/var/log/httpd/error_log</code> file. This may contain more information on the error and/or a python stacktrace.
@@ -4139,761 +4073,51 @@ debug=True</pre>
You can use the <code class="option">-v</code> option twice to display the XML-RPC exchange:
<pre class="screen">$ ipa -vv user-show admin</pre>
- </div></div></div><div xml:lang="en-US" class="appendix" id="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions" lang="en-US"><div class="titlepage"><div><div><h1 class="title">Frequently Asked Questions</h1></div></div></div><div class="qandaset"><dl><dt>Q: <a href="#id3389352">
+ </div></div></div><div xml:lang="en-US" class="appendix" id="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions" lang="en-US"><div class="titlepage"><div><div><h1 class="title">Frequently Asked Questions</h1></div></div></div><div class="qandaset"><dl><dt>Q: <a href="#id3352516">
Is it possible to change the IP address of the master server?
- </a></dt><dt>Q: <a href="#id3293041">
+ </a></dt><dt>Q: <a href="#id3346472">
Why are there restrictions on the length of user and group names? How can I change this?
- </a></dt><dt>Q: <a href="#id3091138">
+ </a></dt><dt>Q: <a href="#id3296982">
What is the difference between a replica and a master server?
- </a></dt><dt>Q: <a href="#id3388580">
+ </a></dt><dt>Q: <a href="#id3155288">
Can I promote a replica to function as the master? How?
- </a></dt><dt>Q: <a href="#id3389616">
+ </a></dt><dt>Q: <a href="#id3366611">
Why does the ipa-client-install script fail to find the IPA server on a network that uses Active Directory DNS?
- </a></dt><dt>Q: <a href="#id3151157">
+ </a></dt><dt>Q: <a href="#id3271572">
Can an administrator who is connected to "Server B" revoke a certificate issued by "Server A"?
- </a></dt></dl><div class="qandaset"><div id="id3389352" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
+ </a></dt></dl><div class="qandaset"><div id="id3352516" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
Is it possible to change the IP address of the master server?
</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
Yes. If you are only changing the IP address then it is sufficient to update the <code class="filename">/etc/hosts</code> file, the system configuration and the DNS entry.
- </div></div></div></div><div id="id3293041" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
+ </div></div></div></div><div id="id3346472" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
Why are there restrictions on the length of user and group names? How can I change this?
</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
User and group name lengths are specified in the policy. The default maximum username length is 32 characters. The maximum configurable length for user or group names is 255 characters. This restriction was introduced because some non-Linux operating systems have limitations on the length of username that they can support.
</div><div class="para">
You can modify these settings either in the user interface or on the command line. For example, to specify the maximum username length, run the following command: <code class="command">ipa config-mod --maxusername=INT</code>
- </div></div></div></div><div id="id3091138" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
+ </div></div></div></div><div id="id3296982" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
What is the difference between a replica and a master server?
</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
The only difference between a replica and the initial IPA install (the "master") is that the first server owns the self-signed CA.
- </div></div></div></div><div id="id3388580" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
+ </div></div></div></div><div id="id3155288" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
Can I promote a replica to function as the master? How?
</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
- Yes. Refer to <a class="xref" href="#promoting-replica">Section 13.8, “Promoting a Read-Only Replica to a FreeIPA Server”</a>.
- </div></div></div></div><div id="id3389616" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
+ Yes. Refer to <a class="xref" href="#promoting-replica">Section 12.8, “Promoting a Read-Only Replica to a FreeIPA Server”</a>.
+ </div></div></div></div><div id="id3366611" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
Why does the <code class="command">ipa-client-install</code> script fail to find the IPA server on a network that uses Active Directory DNS?
</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
This is probably due to the fact that Active Directory has its own SRV records for Kerberos and LDAP, and so the <code class="command">ipa-client-install</code> script retrieves those records instead of any that you may have added for IPA.
- </div></div></div></div><div id="id3151157" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
+ </div></div></div></div><div id="id3271572" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
Can an administrator who is connected to "Server B" revoke a certificate issued by "Server A"?
</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
Yes, assuming that Servers A and B contain non-cloned CAs whose portion of internal storage has been replicated to share revocation information only.
- </div></div></div></div></div></div></div><div xml:lang="en-US" class="appendix" id="tools-reference" lang="en-US"><div class="titlepage"><div><div><h1 class="title">FreeIPA Tools Reference</h1></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#ipa">B.1. ipa</a></span></dt><dd><dl><dt><span class="section"><a href="#ipa-location">B.1.1. Location</a></span></dt><dt><span class="section"><a href="#ipa-syntax">B.1.2. Syntax</a></span></dt><dt><span class="section"><a href="#ipa-commands">B.1.3. Commands</a></span></dt><dt><span class="section"><a href="#ipa-options">B.1.4. Options</a></span></dt><dt><span class="section"><a href="#ipa-command-automount">B.1.5. ipa automountlocation*</a></span></dt><dt><span class="section"><a href="#ipa-command-automountmap">B.1.6. ipa automountmap*</a></span></dt><dt><span class="section"><a href="#ipa-command-automountkey">B.1.7. ipa automountkey*</a></span></dt></dl></dd><dt><span class="section"><a href="#server-
tools">B.2. Server Scripts</a></span></dt><dd><dl><dt><span class="section"><a href="#ipa-compat-manage">B.2.1. ipa-compat-manage</a></span></dt><dt><span class="section"><a href="#ipa-compliance">B.2.2. ipa-compliance</a></span></dt><dt><span class="section"><a href="#ipa-dns-install">B.2.3. ipa-dns-install</a></span></dt><dt><span class="section"><a href="#ipa-host-net-manage">B.2.4. ipa-host-net-manage</a></span></dt><dt><span class="section"><a href="#ipa_kpasswd">B.2.5. ipa_kpasswd</a></span></dt><dt><span class="section"><a href="#ipa-ldap-updater">B.2.6. ipa-ldap-updater</a></span></dt><dt><span class="section"><a href="#ipa-nis-manage">B.2.7. ipa-nis-manage</a></span></dt><dt><span class="section"><a href="#ipa-replica-install">B.2.8. ipa-replica-install</a></span></dt><dt><span class="section"><a href="#ipa-replica-manage">B.2.9. ipa-replica-manage</a></span></dt><dt><span class="section"><a href="#ipa-replica-prepare">B.2.10. ipa-replica-prepare</a></span></dt><dt>
<span class="section"><a href="#ipa-server-certinstall">B.2.11. ipa-server-certinstall</a></span></dt><dt><span class="section"><a href="#ipa-server-install">B.2.12. ipa-server-install</a></span></dt><dt><span class="section"><a href="#ipa-ugradeconfig">B.2.13. ipa-upgradeconfig</a></span></dt><dt><span class="section"><a href="#ipactl">B.2.14. ipactl</a></span></dt></dl></dd><dt><span class="section"><a href="#client-tools">B.3. Client Scripts</a></span></dt><dd><dl><dt><span class="section"><a href="#ipa-client-install">B.3.1. ipa-client-install</a></span></dt><dt><span class="section"><a href="#ipa-getkeytab">B.3.2. ipa-getkeytab</a></span></dt><dt><span class="section"><a href="#ipa-join">B.3.3. ipa-join</a></span></dt><dt><span class="section"><a href="#ipa-rmkeytab">B.3.4. ipa-rmkeytab</a></span></dt></dl></dd><dt><span class="section"><a href="#certmonger-tools">B.4. Certmonger Scripts</a></span></dt><dd><dl><dt><span class="section"><a href="#getcert">B.4.1. getcert<
/a></span></dt><dt><span class="section"><a href="#ipa-getcert">B.4.2. ipa-getcert</a></span></dt></dl></dd></dl></div><div class="para">
- XXXXX introXXXXXXXX
- </div><div class="section" id="ipa"><div class="titlepage"><div><div><h2 class="title" id="ipa">B.1. ipa</h2></div></div></div><div class="para">
- IPA uses a plugin system where the same plugin is used both for the XML-RPC server-side interface and for the command-line interface. This results in a consistent, unified interface that is easy to maintain. From the user's perspective, plugins are more or less interchangeable with commands. Most plugins implement commands used to manage IPA and its data. With the exception of two build-ins (`help` and `console`) all commands are introduced by plugins. Commands are invoked like this: ipa [global-options] COMMAND [command-parameters-that-is-options-and-arguments] A list of global options can be displayed using: ipa --help The plugins are organized by type of objects they manage. This type can also be used to get an overview of the available commands. To display all commands in a specific module, use the `help` command as follows: ipa help TOPIC Parameters available for a specific command are displayed with: ipa COMMAND --help If a list of parameter isn't enough, more infor
mation about specific commands is available through the `help` command: ipa help COMMAND Description
- </div><div class="section" id="ipa-location"><div class="titlepage"><div><div><h3 class="title" id="ipa-location">B.1.1. Location</h3></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-admintools
- </td></tr></tbody></table></div></div><div class="section" id="ipa-syntax"><div class="titlepage"><div><div><h3 class="title" id="ipa-syntax">B.1.2. Syntax</h3></div></div></div><div class="cmdsynopsis"><p><code class="command">ipa</code>
- <em class="replaceable"><code>commands</code></em>
- [
- <em class="replaceable"><code>options</code></em>
- ]</p></div></div><div class="section" id="ipa-commands"><div class="titlepage"><div><div><h3 class="title" id="ipa-commands">B.1.3. Commands</h3></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Command
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- automountkey-add Create a new automount key. automountkey-del Delete an automount key. automountkey-find Search for an automount key. automountkey-mod Modify an automount key. automountkey-show Display an automount key. automountlocation-add Create a new automount location. automountlocation-del Delete an automount location. automountlocation-find Search for an automount location. automountlocation-import Import automount files for a specific location. automountlocation-show Display an automount location. automountlocation-tofiles Generate automount files for a specific location. automountmap-add Create a new automount map. automountmap-add-indirect Create a new indirect mount point. automountmap-del Delete an automount map. automountmap-find Search for an automount map. automountmap-mod Modify an automount map. automountmap-show Display an automount map. cert-remove-hold Take a revoked certificate off hold. cert-request Submit a certificate signing request. cert-rev
oke Revoke a certificate. cert-show Retrieve an existing certificate. cert-status Check the status of a certificate signing request. config-mod Modify configuration options. config-show Show the current configuration. console Start the IPA interactive Python console. delegation-add Add a new delegation. delegation-del Delete a delegation. delegation-find Search for delegations. delegation-mod Modify a delegation. delegation-show Display information about a delegation. dns-resolve Resolve a host name in DNS dnsrecord-add Add new DNS resource record. dnsrecord-del Delete DNS resource record. dnsrecord-find Search for DNS resources. dnsrecord-show Display DNS resource. dnszone-add Create new DNS zone (SOA record). dnszone-del Delete DNS zone (SOA record). dnszone-disable Disable DNS Zone. dnszone-enable Enable DNS Zone. dnszone-find Search for DNS zones (SOA records). dnszone-mod Modify DNS zone (SOA record). dnszone-show Display information about a DNS zone (SOA record). entit
le-consume Consume an entitlement entitle-find Search for entitlement accounts. entitle-get Retrieve the entitlement certs entitle-import Import an entitlement certificate. entitle-register Register to the entitlement system entitle-status Display current entitlements entitle-sync Re-sync the local entitlement cache with the entitlement server env Show environment variables group-add Create a new group. group-add-member Add members to a group. group-del Delete group. group-detach Detach a managed group from a user group-find Search for groups. group-mod Modify a group. group-remove-member Remove members from a group. group-show Display information about a named group. hbacrule-add Create a new HBAC rule. hbacrule-add-host Add target hosts and hostgroups to an HBAC rule hbacrule-add-service Add services to an HBAC rule. hbacrule-add-sourcehost Add source hosts and hostgroups from a HBAC rule. hbacrule-add-user Add users and groups to an HBAC rule. hbacrule-del Delete an HBAC
rule. hbacrule-disable Disable an HBAC rule. hbacrule-enable Enable an HBAC rule. hbacrule-find Search for HBAC rules. hbacrule-mod Modify an HBAC rule. hbacrule-remove-host Remove target hosts and hostgroups from an HBAC rule. hbacrule-remove-service Remove service and service groups from an HBAC rule. hbacrule-remove-sourcehost Remove source hosts and hostgroups from an HBAC rule. hbacrule-remove-user Remove users and groups from an HBAC rule. hbacrule-show Display the properties of an HBAC rule. hbacsvc-add Add a new HBAC service. hbacsvc-del Delete an existing HBAC service. hbacsvc-find Search for HBAC services. hbacsvc-mod Modify an HBAC service. hbacsvc-show Display information about an HBAC service. hbacsvcgroup-add Add a new HBAC service group. hbacsvcgroup-add-member Add members to an HBAC service group. hbacsvcgroup-del Delete an HBAC service group. hbacsvcgroup-find Search for an HBAC service group. hbacsvcgroup-mod Modify an HBAC service group. hbacsvcgroup-remov
e-member Remove members from an HBAC service group. hbacsvcgroup-show Display information about an HBAC service group. help Display help for a command or topic. host-add Add a new host. host-add-managedby Add hosts that can manage this host. host-del Delete a host. host-disable Disable the Kerberos key, SSL certificate and all services of a host. host-find Search for hosts. host-mod Modify information about a host. host-remove-managedby Remove hosts that can manage this host. host-show Display information about a host. hostgroup-add Add a new hostgroup. hostgroup-add-member Add members to a hostgroup. hostgroup-del Delete a hostgroup. hostgroup-find Search for hostgroups. hostgroup-mod Modify a hostgroup. hostgroup-remove-member Remove members from a hostgroup. hostgroup-show Display information about a hostgroup. krbtpolicy-mod Modify Kerberos ticket policy. krbtpolicy-reset Reset Kerberos ticket policy to the default values. krbtpolicy-show Display the current Kerberos tic
ket policy. migrate-ds Migrate users and groups from DS to IPA. netgroup-add Add a new netgroup. netgroup-add-member Add members to a netgroup. netgroup-del Delete a netgroup. netgroup-find Search for a netgroup. netgroup-mod Modify a netgroup. netgroup-remove-member Remove members from a netgroup. netgroup-show Display information about a netgroup. passwd Set a user's password permission-add Add a new permission. permission-del Delete a permission. permission-find Search for permissions. permission-mod Modify a permission. permission-show Display information about a permission. ping ping a remote server plugins Show all loaded plugins privilege-add Add a new privilege. privilege-add-permission Add permissions to a privilege. privilege-del Delete a privilege. privilege-find Search for privileges. privilege-mod Modify a privilege. privilege-remove-permission Remove permissions from a privilege. privilege-show Display information about a privilege. pwpolicy-add Add a new group
password policy. pwpolicy-del Delete a group password policy. pwpolicy-find Search for group password policies. pwpolicy-mod Modify a group password policy. pwpolicy-show Display information about password policy. role-add Add a new role. role-add-member Add members to a role. role-add-privilege Add privileges to a role. role-del Delete a role. role-find Search for roles. role-mod Modify a role. role-remove-member Remove members from a role. role-remove-privilege Remove privileges from a role. role-show Display information about a role. selfservice-add Add a new self-service permission. selfservice-del Delete a self-service permission. selfservice-find Search for a self-service permission. selfservice-mod Modify a self-service permission. selfservice-show Display information about a self-service permission. service-add Add a new IPA new service. service-add-host Add hosts that can manage this service. service-del Delete an IPA service. service-disable Disable the Kerberos k
ey and SSL certificate of a service. service-find Search for IPA services. service-mod Modify an existing IPA service. service-remove-host Remove hosts that can manage this service. service-show Display information about an IPA service. show-mappings ipalib.cli.show_mappings sudocmd-add Create new sudo command. sudocmd-del Delete sudo command. sudocmd-find Search for commands. sudocmd-mod Modify command. sudocmd-show Display sudo command. sudocmdgroup-add Create new sudo command group. sudocmdgroup-add-member Add members to sudo command group. sudocmdgroup-del Delete sudo command group. sudocmdgroup-find Search for sudo command groups. sudocmdgroup-mod Modify group. sudocmdgroup-remove-member Remove members from sudo command group. sudocmdgroup-show Display sudo command group. sudorule-add Create new Sudo Rule. sudorule-add-allow-command Add commands and sudo command groups affected by Sudo Rule. sudorule-add-deny-command Add commands and sudo command groups affected by Sudo
Rule. sudorule-add-host Add hosts and hostgroups affected by Sudo Rule. sudorule-add-option Add an option to the Sudo rule. sudorule-add-runasgroup Add group for Sudo to execute as. sudorule-add-runasuser Add user for Sudo to execute as. sudorule-add-user Add users and groups affected by Sudo Rule. sudorule-del Delete Sudo Rule. sudorule-disable Disable a Sudo rule. sudorule-enable Enable a Sudo rule. sudorule-find Search for Sudo Rule. sudorule-mod Modify Sudo Rule. sudorule-remove-allow-command Remove commands and sudo command groups affected by Sudo Rule. sudorule-remove-deny-command Remove commands and sudo command groups affected by Sudo Rule. sudorule-remove-host Remove hosts and hostgroups affected by Sudo Rule. sudorule-remove-option Remove an option from Sudo rule. sudorule-remove-runasgroup Remove group for Sudo to execute as. sudorule-remove-runasuser Remove user for Sudo to execute as. sudorule-remove-user Remove users and groups affected by Sudo Rule. sudorule-
show Dispaly Sudo Rule. user-add Add a new user. user-del Delete a user. user-disable Disable a user account. user-enable Enable a user account. user-find Search for users. user-mod Modify a user. user-show Display information about a user. user-unlock Unlock a user account
- </td><td>
- Location
- </td></tr></tbody></table></div></div><div class="section" id="ipa-options"><div class="titlepage"><div><div><h3 class="title" id="ipa-options">B.1.4. Options</h3></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- -h, --help show this help message and exit -e KEY=VAL Set environment variable KEY to VAL -c FILE Load configuration from FILE -d, --debug Produce full debuging output -v, --verbose Produce more verbose output. A second -v displays the XML-RPC request -a, --prompt-all Prompt for ALL values (even if optional) -n, --no-prompt Prompt for NO values (even if required) -f, --no-fallback Only use the server configured in /etc/ipa/default.conf
- </td><td>
- Location
- </td></tr></tbody></table></div><div class="para">
- help topics: automount Automount cert IPA certificate operations config Manage the IPA configuration delegation Group to Group Delegation dns Domain Name System (DNS) entitle Entitlements group Groups of users hbac Host-based access control commands host Hosts/Machines hostgroup Groups of hosts. krbtpolicy Kerberos ticket policy migration Migration to IPA misc Misc plug-ins netgroup Netgroups passwd Set a user's password permission Permissions ping Ping the remote IPA server privilege Privileges pwpolicy Password policy role Roles selfservice Self-service Permissions service Services sudo commands for controlling sudo configuration user Users
- </div></div><div class="section" id="ipa-command-automount"><div class="titlepage"><div><div><h3 class="title" id="ipa-command-automount">B.1.5. ipa automountlocation*</h3></div></div></div><div class="para">
- info
- </div><div class="section" id="ipa-automount-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-automount-syntax">B.1.5.1. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">ipa</code>
- <em class="replaceable"><code>commands</code></em>
- [
- <em class="replaceable"><code>options</code></em>
- ]</p></div></div><div class="section" id="ipa-automount-commands"><div class="titlepage"><div><div><h4 class="title" id="ipa-automount-commands">B.1.5.2. Commands</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Command
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- automountkey-add Create a new automount key. automountkey-del Delete an automount key. automountkey-find Search for an automount key. automountkey-mod Modify an automount key. automountkey-show Display an automount key. automountlocation-add Create a new automount location. automountlocation-del Delete an automount location. automountlocation-find Search for an automount location. automountlocation-import Import automount files for a specific location. automountlocation-show Display an automount location. automountlocation-tofiles Generate automount files for a specific location. automountmap-add Create a new automount map. automountmap-add-indirect Create a new indirect mount point. automountmap-del Delete an automount map. automountmap-find Search for an automount map. automountmap-mod Modify an automount map. automountmap-show Display an automount map.
- </td><td>
- Location
- </td></tr></tbody></table></div></div><div class="section" id="ipa-automount-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-automount-options">B.1.5.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- -h, --help show this help message and exit -e KEY=VAL Set environment variable KEY to VAL -c FILE Load configuration from FILE -d, --debug Produce full debuging output -v, --verbose Produce more verbose output. A second -v displays the XML-RPC request -a, --prompt-all Prompt for ALL values (even if optional) -n, --no-prompt Prompt for NO values (even if required) -f, --no-fallback Only use the server configured in /etc/ipa/default.conf
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-command-automountmap"><div class="titlepage"><div><div><h3 class="title" id="ipa-command-automountmap">B.1.6. ipa automountmap*</h3></div></div></div><div class="para">
- info
- </div><div class="section" id="ipa-automountmap-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-automountmap-syntax">B.1.6.1. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">ipa</code>
- <em class="replaceable"><code>commands</code></em>
- [
- <em class="replaceable"><code>options</code></em>
- ]</p></div></div><div class="section" id="ipa-automountmap-commands"><div class="titlepage"><div><div><h4 class="title" id="ipa-automountmap-commands">B.1.6.2. Commands</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Command
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- automountkey-add Create a new automount key. automountkey-del Delete an automount key. automountkey-find Search for an automount key. automountkey-mod Modify an automount key. automountkey-show Display an automount key. automountlocation-add Create a new automount location. automountlocation-del Delete an automount location. automountlocation-find Search for an automount location. automountlocation-import Import automount files for a specific location. automountlocation-show Display an automount location. automountlocation-tofiles Generate automount files for a specific location. automountmap-add Create a new automount map. automountmap-add-indirect Create a new indirect mount point. automountmap-del Delete an automount map. automountmap-find Search for an automount map. automountmap-mod Modify an automount map. automountmap-show Display an automount map.
- </td><td>
- Location
- </td></tr></tbody></table></div></div><div class="section" id="ipa-automountmap-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-automountmap-options">B.1.6.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- -h, --help show this help message and exit -e KEY=VAL Set environment variable KEY to VAL -c FILE Load configuration from FILE -d, --debug Produce full debuging output -v, --verbose Produce more verbose output. A second -v displays the XML-RPC request -a, --prompt-all Prompt for ALL values (even if optional) -n, --no-prompt Prompt for NO values (even if required) -f, --no-fallback Only use the server configured in /etc/ipa/default.conf
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-command-automountkey"><div class="titlepage"><div><div><h3 class="title" id="ipa-command-automountkey">B.1.7. ipa automountkey*</h3></div></div></div><div class="para">
- info
- </div><div class="section" id="ipa-automountkey-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-automountkey-syntax">B.1.7.1. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">ipa</code>
- <em class="replaceable"><code>commands</code></em>
- [
- <em class="replaceable"><code>options</code></em>
- ]</p></div></div><div class="section" id="ipa-automountkey-commands"><div class="titlepage"><div><div><h4 class="title" id="ipa-automountkey-commands">B.1.7.2. Commands</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Command
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- automountkey-add Create a new automount key. automountkey-del Delete an automount key. automountkey-find Search for an automount key. automountkey-mod Modify an automount key. automountkey-show Display an automount key. automountlocation-add Create a new automount location. automountlocation-del Delete an automount location. automountlocation-find Search for an automount location. automountlocation-import Import automount files for a specific location. automountlocation-show Display an automount location. automountlocation-tofiles Generate automount files for a specific location. automountmap-add Create a new automount map. automountmap-add-indirect Create a new indirect mount point. automountmap-del Delete an automount map. automountmap-find Search for an automount map. automountmap-mod Modify an automount map. automountmap-show Display an automount map.
- </td><td>
- Location
- </td></tr></tbody></table></div></div><div class="section" id="ipa-automountkey-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-automountkey-options">B.1.7.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- -h, --help show this help message and exit -e KEY=VAL Set environment variable KEY to VAL -c FILE Load configuration from FILE -d, --debug Produce full debuging output -v, --verbose Produce more verbose output. A second -v displays the XML-RPC request -a, --prompt-all Prompt for ALL values (even if optional) -n, --no-prompt Prompt for NO values (even if required) -f, --no-fallback Only use the server configured in /etc/ipa/default.conf
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div></div><div class="section" id="server-tools"><div class="titlepage"><div><div><h2 class="title" id="server-tools">B.2. Server Scripts</h2></div></div></div><div class="para">
- XXXXXXXXXXXXX
- </div><div class="section" id="ipa-compat-manage"><div class="titlepage"><div><div><h3 class="title" id="ipa-compat-manage">B.2.1. ipa-compat-manage</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-compat-manage-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-compat-manage-location">B.2.1.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipa-compat-manage-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-compat-manage-syntax">B.2.1.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-compat-manage-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-compat-manage-options">B.2.1.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-compliance"><div class="titlepage"><div><div><h3 class="title" id="ipa-compliance">B.2.2. ipa-compliance</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-compliance-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-compliance-location">B.2.2.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipa-compliance-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-compliance-syntax">B.2.2.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-compliance-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-compliance-options">B.2.2.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-dns-install"><div class="titlepage"><div><div><h3 class="title" id="ipa-dns-install">B.2.3. ipa-dns-install</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-dns-install-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-dns-install-location">B.2.3.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipa-dns-install-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-dns-install-syntax">B.2.3.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-dns-install-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-dns-install-options">B.2.3.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-host-net-manage"><div class="titlepage"><div><div><h3 class="title" id="ipa-host-net-manage">B.2.4. ipa-host-net-manage</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-host-net-manage-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-host-net-manage-location">B.2.4.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipa-host-net-manage-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-host-net-manage-syntax">B.2.4.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-host-net-manage-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-host-net-manage-options">B.2.4.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa_kpasswd"><div class="titlepage"><div><div><h3 class="title" id="ipa_kpasswd">B.2.5. ipa_kpasswd</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa_kpasswd-location"><div class="titlepage"><div><div><h4 class="title" id="ipa_kpasswd-location">B.2.5.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipa_kpasswd-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa_kpasswd-syntax">B.2.5.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa_kpasswd-options"><div class="titlepage"><div><div><h4 class="title" id="ipa_kpasswd-options">B.2.5.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-ldap-updater"><div class="titlepage"><div><div><h3 class="title" id="ipa-ldap-updater">B.2.6. ipa-ldap-updater</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-ldap-updater-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-ldap-updater-location">B.2.6.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipa-ldap-updater-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-ldap-updater-syntax">B.2.6.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-ldap-updater-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-ldap-updater-options">B.2.6.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-nis-manage"><div class="titlepage"><div><div><h3 class="title" id="ipa-nis-manage">B.2.7. ipa-nis-manage</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-nis-manage-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-nis-manage-location">B.2.7.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipa-nis-manage-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-nis-manage-syntax">B.2.7.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-nis-manage-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-nis-manage-options">B.2.7.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-replica-install"><div class="titlepage"><div><div><h3 class="title" id="ipa-replica-install">B.2.8. ipa-replica-install</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-replica-install-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-replica-install-location">B.2.8.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipa-replica-install-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-replica-install-syntax">B.2.8.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-replica-install-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-replica-install-options">B.2.8.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-replica-manage"><div class="titlepage"><div><div><h3 class="title" id="ipa-replica-manage">B.2.9. ipa-replica-manage</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-replica-manage-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-replica-manage-location">B.2.9.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipa-replica-manage-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-replica-manage-syntax">B.2.9.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-replica-manage-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-replica-manage-options">B.2.9.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-replica-prepare"><div class="titlepage"><div><div><h3 class="title" id="ipa-replica-prepare">B.2.10. ipa-replica-prepare</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-replica-prepare-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-replica-prepare-location">B.2.10.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipa-replica-prepare-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-replica-prepare-syntax">B.2.10.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-replica-prepare-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-replica-prepare-options">B.2.10.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-server-certinstall"><div class="titlepage"><div><div><h3 class="title" id="ipa-server-certinstall">B.2.11. ipa-server-certinstall</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-server-certinstall-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-server-certinstall-location">B.2.11.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipa-server-certinstall-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-server-certinstall-syntax">B.2.11.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-server-certinstall-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-server-certinstall-options">B.2.11.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-server-install"><div class="titlepage"><div><div><h3 class="title" id="ipa-server-install">B.2.12. ipa-server-install</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-server-install-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-server-install-location">B.2.12.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipa-server-install-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-server-install-syntax">B.2.12.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-server-install-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-server-install-options">B.2.12.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-ugradeconfig"><div class="titlepage"><div><div><h3 class="title" id="ipa-ugradeconfig">B.2.13. ipa-upgradeconfig</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-upgradeconfig-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-upgradeconfig-location">B.2.13.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipa-upgradeconfig-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-upgradeconfig-syntax">B.2.13.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-upgradeconfig-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-upgradeconfig-options">B.2.13.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipactl"><div class="titlepage"><div><div><h3 class="title" id="ipactl">B.2.14. ipactl</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipactl-location"><div class="titlepage"><div><div><h4 class="title" id="ipactl-location">B.2.14.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipactl-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipactl-syntax">B.2.14.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipactl-options"><div class="titlepage"><div><div><h4 class="title" id="ipactl-options">B.2.14.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div></div><div class="section" id="client-tools"><div class="titlepage"><div><div><h2 class="title" id="client-tools">B.3. Client Scripts</h2></div></div></div><div class="para">
- XXXXXXXXXXXXX
- </div><div class="section" id="ipa-client-install"><div class="titlepage"><div><div><h3 class="title" id="ipa-client-install">B.3.1. ipa-client-install</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-client-install-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-client-install-location">B.3.1.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div><div class="section" id="ipa-client-install-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-client-install-syntax">B.3.1.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-client-install-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-client-install-options">B.3.1.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-getkeytab"><div class="titlepage"><div><div><h3 class="title" id="ipa-getkeytab">B.3.2. ipa-getkeytab</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-getkeytab-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-getkeytab-location">B.3.2.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipa-getkeytab-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-getkeytab-syntax">B.3.2.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-getkeytab-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-getkeytab-options">B.3.2.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-join"><div class="titlepage"><div><div><h3 class="title" id="ipa-join">B.3.3. ipa-join</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-join-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-join-location">B.3.3.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipa-join-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-join-syntax">B.3.3.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-join-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-join-options">B.3.3.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-rmkeytab"><div class="titlepage"><div><div><h3 class="title" id="ipa-rmkeytab">B.3.4. ipa-rmkeytab</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-rmkeytab-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-rmkeytab-location">B.3.4.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- ipa-server
- </td></tr></tbody></table></div></div><div class="section" id="ipa-rmkeytab-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-rmkeytab-syntax">B.3.4.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-rmkeytab-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-rmkeytab-options">B.3.4.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div></div><div class="section" id="certmonger-tools"><div class="titlepage"><div><div><h2 class="title" id="certmonger-tools">B.4. Certmonger Scripts</h2></div></div></div><div class="para">
- XXXXXXXXXXXXX
- </div><div class="section" id="getcert"><div class="titlepage"><div><div><h3 class="title" id="getcert">B.4.1. getcert</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="getcert-location"><div class="titlepage"><div><div><h4 class="title" id="getcert-location">B.4.1.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div><div class="section" id="getcert-syntax"><div class="titlepage"><div><div><h4 class="title" id="getcert-syntax">B.4.1.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="getcert-options"><div class="titlepage"><div><div><h4 class="title" id="getcert-options">B.4.1.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- certmonger
- </td></tr></tbody></table></div></div></div><div class="section" id="ipa-getcert"><div class="titlepage"><div><div><h3 class="title" id="ipa-getcert">B.4.2. ipa-getcert</h3></div></div></div><div class="para">
- Description
- </div><div class="section" id="ipa-getcert-location"><div class="titlepage"><div><div><h4 class="title" id="ipa-getcert-location">B.4.2.1. Location</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Description
- </th><th>
- Location
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- certmonger
- </td></tr></tbody></table></div></div><div class="section" id="ipa-getcert-syntax"><div class="titlepage"><div><div><h4 class="title" id="ipa-getcert-syntax">B.4.2.2. Syntax</h4></div></div></div><div class="cmdsynopsis"><p><code class="command">PKCS12Export</code>
- -d <em class="replaceable"><code>/path/to/cert-directory</code></em>
- [
- -debug
- ]</p></div></div><div class="section" id="ipa-getcert-options"><div class="titlepage"><div><div><h4 class="title" id="ipa-getcert-options">B.4.2.3. Options</h4></div></div></div><div class="informaltable"><table border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
- Parameter
- </th><th>
- Description
- </th></tr></thead><tbody><tr><td>
- Tool directory
- </td><td>
- Location
- </td></tr><tr><td>
- Package
- </td><td>
- Location
- </td></tr></tbody></table></div></div></div></div></div><div xml:lang="en-US" class="appendix" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger" lang="en-US"><div class="titlepage"><div><div><h1 class="title">Services: Working with certmonger</h1></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger">C.1. What is certmonger?</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger">C.2. Using certmonger</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS">C.3. Using certmonger with NSS</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA">C.4. Using certmonger with IPA</a></span></dt></dl>
</div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger">C.1. What is certmonger?</h2></div></div></div><div class="para">
+ </div></div></div></div></div></div></div><div xml:lang="en-US" class="appendix" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger" lang="en-US"><div class="titlepage"><div><div><h1 class="title">Services: Working with certmonger</h1></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger">B.1. What is certmonger?</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger">B.2. Using certmonger</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS">B.3. Using certmonger with NSS</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA">B.4. Using certmonger with IPA</a></span></dt></dl></div><div class="
section" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger">B.1. What is certmonger?</h2></div></div></div><div class="para">
The <code class="systemitem">certmonger</code> daemon, together with its command line clients, attempts to simplify the process of generating public/private key pairs and Certificate Signing Requests (CSRs), and submitting CSRs to Certificate Authorities (CAs) for signing.
</div><div class="para">
The <code class="systemitem">certmonger</code> daemon also monitors certificates for imminent expiration and, with the help of a CA, can optionally refresh certificates that are about to expire. It can also drive the entire IPA enrollment process, from key generation through to enrollment itself and refreshing certificates.
</div><div class="para">
The set of certificates that <code class="systemitem">certmonger</code> monitors is tracked in files stored in a user-configurable directory. The default location is <code class="filename">/var/lib/certmonger/requests</code>.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger">C.2. Using certmonger</h2></div></div></div><div class="para">
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger">B.2. Using certmonger</h2></div></div></div><div class="para">
Probably the simplest use case is to generate a certificate which is signed by the subject itself. These are not typically used in production, but are suitable for demonstration and testing purposes. Consider the following command:
</div><pre class="screen"><code class="command"># selfsign-getcert request -f /tmp/server.crt -k /tmp/server.key</code></pre><div class="para">
This informs <code class="systemitem">certmonger</code> that we want a key to be stored in the file <code class="filename">/tmp/server.key</code>, to generate a corresponding certificate, and to store that certificate in the file <code class="filename">/tmp/server.crt</code>. Using <code class="command">selfsign-getcert</code> also implicitly tells <code class="systemitem">certmonger</code> to <span class="emphasis"><em>self-sign</em></span> the CSR, which it generates and uses internally, with the subject's own key. During this process, certmonger:
@@ -4905,7 +4129,7 @@ debug=True</pre>
created the CSR
</div></li><li class="listitem"><div class="para">
used the same key to produce a signed certificate.
- </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS">C.3. Using certmonger with NSS</h2></div></div></div><div class="para">
+ </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS">B.3. Using certmonger with NSS</h2></div></div></div><div class="para">
The previous example used plain files for holding the key and the certificate, but certmonger can also take advantage of NSS database storage. In this scenario, you need to pass the database's location and a nickname for the certificate to certmonger. Consider the following example:
<pre class="screen"><code class="command"># selfsign-getcert request -d /tmp -n Test-Certificate</code></pre>
@@ -4916,7 +4140,7 @@ debug=True</pre>
</div><div class="para">
Refer to the <code class="command">getcert</code> man page for more information about the available command options.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA">C.4. Using certmonger with IPA</h2></div></div></div><div class="para">
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA">B.4. Using certmonger with IPA</h2></div></div></div><div class="para">
The only difference between using <code class="systemitem">certmonger</code> with the IPA CA and producing a self-signed certificate is changing the command prefix. Instead of using <code class="command">selfsign-getcert</code>, use the <code class="command">ipa-getcert</code> command. For example:
<pre class="screen"><code class="command">ipa-getcert request -r \</code>
<code class="command">-f /etc/httpd/conf/ssl.crt/server.crt \</code>
@@ -4925,9 +4149,9 @@ debug=True</pre>
<code class="command">-D `hostname --fqdn` \</code>
<code class="command">-U id-kp-serverAuth</code></pre>
- </div></div></div><div xml:lang="en-US" class="appendix" id="Migrating_from_a_Directory_Server_to_IPA" lang="en-US"><div class="titlepage"><div><div><h1 class="title">Migrating from a Directory Server to IPA</h1></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Overview">D.1. Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Assumptions">D.1.1. Assumptions</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Known_Issues">D.1.2. Known Issues</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Possible_Scenarios">D.1.3. Possible Scenarios</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Initial_and_Final_States">D.1.4. Initial and Final States</a></sp
an></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Recommended_Sequence_of_Steps">D.1.5. Recommended Sequence of Steps</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Implementation_Details">D.1.6. Implementation Details</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration">D.2. Performing a Server-based Migration</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA">D.2.1. Phase 1: Migrating Existing Data to IPA</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_2_Updating_the_Client_Configuration">D.2.2. Phase 2: Updating the Client Configuration</a
></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD">D.2.3. Phase 3: Installing and Configuring SSSD</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_4_Migrating_Users">D.2.4. Phase 4: Migrating Users</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_5_Decommission_the_DS">D.2.5. Phase 5: Decommission the DS</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration">D.3. Performing a Client-based Migration</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_1_Installing_and_Configuring
_SSSD">D.3.1. Phase 1: Installing and Configuring SSSD</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_2_Migrating_Existing_Data_to_IPA">D.3.2. Phase 2: Migrating Existing Data to IPA</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_3_Migrate_SSSD_Clients_from_LDAP_to_IPA">D.3.3. Phase 3: Migrate SSSD Clients from LDAP to IPA</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_4_Reconfigure_non_SSSD_Clients">D.3.4. Phase 4: Reconfigure non-SSSD Clients</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_5_Decommission_the_Directory_Server">D.3.5. Phase 5: Decommission the Directory Server</a></span></dt></dl></dd></dl></div><div class="sectio
n" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Overview"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Overview">D.1. Overview</h2></div></div></div><div class="para">
+ </div></div></div><div xml:lang="en-US" class="appendix" id="Migrating_from_a_Directory_Server_to_IPA" lang="en-US"><div class="titlepage"><div><div><h1 class="title">Migrating from a Directory Server to IPA</h1></div></div></div><div class="toc"><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Overview">C.1. Overview</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Assumptions">C.1.1. Assumptions</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Known_Issues">C.1.2. Known Issues</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Possible_Scenarios">C.1.3. Possible Scenarios</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Initial_and_Final_States">C.1.4. Initial and Final States</a></sp
an></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Recommended_Sequence_of_Steps">C.1.5. Recommended Sequence of Steps</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Overview-Implementation_Details">C.1.6. Implementation Details</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration">C.2. Performing a Server-based Migration</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA">C.2.1. Phase 1: Migrating Existing Data to IPA</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_2_Updating_the_Client_Configuration">C.2.2. Phase 2: Updating the Client Configuration</a
></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD">C.2.3. Phase 3: Installing and Configuring SSSD</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_4_Migrating_Users">C.2.4. Phase 4: Migrating Users</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_5_Decommission_the_DS">C.2.5. Phase 5: Decommission the DS</a></span></dt></dl></dd><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration">C.3. Performing a Client-based Migration</a></span></dt><dd><dl><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_1_Installing_and_Configuring
_SSSD">C.3.1. Phase 1: Installing and Configuring SSSD</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_2_Migrating_Existing_Data_to_IPA">C.3.2. Phase 2: Migrating Existing Data to IPA</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_3_Migrate_SSSD_Clients_from_LDAP_to_IPA">C.3.3. Phase 3: Migrate SSSD Clients from LDAP to IPA</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_4_Reconfigure_non_SSSD_Clients">C.3.4. Phase 4: Reconfigure non-SSSD Clients</a></span></dt><dt><span class="section"><a href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_5_Decommission_the_Directory_Server">C.3.5. Phase 5: Decommission the Directory Server</a></span></dt></dl></dd></dl></div><div class="sectio
n" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Overview"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Overview">C.1. Overview</h2></div></div></div><div class="para">
This appendix addresses the situation where a customer has previously deployed an internal Directory Server (DS) and is planning to use IPA instead. The customer needs to transfer all user data from the DS to IPA so that IPA can function fully and correctly. The goal is to perform this migration without requiring that users change their passwords or perform some other specific action.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Assumptions"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Assumptions">D.1.1. Assumptions</h3></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Assumptions"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Assumptions">C.1.1. Assumptions</h3></div></div></div><div class="para">
It is not practical to identify and address each of the scenarios in which a DS and IPA might be deployed, and where migration might be required. Consequently, the following assumptions are made:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
This is a one-to-one transition from one DS realm to one IPA realm. No consolidation is involved.
@@ -4939,7 +4163,7 @@ debug=True</pre>
Some machines might be present that are managed by <code class="systemitem">NIS</code> or are not part of the DS deployment, but are planned to be part of the IPA domain
</div><div class="para">
Machines that cannot be moved from the <code class="systemitem">NIS</code> domain to LDAP or IPA because they are old and do not support <code class="systemitem">nss_ldap</code> are assumed to remain in and be served by the <code class="systemitem">NIS</code> domain. The migration of such machines to the IPA domain, while possible, is a challenging task and is out of the scope of the current use case.
- </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Known_Issues"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Known_Issues">D.1.2. Known Issues</h3></div></div></div><div class="para">
+ </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Known_Issues"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Known_Issues">C.1.2. Known Issues</h3></div></div></div><div class="para">
A number of issues exist that need to be considered when planning the migration:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
A generic DS uses a different schema and <em class="firstterm">Directory Information Tree (DIT)</em> when compared to IPA. No known DS uses the same flat DIT structure that IPA uses. IPA is optimized for performance, and attempts to avoid any architectural design flaws that have occurred in the past.
@@ -4947,7 +4171,7 @@ debug=True</pre>
IPA uses Kerberos for authentication, and so each user requires that Kerberos keys be stored in the IPA DS, in addition to the standard LDAP hashes used by the DS
</div><div class="para">
In order to generate these keys, the password needs to be available in clear text to IPA's DS password plug-in. It is available when the user is created in IPA using IPA tools or LDAP, but this is not the case when the user is migrated from other external storage such as another DS. Consequently, the existing password hashes can be reloaded, but the Kerberos hashes cannot be generated. IPA provides a number of solutions to overcome this issue; these are described later in this appendix.
- </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Possible_Scenarios"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Possible_Scenarios">D.1.3. Possible Scenarios</h3></div></div></div><div class="para">
+ </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Possible_Scenarios"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Possible_Scenarios">C.1.3. Possible Scenarios</h3></div></div></div><div class="para">
The following have been identified as typical migration scenarios:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Migrate an existing environment to IPA but do not use its Kerberos features for now
@@ -4955,13 +4179,13 @@ debug=True</pre>
Migrate an existing environment to IPA and use its Kerberos features using only IPA v1 functionality. That is, do not use SSSD.
</div></li><li class="listitem"><div class="para">
Migrate an existing environment to IPA and use its Kerberos features on some machines, while some machines will use SSSD and some will not; this is the primary use case.
- </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Initial_and_Final_States"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Initial_and_Final_States">D.1.4. Initial and Final States</h3></div></div></div><div class="para">
+ </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Initial_and_Final_States"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Initial_and_Final_States">C.1.4. Initial and Final States</h3></div></div></div><div class="para">
The following sections describe the initial, pre‐migration state, and the final, post‐migration state of a DS deployment when migrating to a single IPA domain.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Initial_and_Final_States-Initial_State"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Initial_and_Final_States-Initial_State">D.1.4.1. Initial State</h4></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Initial_and_Final_States-Initial_State"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Initial_and_Final_States-Initial_State">C.1.4.1. Initial State</h4></div></div></div><div class="para">
In the initial state, there is a single data source (the Directory Server) and a single client machine configuration. This client configuration uses <code class="systemitem">LDAP</code> to connect to the Directory Server and retrieve information about users and groups. This configuration uses <code class="systemitem">PAM_LDAP</code> and <code class="systemitem">NSS_LDAP</code> for authentication and identity lookups. These modules enable the client systems to use data retrieved from the DS just as if it were stored in <code class="filename">/etc/passwd</code> or <code class="filename">/etc/shadow</code>. The following diagram illustrates this type of implementation, where <code class="systemitem">LDAP</code> is used to connect to the DS for both authentication and authorization. The case where <code class="systemitem">Kerberos</code> is used for authentication and <code class="systemitem">LDAP</code> for identity, and where these two data stores are synchronized, is not
described here. Consequently, the initial state may not be as simple or as straightforward as displayed here, however the approach and the final state will be similar.
- </div><div class="figure" id="figu-Enterprise_Identity_Management_Guide-Initial_State-Initial_state_of_deployment_before_migrating_to_IPA."><div class="figure-contents"><div class="mediaobject"><img src="./images/IPA_Migration_Initial_State.png" alt="Initial state of deployment before migrating to IPA." /></div></div><h6>Figure D.1. Initial state of deployment before migrating to IPA.</h6></div><br class="figure-break" /></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Initial_and_Final_States-Final_State"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Initial_and_Final_States-Final_State">D.1.4.2. Final State</h4></div></div></div><div class="para">
- In the final state, even though only a single data source exists, multiple possible machine configurations are now possible. This is illustrated in <a class="xref" href="#figu-Enterprise_Identity_Management_Guide-Final_State-Final_state_of_deployment_after_migrating_to_IPA">Figure D.2, “Final state of deployment after migrating to IPA”</a>
- </div><div class="figure" id="figu-Enterprise_Identity_Management_Guide-Final_State-Final_state_of_deployment_after_migrating_to_IPA"><div class="figure-contents"><div class="mediaobject"><img src="./images/IPA_Migration_Final_State.png" alt="Final state of deployment after migrating to IPA" /></div></div><h6>Figure D.2. Final state of deployment after migrating to IPA</h6></div><br class="figure-break" /><div class="section" id="sect-Enterprise_Identity_Management_Guide-Final_State-Configuration_Options"><div class="titlepage"><div><div><h5 class="title" id="sect-Enterprise_Identity_Management_Guide-Final_State-Configuration_Options">D.1.4.2.1. Configuration Options</h5></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Configuration_Options-Connected_to_IPA_via_SSSD_Using_SSSDs_LDAP_Back_End"><h5 class="formalpara">Connected to IPA via SSSD Using SSSD's LDAP Back End</h5>
+ </div><div class="figure" id="figu-Enterprise_Identity_Management_Guide-Initial_State-Initial_state_of_deployment_before_migrating_to_IPA."><div class="figure-contents"><div class="mediaobject"><img src="./images/IPA_Migration_Initial_State.png" alt="Initial state of deployment before migrating to IPA." /></div></div><h6>Figure C.1. Initial state of deployment before migrating to IPA.</h6></div><br class="figure-break" /></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Initial_and_Final_States-Final_State"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Initial_and_Final_States-Final_State">C.1.4.2. Final State</h4></div></div></div><div class="para">
+ In the final state, even though only a single data source exists, multiple possible machine configurations are now possible. This is illustrated in <a class="xref" href="#figu-Enterprise_Identity_Management_Guide-Final_State-Final_state_of_deployment_after_migrating_to_IPA">Figure C.2, “Final state of deployment after migrating to IPA”</a>
+ </div><div class="figure" id="figu-Enterprise_Identity_Management_Guide-Final_State-Final_state_of_deployment_after_migrating_to_IPA"><div class="figure-contents"><div class="mediaobject"><img src="./images/IPA_Migration_Final_State.png" alt="Final state of deployment after migrating to IPA" /></div></div><h6>Figure C.2. Final state of deployment after migrating to IPA</h6></div><br class="figure-break" /><div class="section" id="sect-Enterprise_Identity_Management_Guide-Final_State-Configuration_Options"><div class="titlepage"><div><div><h5 class="title" id="sect-Enterprise_Identity_Management_Guide-Final_State-Configuration_Options">C.1.4.2.1. Configuration Options</h5></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Configuration_Options-Connected_to_IPA_via_SSSD_Using_SSSDs_LDAP_Back_End"><h5 class="formalpara">Connected to IPA via SSSD Using SSSD's LDAP Back End</h5>
Clients connect to IPA via SSSD. SSSD is integrated into the PAM and NSS stacks by means of PAM_SSS and NSS_SSS, respectively. SSSD's LDAP back end is configured for both authentication and for identity lookups. In this use case, IPA functions like a normal DS.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
Kerberos authentication can be configured instead of LDAP authentication. In this case, IPA acts as a normal DS for identity lookups and a normal KDC for Kerberos authentication.
@@ -4973,7 +4197,7 @@ debug=True</pre>
Clients connect directly to IPA and use PAM_KRB5 and NSS_LDAP. This is the same configuration as that provided for IPA v1.x
</div><div class="para">
In the initial state, clients use LDAP to communicate with the Directory Server to retrieve information about users and groups. <code class="systemitem">PAM_LDAP</code> and <code class="systemitem">NSS_LDAP</code> are modules that enable the client systems to use data retrieved from the Directory Server as if it were stored in <code class="filename">/etc/passwd</code> or <code class="filename">/etc/shadow</code>. In the final state, IPA provides all of the same functionality and many more features besides.
- </div></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Recommended_Sequence_of_Steps"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Recommended_Sequence_of_Steps">D.1.5. Recommended Sequence of Steps</h3></div></div></div><div class="para">
+ </div></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Recommended_Sequence_of_Steps"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Recommended_Sequence_of_Steps">C.1.5. Recommended Sequence of Steps</h3></div></div></div><div class="para">
The migration from DS to IPA requires:
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Installing IPA on a suitable machine
@@ -4997,13 +4221,13 @@ debug=True</pre>
Deploy SSSD first
</div></li></ul></div><div class="para">
Each approach is valid and accomplishes the same goal, but using a different sequence of operations.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Recommended_Sequence_of_Steps-Comparison_of_Migration_Strategies"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Recommended_Sequence_of_Steps-Comparison_of_Migration_Strategies">D.1.5.1. Comparison of Migration Strategies</h4></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Recommended_Sequence_of_Steps-Comparison_of_Migration_Strategies"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Recommended_Sequence_of_Steps-Comparison_of_Migration_Strategies">C.1.5.1. Comparison of Migration Strategies</h4></div></div></div><div class="para">
Each approach has a different impact on the IT team and the users. You need to select the approach that best suits your deployment. These scenarios can be modified to meet the needs of your enterprise. Provided you understand the implications and reasoning behind each step, there is no requirement to follow the steps in the given order. It is important to understand that until the Kerberos keys are generated in IPA, users will not be able to authenticate with Kerberos credentials using <code class="systemitem">PAM_KRB5</code> or <code class="command">kinit</code>.
</div><div class="para">
You should also consider an alternative migration scenario, where passwords are not migrated. In this scenario, users are not migrated into IPA but rather added as new users with new passwords. Users would then change their password the first time they authenticate. The initial password would be defined by IT and sent to users by email or communicated in some other way.
</div><div class="para">
Migrating users from an existing system provides a smoother transition but also requires parallel management of DS and IPA during the migration. If you do not preserve passwords, the migration can be performed more quickly and you can avoid the period of double management of IPA and DS.
- </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Implementation_Details"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Implementation_Details">D.1.6. Implementation Details</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Implementation_Details"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Implementation_Details">C.1.6. Implementation Details</h3></div></div></div><div class="para">
The following sequence of operations occurs when users are migrated using SSSD:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
A user tries to log in to the machine.
@@ -5029,15 +4253,15 @@ debug=True</pre>
If the bind operation fails for any reason, the IPA identity provider back end will fail authentication, otherwise it will continue.
</div></li><li class="listitem"><div class="para">
The IPA identity provider back end will unbind and try Kerberos authentication again. This time it is expected to succeed because the keys already exist in the entry.
- </div></li></ul></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration">D.2. Performing a Server-based Migration</h2></div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
+ </div></li></ul></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration">C.2. Performing a Server-based Migration</h2></div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
Each phase of the migration should be performed as a single step.
- </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA">D.2.1. Phase 1: Migrating Existing Data to IPA</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA">C.2.1. Phase 1: Migrating Existing Data to IPA</h3></div></div></div><div class="para">
The first phase of the migration consists of setting up IPA and migrating data from the existing DS to that used by IPA. This involves the use of the <code class="command">ipa migrate-ds</code> command, which dumps the user data from the original DS, converts it into a format suitable for use by IPA, and then loads the converted data into IPA.
</div><div class="para">
The <code class="command">ipa migrate-ds</code> command connects to the DS and binds as the <code class="systemitem">Directory Manager</code>, and then extracts all objectClass=person objects from ou=People. This can be changed using the <code class="option">--user-container</code> option. It also extracts all objects from ou=Groups. This can be changed using the <code class="option">--group-container</code> option. It adds all object classes and attributes required by IPA (if they are missing) and coverts DNs in attributes to match the IPA Directory Information Tree (DIT). The command returns an error if migration is not enabled.
</div><div class="para">
Refer to the <code class="command">ipa migrate-ds</code> help page for more details about this command (<code class="command">ipa help migrate-ds</code>).
- </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Phase_1_Migrating_Existing_Data_to_IPA-To_migrate_existing_data_to_IPA"><h6>Procedure D.1. To migrate existing data to IPA:</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Phase_1_Migrating_Existing_Data_to_IPA-To_migrate_existing_data_to_IPA"><h6>Procedure C.1. To migrate existing data to IPA:</h6><ol class="1"><li class="step"><div class="para">
Install IPA, including any custom DS schema, on a different machine from the existing DS. Refer to
</div></li><li class="step"><div class="para">
Use the following command to enable IPA migration mode:
@@ -5061,7 +4285,7 @@ debug=True</pre>
The migration log file is currently not implemented. Instead, any error messages are printed to standard output.
</div></div></div>
- </div></li></ol></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_2_Updating_the_Client_Configuration"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_2_Updating_the_Client_Configuration">D.2.2. Phase 2: Updating the Client Configuration</h3></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Phase_2_Updating_the_Client_Configuration-To_update_the_client_configuration"><h6>Procedure D.2. To update the client configuration:</h6><ul><li class="step"><div class="para">
+ </div></li></ol></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_2_Updating_the_Client_Configuration"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_2_Updating_the_Client_Configuration">C.2.2. Phase 2: Updating the Client Configuration</h3></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Phase_2_Updating_the_Client_Configuration-To_update_the_client_configuration"><h6>Procedure C.2. To update the client configuration:</h6><ul><li class="step"><div class="para">
Update the client configuration to use PAM_LDAP and NSS_LDAP to connect to IPA instead of connecting to DS, NIS, or using local files.
<div class="itemizedlist"><ul><li class="listitem"><div class="para">
If the intention is to automatically generate the Kerberos keys when a user authenticates, the configuration should use startTLS and simple bind authentication. For this to occur, the IT department needs to ensure the IPA server certificate is copied to the client.
@@ -5071,7 +4295,7 @@ debug=True</pre>
</div></li></ul></div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
You should not update your client configuration to use PAM_KRB5 and NSS_LDAP (that is, the equivalent of IPA v1) at this stage unless absolutely necessary. This is because the Kerberos keys will not yet exist in the IPA user entries, and consequently users will not be able to log in. If such a configuration is required, users can be directed to a specific web page on the IPA server after the data has been loaded into the IPA server. This page will prompt the user for their password and perform an LDAP bind. The DS password plug-in will capture these passwords and generate the Kerberos keys.
- </div></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD">D.2.3. Phase 3: Installing and Configuring SSSD</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Phase_3_Installing_and_Configuring_SSSD-To_install_and_configure_SSSD"><h5 class="formalpara">To install and configure SSSD:</h5>
+ </div></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD">C.2.3. Phase 3: Installing and Configuring SSSD</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Phase_3_Installing_and_Configuring_SSSD-To_install_and_configure_SSSD"><h5 class="formalpara">To install and configure SSSD:</h5>
<div class="orderedlist"><ol><li class="listitem"><div class="para">
Install SSSD on the machines that can support it:
</div><div class="para">
@@ -5080,24 +4304,24 @@ debug=True</pre>
Configure SSSD to use IPA as a back end (Kerberos and LDAP). Installing SSSD and enrolling the client with IPA will ensure delivery of the machine Kerberos key and server certificate to the client. Refer to
</div></li></ol></div>
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_4_Migrating_Users"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_4_Migrating_Users">D.2.4. Phase 4: Migrating Users</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Phase_4_Migrating_Users-To_migrate_the_users_from_DS_to_IPA"><h5 class="formalpara">To migrate the users from DS to IPA:</h5>
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_4_Migrating_Users"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_4_Migrating_Users">C.2.4. Phase 4: Migrating Users</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Phase_4_Migrating_Users-To_migrate_the_users_from_DS_to_IPA"><h5 class="formalpara">To migrate the users from DS to IPA:</h5>
<div class="orderedlist"><ol><li class="listitem"><div class="para">
- Instruct users to log in to IPA using either an SSSD client or a client that supports PAM_LDAP with startTLS and simple bind. An SSSD client configured as described in <a class="xref" href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD">Section D.2.3, “Phase 3: Installing and Configuring SSSD”</a> will perform a silent migration. Clients configured with startTLS and simple bind will also trigger key generation. A Kerberos key is created the first time a user logs in, and this key is stored in the IPA back end.
+ Instruct users to log in to IPA using either an SSSD client or a client that supports PAM_LDAP with startTLS and simple bind. An SSSD client configured as described in <a class="xref" href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD">Section C.2.3, “Phase 3: Installing and Configuring SSSD”</a> will perform a silent migration. Clients configured with startTLS and simple bind will also trigger key generation. A Kerberos key is created the first time a user logs in, and this key is stored in the IPA back end.
</div></li><li class="listitem"><div class="para">
As the migration of the user population progresses (that is, as the Kerberos keys are generated on the IPA server), you can begin to configure other, non-SSSD clients to suit your requirements.
</div></li></ol></div>
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_5_Decommission_the_DS"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_5_Decommission_the_DS">D.2.5. Phase 5: Decommission the DS</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_5_Decommission_the_DS"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_5_Decommission_the_DS">C.2.5. Phase 5: Decommission the DS</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
When the migration of all clients and users is complete, decommission the DS.
- </div></li></ul></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration">D.3. Performing a Client-based Migration</h2></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_1_Installing_and_Configuring_SSSD"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_1_Installing_and_Configuring_SSSD">D.3.1. Phase 1: Installing and Configuring SSSD</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
+ </div></li></ul></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration">C.3. Performing a Client-based Migration</h2></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_1_Installing_and_Configuring_SSSD"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_1_Installing_and_Configuring_SSSD">C.3.1. Phase 1: Installing and Configuring SSSD</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Install SSSD first on the machines that can support it:
</div><div class="para">
<code class="command"># yum install sssd</code>
</div></li><li class="listitem"><div class="para">
Configure SSSD with the LDAP back end and point it to the existing DS deployment.
- </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_2_Migrating_Existing_Data_to_IPA"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_2_Migrating_Existing_Data_to_IPA">D.3.2. Phase 2: Migrating Existing Data to IPA</h3></div></div></div><div class="para">
- Install IPA and migrate the existing DS data as described in <a class="xref" href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA">Section D.2.1, “Phase 1: Migrating Existing Data to IPA”</a>
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_3_Migrate_SSSD_Clients_from_LDAP_to_IPA"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_3_Migrate_SSSD_Clients_from_LDAP_to_IPA">D.3.3. Phase 3: Migrate SSSD Clients from LDAP to IPA</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
+ </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_2_Migrating_Existing_Data_to_IPA"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_2_Migrating_Existing_Data_to_IPA">C.3.2. Phase 2: Migrating Existing Data to IPA</h3></div></div></div><div class="para">
+ Install IPA and migrate the existing DS data as described in <a class="xref" href="#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA">Section C.2.1, “Phase 1: Migrating Existing Data to IPA”</a>
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_3_Migrate_SSSD_Clients_from_LDAP_to_IPA"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_3_Migrate_SSSD_Clients_from_LDAP_to_IPA">C.3.3. Phase 3: Migrate SSSD Clients from LDAP to IPA</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Start moving clients that have SSSD installed from the LDAP back end to the IPA back end, and enroll them with IPA. This will download the required keys and certificates.
</div></li><li class="listitem"><div class="para">
Instruct users to use (that is, to log in at least once) the machines with SSSD and IPA back end, or go to the web page and authenticate.
@@ -5110,9 +4334,9 @@ debug=True</pre>
</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
It is important to include the quotes around the filter so that it is not interpreted by the shell.
- </div></div></div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_4_Reconfigure_non_SSSD_Clients"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_4_Reconfigure_non_SSSD_Clients">D.3.4. Phase 4: Reconfigure non-SSSD Clients</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
+ </div></div></div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_4_Reconfigure_non_SSSD_Clients"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_4_Reconfigure_non_SSSD_Clients">C.3.4. Phase 4: Reconfigure non-SSSD Clients</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
As the user population is migrated (the Kerberos keys are generated), you can start reconfiguring other (non‐SSSD) clients as required. The clients can be set up in any state shown on the diagram above.
- </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_5_Decommission_the_Directory_Server"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_5_Decommission_the_Directory_Server">D.3.5. Phase 5: Decommission the Directory Server</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
+ </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_5_Decommission_the_Directory_Server"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_5_Decommission_the_Directory_Server">C.3.5. Phase 5: Decommission the Directory Server</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
When the migration of the clients is complete, decommission the DS.
</div></li></ul></div></div></div></div><div xml:lang="en-US" class="glossary" id="Glossary" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Glossary</h2></div></div></div><div class="glossdiv"><h3 class="title">A</h3><dl><dt>access control instruction</dt><dd><p>See <a class="glosssee" href="#aci">ACI</a>.</p></dd><dt>access control list</dt><dd><p>See <a class="glosssee" href="#ACL">ACL</a>.</p></dd><dt>access rights</dt><dd><div class="para">
In the context of access control, specify the level of access granted or denied. Access rights are related to the type of operation that can be performed on the directory. The following rights can be granted or denied: read, write, add, delete, search, compare, selfwrite, proxy and all.
@@ -5448,4 +4672,4 @@ debug=True</pre>
Speeds up the display of entries in the Directory Server Console. Virtual list view indexes can be created on any branch point in the directory tree to improve display performance.
</div><p>See Also <a class="glossseealso" href="#browsing-index">browsing index</a>.</p></dd></dl></div><div class="glossdiv"><h3 class="title">X</h3><dl><dt>X.500 standard</dt><dd><div class="para">
The set of ISO/ITU-T documents outlining the recommended information model, object classes and attributes used by directory server implementation.
-</div></dd></dl></div></div><div class="index" id="id3103175"><div class="titlepage"><div><div><h2 class="title">Index</h2></div></div></div><div class="index"></div></div></div></body></html>
+</div></dd></dl></div></div><div class="index" id="id3210842"><div class="titlepage"><div><div><h2 class="title">Index</h2></div></div></div><div class="index"></div></div></div></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_Certificates_and_Certificate_Authorities.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_Certificates_and_Certificate_Authorities.html
index b6b4e1d..c3b1461 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_Certificates_and_Certificate_Authorities.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_Certificates_and_Certificate_Authorities.html
@@ -1,17 +1,17 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>13.4. Configuring Certificates and Certificate Authorities</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>12.4. Configuring Certificates and Certificate Authorities</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="server-config.html" title="Chapter 13. Configuring the FreeIPA Server" /><link rel="prev" href="Managing-Unique_UID_and_GID_Attributes.html" title="13.3. Managing Unique UID and GID Number Assignments" /><link rel="next" href="ipa-apache.html" title="13.5. Setting a FreeIPA Server as an Apache Virtual Host" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p"
href="Managing-Unique_UID_and_GID_Attributes.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="ipa-apache.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_Certificates_and_Certificate_Authorities"><div class="titlepage"><div><div><h2 class="title" id="Configuring_Certificates_and_Certificate_Authorities">13.4. Configuring Certificates and Certificate Authorities</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="server-config.html" title="Chapter 12. Configuring the FreeIPA Server" /><link rel="prev" href="Managing-Unique_UID_and_GID_Attributes.html" title="12.3. Managing Unique UID and GID Number Assignments" /><link rel="next" href="ipa-apache.html" title="12.5. Setting a FreeIPA Server as an Apache Virtual Host" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p"
href="Managing-Unique_UID_and_GID_Attributes.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="ipa-apache.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_Certificates_and_Certificate_Authorities"><div class="titlepage"><div><div><h2 class="title" id="Configuring_Certificates_and_Certificate_Authorities">12.4. Configuring Certificates and Certificate Authorities</h2></div></div></div><div class="para">
FreeIPA creates a self-signed Certificate Authority (<abbr class="abbrev">CA</abbr>) during the installation process. If you have your own or a preferred <abbr class="abbrev">CA</abbr>, however, and want to use your own certificates, FreeIPA provides the necessary tools to import certificates for use by 389 Directory Server and the <code class="systemitem">HTTP</code> server. While not a prerequisite for the correct operation of FreeIPA, it is recommended that you save an <acronym class="acronym">ASCII</acronym> copy of your <abbr class="abbrev">CA</abbr> certificate as <code class="filename">/usr/share/ipa/html/ca.crt</code> to ensure that users download the correct certificate.
- </div><div class="section" id="Configuring_Certificates_and_Certificate_Authorities-Installing_Your_Own_Certificate"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Certificates_and_Certificate_Authorities-Installing_Your_Own_Certificate">13.4.1. Installing Your Own Certificate</h3></div></div></div><div class="para">
+ </div><div class="section" id="Configuring_Certificates_and_Certificate_Authorities-Installing_Your_Own_Certificate"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Certificates_and_Certificate_Authorities-Installing_Your_Own_Certificate">12.4.1. Installing Your Own Certificate</h3></div></div></div><div class="para">
Use the <code class="command">ipa-server-certinstall</code> command to install your own certificate. You can install the certificate for use by 389 Directory Server, <code class="systemitem">HTTP</code> Server, or both.
- </div><pre class="screen"># /usr/sbin/ipa-server-certinstall -d /path/to/pkcs12.p12</pre></div><div class="section" id="Configuring_Certificates_and_Certificate_Authorities-Using_Your_Own_Certificate_with_Firefox"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Certificates_and_Certificate_Authorities-Using_Your_Own_Certificate_with_Firefox">13.4.2. Using Your Own Certificate with Firefox</h3></div></div></div><div class="para">
+ </div><pre class="screen"># /usr/sbin/ipa-server-certinstall -d /path/to/pkcs12.p12</pre></div><div class="section" id="Configuring_Certificates_and_Certificate_Authorities-Using_Your_Own_Certificate_with_Firefox"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Certificates_and_Certificate_Authorities-Using_Your_Own_Certificate_with_Firefox">12.4.2. Using Your Own Certificate with Firefox</h3></div></div></div><div class="para">
To continue using the Firefox auto-configuration feature, you need an object-signing certificate, and you need to regenerate the <code class="filename">/usr/share/ipa/html/configure.jar</code> file.
</div><div class="orderedlist"><h6>To use your own certificate with Firefox:</h6><ol><li class="listitem"><div class="para">
Create a suitable directory and then create the new certificate database in that directory.
@@ -31,7 +31,7 @@
Use the certificate you created earlier to sign the javascript file and to regenerate the <code class="filename">configure.jar</code> file.
<pre class="screen"># signtool -d /tmp/signdb -k Signing_cert_nickname -Z /usr/share/ipa/html/configure.jar -e .html</pre>
- </div></li></ol></div></div><div class="section" id="Using_OCSP"><div class="titlepage"><div><div><h3 class="title" id="Using_OCSP">13.4.3. Using OCSP</h3></div></div></div><div class="para">
+ </div></li></ol></div></div><div class="section" id="Using_OCSP"><div class="titlepage"><div><div><h3 class="title" id="Using_OCSP">12.4.3. Using OCSP</h3></div></div></div><div class="para">
The Online Certificate Status Protocol (OCSP) is natively provided by the CA embedded into FreeIPA. This is so that any client that supports it can use OCSP for certificate validity checks.
</div><div class="para">
The OCSP responder URL is encoded into the certificates issued by FreeIPA. In order for that responder to be available, port 9180 needs to be open in the firewall. The OCSP URL uses the following format:
@@ -39,4 +39,4 @@
</div><div class="para">
For more information on OCSP, refer to the RFC at <a href="http://www.ietf.org/rfc/rfc2560.txt">http://www.ietf.org/rfc/rfc2560.txt</a>.
- </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Managing-Unique_UID_and_GID_Attributes.html"><strong>Prev</strong>13.3. Managing Unique UID and GID Number Assignme...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="ipa-apache.html"><strong>Next</strong>13.5. Setting a FreeIPA Server as an Apache Virtu...</a></li></ul></body></html>
+ </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Managing-Unique_UID_and_GID_Attributes.html"><strong>Prev</strong>12.3. Managing Unique UID and GID Number Assignme...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="ipa-apache.html"><strong>Next</strong>12.5. Setting a FreeIPA Server as an Apache Virtu...</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html
index 1880d5a..45b961c 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html
@@ -1,15 +1,15 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>6.4. Activating and Deactivating User Accounts</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>5.4. Activating and Deactivating User Accounts</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 6. Identity: Managing Users and User Groups" /><link rel="prev" href="editing-users.html" title="6.3. Editing Users" /><link rel="next" href="Configuring_IPA_Users-Specifying_Default_User_Settings.html" title="6.5. Specifying Default User Settings" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="editing-users.html"><strong
>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_IPA_Users-Specifying_Default_User_Settings.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts"><div class="titlepage"><div><div><h2 class="title" id="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts">6.4. Activating and Deactivating User Accounts</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 5. Identity: Managing Users and User Groups" /><link rel="prev" href="editing-users.html" title="5.3. Editing Users" /><link rel="next" href="Configuring_IPA_Users-Specifying_Default_User_Settings.html" title="5.5. Specifying Default User Settings" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="editing-users.html"><strong
>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_IPA_Users-Specifying_Default_User_Settings.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts"><div class="titlepage"><div><div><h2 class="title" id="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts">5.4. Activating and Deactivating User Accounts</h2></div></div></div><div class="para">
FreeIPA user accounts can be set to a status of <code class="literal">Active</code> or <code class="literal">Inactive</code>. If you deactivate a user account, that user can no longer log in to FreeIPA, change their password, or perform any other tasks. Any existing connections will remain valid until their <code class="systemitem">Kerberos</code> TGT and other tickets expire, but they will not be able to renew them. The account and all associated information still exists, but is inaccessible by the user.
- </div><div class="section" id="Activating_and_Deactivating_User_Accounts-Using_the_Command_Line"><div class="titlepage"><div><div><h3 class="title" id="Activating_and_Deactivating_User_Accounts-Using_the_Command_Line">6.4.1. Using the Command Line</h3></div></div></div><div class="para">
+ </div><div class="section" id="Activating_and_Deactivating_User_Accounts-Using_the_Command_Line"><div class="titlepage"><div><div><h3 class="title" id="Activating_and_Deactivating_User_Accounts-Using_the_Command_Line">5.4.1. Using the Command Line</h3></div></div></div><div class="para">
Use the <code class="command">ipa user-enable</code> and <code class="command">ipa user-disable</code> commands to enable and disable user accounts, respectively. Refer to the following examples:
</div><div class="para">
To disable the <code class="systemitem">jsmith</code> user account:
@@ -19,4 +19,4 @@
To enable the <code class="systemitem">jsmith</code> user account:
</div><div class="para">
$ ipa user-enable jsmith
- </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="editing-users.html"><strong>Prev</strong>6.3. Editing Users</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_IPA_Users-Specifying_Default_User_Settings.html"><strong>Next</strong>6.5. Specifying Default User Settings</a></li></ul></body></html>
+ </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="editing-users.html"><strong>Prev</strong>5.3. Editing Users</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_IPA_Users-Specifying_Default_User_Settings.html"><strong>Next</strong>5.5. Specifying Default User Settings</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_IPA_Users-Deleting_IPA_Users.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_IPA_Users-Deleting_IPA_Users.html
index c6f5add..ced7f5e 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_IPA_Users-Deleting_IPA_Users.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_IPA_Users-Deleting_IPA_Users.html
@@ -1,19 +1,19 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>6.7. Deleting FreeIPA Users</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>5.7. Deleting FreeIPA Users</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 6. Identity: Managing Users and User Groups" /><link rel="prev" href="search-limits.html" title="6.6. Setting Default Search Limits" /><link rel="next" href="user-groups.html" title="6.8. Creating User Groups" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="search-limits.html"><strong>Prev</strong></a></li><li class="next"
><a accesskey="n" href="user-groups.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_IPA_Users-Deleting_IPA_Users"><div class="titlepage"><div><div><h2 class="title" id="Configuring_IPA_Users-Deleting_IPA_Users">6.7. Deleting FreeIPA Users</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 5. Identity: Managing Users and User Groups" /><link rel="prev" href="search-limits.html" title="5.6. Setting Default Search Limits" /><link rel="next" href="user-groups.html" title="5.8. Creating User Groups" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="search-limits.html"><strong>Prev</strong></a></li><li class="next"
><a accesskey="n" href="user-groups.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_IPA_Users-Deleting_IPA_Users"><div class="titlepage"><div><div><h2 class="title" id="Configuring_IPA_Users-Deleting_IPA_Users">5.7. Deleting FreeIPA Users</h2></div></div></div><div class="para">
If you delete a FreeIPA user account, all of the information stored in the entry for that identity is lost. This includes the user's full name, group membership, phone numbers, and passwords. The actual user account and home directory still exist, be they on a server, local machine, or other provider, but they are no longer accessible by FreeIPA.
</div><div class="para">
Unlike deactivation, if you delete a user account, it cannot be retrieved. If you need this user account again, you need to recreate it and add all of the account details manually.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
Unlike in earlier versions of FreeIPA, it is now possible to delete the <code class="systemitem">admin</code> user. If, however, you delete all of the <code class="systemitem">admin</code> users then you will need to use the Directory Manager account to create a new administrative user. Alternatively, if you have a user in the group management role, they can add a new <code class="systemitem">admin</code> user.
- </div></div></div><div class="section" id="Deleting_IPA_Users-Using_the_Command_Line"><div class="titlepage"><div><div><h3 class="title" id="Deleting_IPA_Users-Using_the_Command_Line">6.7.1. Using the Command Line</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Deleting_IPA_Users-Using_the_Command_Line"><div class="titlepage"><div><div><h3 class="title" id="Deleting_IPA_Users-Using_the_Command_Line">5.7.1. Using the Command Line</h3></div></div></div><div class="para">
Use the <code class="command">ipa user-del</code> command to delete user accounts. For example:
</div><div class="para">
To delete the <code class="systemitem">jsmith</code> user account:
@@ -27,4 +27,4 @@
If you run this command without using the <code class="option">--continue</code> option, FreeIPA will delete the listed user accounts unless it encounters any errors, at which point it stops. For example, if <em class="parameter"><code>user_02</code></em> did not exist, the previous command would only delete <em class="parameter"><code>user_01</code></em>; <em class="parameter"><code>user_03</code></em> would not be affected.
</div><div class="para">
The <code class="option">--continue</code> option returns a summary of successes and failures to <code class="systemitem">stdout</code>.
- </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="search-limits.html"><strong>Prev</strong>6.6. Setting Default Search Limits</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="user-groups.html"><strong>Next</strong>6.8. Creating User Groups</a></li></ul></body></html>
+ </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="search-limits.html"><strong>Prev</strong>5.6. Setting Default Search Limits</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="user-groups.html"><strong>Next</strong>5.8. Creating User Groups</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_IPA_Users-Specifying_Default_User_Settings.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_IPA_Users-Specifying_Default_User_Settings.html
index c6e56dc..a6d2905 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_IPA_Users-Specifying_Default_User_Settings.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_IPA_Users-Specifying_Default_User_Settings.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>6.5. Specifying Default User Settings</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>5.5. Specifying Default User Settings</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 6. Identity: Managing Users and User Groups" /><link rel="prev" href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html" title="6.4. Activating and Deactivating User Accounts" /><link rel="next" href="search-limits.html" title="6.6. Setting Default Search Limits" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p"
href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="search-limits.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_IPA_Users-Specifying_Default_User_Settings"><div class="titlepage"><div><div><h2 class="title" id="Configuring_IPA_Users-Specifying_Default_User_Settings">6.5. Specifying Default User Settings</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 5. Identity: Managing Users and User Groups" /><link rel="prev" href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html" title="5.4. Activating and Deactivating User Accounts" /><link rel="next" href="search-limits.html" title="5.6. Setting Default Search Limits" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p"
href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="search-limits.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_IPA_Users-Specifying_Default_User_Settings"><div class="titlepage"><div><div><h2 class="title" id="Configuring_IPA_Users-Specifying_Default_User_Settings">5.5. Specifying Default User Settings</h2></div></div></div><div class="para">
You can configure the default settings for FreeIPA users to suit your deployment. For example, you can specify the maximum username length, the default path to the <code class="filename">/home</code> directory, the default shell, and other attributes.
</div><div class="para">
FreeIPA supports the following User Settings:
@@ -40,4 +40,4 @@ Certificate Subject base: O=MYDOMAIN.NET</pre><div class="para">
The default root directory for all home directories is <code class="filename">/home</code>, but it is the responsibility of the system administrator to ensure that whatever value is specified for this attribute is actually available.
</div><div class="para">
Fedora includes a <code class="systemitem">PAM</code> module called <code class="systemitem module">pam_mkhomedir</code> that can automatically create a home directory if one does not exist for the user authenticating against the system. FreeIPA does not force the use of this module because it may try to create home directories even when the shared storage is not available. It is the responsibility of the system administrator to activate this module on the clients if needed.
- </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html"><strong>Prev</strong>6.4. Activating and Deactivating User Accounts</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="search-limits.html"><strong>Next</strong>6.6. Setting Default Search Limits</a></li></ul></body></html>
+ </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html"><strong>Prev</strong>5.4. Activating and Deactivating User Accounts</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="search-limits.html"><strong>Next</strong>5.6. Setting Default Search Limits</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_Microsoft_Windows.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_Microsoft_Windows.html
index 8073a51..e375cba 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_Microsoft_Windows.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_Microsoft_Windows.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>3.2. Configuring a Microsoft Windows System as a FreeIPA Client</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2. Configuring a Microsoft Windows System as a FreeIPA Client</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="setting-up-clients.html" title="Chapter 3. Setting up Systems as FreeIPA Clients" /><link rel="prev" href="setting-up-clients.html" title="Chapter 3. Setting up Systems as FreeIPA Clients" /><link rel="next" href="Configuring_an_IPA_Client_on_Solaris.html" title="3.3. Configuring a Solaris System as a FreeIPA Client" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a acc
esskey="p" href="setting-up-clients.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_an_IPA_Client_on_Solaris.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_Microsoft_Windows"><div class="titlepage"><div><div><h2 class="title" id="Configuring_Microsoft_Windows">3.2. Configuring a Microsoft Windows System as a FreeIPA Client</h2></div></div></div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="setting-up-clients.html" title="Chapter 2. Setting up Systems as FreeIPA Clients" /><link rel="prev" href="setting-up-clients.html" title="Chapter 2. Setting up Systems as FreeIPA Clients" /><link rel="next" href="Configuring_an_IPA_Client_on_Solaris.html" title="2.3. Configuring a Solaris System as a FreeIPA Client" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a acc
esskey="p" href="setting-up-clients.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_an_IPA_Client_on_Solaris.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_Microsoft_Windows"><div class="titlepage"><div><div><h2 class="title" id="Configuring_Microsoft_Windows">2.2. Configuring a Microsoft Windows System as a FreeIPA Client</h2></div></div></div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
FreeIPA does <span class="emphasis"><em>not</em></span> support Microsoft Windows client authentication.
</div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Download the MIT Kerberos 3.x package for Windows.
@@ -29,4 +29,4 @@
Edit the hosts file and add the FreeIPA server. For example:
</div><pre class="programlisting">1.2.3.4 ipaserver.example.com ipaserver</pre><div class="para">
Depending on the version of Windows, the HOSTS file could be located in different directories.
- </div></li></ol></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="setting-up-clients.html"><strong>Prev</strong>Chapter 3. Setting up Systems as FreeIPA Clients</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_an_IPA_Client_on_Solaris.html"><strong>Next</strong>3.3. Configuring a Solaris System as a FreeIPA Cl...</a></li></ul></body></html>
+ </div></li></ol></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="setting-up-clients.html"><strong>Prev</strong>Chapter 2. Setting up Systems as FreeIPA Clients</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_an_IPA_Client_on_Solaris.html"><strong>Next</strong>2.3. Configuring a Solaris System as a FreeIPA Cl...</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html
index ce0f57c..666021d 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_AIX.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>3.5. Configuring an AIX System as a FreeIPA Client</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.5. Configuring an AIX System as a FreeIPA Client</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="setting-up-clients.html" title="Chapter 3. Setting up Systems as FreeIPA Clients" /><link rel="prev" href="Configuring_an_IPA_Client_on_HP_UX.html" title="3.4. Configuring an HP-UX System as a FreeIPA" /><link rel="next" href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html" title="3.6. Configuring a Macintosh OS X System as a FreeIPA Client" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><
li class="previous"><a accesskey="p" href="Configuring_an_IPA_Client_on_HP_UX.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_an_IPA_Client_on_AIX"><div class="titlepage"><div><div><h2 class="title" id="Configuring_an_IPA_Client_on_AIX">3.5. Configuring an AIX System as a FreeIPA Client</h2></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_AIX-Prerequisites"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_AIX-Prerequisites">3.5.1. Prerequisites</h3></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="setting-up-clients.html" title="Chapter 2. Setting up Systems as FreeIPA Clients" /><link rel="prev" href="Configuring_an_IPA_Client_on_HP_UX.html" title="2.4. Configuring an HP-UX System as a FreeIPA" /><link rel="next" href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html" title="2.6. Configuring a Macintosh OS X System as a FreeIPA Client" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><
li class="previous"><a accesskey="p" href="Configuring_an_IPA_Client_on_HP_UX.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_an_IPA_Client_on_AIX"><div class="titlepage"><div><div><h2 class="title" id="Configuring_an_IPA_Client_on_AIX">2.5. Configuring an AIX System as a FreeIPA Client</h2></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_AIX-Prerequisites"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_AIX-Prerequisites">2.5.1. Prerequisites</h3></div></div></div><div class="para">
Make sure that all of these packages are installed on the AIX machine before beginning the client configuration:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
v5.3 OS
@@ -31,7 +31,7 @@
modcrypt.base (for gssd)
</div></li></ul></div><div class="para">
Configure and enable NTP and make sure that time is synchronized between the client and the FreeIPA server.
- </div></div><div class="section" id="Configuring_an_IPA_Client_on_AIX-Configuring_Client_Authentication"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_AIX-Configuring_Client_Authentication">3.5.2. Configuring the AIX Client</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="Configuring_an_IPA_Client_on_AIX-Configuring_Client_Authentication"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_AIX-Configuring_Client_Authentication">2.5.2. Configuring the AIX Client</h3></div></div></div><div class="para">
Setting up an AIX client requires setting up the client to work in the FreeIPA Kerberos domain and, optionally, to enable SSH authentication to the AIX client using FreeIPA credentials.
</div><div class="para">
Kerberos configuration includes specifying the realm and domain details, and default ticket attributes. Forwardable tickets are configured by default, which facilitates connection to the administration interface from any operating system, and also provides for auditing of administration operations. For example:
@@ -156,4 +156,4 @@ userPassword: secretpassword
To test the SSH configuration, try to log in as the admin user using SSH without providing a password.
</div><pre class="programlisting"> <span class="perl_Comment"># ssh admin at ipaclient.example.com</span></pre></li></ol></div></li></ol></div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
By default, the admin user is given <code class="command">/bin/bash</code> as the shell to use and <code class="filename">/home/admin</code> as the home directory. It may be necessary to install bash to be able to log in.
- </div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_an_IPA_Client_on_HP_UX.html"><strong>Prev</strong>3.4. Configuring an HP-UX System as a FreeIPA</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html"><strong>Next</strong>3.6. Configuring a Macintosh OS X System as a Fre...</a></li></ul></body></html>
+ </div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_an_IPA_Client_on_HP_UX.html"><strong>Prev</strong>2.4. Configuring an HP-UX System as a FreeIPA</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html"><strong>Next</strong>2.6. Configuring a Macintosh OS X System as a Fre...</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_HP_UX.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_HP_UX.html
index 1f12db9..ce222da 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_HP_UX.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_HP_UX.html
@@ -1,17 +1,17 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>3.4. Configuring an HP-UX System as a FreeIPA</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.4. Configuring an HP-UX System as a FreeIPA</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="setting-up-clients.html" title="Chapter 3. Setting up Systems as FreeIPA Clients" /><link rel="prev" href="Configuring_an_IPA_Client_on_Solaris.html" title="3.3. Configuring a Solaris System as a FreeIPA Client" /><link rel="next" href="Configuring_an_IPA_Client_on_AIX.html" title="3.5. Configuring an AIX System as a FreeIPA Client" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="p
revious"><a accesskey="p" href="Configuring_an_IPA_Client_on_Solaris.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_an_IPA_Client_on_AIX.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_an_IPA_Client_on_HP_UX"><div class="titlepage"><div><div><h2 class="title" id="Configuring_an_IPA_Client_on_HP_UX">3.4. Configuring an HP-UX System as a FreeIPA</h2></div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="setting-up-clients.html" title="Chapter 2. Setting up Systems as FreeIPA Clients" /><link rel="prev" href="Configuring_an_IPA_Client_on_Solaris.html" title="2.3. Configuring a Solaris System as a FreeIPA Client" /><link rel="next" href="Configuring_an_IPA_Client_on_AIX.html" title="2.5. Configuring an AIX System as a FreeIPA Client" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="p
revious"><a accesskey="p" href="Configuring_an_IPA_Client_on_Solaris.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_an_IPA_Client_on_AIX.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_an_IPA_Client_on_HP_UX"><div class="titlepage"><div><div><h2 class="title" id="Configuring_an_IPA_Client_on_HP_UX">2.4. Configuring an HP-UX System as a FreeIPA</h2></div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
The FreeIPA client installation process requires that a FreeIPA server already exist.
- </div></div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_NTP"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_NTP">3.4.1. Configuring NTP</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_NTP"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_NTP">2.4.1. Configuring NTP</h3></div></div></div><div class="para">
Configure and enable NTP and make sure that time is synchronized between the client and the FreeIPA server.
- </div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_LDAP_Authentication"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_LDAP_Authentication">3.4.2. Configuring LDAP Authentication</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ </div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_LDAP_Authentication"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_LDAP_Authentication">2.4.2. Configuring LDAP Authentication</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Install the <code class="filename">ldapux</code> client.
</div><pre class="programlisting"> <span class="perl_Comment"># swinstall -s J4269AA_B.04.15.01_HP-UX_B.11.23_IA_PA.depot</span></pre></li><li class="listitem"><div class="para">
Change to the configuration directory, and run the setup script.
@@ -69,7 +69,7 @@ Do you want to create custom search descriptors? [ No ]
enable=yes
</pre>
- </div></li></ol></div></div><div class="section" id="Configuring_Kerberos_and_PAM-Configuring_Kerberos"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Kerberos_and_PAM-Configuring_Kerberos">3.4.3. Configuring Kerberos</h3></div></div></div><div class="para">
+ </div></li></ol></div></div><div class="section" id="Configuring_Kerberos_and_PAM-Configuring_Kerberos"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Kerberos_and_PAM-Configuring_Kerberos">2.4.3. Configuring Kerberos</h3></div></div></div><div class="para">
Edit the <code class="filename">/etc/krb5.conf</code> file to reflect the Kerberos domain used by the FreeIPA server. Setting up the Kerberos configuration includes specifying the realm and domain details, and default ticket attributes. Forwardable tickets are configured by default, which facilitates connection to the administration interface from any operating system, and also provides for auditing of administration operations. For example:
</div><pre class="programlisting">[libdefaults]
default_realm = EXAMPLE.COM
@@ -93,9 +93,9 @@ example.com = EXAMPLE.COM
kinit = {
forwardable = true
}
-</pre></div><div class="section" id="Configuring_Kerberos_and_PAM-Configuring_PAM"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Kerberos_and_PAM-Configuring_PAM">3.4.4. Configuring PAM</h3></div></div></div><div class="para">
+</pre></div><div class="section" id="Configuring_Kerberos_and_PAM-Configuring_PAM"><div class="titlepage"><div><div><h3 class="title" id="Configuring_Kerberos_and_PAM-Configuring_PAM">2.4.4. Configuring PAM</h3></div></div></div><div class="para">
The PAM configuration differs slightly between different versions of HP-UX.
- </div><div class="section" id="Configuring_PAM-HP_UX_11i_v2"><div class="titlepage"><div><div><h4 class="title" id="Configuring_PAM-HP_UX_11i_v2">3.4.4.1. HP-UX 11i v2</h4></div></div></div><div class="para">
+ </div><div class="section" id="Configuring_PAM-HP_UX_11i_v2"><div class="titlepage"><div><div><h4 class="title" id="Configuring_PAM-HP_UX_11i_v2">2.4.4.1. HP-UX 11i v2</h4></div></div></div><div class="para">
Edit the <code class="filename">/etc/pam.conf</code> file so that all of the required modules are loaded for authentication. For example:
</div><pre class="programlisting">#
# PAM configuration
@@ -181,7 +181,7 @@ dtaction password required libpam_hpsec.so.1
dtaction password sufficient libpam_krb5.so.1
dtaction password required libpam_unix.so.1
OTHER password required libpam_unix.so.1
-</pre></div><div class="section" id="Configuring_PAM-HP_UX_11i_v1"><div class="titlepage"><div><div><h4 class="title" id="Configuring_PAM-HP_UX_11i_v1">3.4.4.2. HP-UX 11i v1</h4></div></div></div><div class="para">
+</pre></div><div class="section" id="Configuring_PAM-HP_UX_11i_v1"><div class="titlepage"><div><div><h4 class="title" id="Configuring_PAM-HP_UX_11i_v1">2.4.4.2. HP-UX 11i v1</h4></div></div></div><div class="para">
Edit the <code class="filename">/etc/pam.conf</code> file to reflect the following example:
</div><pre class="programlisting">#
# PAM configuration
@@ -242,7 +242,7 @@ dtlogin password required /usr/lib/security/libpam_unix.1
dtaction password sufficient /usr/lib/security/libpam_krb5.1
dtaction password required /usr/lib/security/libpam_unix.1
OTHER password required /usr/lib/security/libpam_unix.1
-</pre></div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_SSH"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_SSH">3.4.5. Configuring SSH</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+</pre></div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_SSH"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_SSH">2.4.5. Configuring SSH</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Ensure that you have version A.05.10.007 or later of <code class="command">ssh</code> installed. A current package can be downloaded from the HO website at <a href="http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA">http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA</a>.
</div></li><li class="listitem"><div class="para">
Edit the <code class="filename">/etc/opt/ssh/ssh_config</code> file:
@@ -267,9 +267,9 @@ OTHER password required /usr/lib/security/libpam_unix.1
Create the host keytab file.
</div><pre class="programlisting"> <span class="perl_Comment"># ipa-getkeytab -s ipaserver.example.com -p host/hpuxipaclient.example.com -k /tmp/krb5.keytab -e des-cbc-crc</span></pre></li><li class="listitem"><div class="para">
Copy this keytab to the HP-UX machine, and save it as <code class="filename">/etc/krb5/krb5.keytab</code>.
- </div><pre class="programlisting"> <span class="perl_Comment"># scp /tmp/krb5.keytab root at hpuxipaclient.example.com:/etc/krb5/krb5.keytab</span></pre></li></ol></div></li></ol></div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_Access_Control"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_Access_Control">3.4.6. Configuring Access Control</h3></div></div></div><div class="para">
+ </div><pre class="programlisting"> <span class="perl_Comment"># scp /tmp/krb5.keytab root at hpuxipaclient.example.com:/etc/krb5/krb5.keytab</span></pre></li></ol></div></li></ol></div></div><div class="section" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_Access_Control"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_HP_UX-Configuring_Access_Control">2.4.6. Configuring Access Control</h3></div></div></div><div class="para">
HP-UX systems provide the <code class="systemitem">pam_authz</code> PAM module, which can be used to control login access to the system based on a user's group membership. For details on how to configure access control with this module, see the HP documenttion at <a href="http://docs.hp.com/en/B3921-60631/pam_authz.5.html">http://docs.hp.com/en/B3921-60631/pam_authz.5.html</a>.
- </div><div class="example" id="ex.hp-pam-authz-mod"><h6>Example 3.1. pam_authz.policy File: Allow User Access, Deny Admin Access</h6><div class="example-contents"><div class="para">
+ </div><div class="example" id="ex.hp-pam-authz-mod"><h6>Example 2.1. pam_authz.policy File: Allow User Access, Deny Admin Access</h6><div class="example-contents"><div class="para">
This configuration in <code class="filename">/etc/opt/ldapux/pam_authz.policy</code> prevents the admin user from logging in while still allowing regular users to log in.
</div><pre class="programlisting">
# pam_authz.policy.template:
@@ -305,7 +305,7 @@ OTHER password required /usr/lib/security/libpam_unix.1
deny:unix_group:admins
allow:unix_local_user
-</pre></div></div><br class="example-break" /></div><div class="section" id="hp-test"><div class="titlepage"><div><div><h3 class="title" id="hp-test">3.4.7. Testing the Configuration</h3></div></div></div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
+</pre></div></div><br class="example-break" /></div><div class="section" id="hp-test"><div class="titlepage"><div><div><h3 class="title" id="hp-test">2.4.7. Testing the Configuration</h3></div></div></div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
By default, the admin user is given <code class="command">/bin/bash</code> as the shell to use and <code class="filename">/home/admin</code> as the home directory. It may be necessary to install bash to be able to log in.
</div></div></div><div class="para">
There are three quick ways to check the Kerberos and PAM configuration for the HP client:
@@ -316,4 +316,4 @@ allow:unix_local_user
Attempt to log into the HP machine from another machine in the domain using SSH. The admin user should be able to log in using SSH without being asked for a password.
</div><pre class="programlisting"> <span class="perl_Comment"># ssh admin at hpuxipaclient.example.com</span></pre></li><li class="listitem"><div class="para">
Log into the FreeIPA web UI using the administrator credentials on the HP machine.
- </div></li></ul></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_an_IPA_Client_on_Solaris.html"><strong>Prev</strong>3.3. Configuring a Solaris System as a FreeIPA Cl...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_an_IPA_Client_on_AIX.html"><strong>Next</strong>3.5. Configuring an AIX System as a FreeIPA Client</a></li></ul></body></html>
+ </div></li></ul></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_an_IPA_Client_on_Solaris.html"><strong>Prev</strong>2.3. Configuring a Solaris System as a FreeIPA Cl...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_an_IPA_Client_on_AIX.html"><strong>Next</strong>2.5. Configuring an AIX System as a FreeIPA Client</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Macintosh_OS_X.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Macintosh_OS_X.html
index 28333a6..e533588 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Macintosh_OS_X.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Macintosh_OS_X.html
@@ -1,17 +1,17 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>3.6. Configuring a Macintosh OS X System as a FreeIPA Client</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.6. Configuring a Macintosh OS X System as a FreeIPA Client</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="setting-up-clients.html" title="Chapter 3. Setting up Systems as FreeIPA Clients" /><link rel="prev" href="Configuring_an_IPA_Client_on_AIX.html" title="3.5. Configuring an AIX System as a FreeIPA Client" /><link rel="next" href="uninstalling-clients.html" title="3.7. Uninstalling a FreeIPA Client" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="Con
figuring_an_IPA_Client_on_AIX.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="uninstalling-clients.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X"><div class="titlepage"><div><div><h2 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X">3.6. Configuring a Macintosh OS X System as a FreeIPA Client</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="setting-up-clients.html" title="Chapter 2. Setting up Systems as FreeIPA Clients" /><link rel="prev" href="Configuring_an_IPA_Client_on_AIX.html" title="2.5. Configuring an AIX System as a FreeIPA Client" /><link rel="next" href="uninstalling-clients.html" title="2.7. Uninstalling a FreeIPA Client" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="Con
figuring_an_IPA_Client_on_AIX.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="uninstalling-clients.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X"><div class="titlepage"><div><div><h2 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X">2.6. Configuring a Macintosh OS X System as a FreeIPA Client</h2></div></div></div><div class="para">
These instructions are specific to Mac OS X 10.4 (Tiger) because this version includes the required Kerberos tools by default.
- </div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_Kerberos_Authentication"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_Kerberos_Authentication">3.6.1. Configuring Kerberos Authentication</h3></div></div></div><div class="para">
+ </div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_Kerberos_Authentication"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_Kerberos_Authentication">2.6.1. Configuring Kerberos Authentication</h3></div></div></div><div class="para">
Configuring the Macintosh to use Kerberos for authentication with FreeIPA is a two-step process. First, Kerberos needs to be correctly installed and configured. Then, Kerberos authentication needs to be enabled.
- </div><div class="section" id="Configuring_Kerberos_Authentication-Configuring_Kerberos"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Kerberos_Authentication-Configuring_Kerberos">3.6.1.1. Configuring Kerberos</h4></div></div></div><div class="para">
+ </div><div class="section" id="Configuring_Kerberos_Authentication-Configuring_Kerberos"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Kerberos_Authentication-Configuring_Kerberos">2.6.1.1. Configuring Kerberos</h4></div></div></div><div class="para">
Setting up the Kerberos configuration includes specifying the realm and domain details, and default ticket attributes. Forwardable tickets are configured by default, which facilitates connection to the administration interface from any operating system, and also provides for auditing of administration operations. For example, this is the Kerberos configuration for Fedora systems:
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Make sure that the Kerberos version is 4.2 or higher. The Kerberos directory is <code class="filename">/System/Library/CFMSupport/Kerberos</code>. If that directory does not exist or is the wrong version, install the Kerberos Extras support.
@@ -50,7 +50,7 @@ EXAMPLE.COM = {
default_domain = example.com
kdc = ipaserver.example.com:88
}
-</pre></li></ol></div></div><div class="section" id="Configuring_Kerberos_Authentication-Enabling_Kerberos_Authentication"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Kerberos_Authentication-Enabling_Kerberos_Authentication">3.6.1.2. Enabling Kerberos Authentication</h4></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+</pre></li></ol></div></div><div class="section" id="Configuring_Kerberos_Authentication-Enabling_Kerberos_Authentication"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Kerberos_Authentication-Enabling_Kerberos_Authentication">2.6.1.2. Enabling Kerberos Authentication</h4></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Log in as the admin user and launch a terminal.
</div></li><li class="listitem"><div class="para">
Change to the <code class="filename">/private/etc</code> directory and make a backup of the existing authorization file.
@@ -68,7 +68,7 @@ EXAMPLE.COM = {
Save and close the file.
</div></li><li class="listitem"><div class="para">
Restart the machine to enable Kerberos authentication.
- </div></li></ol></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_LDAP_Authorization"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_LDAP_Authorization">3.6.2. Configuring LDAP Authorization</h3></div></div></div><div class="section" id="Configuring_LDAP_Authorization-Creating_the_LDAP_Configuration"><div class="titlepage"><div><div><h4 class="title" id="Configuring_LDAP_Authorization-Creating_the_LDAP_Configuration">3.6.2.1. Creating the LDAP Configuration</h4></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ </div></li></ol></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_LDAP_Authorization"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_LDAP_Authorization">2.6.2. Configuring LDAP Authorization</h3></div></div></div><div class="section" id="Configuring_LDAP_Authorization-Creating_the_LDAP_Configuration"><div class="titlepage"><div><div><h4 class="title" id="Configuring_LDAP_Authorization-Creating_the_LDAP_Configuration">2.6.2.1. Creating the LDAP Configuration</h4></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Launch the Directory Access utility.
</div></li><li class="listitem"><div class="para">
In the <span class="guilabel"><strong>Services</strong></span> tab, clear all check boxes except LDAPv3 and Bonjour.
@@ -86,7 +86,7 @@ EXAMPLE.COM = {
Enter the configuration name, such as <code class="command">FreeIPA LDAP</code>.
</div></li><li class="listitem"><div class="para">
Select the <span class="guilabel"><strong>Enable</strong></span> checkbox, and clear the <span class="guilabel"><strong>SSL</strong></span> checkbox.
- </div></li></ol></div></div><div class="section" id="Configuring_LDAP_Authorization-Setting_up_the_LDAP_Service_Configuration_Options"><div class="titlepage"><div><div><h4 class="title" id="Configuring_LDAP_Authorization-Setting_up_the_LDAP_Service_Configuration_Options">3.6.2.2. Setting up the LDAP Service Configuration Options</h4></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ </div></li></ol></div></div><div class="section" id="Configuring_LDAP_Authorization-Setting_up_the_LDAP_Service_Configuration_Options"><div class="titlepage"><div><div><h4 class="title" id="Configuring_LDAP_Authorization-Setting_up_the_LDAP_Service_Configuration_Options">2.6.2.2. Setting up the LDAP Service Configuration Options</h4></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Select the newly-created LDAP configuration, and click <span class="guibutton"><strong>Edit</strong></span>.
</div></li><li class="listitem"><div class="para">
In the <span class="guilabel"><strong>Connection</strong></span> tab, specify the connection settings:
@@ -156,17 +156,17 @@ EXAMPLE.COM = {
UniqueID and uidNumber
</div></li></ul></div></li><li class="listitem"><div class="para">
Click <span class="guibutton"><strong>OK</strong></span> to finish setting up the LDAP service configuration options.
- </div></li></ol></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_the_LDAP_Authorization_Options"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_the_LDAP_Authorization_Options">3.6.3. Configuring the LDAP Authorization Options</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ </div></li></ol></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_the_LDAP_Authorization_Options"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_the_LDAP_Authorization_Options">2.6.3. Configuring the LDAP Authorization Options</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
In the <span class="guilabel"><strong>Authentication</strong></span> tab, change the <span class="guilabel"><strong>Search</strong></span> value to <span class="guilabel"><strong>Custom path</strong></span>.
</div></li><li class="listitem"><div class="para">
Click <span class="guibutton"><strong>Add</strong></span>.
</div></li><li class="listitem"><div class="para">
- Select the configuration created in <a class="xref" href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Configuring_LDAP_Authorization-Setting_up_the_LDAP_Service_Configuration_Options">Section 3.6.2.2, “Setting up the LDAP Service Configuration Options”</a>, and click <span class="guibutton"><strong>Add</strong></span>.
+ Select the configuration created in <a class="xref" href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Configuring_LDAP_Authorization-Setting_up_the_LDAP_Service_Configuration_Options">Section 2.6.2.2, “Setting up the LDAP Service Configuration Options”</a>, and click <span class="guibutton"><strong>Add</strong></span>.
</div></li><li class="listitem"><div class="para">
Click <span class="guibutton"><strong>Apply</strong></span> to update the LDAP configuration.
- </div></li></ol></div></div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_NTP"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_NTP">3.6.4. Configuring NTP</h3></div></div></div><div class="para">
+ </div></li></ol></div></div><div class="section" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_NTP"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_NTP">2.6.4. Configuring NTP</h3></div></div></div><div class="para">
Open the Date and Time utility and point it to the FreeIPA server URL to set the date and time automatically.
- </div></div><div class="section" id="testing-config-on-mac"><div class="titlepage"><div><div><h3 class="title" id="testing-config-on-mac">3.6.5. Testing the Configuration</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="testing-config-on-mac"><div class="titlepage"><div><div><h3 class="title" id="testing-config-on-mac">2.6.5. Testing the Configuration</h3></div></div></div><div class="para">
If client authentication is properly configured, a user can connect to the FreeIPA server using SSH without being prompted for a password.
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Obtain a Kerberos ticket for the admin user.
@@ -195,4 +195,4 @@ Valid starting Expires Service principal
Kerberos 4 ticket cache: /tmp/tkt10678
klist: You have no tickets cached</pre>
- </div></li></ol></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_an_IPA_Client_on_AIX.html"><strong>Prev</strong>3.5. Configuring an AIX System as a FreeIPA Client</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="uninstalling-clients.html"><strong>Next</strong>3.7. Uninstalling a FreeIPA Client</a></li></ul></body></html>
+ </div></li></ol></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_an_IPA_Client_on_AIX.html"><strong>Prev</strong>2.5. Configuring an AIX System as a FreeIPA Client</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="uninstalling-clients.html"><strong>Next</strong>2.7. Uninstalling a FreeIPA Client</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
index 2d9779e..35784e3 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>3.3. Configuring a Solaris System as a FreeIPA Client</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.3. Configuring a Solaris System as a FreeIPA Client</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="setting-up-clients.html" title="Chapter 3. Setting up Systems as FreeIPA Clients" /><link rel="prev" href="Configuring_Microsoft_Windows.html" title="3.2. Configuring a Microsoft Windows System as a FreeIPA Client" /><link rel="next" href="Configuring_an_IPA_Client_on_HP_UX.html" title="3.4. Configuring an HP-UX System as a FreeIPA" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="p
revious"><a accesskey="p" href="Configuring_Microsoft_Windows.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_an_IPA_Client_on_HP_UX.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_an_IPA_Client_on_Solaris"><div class="titlepage"><div><div><h2 class="title" id="Configuring_an_IPA_Client_on_Solaris">3.3. Configuring a Solaris System as a FreeIPA Client</h2></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_Solaris_10"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Solaris_10">3.3.1. Configuring Solaris 10</h3></div></div></div><div class="orderedlist"><ol><li class="listitem" id="st.sol1"><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="setting-up-clients.html" title="Chapter 2. Setting up Systems as FreeIPA Clients" /><link rel="prev" href="Configuring_Microsoft_Windows.html" title="2.2. Configuring a Microsoft Windows System as a FreeIPA Client" /><link rel="next" href="Configuring_an_IPA_Client_on_HP_UX.html" title="2.4. Configuring an HP-UX System as a FreeIPA" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="p
revious"><a accesskey="p" href="Configuring_Microsoft_Windows.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_an_IPA_Client_on_HP_UX.html"><strong>Next</strong></a></li></ul><div class="section" id="Configuring_an_IPA_Client_on_Solaris"><div class="titlepage"><div><div><h2 class="title" id="Configuring_an_IPA_Client_on_Solaris">2.3. Configuring a Solaris System as a FreeIPA Client</h2></div></div></div><div class="section" id="Configuring_an_IPA_Client_on_Solaris_10"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Solaris_10">2.3.1. Configuring Solaris 10</h3></div></div></div><div class="orderedlist"><ol><li class="listitem" id="st.sol1"><div class="para">
As with Fedora systems, FreeIPA provides an automated method of configuring Solaris 10 to function as a FreeIPA client. On the Solaris client, run the <code class="command">ldapclient</code> with the name of the FreeIPA domain:
</div><pre class="programlisting"><span class="perl_Comment"># ldapclient init ipa.example.com -v</span></pre><div class="para">
When the command is run, it creates a configuration profile that will automatically set up the necessary PAM and <code class="filename">/etc/ldap.conf</code> configuration.
@@ -84,8 +84,8 @@ forwardable= true
ktutil: <span class="perl_BString">write</span>_kt /etc/krb5/krb5.keytab
ktutil: q</pre>
- </div></li></ol></div></li></ol></div></div><div class="section" id="Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9">3.3.2. Configuring Solaris 9</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
- Perform steps <a class="xref" href="Configuring_an_IPA_Client_on_Solaris.html#st.sol1">1</a> through <a class="xref" href="Configuring_an_IPA_Client_on_Solaris.html#st.sol3">3</a> in <a class="xref" href="Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10">Section 3.3.1, “Configuring Solaris 10”</a> to set up the Solaris 9 client.
+ </div></li></ol></div></li></ol></div></div><div class="section" id="Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9"><div class="titlepage"><div><div><h3 class="title" id="Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9">2.3.2. Configuring Solaris 9</h3></div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ Perform steps <a class="xref" href="Configuring_an_IPA_Client_on_Solaris.html#st.sol1">1</a> through <a class="xref" href="Configuring_an_IPA_Client_on_Solaris.html#st.sol3">3</a> in <a class="xref" href="Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10">Section 2.3.1, “Configuring Solaris 10”</a> to set up the Solaris 9 client.
</div></li><li class="listitem"><div class="para">
Configure the <code class="filename">/etc/pam.conf</code> file to use PAM Kerberos. For example:
</div><pre class="programlisting">login auth requisite pam_authtok_get.so.1
@@ -94,4 +94,4 @@ login auth sufficient pam_unix.so.1 use_first_pass
login auth required pam_dhkeys.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
-</pre></li></ol></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_Microsoft_Windows.html"><strong>Prev</strong>3.2. Configuring a Microsoft Windows System as a ...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_an_IPA_Client_on_HP_UX.html"><strong>Next</strong>3.4. Configuring an HP-UX System as a FreeIPA</a></li></ul></body></html>
+</pre></li></ol></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_Microsoft_Windows.html"><strong>Prev</strong>2.2. Configuring a Microsoft Windows System as a ...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_an_IPA_Client_on_HP_UX.html"><strong>Next</strong>2.4. Configuring an HP-UX System as a FreeIPA</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/General_Troubleshooting_Tips-Client_Problems.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/General_Troubleshooting_Tips-Client_Problems.html
index 9195631..f19ab61 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/General_Troubleshooting_Tips-Client_Problems.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/General_Troubleshooting_Tips-Client_Problems.html
@@ -1,14 +1,14 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>5.6. Client Problems</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>4.6. Client Problems</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="managing-clients.html" title="Chapter 5. Managing Clients in the FreeIPA Domain" /><link rel="prev" href="certs.html" title="5.5. Configuring Certificate-Based Machine Authentication" /><link rel="next" href="users.html" title="Chapter 6. Identity: Managing Users and User Groups" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="certs.html"><strong>P
rev</strong></a></li><li class="next"><a accesskey="n" href="users.html"><strong>Next</strong></a></li></ul><div class="section" id="General_Troubleshooting_Tips-Client_Problems"><div class="titlepage"><div><div><h2 class="title" id="General_Troubleshooting_Tips-Client_Problems">5.6. Client Problems</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="managing-clients.html" title="Chapter 4. Managing Clients in the FreeIPA Domain" /><link rel="prev" href="certs.html" title="4.5. Configuring Certificate-Based Machine Authentication" /><link rel="next" href="users.html" title="Chapter 5. Identity: Managing Users and User Groups" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="certs.html"><strong>P
rev</strong></a></li><li class="next"><a accesskey="n" href="users.html"><strong>Next</strong></a></li></ul><div class="section" id="General_Troubleshooting_Tips-Client_Problems"><div class="titlepage"><div><div><h2 class="title" id="General_Troubleshooting_Tips-Client_Problems">4.6. Client Problems</h2></div></div></div><div class="para">
If you are unable to log into a machine or the standard NSS tools fail to return user and group information (for example, <code class="command">getent passwd admin</code> fails), inspect the SSSD logs in <code class="filename">/var/log/sssd/</code>. You should start with the log file for your domain (<code class="filename">sssd_example.com.log</code>).
</div><div class="para">
To increase the log level, set <code class="varname">debug_level</code> = 9 in the <code class="literal">[domain/<em class="replaceable"><code>example.com</code></em>]</code> section of the <code class="filename">/etc/sssd/sssd.conf</code> file, and restart the <code class="systemitem">sssd</code> daemon for this change to take effect. Monitor the <code class="filename">/var/log/sssd/sssd_example.com.log</code> file for any relevant information.
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="certs.html"><strong>Prev</strong>5.5. Configuring Certificate-Based Machine Authen...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="users.html"><strong>Next</strong>Chapter 6. Identity: Managing Users and User Grou...</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="certs.html"><strong>Prev</strong>4.5. Configuring Certificate-Based Machine Authen...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="users.html"><strong>Next</strong>Chapter 5. Identity: Managing Users and User Grou...</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Glossary.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Glossary.html
index 08c4c28..a699f36 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Glossary.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Glossary.html
@@ -7,7 +7,7 @@
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html" title="D.3. Performing a Client-based Migration" /><link rel="next" href="ix01.html" title="Index" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="s
ect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="ix01.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="glossary" id="Glossary" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Glossary</h2></div></div></div><div class="glossdiv"><h3 class="title">A</h3><dl><dt>access control instruction</dt><dd><p>See <a class="glosssee" href="Glossary.html#aci">ACI</a>.</p></dd><dt>access control list</dt><dd><p>See <a class="glosssee" href="Glossary.html#ACL">ACL</a>.</p></dd><dt>access rights</dt><dd><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html" title="C.3. Performing a Client-based Migration" /><link rel="next" href="ix01.html" title="Index" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="s
ect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="ix01.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="glossary" id="Glossary" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Glossary</h2></div></div></div><div class="glossdiv"><h3 class="title">A</h3><dl><dt>access control instruction</dt><dd><p>See <a class="glosssee" href="Glossary.html#aci">ACI</a>.</p></dd><dt>access control list</dt><dd><p>See <a class="glosssee" href="Glossary.html#ACL">ACL</a>.</p></dd><dt>access rights</dt><dd><div class="para">
In the context of access control, specify the level of access granted or denied. Access rights are related to the type of operation that can be performed on the directory. The following rights can be granted or denied: read, write, add, delete, search, compare, selfwrite, proxy and all.
</div></dd><dt>account inactivation</dt><dd><div class="para">
Disables a user account, group of accounts, or an entire domain so that all authentication attempts are automatically rejected.
@@ -341,4 +341,4 @@
Speeds up the display of entries in the Directory Server Console. Virtual list view indexes can be created on any branch point in the directory tree to improve display performance.
</div><p>See Also <a class="glossseealso" href="Glossary.html#browsing-index">browsing index</a>.</p></dd></dl></div><div class="glossdiv"><h3 class="title">X</h3><dl><dt>X.500 standard</dt><dd><div class="para">
The set of ISO/ITU-T documents outlining the recommended information model, object classes and attributes used by directory server implementation.
-</div></dd></dl></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html"><strong>Prev</strong>D.3. Performing a Client-based Migration</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="ix01.html"><strong>Next</strong>Index</a></li></ul></body></html>
+</div></dd></dl></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html"><strong>Prev</strong>C.3. Performing a Client-based Migration</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="ix01.html"><strong>Next</strong>Index</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Installing_the_IPA_Server_Packages.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Installing_the_IPA_Server_Packages.html
index 0d10c6e..36bcb28 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Installing_the_IPA_Server_Packages.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Installing_the_IPA_Server_Packages.html
@@ -1,18 +1,18 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.2. Installing the FreeIPA Server Packages</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>1.2. Installing the FreeIPA Server Packages</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="installing-ipa.html" title="Chapter 2. Installing a FreeIPA Server" /><link rel="prev" href="installing-ipa.html" title="Chapter 2. Installing a FreeIPA Server" /><link rel="next" href="creating-server.html" title="2.3. Creating a FreeIPA Server Instance" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="installing-ipa.html"><strong>Prev</strong></a>
</li><li class="next"><a accesskey="n" href="creating-server.html"><strong>Next</strong></a></li></ul><div class="section" id="Installing_the_IPA_Server_Packages"><div class="titlepage"><div><div><h2 class="title" id="Installing_the_IPA_Server_Packages">2.2. Installing the FreeIPA Server Packages</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="installing-ipa.html" title="Chapter 1. Installing a FreeIPA Server" /><link rel="prev" href="installing-ipa.html" title="Chapter 1. Installing a FreeIPA Server" /><link rel="next" href="creating-server.html" title="1.3. Creating a FreeIPA Server Instance" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="installing-ipa.html"><strong>Prev</strong></a>
</li><li class="next"><a accesskey="n" href="creating-server.html"><strong>Next</strong></a></li></ul><div class="section" id="Installing_the_IPA_Server_Packages"><div class="titlepage"><div><div><h2 class="title" id="Installing_the_IPA_Server_Packages">1.2. Installing the FreeIPA Server Packages</h2></div></div></div><div class="para">
Installing only the FreeIPA server requires a single package, . If the FreeIPA server will also manage a DNS server, then it requires two additional packages to set up the DNS.
</div><div class="para">
All of these packages can be installed using the <code class="command">yum</code> command:
</div><pre class="programlisting"><span class="perl_Comment"># yum install freeipa-server bind bind-dyndb-ldap</span></pre><div class="para">
Installing the also installs a large number of dependencies, such as <span class="package">389-ds-base</span> for the LDAP service and <span class="package">krb5-server</span> for the Kerberos service, along with FreeIPA tools.
</div><div class="para">
- After the packages are installed, the server instance must be created using the <code class="command">ipa-server-install</code> command. The options for configuring the new server instance are described in <a class="xref" href="creating-server.html">Section 2.3, “Creating a FreeIPA Server Instance”</a>.
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="installing-ipa.html"><strong>Prev</strong>Chapter 2. Installing a FreeIPA Server</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="creating-server.html"><strong>Next</strong>2.3. Creating a FreeIPA Server Instance</a></li></ul></body></html>
+ After the packages are installed, the server instance must be created using the <code class="command">ipa-server-install</code> command. The options for configuring the new server instance are described in <a class="xref" href="creating-server.html">Section 1.3, “Creating a FreeIPA Server Instance”</a>.
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="installing-ipa.html"><strong>Prev</strong>Chapter 1. Installing a FreeIPA Server</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="creating-server.html"><strong>Next</strong>1.3. Creating a FreeIPA Server Instance</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Managing-Unique_UID_and_GID_Attributes.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Managing-Unique_UID_and_GID_Attributes.html
index 85e0b1b..35465f6 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Managing-Unique_UID_and_GID_Attributes.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Managing-Unique_UID_and_GID_Attributes.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>13.3. Managing Unique UID and GID Number Assignments</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>12.3. Managing Unique UID and GID Number Assignments</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="server-config.html" title="Chapter 13. Configuring the FreeIPA Server" /><link rel="prev" href="disabling-anon-binds.html" title="13.2. Disabling Anonymous Binds" /><link rel="next" href="Configuring_Certificates_and_Certificate_Authorities.html" title="13.4. Configuring Certificates and Certificate Authorities" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey
="p" href="disabling-anon-binds.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_Certificates_and_Certificate_Authorities.html"><strong>Next</strong></a></li></ul><div class="section" id="Managing-Unique_UID_and_GID_Attributes"><div class="titlepage"><div><div><h2 class="title" id="Managing-Unique_UID_and_GID_Attributes">13.3. Managing Unique UID and GID Number Assignments</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="server-config.html" title="Chapter 12. Configuring the FreeIPA Server" /><link rel="prev" href="disabling-anon-binds.html" title="12.2. Disabling Anonymous Binds" /><link rel="next" href="Configuring_Certificates_and_Certificate_Authorities.html" title="12.4. Configuring Certificates and Certificate Authorities" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey
="p" href="disabling-anon-binds.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_Certificates_and_Certificate_Authorities.html"><strong>Next</strong></a></li></ul><div class="section" id="Managing-Unique_UID_and_GID_Attributes"><div class="titlepage"><div><div><h2 class="title" id="Managing-Unique_UID_and_GID_Attributes">12.3. Managing Unique UID and GID Number Assignments</h2></div></div></div><div class="para">
A FreeIPA server must generate random UID and GID values and simultaneously ensure that replicas never generate the same UID or GID value. The need for unique UID and GID numbers might even cross FreeIPA domains, if a single organization has multiple disparate domains.
</div><div class="para">
The UID and GID numbers are divided into <span class="emphasis"><em>ranges</em></span>. By keeping separate numeric ranges for individual servers and replicas, the chances are minimal that any numbers issued by one server or replica will duplicate those from another. Ranges are updated and shared intelligently between servers and replicas through the Dynamic Numeric Assignment (DNA) Plug-in, as part of the backend 389 Directory Server instance for the domain. The same range is used for user IDs (<em class="parameter"><code>uidNumber</code></em>) and group IDs (<em class="parameter"><code>gidNumber</code></em>). A user and a group may have the same ID, but since the ID is set in different attributes, there is no conflict. Using the same ID number for both a user and a group also allows an administrator to configure user private groups, where a unique system group is created for each user and the ID number is the same for both the user and the group.
@@ -17,7 +17,7 @@
If a number is <span class="emphasis"><em>manually</em></span> assigned to a user entry, the server does not validate that the <em class="parameter"><code>uidNumber</code></em> is unique. It will allow duplicate IDs; this is expected (though discouraged) behavior for Posix entries. The same is true for group entries: a duplicate <em class="parameter"><code>gidNumber</code></em> can be manually assigned to the entry.
</div><div class="para">
If two entries are assigned the same ID number, only the first entry is returned in a search for that ID number. However, both entries will be returned in searches for other attributes or with <code class="command">ipa user-find --all</code>.
- </div></div></div><div class="section" id="id-ranges-at-install"><div class="titlepage"><div><div><h3 class="title" id="id-ranges-at-install">13.3.1. About ID Range Assignments During Installation</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="id-ranges-at-install"><div class="titlepage"><div><div><h3 class="title" id="id-ranges-at-install">12.3.1. About ID Range Assignments During Installation</h3></div></div></div><div class="para">
The FreeIPA administrator can initially define a range during server installation, using the <code class="option">--idstart</code> and <code class="option">--idmax</code> options with <code class="command">ipa-server-install</code>. These options are not required, so the setup script can assign random ranges during installation.
</div><div class="para">
If no range is set manually when the first FreeIPA server is installed, a range of 200,000 IDs is randomly selected. There are 10,000 possible ranges. Selecting a random range from that number provides a high probability of non-conflicting IDs if two separate FreeIPA domains are ever merged in the future.
@@ -25,7 +25,7 @@
With a single FreeIPA server, IDs are assigned to entries in order through the range. With replicas, the initial server ID range is split and distributed.
</div><div class="para">
When a replica is installed, it is configured with an invalid range. It also has a directory entry (that is shared among replicas) that instructs the replica where it can request a valid range. When the replica starts, or as its current range is depleted so that less than 100 IDs are available, it can contact one of the available servers for a new range allotment. A special extended operation splits the range in two, so that the original server and the replica each have half of the available range.
- </div></div><div class="section" id="Assigning_UIDs_and_GIDs-Adding_New_Ranges"><div class="titlepage"><div><div><h3 class="title" id="Assigning_UIDs_and_GIDs-Adding_New_Ranges">13.3.2. Adding New Ranges</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="Assigning_UIDs_and_GIDs-Adding_New_Ranges"><div class="titlepage"><div><div><h3 class="title" id="Assigning_UIDs_and_GIDs-Adding_New_Ranges">12.3.2. Adding New Ranges</h3></div></div></div><div class="para">
If the range for the entire domain is close to depletion, a new range can be manually selected and assigned to one of the master servers. All replicas then request ID ranges from the master as necessary.
</div><div class="para">
The changes to the range are done by editing the 389 Directory Server configuration to change the DNA Plug-in instance. The range is defined in the <em class="parameter"><code>dnaNextRange</code></em> parameter. For example:
@@ -36,4 +36,4 @@ changetype: modify
add: dnaNextRange
dnaNextRange: 123400000-123500000</pre><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
This command only adds the specified range of values; it does not check that the values in that range are actually available. This check is performed when an attempt is made to allocate those values. If a range is added that contains mostly values that were already allocated, the system will cycle through the entire range searching for unallocated values, and then the operation ultimately fails if none are available.
- </div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="disabling-anon-binds.html"><strong>Prev</strong>13.2. Disabling Anonymous Binds</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_Certificates_and_Certificate_Authorities.html"><strong>Next</strong>13.4. Configuring Certificates and Certificate Au...</a></li></ul></body></html>
+ </div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="disabling-anon-binds.html"><strong>Prev</strong>12.2. Disabling Anonymous Binds</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_Certificates_and_Certificate_Authorities.html"><strong>Next</strong>12.4. Configuring Certificates and Certificate Au...</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Migrating_from_a_Directory_Server_to_IPA.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Migrating_from_a_Directory_Server_to_IPA.html
index bcc363e..1efbd5f 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Migrating_from_a_Directory_Server_to_IPA.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Migrating_from_a_Directory_Server_to_IPA.html
@@ -1,15 +1,15 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Appendix D. Migrating from a Directory Server to IPA</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Appendix C. Migrating from a Directory Server to IPA</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html" title="C.4. Using certmonger with IPA" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html" title="D.2. Performing a Server-based Migration" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/ima
ge_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="appendix" id="Migrating_from_a_Directory_Server_to_IPA" lang="en-US"><div class="titlepage"><div><div><h1 class="title">Migrating from a Directory Server to IPA</h1></div></div></div><div class="toc"><dl><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Overview">D.1. Overview</a></span></dt><dd><dl><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity
_Management_Guide-Overview-Assumptions">D.1.1. Assumptions</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Known_Issues">D.1.2. Known Issues</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Possible_Scenarios">D.1.3. Possible Scenarios</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Initial_and_Final_States">D.1.4. Initial and Final States</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Recommended_Sequence_of_Steps">D.1.5. Recommended Sequence of Steps</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guid
e-Overview-Implementation_Details">D.1.6. Implementation Details</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html">D.2. Performing a Server-based Migration</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA">D.2.1. Phase 1: Migrating Existing Data to IPA</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_2_Updating_the_Client_Configuration">D.2.2. Phase 2: Updating the Client Configuration</a></s
pan></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD">D.2.3. Phase 3: Installing and Configuring SSSD</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_4_Migrating_Users">D.2.4. Phase 4: Migrating Users</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_5_Decommission_the_DS">D.2.5. Phase 5: Decommission the DS</a></span></dt></dl></dd><dt
><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html">D.3. Performing a Client-based Migration</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_1_Installing_and_Configuring_SSSD">D.3.1. Phase 1: Installing and Configuring SSSD</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_2_Migrating_Existing_Data_to_IPA">D.3.2. Phase 2: Migrating Existing Data to IPA</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_f
rom_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_3_Migrate_SSSD_Clients_from_LDAP_to_IPA">D.3.3. Phase 3: Migrate SSSD Clients from LDAP to IPA</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_4_Reconfigure_non_SSSD_Clients">D.3.4. Phase 4: Reconfigure non-SSSD Clients</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_5_Decommission_the_Directory_Server">D.3.5. Phase 5: Decommission the Directory Server</a></span></dt></dl></dd></dl></div><div class="section" id
="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Overview"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Overview">D.1. Overview</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html" title="B.4. Using certmonger with IPA" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html" title="C.2. Performing a Server-based Migration" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/ima
ge_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="appendix" id="Migrating_from_a_Directory_Server_to_IPA" lang="en-US"><div class="titlepage"><div><div><h1 class="title">Migrating from a Directory Server to IPA</h1></div></div></div><div class="toc"><dl><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Overview">C.1. Overview</a></span></dt><dd><dl><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity
_Management_Guide-Overview-Assumptions">C.1.1. Assumptions</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Known_Issues">C.1.2. Known Issues</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Possible_Scenarios">C.1.3. Possible Scenarios</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Initial_and_Final_States">C.1.4. Initial and Final States</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Recommended_Sequence_of_Steps">C.1.5. Recommended Sequence of Steps</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guid
e-Overview-Implementation_Details">C.1.6. Implementation Details</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html">C.2. Performing a Server-based Migration</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA">C.2.1. Phase 1: Migrating Existing Data to IPA</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_2_Updating_the_Client_Configuration">C.2.2. Phase 2: Updating the Client Configuration</a></s
pan></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD">C.2.3. Phase 3: Installing and Configuring SSSD</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_4_Migrating_Users">C.2.4. Phase 4: Migrating Users</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_5_Decommission_the_DS">C.2.5. Phase 5: Decommission the DS</a></span></dt></dl></dd><dt
><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html">C.3. Performing a Client-based Migration</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_1_Installing_and_Configuring_SSSD">C.3.1. Phase 1: Installing and Configuring SSSD</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_2_Migrating_Existing_Data_to_IPA">C.3.2. Phase 2: Migrating Existing Data to IPA</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_f
rom_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_3_Migrate_SSSD_Clients_from_LDAP_to_IPA">C.3.3. Phase 3: Migrate SSSD Clients from LDAP to IPA</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_4_Reconfigure_non_SSSD_Clients">C.3.4. Phase 4: Reconfigure non-SSSD Clients</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_5_Decommission_the_Directory_Server">C.3.5. Phase 5: Decommission the Directory Server</a></span></dt></dl></dd></dl></div><div class="section" id
="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Overview"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Overview">C.1. Overview</h2></div></div></div><div class="para">
This appendix addresses the situation where a customer has previously deployed an internal Directory Server (DS) and is planning to use IPA instead. The customer needs to transfer all user data from the DS to IPA so that IPA can function fully and correctly. The goal is to perform this migration without requiring that users change their passwords or perform some other specific action.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Assumptions"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Assumptions">D.1.1. Assumptions</h3></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Assumptions"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Assumptions">C.1.1. Assumptions</h3></div></div></div><div class="para">
It is not practical to identify and address each of the scenarios in which a DS and IPA might be deployed, and where migration might be required. Consequently, the following assumptions are made:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
This is a one-to-one transition from one DS realm to one IPA realm. No consolidation is involved.
@@ -21,7 +21,7 @@
Some machines might be present that are managed by <code class="systemitem">NIS</code> or are not part of the DS deployment, but are planned to be part of the IPA domain
</div><div class="para">
Machines that cannot be moved from the <code class="systemitem">NIS</code> domain to LDAP or IPA because they are old and do not support <code class="systemitem">nss_ldap</code> are assumed to remain in and be served by the <code class="systemitem">NIS</code> domain. The migration of such machines to the IPA domain, while possible, is a challenging task and is out of the scope of the current use case.
- </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Known_Issues"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Known_Issues">D.1.2. Known Issues</h3></div></div></div><div class="para">
+ </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Known_Issues"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Known_Issues">C.1.2. Known Issues</h3></div></div></div><div class="para">
A number of issues exist that need to be considered when planning the migration:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
A generic DS uses a different schema and <em class="firstterm">Directory Information Tree (DIT)</em> when compared to IPA. No known DS uses the same flat DIT structure that IPA uses. IPA is optimized for performance, and attempts to avoid any architectural design flaws that have occurred in the past.
@@ -29,7 +29,7 @@
IPA uses Kerberos for authentication, and so each user requires that Kerberos keys be stored in the IPA DS, in addition to the standard LDAP hashes used by the DS
</div><div class="para">
In order to generate these keys, the password needs to be available in clear text to IPA's DS password plug-in. It is available when the user is created in IPA using IPA tools or LDAP, but this is not the case when the user is migrated from other external storage such as another DS. Consequently, the existing password hashes can be reloaded, but the Kerberos hashes cannot be generated. IPA provides a number of solutions to overcome this issue; these are described later in this appendix.
- </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Possible_Scenarios"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Possible_Scenarios">D.1.3. Possible Scenarios</h3></div></div></div><div class="para">
+ </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Possible_Scenarios"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Possible_Scenarios">C.1.3. Possible Scenarios</h3></div></div></div><div class="para">
The following have been identified as typical migration scenarios:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Migrate an existing environment to IPA but do not use its Kerberos features for now
@@ -37,13 +37,13 @@
Migrate an existing environment to IPA and use its Kerberos features using only IPA v1 functionality. That is, do not use SSSD.
</div></li><li class="listitem"><div class="para">
Migrate an existing environment to IPA and use its Kerberos features on some machines, while some machines will use SSSD and some will not; this is the primary use case.
- </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Initial_and_Final_States"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Initial_and_Final_States">D.1.4. Initial and Final States</h3></div></div></div><div class="para">
+ </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Initial_and_Final_States"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Initial_and_Final_States">C.1.4. Initial and Final States</h3></div></div></div><div class="para">
The following sections describe the initial, pre‐migration state, and the final, post‐migration state of a DS deployment when migrating to a single IPA domain.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Initial_and_Final_States-Initial_State"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Initial_and_Final_States-Initial_State">D.1.4.1. Initial State</h4></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Initial_and_Final_States-Initial_State"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Initial_and_Final_States-Initial_State">C.1.4.1. Initial State</h4></div></div></div><div class="para">
In the initial state, there is a single data source (the Directory Server) and a single client machine configuration. This client configuration uses <code class="systemitem">LDAP</code> to connect to the Directory Server and retrieve information about users and groups. This configuration uses <code class="systemitem">PAM_LDAP</code> and <code class="systemitem">NSS_LDAP</code> for authentication and identity lookups. These modules enable the client systems to use data retrieved from the DS just as if it were stored in <code class="filename">/etc/passwd</code> or <code class="filename">/etc/shadow</code>. The following diagram illustrates this type of implementation, where <code class="systemitem">LDAP</code> is used to connect to the DS for both authentication and authorization. The case where <code class="systemitem">Kerberos</code> is used for authentication and <code class="systemitem">LDAP</code> for identity, and where these two data stores are synchronized, is not
described here. Consequently, the initial state may not be as simple or as straightforward as displayed here, however the approach and the final state will be similar.
- </div><div class="figure" id="figu-Enterprise_Identity_Management_Guide-Initial_State-Initial_state_of_deployment_before_migrating_to_IPA."><div class="figure-contents"><div class="mediaobject"><img src="./images/IPA_Migration_Initial_State.png" alt="Initial state of deployment before migrating to IPA." /></div></div><h6>Figure D.1. Initial state of deployment before migrating to IPA.</h6></div><br class="figure-break" /></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Initial_and_Final_States-Final_State"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Initial_and_Final_States-Final_State">D.1.4.2. Final State</h4></div></div></div><div class="para">
- In the final state, even though only a single data source exists, multiple possible machine configurations are now possible. This is illustrated in <a class="xref" href="Migrating_from_a_Directory_Server_to_IPA.html#figu-Enterprise_Identity_Management_Guide-Final_State-Final_state_of_deployment_after_migrating_to_IPA">Figure D.2, “Final state of deployment after migrating to IPA”</a>
- </div><div class="figure" id="figu-Enterprise_Identity_Management_Guide-Final_State-Final_state_of_deployment_after_migrating_to_IPA"><div class="figure-contents"><div class="mediaobject"><img src="./images/IPA_Migration_Final_State.png" alt="Final state of deployment after migrating to IPA" /></div></div><h6>Figure D.2. Final state of deployment after migrating to IPA</h6></div><br class="figure-break" /><div class="section" id="sect-Enterprise_Identity_Management_Guide-Final_State-Configuration_Options"><div class="titlepage"><div><div><h5 class="title" id="sect-Enterprise_Identity_Management_Guide-Final_State-Configuration_Options">D.1.4.2.1. Configuration Options</h5></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Configuration_Options-Connected_to_IPA_via_SSSD_Using_SSSDs_LDAP_Back_End"><h5 class="formalpara">Connected to IPA via SSSD Using SSSD's LDAP Back End</h5>
+ </div><div class="figure" id="figu-Enterprise_Identity_Management_Guide-Initial_State-Initial_state_of_deployment_before_migrating_to_IPA."><div class="figure-contents"><div class="mediaobject"><img src="./images/IPA_Migration_Initial_State.png" alt="Initial state of deployment before migrating to IPA." /></div></div><h6>Figure C.1. Initial state of deployment before migrating to IPA.</h6></div><br class="figure-break" /></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Initial_and_Final_States-Final_State"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Initial_and_Final_States-Final_State">C.1.4.2. Final State</h4></div></div></div><div class="para">
+ In the final state, even though only a single data source exists, multiple possible machine configurations are now possible. This is illustrated in <a class="xref" href="Migrating_from_a_Directory_Server_to_IPA.html#figu-Enterprise_Identity_Management_Guide-Final_State-Final_state_of_deployment_after_migrating_to_IPA">Figure C.2, “Final state of deployment after migrating to IPA”</a>
+ </div><div class="figure" id="figu-Enterprise_Identity_Management_Guide-Final_State-Final_state_of_deployment_after_migrating_to_IPA"><div class="figure-contents"><div class="mediaobject"><img src="./images/IPA_Migration_Final_State.png" alt="Final state of deployment after migrating to IPA" /></div></div><h6>Figure C.2. Final state of deployment after migrating to IPA</h6></div><br class="figure-break" /><div class="section" id="sect-Enterprise_Identity_Management_Guide-Final_State-Configuration_Options"><div class="titlepage"><div><div><h5 class="title" id="sect-Enterprise_Identity_Management_Guide-Final_State-Configuration_Options">C.1.4.2.1. Configuration Options</h5></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Configuration_Options-Connected_to_IPA_via_SSSD_Using_SSSDs_LDAP_Back_End"><h5 class="formalpara">Connected to IPA via SSSD Using SSSD's LDAP Back End</h5>
Clients connect to IPA via SSSD. SSSD is integrated into the PAM and NSS stacks by means of PAM_SSS and NSS_SSS, respectively. SSSD's LDAP back end is configured for both authentication and for identity lookups. In this use case, IPA functions like a normal DS.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
Kerberos authentication can be configured instead of LDAP authentication. In this case, IPA acts as a normal DS for identity lookups and a normal KDC for Kerberos authentication.
@@ -55,7 +55,7 @@
Clients connect directly to IPA and use PAM_KRB5 and NSS_LDAP. This is the same configuration as that provided for IPA v1.x
</div><div class="para">
In the initial state, clients use LDAP to communicate with the Directory Server to retrieve information about users and groups. <code class="systemitem">PAM_LDAP</code> and <code class="systemitem">NSS_LDAP</code> are modules that enable the client systems to use data retrieved from the Directory Server as if it were stored in <code class="filename">/etc/passwd</code> or <code class="filename">/etc/shadow</code>. In the final state, IPA provides all of the same functionality and many more features besides.
- </div></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Recommended_Sequence_of_Steps"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Recommended_Sequence_of_Steps">D.1.5. Recommended Sequence of Steps</h3></div></div></div><div class="para">
+ </div></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Recommended_Sequence_of_Steps"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Recommended_Sequence_of_Steps">C.1.5. Recommended Sequence of Steps</h3></div></div></div><div class="para">
The migration from DS to IPA requires:
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Installing IPA on a suitable machine
@@ -79,13 +79,13 @@
Deploy SSSD first
</div></li></ul></div><div class="para">
Each approach is valid and accomplishes the same goal, but using a different sequence of operations.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Recommended_Sequence_of_Steps-Comparison_of_Migration_Strategies"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Recommended_Sequence_of_Steps-Comparison_of_Migration_Strategies">D.1.5.1. Comparison of Migration Strategies</h4></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Recommended_Sequence_of_Steps-Comparison_of_Migration_Strategies"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Recommended_Sequence_of_Steps-Comparison_of_Migration_Strategies">C.1.5.1. Comparison of Migration Strategies</h4></div></div></div><div class="para">
Each approach has a different impact on the IT team and the users. You need to select the approach that best suits your deployment. These scenarios can be modified to meet the needs of your enterprise. Provided you understand the implications and reasoning behind each step, there is no requirement to follow the steps in the given order. It is important to understand that until the Kerberos keys are generated in IPA, users will not be able to authenticate with Kerberos credentials using <code class="systemitem">PAM_KRB5</code> or <code class="command">kinit</code>.
</div><div class="para">
You should also consider an alternative migration scenario, where passwords are not migrated. In this scenario, users are not migrated into IPA but rather added as new users with new passwords. Users would then change their password the first time they authenticate. The initial password would be defined by IT and sent to users by email or communicated in some other way.
</div><div class="para">
Migrating users from an existing system provides a smoother transition but also requires parallel management of DS and IPA during the migration. If you do not preserve passwords, the migration can be performed more quickly and you can avoid the period of double management of IPA and DS.
- </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Implementation_Details"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Implementation_Details">D.1.6. Implementation Details</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Overview-Implementation_Details"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Overview-Implementation_Details">C.1.6. Implementation Details</h3></div></div></div><div class="para">
The following sequence of operations occurs when users are migrated using SSSD:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
A user tries to log in to the machine.
@@ -111,4 +111,4 @@
If the bind operation fails for any reason, the IPA identity provider back end will fail authentication, otherwise it will continue.
</div></li><li class="listitem"><div class="para">
The IPA identity provider back end will unbind and try Kerberos authentication again. This time it is expected to succeed because the keys already exist in the entry.
- </div></li></ul></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html"><strong>Prev</strong>C.4. Using certmonger with IPA</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html"><strong>Next</strong>D.2. Performing a Server-based Migration</a></li></ul></body></html>
+ </div></li></ul></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html"><strong>Prev</strong>B.4. Using certmonger with IPA</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html"><strong>Next</strong>C.2. Performing a Server-based Migration</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Uninstalling_IPA_Servers.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Uninstalling_IPA_Servers.html
index 4e93659..f411fcf 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Uninstalling_IPA_Servers.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Uninstalling_IPA_Servers.html
@@ -1,14 +1,14 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.5. Uninstalling FreeIPA Servers and Replicas</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>1.5. Uninstalling FreeIPA Servers and Replicas</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="installing-ipa.html" title="Chapter 2. Installing a FreeIPA Server" /><link rel="prev" href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html" title="2.4. Setting up FreeIPA Replicas" /><link rel="next" href="setting-up-clients.html" title="Chapter 3. Setting up Systems as FreeIPA Clients" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey
="p" href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="setting-up-clients.html"><strong>Next</strong></a></li></ul><div class="section" id="Uninstalling_IPA_Servers"><div class="titlepage"><div><div><h2 class="title" id="Uninstalling_IPA_Servers">2.5. Uninstalling FreeIPA Servers and Replicas</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="installing-ipa.html" title="Chapter 1. Installing a FreeIPA Server" /><link rel="prev" href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html" title="1.4. Setting up FreeIPA Replicas" /><link rel="next" href="setting-up-clients.html" title="Chapter 2. Setting up Systems as FreeIPA Clients" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey
="p" href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="setting-up-clients.html"><strong>Next</strong></a></li></ul><div class="section" id="Uninstalling_IPA_Servers"><div class="titlepage"><div><div><h2 class="title" id="Uninstalling_IPA_Servers">1.5. Uninstalling FreeIPA Servers and Replicas</h2></div></div></div><div class="para">
To uninstall both a FreeIPA server and a FreeIPA replica, pass the <code class="option">--uninstall</code> option to the <code class="command">ipa-server-install</code> command:
<pre class="programlisting"><span class="perl_Comment"># ipa-server-install --uninstall</span></pre>
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html"><strong>Prev</strong>2.4. Setting up FreeIPA Replicas</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="setting-up-clients.html"><strong>Next</strong>Chapter 3. Setting up Systems as FreeIPA Clients</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html"><strong>Prev</strong>1.4. Setting up FreeIPA Replicas</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="setting-up-clients.html"><strong>Next</strong>Chapter 2. Setting up Systems as FreeIPA Clients</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html
index 3f10656..7aa8e20 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html
@@ -1,14 +1,14 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>13.7. Creating DNS Entries for FreeIPA Replicas</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>12.7. Creating DNS Entries for FreeIPA Replicas</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="server-config.html" title="Chapter 13. Configuring the FreeIPA Server" /><link rel="prev" href="ipa-cluster.html" title="13.6. Using FreeIPA in a Cluster" /><link rel="next" href="promoting-replica.html" title="13.8. Promoting a Read-Only Replica to a FreeIPA Server" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="ipa-cluster.html"><strong>Prev</str
ong></a></li><li class="next"><a accesskey="n" href="promoting-replica.html"><strong>Next</strong></a></li></ul><div class="section" id="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas"><div class="titlepage"><div><div><h2 class="title" id="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas">13.7. Creating DNS Entries for FreeIPA Replicas</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="server-config.html" title="Chapter 12. Configuring the FreeIPA Server" /><link rel="prev" href="ipa-cluster.html" title="12.6. Using FreeIPA in a Cluster" /><link rel="next" href="promoting-replica.html" title="12.8. Promoting a Read-Only Replica to a FreeIPA Server" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="ipa-cluster.html"><strong>Prev</str
ong></a></li><li class="next"><a accesskey="n" href="promoting-replica.html"><strong>Next</strong></a></li></ul><div class="section" id="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas"><div class="titlepage"><div><div><h2 class="title" id="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas">12.7. Creating DNS Entries for FreeIPA Replicas</h2></div></div></div><div class="para">
You can use the <code class="option">--ip-address</code> option with the <code class="command">ipa-replica-prepare</code> command to pre-create DNS entries for a replica. If you include this option, FreeIPA will add the A and PTR records for the replica to the DNS. For example:
<pre class="screen">$ ipa-replica-prepare master2.example.com --ip-address 192.168.1.2</pre>
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="ipa-cluster.html"><strong>Prev</strong>13.6. Using FreeIPA in a Cluster</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="promoting-replica.html"><strong>Next</strong>13.8. Promoting a Read-Only Replica to a FreeIPA ...</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="ipa-cluster.html"><strong>Prev</strong>12.6. Using FreeIPA in a Cluster</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="promoting-replica.html"><strong>Next</strong>12.8. Promoting a Read-Only Replica to a FreeIPA ...</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/active-directory.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/active-directory.html
index 86fb94a..ffde894 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/active-directory.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/active-directory.html
@@ -1,16 +1,16 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 9. Identity: Integrating with Microsoft Active Directory</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 8. Identity: Integrating with Microsoft Active Directory</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="configuring-automount.html" title="8.2. Configuring Automount" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html" title="9.2. Setting up Active Directory" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="confi
guring-automount.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="active-directory" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 9. Identity: Integrating with Microsoft Active Directory</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="active-directory.html#about-active-directory">9.1. About Active Directory, IPA, and Identity Management</a></span></dt><dd><dl><dt><span class="section"><a href="active-directory.html#sect-Enterprise_Identity_Management_Guide-Prerequisites-Domain_Name_Considerations">9.1.1. Domain Name Considerations</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html">9.2. Setting up Active Directory</a></span></dt><d
t><span class="section"><a href="configuring-active-directory.html">9.3. Configuring Active Directory Synchronization</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html">9.4. Creating Synchronization Agreements</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html">9.5. Modifying Synchronization Agreements</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html#sect-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Changing_the_Default_Synchronization_Subtree">9.5.1. Changing the Default Synchronization Subtree</a></span></dt></dl>
</dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html">9.6. Deleting Synchronization Agreements</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html">9.7. Winsync Agreement Failures</a></span></dt></dl></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="configuring-automount.html" title="7.2. Configuring Automount" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html" title="8.2. Setting up Active Directory" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="confi
guring-automount.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="active-directory" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 8. Identity: Integrating with Microsoft Active Directory</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="active-directory.html#about-active-directory">8.1. About Active Directory, IPA, and Identity Management</a></span></dt><dd><dl><dt><span class="section"><a href="active-directory.html#sect-Enterprise_Identity_Management_Guide-Prerequisites-Domain_Name_Considerations">8.1.1. Domain Name Considerations</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html">8.2. Setting up Active Directory</a></span></dt><d
t><span class="section"><a href="configuring-active-directory.html">8.3. Configuring Active Directory Synchronization</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html">8.4. Creating Synchronization Agreements</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html">8.5. Modifying Synchronization Agreements</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html#sect-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Changing_the_Default_Synchronization_Subtree">8.5.1. Changing the Default Synchronization Subtree</a></span></dt></dl>
</dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html">8.6. Deleting Synchronization Agreements</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html">8.7. Winsync Agreement Failures</a></span></dt></dl></div><div class="para">
To synchronize user identity information between 389 Directory Server and Windows Active Directory, IPA employs a plug-in that extends the functionality of the 389 Directory Server Windows Sync utility. This plug-in allows IPA to perform the data manipulation necessary to achieve synchronization between 389 Directory Server and Windows Active Directory. The IPA Windows Sync plug-in uses the <em class="parameter"><code>ipaWinSyncUserAttr</code></em> parameter to specify which attributes and values to add to new users that are synchronized from Active Directory.
- </div><div class="section" id="about-active-directory"><div class="titlepage"><div><div><h2 class="title" id="about-active-directory">9.1. About Active Directory, IPA, and Identity Management</h2></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Prerequisites-Domain_Name_Considerations"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Prerequisites-Domain_Name_Considerations">9.1.1. Domain Name Considerations</h3></div></div></div><div class="para">
+ </div><div class="section" id="about-active-directory"><div class="titlepage"><div><div><h2 class="title" id="about-active-directory">8.1. About Active Directory, IPA, and Identity Management</h2></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Prerequisites-Domain_Name_Considerations"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Prerequisites-Domain_Name_Considerations">8.1.1. Domain Name Considerations</h3></div></div></div><div class="para">
IPA clients find, or discover, IPA servers using a process known as <em class="firstterm">Service Discovery</em>. This can occur automatically, using DNS, or manually, by entering the IPA server details during the client configuration phase. If your Active Directory installation is in the same domain as the IPA server, it is possible that when you install IPA clients they will not discover the IPA server, but rather the Active Directory DNS. This means that IPA commands run on the client will fail because the client cannot contact the IPA server.
</div><div class="para">
To avoid this situation, use a separate domain for your IPA and Active Directory servers. If this is not possible, use the <em class="parameter"><code>--force</code></em> parameter when you run the <code class="command">ipa-client-install</code> script.
- </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="configuring-automount.html"><strong>Prev</strong>8.2. Configuring Automount</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html"><strong>Next</strong>9.2. Setting up Active Directory</a></li></ul></body></html>
+ </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="configuring-automount.html"><strong>Prev</strong>7.2. Configuring Automount</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html"><strong>Next</strong>8.2. Setting up Active Directory</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/adding-users.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/adding-users.html
index 20d5602..d5fc057 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/adding-users.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/adding-users.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>6.2. Adding Users</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>5.2. Adding Users</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 6. Identity: Managing Users and User Groups" /><link rel="prev" href="users.html" title="Chapter 6. Identity: Managing Users and User Groups" /><link rel="next" href="editing-users.html" title="6.3. Editing Users" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="users.html"><strong>Prev</strong></a></li><li class="next"><a
accesskey="n" href="editing-users.html"><strong>Next</strong></a></li></ul><div class="section" id="adding-users"><div class="titlepage"><div><div><h2 class="title" id="adding-users">6.2. Adding Users</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 5. Identity: Managing Users and User Groups" /><link rel="prev" href="users.html" title="Chapter 5. Identity: Managing Users and User Groups" /><link rel="next" href="editing-users.html" title="5.3. Editing Users" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="users.html"><strong>Prev</strong></a></li><li class="next"><a
accesskey="n" href="editing-users.html"><strong>Next</strong></a></li></ul><div class="section" id="adding-users"><div class="titlepage"><div><div><h2 class="title" id="adding-users">5.2. Adding Users</h2></div></div></div><div class="para">
FreeIPA supports a wide range of <span class="property">username</span> formats, but you need to be aware of any restrictions that may apply to your particular environment. For example, a <span class="property">username</span> that starts with a digit may cause problems for some UNIX systems.
</div><div class="para">
The range of <span class="property">username</span> formats supported by FreeIPA can be described by the following regular expression:
@@ -15,7 +15,7 @@
The trailing $ symbol is permitted for Samba 3.x machine support.
</div><div class="para">
Use the <code class="command">ipa user-add</code> command to add users to FreeIPA. You can pass attributes directly on the command line, or run the command with no parameters to enter interactive mode. Interactive mode prompts you to enter the basic attributes required to add a new user. You can add further attributes using the <code class="command">ipa user-mod</code> command. Use the <code class="command">ipa user-mod --list</code> command to view a list of the attributes that you can modify using this command.
- </div><div class="procedure" id="Using_the_Command_Line-To_create_the_user_jlamb_using_the_command_line"><h6>Procedure 6.1. To create the user <code class="systemitem">jlamb</code> using the command line:</h6><ul><li class="step"><div class="para">
+ </div><div class="procedure" id="Using_the_Command_Line-To_create_the_user_jlamb_using_the_command_line"><h6>Procedure 5.1. To create the user <code class="systemitem">jlamb</code> using the command line:</h6><ul><li class="step"><div class="para">
Open a shell and run the following command:
</div><div class="para">
@@ -45,9 +45,9 @@ UID: 387115841
</div><div class="para">
Refer to the <code class="command">ipa user-add</code> help page for more information.
</div><div class="important"><div class="admonition_header"><h2>IMPORTANT</h2></div><div class="admonition"><div class="para">
- When a user is created without specifying a UID or GID number, then the user account is automatically assigned an ID number that is next available in the server or replica range. (Number ranges are described more in <a class="xref" href="Managing-Unique_UID_and_GID_Attributes.html">Section 13.3, “Managing Unique UID and GID Number Assignments”</a>.) This means that a user always has a unique number for its UID number and, if configured, for its private group.
+ When a user is created without specifying a UID or GID number, then the user account is automatically assigned an ID number that is next available in the server or replica range. (Number ranges are described more in <a class="xref" href="Managing-Unique_UID_and_GID_Attributes.html">Section 12.3, “Managing Unique UID and GID Number Assignments”</a>.) This means that a user always has a unique number for its UID number and, if configured, for its private group.
</div><div class="para">
If a number is <span class="emphasis"><em>manually</em></span> assigned to a user entry, the server does not validate that the <em class="parameter"><code>uidNumber</code></em> is unique. It will allow duplicate IDs; this is expected (though discouraged) behavior for Posix entries.
</div><div class="para">
If two entries are assigned the same ID number, only the first entry is returned in a search for that ID number. However, both entries will be returned in searches for other attributes or with <code class="command">ipa user-find --all</code>.
- </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="users.html"><strong>Prev</strong>Chapter 6. Identity: Managing Users and User Grou...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="editing-users.html"><strong>Next</strong>6.3. Editing Users</a></li></ul></body></html>
+ </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="users.html"><strong>Prev</strong>Chapter 5. Identity: Managing Users and User Grou...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="editing-users.html"><strong>Next</strong>5.3. Editing Users</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/authz.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/authz.html
index 389ac27..a91408b 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/authz.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/authz.html
@@ -1,16 +1,16 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 11. Policy: Configuring Authorization</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 10. Policy: Configuring Authorization</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="migrintg-from-nis.html" title="10.3. Migrating from NIS to IPA" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html" title="11.2. HBAC Service Groups" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href
="migrintg-from-nis.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="authz" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 11. Policy: Configuring Authorization</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="authz.html#configuring-host-access">11.1. Configuring Host-Based Access Control</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html">11.2. HBAC Service Groups</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html">11.3. HBAC Services</a></span></dt></dl></div><div class="section" id="configuring-host-access"><div class="ti
tlepage"><div><div><h2 class="title" id="configuring-host-access">11.1. Configuring Host-Based Access Control</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="migrintg-from-nis.html" title="9.3. Migrating from NIS to IPA" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html" title="10.2. HBAC Service Groups" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href=
"migrintg-from-nis.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="authz" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 10. Policy: Configuring Authorization</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="authz.html#configuring-host-access">10.1. Configuring Host-Based Access Control</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html">10.2. HBAC Service Groups</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html">10.3. HBAC Services</a></span></dt></dl></div><div class="section" id="configuring-host-access"><div class="tit
lepage"><div><div><h2 class="title" id="configuring-host-access">10.1. Configuring Host-Based Access Control</h2></div></div></div><div class="para">
Host-based access control (HBAC) uses <em class="firstterm">rules</em> to determine who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Target hosts and source hosts in HBAC rules must be hosts managed by IPA.
</div><div class="para">
You can also specify a category of users, target hosts, and source hosts. This is currently limited to "all", but might be expanded in the future.
</div><div class="para">
The available services and groups of services are controlled by the <code class="systemitem">hbacsvc</code> and <code class="systemitem">hbacsvcgroup</code> plug-ins, respectively.
- </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="migrintg-from-nis.html"><strong>Prev</strong>10.3. Migrating from NIS to IPA</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html"><strong>Next</strong>11.2. HBAC Service Groups</a></li></ul></body></html>
+ </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="migrintg-from-nis.html"><strong>Prev</strong>9.3. Migrating from NIS to IPA</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html"><strong>Next</strong>10.2. HBAC Service Groups</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/automount.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/automount.html
index f78afe6..b4f3d02 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/automount.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/automount.html
@@ -1,17 +1,17 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 8. Identity: Using Automount</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 7. Identity: Using Automount</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html" title="7.6. Kerberos Errors" /><link rel="next" href="configuring-automount.html" title="8.2. Configuring Automount" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterpris
e_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="configuring-automount.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="automount" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 8. Identity: Using Automount</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="automount.html#about-automount">8.1. About Automount and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Known_Issues_with_Automount">8.1.1. Known Issues with Automount</a></span></dt><dt><span class="section"><a href="automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Assumptions">8.1.2. Assumptions</a></span></dt></dl></dd><dt><span class="section"><a href="configuring-automount.html">8.2. Configuring Automount</a></
span></dt><dd><dl><dt><span class="section"><a href="configuring-automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_autofs_on_Linux">8.2.1. Configuring autofs on Linux</a></span></dt><dt><span class="section"><a href="configuring-automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Solaris_automount">8.2.2. Solaris automount</a></span></dt><dt><span class="section"><a href="configuring-automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_Indirect_Maps">8.2.3. Configuring Indirect Maps</a></span></dt><dt><span class="section"><a href="configuring-automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Links">8.2.4. Links</a></span></dt></dl></dd></dl></div><div class="section" id="about-automount"><div class="titlepage"><div><div><h2 class="title" id="about-automount">8.1. About Automount and IPA</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html" title="6.6. Kerberos Errors" /><link rel="next" href="configuring-automount.html" title="7.2. Configuring Automount" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterpris
e_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="configuring-automount.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="automount" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 7. Identity: Using Automount</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="automount.html#about-automount">7.1. About Automount and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Known_Issues_with_Automount">7.1.1. Known Issues with Automount</a></span></dt><dt><span class="section"><a href="automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Assumptions">7.1.2. Assumptions</a></span></dt></dl></dd><dt><span class="section"><a href="configuring-automount.html">7.2. Configuring Automount</a></
span></dt><dd><dl><dt><span class="section"><a href="configuring-automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_autofs_on_Linux">7.2.1. Configuring autofs on Linux</a></span></dt><dt><span class="section"><a href="configuring-automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Solaris_automount">7.2.2. Solaris automount</a></span></dt><dt><span class="section"><a href="configuring-automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_Indirect_Maps">7.2.3. Configuring Indirect Maps</a></span></dt><dt><span class="section"><a href="configuring-automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Links">7.2.4. Links</a></span></dt></dl></dd></dl></div><div class="section" id="about-automount"><div class="titlepage"><div><div><h2 class="title" id="about-automount">7.1. About Automount and IPA</h2></div></div></div><div class="para">
This chapter describes how to configure <code class="command">automount</code> on <code class="systemitem">Linux</code> and <code class="systemitem">Solaris</code> for use with IPA. It details the procedures and configuration changes necessary to set up <code class="command">automount</code>, the <code class="filename">auto.master</code> file and other map files used by <code class="command">autofs</code>.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Known_Issues_with_Automount"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Known_Issues_with_Automount">8.1.1. Known Issues with Automount</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Known_Issues_with_Automount-Additional_Schema_Required_for_Some_Systems"><h5 class="formalpara">Additional Schema Required for Some Systems</h5>
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Known_Issues_with_Automount"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Known_Issues_with_Automount">7.1.1. Known Issues with Automount</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Known_Issues_with_Automount-Additional_Schema_Required_for_Some_Systems"><h5 class="formalpara">Additional Schema Required for Some Systems</h5>
If you are supporting <code class="systemitem">Solaris</code> clients, you need to use the 2307bis-style <code class="command">automount</code> schema, although Sun's version is NOT identical to the one at <a href="http://people.redhat.com/nalin/schema/autofs.schema">http://people.redhat.com/nalin/schema/autofs.schema</a>.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Assumptions"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Assumptions">8.1.2. Assumptions</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Assumptions"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Assumptions">7.1.2. Assumptions</h3></div></div></div><div class="para">
In order to illustrate the <code class="command">automount</code> configuration procedures, this chapter assumes that:
<div class="itemizedlist"><ul><li class="listitem"><div class="para">
The IPA server is correctly installed and operational.
@@ -36,4 +36,4 @@
</div><pre class="programlisting">/home 192.168.1.0/16 (rw,fsid=0,insecure,no_subtree_check,sync,anonuid=65534,anongid=65534)
</pre><div class="para">
You should test that you can mount the <code class="filename">/home</code> directory from the command line before proceeding with the <code class="command">automount</code> configuration. This makes troubleshooting easier if the configuration does not work.
- </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html"><strong>Prev</strong>7.6. Kerberos Errors</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="configuring-automount.html"><strong>Next</strong>8.2. Configuring Automount</a></li></ul></body></html>
+ </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html"><strong>Prev</strong>6.6. Kerberos Errors</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="configuring-automount.html"><strong>Next</strong>7.2. Configuring Automount</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/basic-usage.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/basic-usage.html
index ed6d27b..0c607ba 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/basic-usage.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/basic-usage.html
@@ -1,14 +1,140 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 4. Basic UI Usage</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 3. Basic UI Usage</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="uninstalling-clients.html" title="3.7. Uninstalling a FreeIPA Client" /><link rel="next" href="using-the-ui.html" title="4.2. Using the FreeIPA UI" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="uninstalling-clients.html"><strong>Prev</strong></a></li><li class="next"><a
accesskey="n" href="using-the-ui.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="basic-usage" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 4. Basic UI Usage</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="basic-usage.html#ipa-ui">4.1. Looking at the FreeIPA UI</a></span></dt><dt><span class="section"><a href="using-the-ui.html">4.2. Using the FreeIPA UI</a></span></dt><dd><dl><dt><span class="section"><a href="using-the-ui.html#config-browser">4.2.1. Configuring the Browser</a></span></dt><dt><span class="section"><a href="using-the-ui.html#logging-in">4.2.2. Logging into the FreeIPA UI</a></span></dt><dt><span class="section"><a href="using-the-ui.html#Configuring_a_Browser_to_Work_with_IPA-Using_a_Browser_on_Another_System">4.2.3. Using a Browser on Another System</a></span></dt><dt><span class="section"><a href="using-the-ui.html#Enabling_UsernamePassword_Authentication_in_Your_
Browser">4.2.4. Enabling Username/Password Authentication in Your Browser</a></span></dt></dl></dd><dt><span class="section"><a href="switching-users.html">4.3. Switching Users</a></span></dt></dl></div><div class="para">
- XXXXX introXXXXXXXX
- </div><div class="section" id="ipa-ui"><div class="titlepage"><div><div><h2 class="title" id="ipa-ui">4.1. Looking at the FreeIPA UI</h2></div></div></div><div class="para">
- XXXXXXXXXXX FIX ME XXXXXXXX
- </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="uninstalling-clients.html"><strong>Prev</strong>3.7. Uninstalling a FreeIPA Client</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="using-the-ui.html"><strong>Next</strong>4.2. Using the FreeIPA UI</a></li></ul></body></html>
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="uninstalling-clients.html" title="2.7. Uninstalling a FreeIPA Client" /><link rel="next" href="switching-users.html" title="3.2. Switching Users" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="uninstalling-clients.html"><strong>Prev</strong></a></li><li class="next"><a a
ccesskey="n" href="switching-users.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="basic-usage" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 3. Basic UI Usage</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="basic-usage.html#using-the-ui">3.1. Using the FreeIPA UI</a></span></dt><dd><dl><dt><span class="section"><a href="basic-usage.html#config-browser">3.1.1. Configuring the Browser</a></span></dt><dt><span class="section"><a href="basic-usage.html#logging-in">3.1.2. Logging into the FreeIPA UI</a></span></dt><dt><span class="section"><a href="basic-usage.html#Configuring_a_Browser_to_Work_with_IPA-Using_a_Browser_on_Another_System">3.1.3. Using a Browser on Another System</a></span></dt><dt><span class="section"><a href="basic-usage.html#Enabling_UsernamePassword_Authentication_in_Your_Browser">3.1.4. Enabling Username/Password Authentication in Your Browser</a></span></dt></dl></d
d><dt><span class="section"><a href="switching-users.html">3.2. Switching Users</a></span></dt></dl></div><div class="section" id="using-the-ui"><div class="titlepage"><div><div><h2 class="title" id="using-the-ui">3.1. Using the FreeIPA UI</h2></div></div></div><div class="section" id="config-browser"><div class="titlepage"><div><div><h3 class="title" id="config-browser">3.1.1. Configuring the Browser</h3></div></div></div><div class="para">
+ Firefox can use your Kerberos credentials for authentication, but you need to specify which domains to communicate with, and using which attributes.
+ </div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ Open Firefox, and type "about:config" in the <span class="guilabel"><strong>Address Bar</strong></span>.
+ </div></li><li class="listitem"><div class="para">
+ In the <span class="guilabel"><strong>Search</strong></span> field, type "negotiate".
+ </div></li><li class="listitem"><div class="para">
+ Enter the domain names, including the preceding period (.):
+<pre class="programlisting">network.negotiate-auth.trusted-uris .example.com
+network.negotiate-auth.delegation-uris .example.com
+network.negotiate-auth.using-native-gsslib true
+</pre>
+
+ </div><div class="para">
+ If you are configuring Firefox on Microsoft Windows, make the following changes instead:
+<pre class="programlisting">network.negotiate-auth.trusted-uris .example.com
+network.auth.use-sspi false
+network.negotiate-auth.delegation-uris .example.com
+</pre>
+
+ </div></li><li class="listitem"><div class="para">
+ In Firefox, navigate to the FreeIPA server (use the fully-qualified domain name, for example, <code class="systemitem">http://ipaserver.example.com</code>). Ensure that there are no Kerberos authentication errors, and that you can see and interact with the Web interface.
+ </div></li></ol></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ Navigate to <code class="uri">http://ipa.example.com/ipa/config/ca.crt</code>
+ </div></li><li class="listitem"><div class="para">
+ Select at least the first (<span class="guilabel"><strong>Trust this CA to identify web sites</strong></span>) and third (<span class="guilabel"><strong>Trust this CA to identify software developers</strong></span>) check boxes.
+ </div></li><li class="listitem"><div class="para">
+ Click <span class="guibutton"><strong>OK</strong></span>.
+ </div><div class="informalfigure"><div class="mediaobject"><img src="images/Accept_CA_No_Exception.png" width="600" /></div></div></li></ol></div><div class="para">
+ Rather than permanently adding an exception, you can leave all boxes unchecked and click <span class="guibutton"><strong>OK</strong></span> to proceed. At this point the Kerberos authentication will fail, so you need to click the associated link and then click <span class="guibutton"><strong>Import the FreeIPA Certificate Authority</strong></span>.
+ </div><div class="formalpara" id="Using_the_Browser_Interface-Configuring_Kerberos_Authentication"><h5 class="formalpara">Configuring Kerberos Authentication</h5>
+ Use the following procedure to configure your browser for Kerberos authentication against your newly-installed domain.
+ </div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ Type "about:config" in the address bar. Accept that you will be careful.
+ </div></li><li class="listitem"><div class="para">
+ In the Search field, type "negotiate".
+ </div></li><li class="listitem"><div class="para">
+ Ensure the following lines reflect your setup. Replace "example.com" with your own FreeIPA server's domain, including the preceding period (.):
+ <div class="itemizedlist"><ul><li class="listitem"><div class="para">
+ network.negotiate-auth.trusted-uris .example.com
+ </div></li><li class="listitem"><div class="para">
+ network.negotiate-auth.delegation-uris .example.com
+ </div></li><li class="listitem"><div class="para">
+ network.negotiate-auth.using-native-gsslib true
+ </div></li></ul></div>
+
+ </div></li></ol></div><div class="formalpara" id="Using_the_Browser_Interface-Displaying_the_IPA_Homepage"><h5 class="formalpara">Displaying the FreeIPA Homepage</h5>
+ Your browser should now be fully configured and ready to connect to the FreeIPA server. In the address bar, type “localhost” or the name of the host. The FreeIPA homepage should now display. Explore this page and the links it provides, familiarize yourself with the available options, and file a bug whenever you find something is not working.
+ </div><div class="section" id="Configuring_Your_Local_Browser-Troubleshooting"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Your_Local_Browser-Troubleshooting">3.1.1.1. Troubleshooting</h4></div></div></div><div class="para">
+ If you have followed the configuration steps and Negotiate authentication is not working, you can turn on verbose logging of the authentication process, and potentially find the cause of the problem.
+ </div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ Exit the browser.
+ </div></li><li class="listitem"><div class="para">
+ Open a shell, and run the following commands:
+<pre class="screen">export NSPR_LOG_MODULES=negotiateauth:5
+export NSPR_LOG_FILE=/tmp/moz.log
+</pre>
+
+ </div><div class="para">
+ This will enable verbose logging, and all information will be logged to <code class="filename">/tmp/moz.log</code>, which may give a clue to the problem. Restart your browser from that shell, and visit the website you were unable to authenticate to earlier.
+ </div></li></ol></div><div class="formalpara" id="Troubleshooting-Analyzing_the_Symptoms"><h5 class="formalpara">Analyzing the Symptoms</h5>
+ Refer to the following symptoms and possible solutions to help resolve issues with Negotiate authentication.
+ </div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ If you receive output similar to the following:
+<pre class="screen">-1208550944[90039d0]: entering nsNegotiateAuth::GetNextToken()
+-1208550944[90039d0]: gss_init_sec_context() failed: Miscellaneous failure
+No credentials cache found
+</pre>
+ it means that you do not have any Kerberos tickets, and need to run <code class="command">kinit</code>.
+ </div></li><li class="listitem"><div class="para">
+ If you can run <code class="command">kinit</code> successfully but you are unable to authenticate, and the log file contains output similar to the following:
+<pre class="screen">-1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken()
+-1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure
+Server not found in Kerberos database
+</pre>
+ it generally indicates a Kerberos configuration problem. Ensure you have the following in the [domain_realm] section of the <code class="filename">/etc/krb5.conf</code> file:
+<pre class="screen">.example.com = EXAMPLE.COM
+example.com = EXAMPLE.COM
+</pre>
+
+ </div></li><li class="listitem"><div class="para">
+ If nothing appears in the log file it is possible that you are behind a proxy, and that proxy is removing the HTTP headers required for Negotiate authentication. Try to connect to the server using HTTPS instead, which allows the request to pass through unmodified. Then proceed to debug using the log file, as described above.
+ </div></li></ol></div></div></div><div class="section" id="logging-in"><div class="titlepage"><div><div><h3 class="title" id="logging-in">3.1.2. Logging into the FreeIPA UI</h3></div></div></div><div class="para">
+ To be able to perform any administrative task you need to authenticate to the server. During the configuration step you were prompted to create two users. The first of these, Directory Manager, is the superuser, used to perform rare, low-level tasks. The second user, admin, is used to perform normal administrative activities.
+ </div><div class="para">
+ To authenticate as the admin user:
+ </div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ Open a new terminal window. This is to ensure that all default aspects of the environment (especially paths) are set correctly.
+ </div></li><li class="listitem"><div class="para">
+ In this window, type <code class="command">kinit admin</code>.
+ </div></li><li class="listitem"><div class="para">
+ When you are prompted to enter a password, use the password that you specified during the configuration step for the admin user.
+ </div></li></ol></div><div class="para">
+ As a result of this operation you will acquire what is known as a Kerberos <span class="emphasis"><em>ticket</em></span>. You can use the <code class="command">klist</code> command to inspect the details of the ticket that you have acquired.
+ </div><div class="para">
+ You can now authenticate using the newly-created user and temporary password. Type <code class="command">kinit</code> <em class="replaceable"><code>userLogin</code></em> to log in to FreeIPA. This will prompt you for a password and then immediately request a password change.
+ </div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
+ The Kerberos client libraries used by the <code class="command">kinit</code> utility have some limitations. One of these limitations is the fact that the on-disc ticket storage is overwritten with any new invocation of <code class="command">kinit</code>. This means that if you authenticated as admin, then added aa new user, set the password and then tried to authenticate as that user, the administrator's ticket would be lost. To prevent this from happening, a special environment variable, <code class="varname">KRB5CCNAME</code>, can be used. This allows you to keep credential caches separate in different shells. Refer to the <code class="command">kinit</code> man page for more information.
+ </div></div></div><div class="para">
+ You can browse the FreeIPA man pages and help system to explore other FreeIPA commands. Please take some time to become familiar with the ways other FreeIPA objects can be created and modified.
+ </div></div><div class="section" id="Configuring_a_Browser_to_Work_with_IPA-Using_a_Browser_on_Another_System"><div class="titlepage"><div><div><h3 class="title" id="Configuring_a_Browser_to_Work_with_IPA-Using_a_Browser_on_Another_System">3.1.3. Using a Browser on Another System</h3></div></div></div><div class="para">
+ If you are unable, or prefer not, to update <code class="filename">/etc/krb5.conf</code> with the FreeIPA realm information, you can create another copy and set an appropriate environment variable. You can then run <code class="command">kinit</code> as before and use your browser to connect to FreeIPA. This is especially useful if you need to manage multiple realms, and if you have overlapping domains.
+ </div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
+ This procedure is not necessary if you use <code class="command">ipa-client-install</code> to set up your client.
+ </div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ Copy the <code class="filename">/etc/krb5.conf</code> file from the FreeIPA server to the client system. Do not overwrite the existing <code class="filename">krb5.conf</code> file. Run the following command on the FreeIPA server:
+ </div><div class="para">
+
+<pre class="screen"> # scp /etc/krb5.conf root at ipaclient:/etc/krb5_ipa.conf</pre>
+
+ </div></li><li class="listitem"><div class="para">
+ On the FreeIPA client, open a shell and run the following commands:
+<pre class="screen">$ export KRB5_CONFIG=/etc/krb5_ipa.conf
+$ kinit user at EXAMPLE.COM
+$ /usr/bin/firefox</pre>
+
+ </div></li><li class="listitem"><div class="para">
+ Configure and test Firefox.
+ </div></li></ol></div></div><div class="section" id="Enabling_UsernamePassword_Authentication_in_Your_Browser"><div class="titlepage"><div><div><h3 class="title" id="Enabling_UsernamePassword_Authentication_in_Your_Browser">3.1.4. Enabling Username/Password Authentication in Your Browser</h3></div></div></div><div class="para">
+ If Kerberos authentication fails, the browser login will also fail, preventing access to the FreeIPA web interface. You can configure FreeIPA to display a username/password authentication dialog box if this situation occurs.
+ </div><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ Edit the <code class="filename">/etc/httpd/conf.d/ipa.conf</code> file, and change the <em class="parameter"><code>KrbMethodK5Passwd</code></em> attribute from off to on.
+ </div></li><li class="listitem"><div class="para">
+ Restart the <code class="systemitem">httpd</code> service:
+<pre class="screen"># service httpd restart</pre>
+
+ </div></li></ol></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="itemizedlist"><ul><li class="listitem"><div class="para">
+ You need to perform this procedure on all of the FreeIPA servers in your deployment.
+ </div></li><li class="listitem"><div class="para">
+ This change may not be preserved between FreeIPA updates.
+ </div></li></ul></div></div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="uninstalling-clients.html"><strong>Prev</strong>2.7. Uninstalling a FreeIPA Client</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="switching-users.html"><strong>Next</strong>3.2. Switching Users</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/certs.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/certs.html
index efce36e..defd385 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/certs.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/certs.html
@@ -1,15 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>5.5. Configuring Certificate-Based Machine Authentication</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>4.5. Configuring Certificate-Based Machine Authentication</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="managing-clients.html" title="Chapter 5. Managing Clients in the FreeIPA Domain" /><link rel="prev" href="config-virt-machines.html" title="5.4. Reconfiguring Virtual Machines" /><link rel="next" href="General_Troubleshooting_Tips-Client_Problems.html" title="5.6. Client Problems" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="config-virt-machines.
html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="General_Troubleshooting_Tips-Client_Problems.html"><strong>Next</strong></a></li></ul><div class="section" id="certs"><div class="titlepage"><div><div><h2 class="title" id="certs">5.5. Configuring Certificate-Based Machine Authentication</h2></div></div></div><div class="para">
- XXXXXXXXXXX FIX ME XXXXXXXX bz646240
- </div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="managing-clients.html" title="Chapter 4. Managing Clients in the FreeIPA Domain" /><link rel="prev" href="config-virt-machines.html" title="4.4. Reconfiguring Virtual Machines" /><link rel="next" href="General_Troubleshooting_Tips-Client_Problems.html" title="4.6. Client Problems" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="config-virt-machines.
html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="General_Troubleshooting_Tips-Client_Problems.html"><strong>Next</strong></a></li></ul><div class="section" id="certs"><div class="titlepage"><div><div><h2 class="title" id="certs">4.5. Configuring Certificate-Based Machine Authentication</h2></div></div></div><div class="para">
Authentication includes machines on the network. Machine authentication is required for the FreeIPA server to trust the machine and to accept FreeIPA connections from the client software installed on that machine. After authenticating the client, the FreeIPA server can respond to its requests.
</div><div class="para">
FreeIPA supports two different approaches to machine authentication: Key Tables (or <em class="firstterm">keytabs</em>, a symmetric key resembling to some extent a user password); and Machine Certificates. FreeIPA clients use XML-RPC calls to request keytabs and certificates. Keys and certificate requests are generated on machines applying for certificates. Certificates are generated by the CA, in response to certificate requests submitted to FreeIPA and stored in FreeIPA's DS, and at the same time delivered to the machine for use in PKI machine authentication.
@@ -29,4 +27,4 @@
Machine authentication * Machines coming on the network and requesting services within the IPA realm shall be authenticated against that realm * Machine authentication credentials shall be used to provide mutual authentication/trust, encryption, and SSO capabilities for the services and applications requesting resources and accessing other services within the same IPA realm
</div><div class="para">
Note: Term "Machine" below means is either a physical host or a guest image in virtual machine. * [1.1] Integrate DNS server into the IPA server (Planned) o [1.1.1] Store DNS information in the DS (Planned) o [1.1.2] Allow IPA clients to automatically discover IPA servers (using DNS configuration) (Planned) o [1.1.3] Allow management of the DNS entries through the central IPA management console (Planned) o [1.1.4] Continue to allow IPA to function with an external DNS server (Planned) * [1.2] Policy on an IPA server shall determine the rules of the enrollment for the new machines. Options include: o [1.2.1] The machine shall automatically be registered in IPA and configured with settings that were pre-initialized (Planned) o [1.2.2] An Administrator is required to manually authenticate to the IPA server and initialize the configuration settings (Planned) * [1.3] When machine joins IPA realm the following operations shall be performed: (Planned) o [1.3.1] A unique and perm
anent identifier (machine GUID) shall be set for each machine. (Planned) o [1.3.2] Assign a kerberos principal to the machine. (Planned) o [1.3.3] Kerberos machine principal name will be administrator assigned or automatically set (Planned) o [1.3.4] Kerberos machine principal will default to the hostname (Planned) o [1.3.5] Capture attributes about the machine (Planned to some extent) + [1.3.5.1] Hostname + [1.3.5.2] Identify operating system on the machine + [1.3.5.3] In the case of administrator enrollment, the ID of the administrator o [1.3.6] Generate and provision keytab for machine authentication (Planned) o [1.3.7] Generate and provision machine certificate for the machine/VM to be used by applications and services that require PKI authentication (Planned) * [1.6] Renewal o [1.6.1] Automatically renew kerberos credential according to the centrally managed renewal policies (Planned - do it yourself instructions) o [1.6.2] Automatically renew and provision certificates
before their expiration according to the centrally managed policy (Planned) * [1.7] Allow a machine to leave the realm, de-activating the identity from IPA and destroying/revoking any certificates/keytabs. (Planned) o [1.7.1] The task of de-activating a machine from a realm should not require access (physical or network) to that client machine (Planned) o [1.7.2] Allow machine to be de-activated from IPA realm through the IPA client software (Planned) o [1.7.3] Allow machine to be re-enrolled into the IPA realm. (Planned) * [1.8] Update LDAP schema to support machine identity and related policies (Planned - but only for identity part) * [1.9] Maintain the identity of the machine or virtual machine after an upgrade of the OS including a major upgrade for example from 4 to 5. (Planned)
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="config-virt-machines.html"><strong>Prev</strong>5.4. Reconfiguring Virtual Machines</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="General_Troubleshooting_Tips-Client_Problems.html"><strong>Next</strong>5.6. Client Problems</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="config-virt-machines.html"><strong>Prev</strong>4.4. Reconfiguring Virtual Machines</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="General_Troubleshooting_Tips-Client_Problems.html"><strong>Next</strong>4.6. Client Problems</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html
index d56570e..a5efa24 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html
@@ -7,42 +7,42 @@
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="logging.html" title="13.9. FreeIPA Server Logging" /><link rel="next" href="tools-reference.html" title="Appendix B. FreeIPA Tools Reference" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="logging.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" hre
f="tools-reference.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="appendix" id="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions" lang="en-US"><div class="titlepage"><div><div><h1 class="title">Frequently Asked Questions</h1></div></div></div><div class="qandaset"><dl><dt>Q: <a href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html#id3338797">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="logging.html" title="12.9. FreeIPA Server Logging" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html" title="Appendix B. Services: Working with certmonger" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="logging.html"><strong
>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="appendix" id="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions" lang="en-US"><div class="titlepage"><div><div><h1 class="title">Frequently Asked Questions</h1></div></div></div><div class="qandaset"><dl><dt>Q: <a href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html#id3376011">
Is it possible to change the IP address of the master server?
- </a></dt><dt>Q: <a href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html#id3332554">
+ </a></dt><dt>Q: <a href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html#id3095358">
Why are there restrictions on the length of user and group names? How can I change this?
- </a></dt><dt>Q: <a href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html#id3392362">
+ </a></dt><dt>Q: <a href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html#id3399296">
What is the difference between a replica and a master server?
- </a></dt><dt>Q: <a href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html#id3172238">
+ </a></dt><dt>Q: <a href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html#id3116985">
Can I promote a replica to function as the master? How?
- </a></dt><dt>Q: <a href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html#id3226783">
+ </a></dt><dt>Q: <a href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html#id3403556">
Why does the ipa-client-install script fail to find the IPA server on a network that uses Active Directory DNS?
- </a></dt><dt>Q: <a href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html#id3285411">
+ </a></dt><dt>Q: <a href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html#id3346480">
Can an administrator who is connected to "Server B" revoke a certificate issued by "Server A"?
- </a></dt></dl><div class="qandaset"><div id="id3338797" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
+ </a></dt></dl><div class="qandaset"><div id="id3376011" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
Is it possible to change the IP address of the master server?
</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
Yes. If you are only changing the IP address then it is sufficient to update the <code class="filename">/etc/hosts</code> file, the system configuration and the DNS entry.
- </div></div></div></div><div id="id3332554" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
+ </div></div></div></div><div id="id3095358" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
Why are there restrictions on the length of user and group names? How can I change this?
</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
User and group name lengths are specified in the policy. The default maximum username length is 32 characters. The maximum configurable length for user or group names is 255 characters. This restriction was introduced because some non-Linux operating systems have limitations on the length of username that they can support.
</div><div class="para">
You can modify these settings either in the user interface or on the command line. For example, to specify the maximum username length, run the following command: <code class="command">ipa config-mod --maxusername=INT</code>
- </div></div></div></div><div id="id3392362" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
+ </div></div></div></div><div id="id3399296" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
What is the difference between a replica and a master server?
</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
The only difference between a replica and the initial IPA install (the "master") is that the first server owns the self-signed CA.
- </div></div></div></div><div id="id3172238" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
+ </div></div></div></div><div id="id3116985" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
Can I promote a replica to function as the master? How?
</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
- Yes. Refer to <a class="xref" href="promoting-replica.html">Section 13.8, “Promoting a Read-Only Replica to a FreeIPA Server”</a>.
- </div></div></div></div><div id="id3226783" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
+ Yes. Refer to <a class="xref" href="promoting-replica.html">Section 12.8, “Promoting a Read-Only Replica to a FreeIPA Server”</a>.
+ </div></div></div></div><div id="id3403556" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
Why does the <code class="command">ipa-client-install</code> script fail to find the IPA server on a network that uses Active Directory DNS?
</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
This is probably due to the fact that Active Directory has its own SRV records for Kerberos and LDAP, and so the <code class="command">ipa-client-install</code> script retrieves those records instead of any that you may have added for IPA.
- </div></div></div></div><div id="id3285411" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
+ </div></div></div></div><div id="id3346480" class="qandaentry"><div class="question"><label>Q:</label><div class="data"><div class="para">
Can an administrator who is connected to "Server B" revoke a certificate issued by "Server A"?
</div></div></div><div class="answer"><label>A:</label><div class="data"><div class="para">
Yes, assuming that Servers A and B contain non-cloned CAs whose portion of internal storage has been replicated to share revocation information only.
- </div></div></div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="logging.html"><strong>Prev</strong>13.9. FreeIPA Server Logging</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="tools-reference.html"><strong>Next</strong>Appendix B. FreeIPA Tools Reference</a></li></ul></body></html>
+ </div></div></div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="logging.html"><strong>Prev</strong>12.9. FreeIPA Server Logging</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html"><strong>Next</strong>Appendix B. Services: Working with certmonger</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html
index f01ffb5..1412d4d 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.4. Setting up FreeIPA Replicas</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>1.4. Setting up FreeIPA Replicas</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="installing-ipa.html" title="Chapter 2. Installing a FreeIPA Server" /><link rel="prev" href="creating-server.html" title="2.3. Creating a FreeIPA Server Instance" /><link rel="next" href="Uninstalling_IPA_Servers.html" title="2.5. Uninstalling FreeIPA Servers and Replicas" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="creating-server.html"><strong
>Prev</strong></a></li><li class="next"><a accesskey="n" href="Uninstalling_IPA_Servers.html"><strong>Next</strong></a></li></ul><div class="section" id="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas"><div class="titlepage"><div><div><h2 class="title" id="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas">2.4. Setting up FreeIPA Replicas</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="installing-ipa.html" title="Chapter 1. Installing a FreeIPA Server" /><link rel="prev" href="creating-server.html" title="1.3. Creating a FreeIPA Server Instance" /><link rel="next" href="Uninstalling_IPA_Servers.html" title="1.5. Uninstalling FreeIPA Servers and Replicas" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="creating-server.html"><strong
>Prev</strong></a></li><li class="next"><a accesskey="n" href="Uninstalling_IPA_Servers.html"><strong>Next</strong></a></li></ul><div class="section" id="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas"><div class="titlepage"><div><div><h2 class="title" id="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas">1.4. Setting up FreeIPA Replicas</h2></div></div></div><div class="para">
In the FreeIPA domain, there are three types of machines:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Servers, which manage all of the services used by domain members
@@ -19,17 +19,17 @@
A replica is a clone of a specific FreeIPA server. The server and replica share the same internal information about users, machines, certificates, and configured policies. These data are copied from the server to the replica in a process called <span class="emphasis"><em>replication</em></span>. The two Directory Server instances used by an FreeIPA server — the Directory Server instance used by the FreeIPA server as a data store and the Directory Server instance used by the Dogtag Certificate System to store certificate information — are replicated over to corresponding consumer Directory Server instances used by the FreeIPA replica.
</div><div class="note"><div class="admonition_header"><h2>TIP</h2></div><div class="admonition"><div class="para">
If you are using the integrated Dogtag Certificate System instance as the CA for the FreeIPA domain, then it is possible to make a replica of a replica. It is <span class="emphasis"><em>not</em></span> possible to make a replica of a replica if you use the <code class="option">--selfsign</code> option for the original FreeIPA server.
- </div></div></div><div class="section" id="installing-replica"><div class="titlepage"><div><div><h3 class="title" id="installing-replica">2.4.1. Prepping and Installing the Replica Server</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="installing-replica"><div class="titlepage"><div><div><h3 class="title" id="installing-replica">1.4.1. Prepping and Installing the Replica Server</h3></div></div></div><div class="para">
Replicas are functionally the same as FreeIPA servers, so they have the same installation requirements and packages.
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
- Make sure that the machine meets all of the prerequisites listed in <a class="xref" href="installing-ipa.html#Preparing_for_an_IPA_Installation">Section 2.1, “Preparing to Install the FreeIPA Server”</a>.
+ Make sure that the machine meets all of the prerequisites listed in <a class="xref" href="installing-ipa.html#Preparing_for_an_IPA_Installation">Section 1.1, “Preparing to Install the FreeIPA Server”</a>.
</div></li><li class="listitem"><div class="para">
- Install the server packages as in <a class="xref" href="Installing_the_IPA_Server_Packages.html">Section 2.2, “Installing the FreeIPA Server Packages”</a>. However, do <span class="emphasis"><em>not</em></span> run the <code class="command">ipa-server-install</code> script.
+ Install the server packages as in <a class="xref" href="Installing_the_IPA_Server_Packages.html">Section 1.2, “Installing the FreeIPA Server Packages”</a>. However, do <span class="emphasis"><em>not</em></span> run the <code class="command">ipa-server-install</code> script.
</div><div class="important"><div class="admonition_header"><h2>IMPORTANT</h2></div><div class="admonition"><div class="para">
The replica and the master server must be running the same version of FreeIPA.
</div></div></div></li><li class="listitem"><div class="para">
If there is an existing Dogtag Certificate System or Red Hat Certificate System instance on the replica machine, make sure that port <code class="systemitem">7389</code> is free. This port is used by the master FreeIPA server to communicate with the replica.
- </div></li></ul></div></div><div class="section" id="creating-the-replica"><div class="titlepage"><div><div><h3 class="title" id="creating-the-replica">2.4.2. Creating the Replica</h3></div></div></div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
+ </div></li></ul></div></div><div class="section" id="creating-the-replica"><div class="titlepage"><div><div><h3 class="title" id="creating-the-replica">1.4.2. Creating the Replica</h3></div></div></div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
Make sure that the replica machine exists in the server's DNS <span class="emphasis"><em>before</em></span> beginning to configure the replica. If the server cannot contact the replica machine during the configuration process, then the replica configuration fails.
</div></div></div><div class="orderedlist"><ol><li class="listitem"><div class="para">
C\On the master server, create a <span class="emphasis"><em>replica information file</em></span>. This contains realm and configuration information taken from the master server which will be used to configure the replica server.
@@ -83,7 +83,7 @@ $ ipa dnsrecord-add example.com @ --ns-rec ipareplica.example.com.</pre>
</div><div class="important"><div class="admonition_header"><h2>IMPORTANT</h2></div><div class="admonition"><div class="para">
Use the fully-qualified domain name of the replica, including the final period (.), otherwise BIND will treat the hostname as relative to the domain.
- </div></div></div></li></ol></div></div><div class="section" id="troubleshooting-replica-install"><div class="titlepage"><div><div><h3 class="title" id="troubleshooting-replica-install">2.4.3. Troubleshooting Replica Installation</h3></div></div></div><div class="para">
+ </div></div></div></li></ol></div></div><div class="section" id="troubleshooting-replica-install"><div class="titlepage"><div><div><h3 class="title" id="troubleshooting-replica-install">1.4.3. Troubleshooting Replica Installation</h3></div></div></div><div class="para">
If the replica installation fails on step 3 (<span class="bold bold"><strong>[3/11]: configuring certificate server instance</strong></span>), that usually means that the required port is not available. This can be verified by checking the debug logs for the CA, <code class="filename">/var/log/pki-ca/debug</code>, which may show error messages about being unable to find certain entries. For example:
<pre class="screen">[04/Feb/2011:22:29:03][http-9445-Processor25]: DatabasePanel
comparetAndWaitEntries ou=people,o=ipaca not found, let's wait</pre>
@@ -94,4 +94,4 @@ comparetAndWaitEntries ou=people,o=ipaca not found, let's wait</pre>
</div><div class="para">
After uninstalling the replica, ensure that port 7389 on the replica is available, and retry the replica installation.
- </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="creating-server.html"><strong>Prev</strong>2.3. Creating a FreeIPA Server Instance</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Uninstalling_IPA_Servers.html"><strong>Next</strong>2.5. Uninstalling FreeIPA Servers and Replicas</a></li></ul></body></html>
+ </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="creating-server.html"><strong>Prev</strong>1.3. Creating a FreeIPA Server Instance</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Uninstalling_IPA_Servers.html"><strong>Next</strong>1.5. Uninstalling FreeIPA Servers and Replicas</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/config-virt-machines.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/config-virt-machines.html
index 29b7436..9c5c7cb 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/config-virt-machines.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/config-virt-machines.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>5.4. Reconfiguring Virtual Machines</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>4.4. Reconfiguring Virtual Machines</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="managing-clients.html" title="Chapter 5. Managing Clients in the FreeIPA Domain" /><link rel="prev" href="renaming-machines.html" title="5.3. Renaming Machines" /><link rel="next" href="certs.html" title="5.5. Configuring Certificate-Based Machine Authentication" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="renaming-machines.html"><strong>Prev</s
trong></a></li><li class="next"><a accesskey="n" href="certs.html"><strong>Next</strong></a></li></ul><div class="section" id="config-virt-machines"><div class="titlepage"><div><div><h2 class="title" id="config-virt-machines">5.4. Reconfiguring Virtual Machines</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="managing-clients.html" title="Chapter 4. Managing Clients in the FreeIPA Domain" /><link rel="prev" href="renaming-machines.html" title="4.3. Renaming Machines" /><link rel="next" href="certs.html" title="4.5. Configuring Certificate-Based Machine Authentication" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="renaming-machines.html"><strong>Prev</s
trong></a></li><li class="next"><a accesskey="n" href="certs.html"><strong>Next</strong></a></li></ul><div class="section" id="config-virt-machines"><div class="titlepage"><div><div><h2 class="title" id="config-virt-machines">4.4. Reconfiguring Virtual Machines</h2></div></div></div><div class="para">
There are two cases where it might be necessary to reconfigure a VM enrolled in a FreeIPA domain:
<div class="itemizedlist"><ul><li class="listitem"><div class="para">
The VM is copied.
@@ -18,7 +18,7 @@
</div></li></ul></div>
</div><div class="para">
- In each case, the procedure is identical to that described for renaming a FreeIPA machine: <a class="xref" href="renaming-machines.html#proc-Enterprise_Identity_Management_Guide-Renaming_IPA_Machines-To_rename_an_IPA_machine">Procedure 5.3, “To rename a FreeIPA machine:”</a>. Although it is possible to <span class="emphasis"><em>not</em></span> completely unconfigure the client, there is no real downside to doing this (that is, running the <code class="command">ipa-client-install --uninstall</code> command).
+ In each case, the procedure is identical to that described for renaming a FreeIPA machine: <a class="xref" href="renaming-machines.html#proc-Enterprise_Identity_Management_Guide-Renaming_IPA_Machines-To_rename_an_IPA_machine">Procedure 4.3, “To rename a FreeIPA machine:”</a>. Although it is possible to <span class="emphasis"><em>not</em></span> completely unconfigure the client, there is no real downside to doing this (that is, running the <code class="command">ipa-client-install --uninstall</code> command).
</div><div class="para">
If you cannot use the <code class="command">ipa-client-install --uninstall</code> command, or it is failing for some reason, use the following manual procedure to remove the FreeIPA configuration from the client. Bear in mind, however, that this procedure cannot be undone:
</div><div class="procedure"><ol class="1"><li class="step"><div class="para">
@@ -43,4 +43,4 @@
Add the new host to FreeIPA, or re-join using administrator privileges:
<pre class="programlisting"><code class="command">$ ipa-join</code></pre>
- </div></li></ol></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="renaming-machines.html"><strong>Prev</strong>5.3. Renaming Machines</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="certs.html"><strong>Next</strong>5.5. Configuring Certificate-Based Machine Authen...</a></li></ul></body></html>
+ </div></li></ol></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="renaming-machines.html"><strong>Prev</strong>4.3. Renaming Machines</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="certs.html"><strong>Next</strong>4.5. Configuring Certificate-Based Machine Authen...</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/configuring-active-directory.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/configuring-active-directory.html
index 0a90ee2..5eb64cb 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/configuring-active-directory.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/configuring-active-directory.html
@@ -1,17 +1,17 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>9.3. Configuring Active Directory Synchronization</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>8.3. Configuring Active Directory Synchronization</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="active-directory.html" title="Chapter 9. Identity: Integrating with Microsoft Active Directory" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html" title="9.2. Setting up Active Directory" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html" title="9.4. Creating Synchronization Agreements" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs
.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html"><strong>Next</strong></a></li></ul><div class="section" id="configuring-active-directory"><div class="titlepage"><div><div><h2 class="title" id="configuring-active-directory">9.3. Configuring Active Directory Synchronization</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="active-directory.html" title="Chapter 8. Identity: Integrating with Microsoft Active Directory" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html" title="8.2. Setting up Active Directory" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html" title="8.4. Creating Synchronization Agreements" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs
.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html"><strong>Next</strong></a></li></ul><div class="section" id="configuring-active-directory"><div class="titlepage"><div><div><h2 class="title" id="configuring-active-directory">8.3. Configuring Active Directory Synchronization</h2></div></div></div><div class="para">
The Windows Sync plug-in is installed on the IPA server, and enables one-way replication of users and groups from Windows to IPA. The <code class="command">ipa-server-install</code> script automatically installs the plug-in configuration entry and enables it by default. The Windows Sync plug-in is only ever called if Windows Sync is used.
</div><div class="para">
The passsync plug-in for Windows uses a standard <code class="command">ldapmodify</code> operation to change users' passwords. These operations take effect immediately, and are still normally subject to password policy settings. When the special user used by passsync sets the password, these password policies should be bypassed and the password should not be set to immediately expire, as is the case when a normal administrator resets a user password. To achieve this, you need to add a list of passSync Manager DNs to the password plug-in configuration. These users will be exempt from password policy enforcement in the same way that the Directory Manager is exempt. This currently requires a manual configuration, as follows:
- </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Setting_up_Windows_Sync_on_the_IPA_Server-To_add_a_list_of_passSync_Manager_DNs_to_the_password_plug_in_configuration"><h6>Procedure 9.2. To add a list of passSync Manager DNs to the password plug-in configuration:</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Setting_up_Windows_Sync_on_the_IPA_Server-To_add_a_list_of_passSync_Manager_DNs_to_the_password_plug_in_configuration"><h6>Procedure 8.2. To add a list of passSync Manager DNs to the password plug-in configuration:</h6><ol class="1"><li class="step"><div class="para">
As Directory Manager, modify the entry <em class="parameter"><code>cn=ipa_pwd_extop,cn=plugins,cn=config</code></em>
</div></li><li class="step"><div class="para">
Add or update the <em class="parameter"><code>passSyncManagersDNs</code></em> attribute. This is a multi-valued list of DNs that bypass password policy.
@@ -25,4 +25,4 @@ add: passSyncManagersDNs
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
The entry <em class="parameter"><code>cn=Directory Manager</code></em> always bypasses policy and does not need to be explicitly listed.
- </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html"><strong>Prev</strong>9.2. Setting up Active Directory</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html"><strong>Next</strong>9.4. Creating Synchronization Agreements</a></li></ul></body></html>
+ </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html"><strong>Prev</strong>8.2. Setting up Active Directory</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html"><strong>Next</strong>8.4. Creating Synchronization Agreements</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
index 7710b13..af8cfd0 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/configuring-automount.html
@@ -1,19 +1,19 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>8.2. Configuring Automount</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>7.2. Configuring Automount</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="automount.html" title="Chapter 8. Identity: Using Automount" /><link rel="prev" href="automount.html" title="Chapter 8. Identity: Using Automount" /><link rel="next" href="active-directory.html" title="Chapter 9. Identity: Integrating with Microsoft Active Directory" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="automount.html"><strong>Prev</str
ong></a></li><li class="next"><a accesskey="n" href="active-directory.html"><strong>Next</strong></a></li></ul><div class="section" id="configuring-automount"><div class="titlepage"><div><div><h2 class="title" id="configuring-automount">8.2. Configuring Automount</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="automount.html" title="Chapter 7. Identity: Using Automount" /><link rel="prev" href="automount.html" title="Chapter 7. Identity: Using Automount" /><link rel="next" href="active-directory.html" title="Chapter 8. Identity: Integrating with Microsoft Active Directory" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="automount.html"><strong>Prev</str
ong></a></li><li class="next"><a accesskey="n" href="active-directory.html"><strong>Next</strong></a></li></ul><div class="section" id="configuring-automount"><div class="titlepage"><div><div><h2 class="title" id="configuring-automount">7.2. Configuring Automount</h2></div></div></div><div class="para">
IPA natively supports automount and so only minimal configuration is required. IPA 2.0 also introduces the concept of a <em class="firstterm">location</em>, which allows for different sets of maps for different purposes, or locations.
<div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
You can direct different clients to use different map sets. These map sets use a tree structure, which means that you cannot share maps between locations.
</div></div></div>
Any extra steps required for configuring automount on Linux or Solaris are described below. Refer to the <code class="command">ipa help automount</code> help page for more information and a list of available commands.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_autofs_on_Linux"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_autofs_on_Linux">8.2.1. Configuring autofs on Linux</h3></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Configuring_autofs_on_Linux-To_configure_autofs_on_Linux"><h6>Procedure 8.1. To configure autofs on Linux:</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_autofs_on_Linux"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_autofs_on_Linux">7.2.1. Configuring autofs on Linux</h3></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Configuring_autofs_on_Linux-To_configure_autofs_on_Linux"><h6>Procedure 7.1. To configure autofs on Linux:</h6><ol class="1"><li class="step"><div class="para">
Edit the <code class="filename">/etc/sysconfig/autofs</code> file as follows. This specifies the attributes that <code class="command">autofs</code> searches for:
</div><pre class="programlisting">#
# Other common LDAP naming
@@ -35,7 +35,7 @@ SEARCH_BASE="cn=<location>,cn=automount,dc=example,dc=com"
<pre class="screen"><code class="command"># service autofs restart</code></pre>
- </div></li></ol></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_autofs_on_Linux-Testing_the_Configuration"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_autofs_on_Linux-Testing_the_Configuration">8.2.1.1. Testing the Configuration</h4></div></div></div><div class="para">
+ </div></li></ol></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_autofs_on_Linux-Testing_the_Configuration"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_autofs_on_Linux-Testing_the_Configuration">7.2.1.1. Testing the Configuration</h4></div></div></div><div class="para">
Test the configuration by attempting to list a user's <code class="filename">/home</code> directory:
</div><div class="para">
@@ -43,7 +43,7 @@ SEARCH_BASE="cn=<location>,cn=automount,dc=example,dc=com"
</div><div class="para">
If this does not mount the remote file system, check the <code class="filename">/var/log/messages</code> file for errors or other indications of what the problem might be. You can also increase the debug level in the <code class="filename">/etc/sysconfig/autofs</code> file by setting the <em class="parameter"><code>LOGGING</code></em> parameter to <code class="literal">debug</code>.
- </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Solaris_automount"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Solaris_automount">8.2.2. Solaris automount</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Solaris_automount"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Solaris_automount">7.2.2. Solaris automount</h3></div></div></div><div class="para">
The following procedure describes the steps required to configure <code class="command">automount</code> for <code class="systemitem">Solaris</code>.
</div><div class="procedure"><ol class="1"><li class="step"><div class="para">
If the <code class="systemitem">NFS</code> server is running on <code class="systemitem">Linux</code>, you need to specify on the <code class="systemitem">Solaris</code> machine that NFSv3 is the maximum supported version. Edit the <code class="filename">/etc/default/nfs</code> file and set the following parameter:
@@ -68,7 +68,7 @@ SEARCH_BASE="cn=<location>,cn=automount,dc=example,dc=com"
<pre class="screen"><code class="command"># svcadm enable svc:/system/filesystem/autofs</code></pre>
- </div></li></ol></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Solaris_automount-Testing_the_Configuration"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Solaris_automount-Testing_the_Configuration">8.2.2.1. Testing the Configuration</h4></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Testing_the_Configuration-_To_test_the_automount_configuration_run_the_following_commands_"><h6>Procedure 8.2. To test the <code class="command">automount</code> configuration, run the following commands: </h6><ol class="1"><li class="step"><div class="para">
+ </div></li></ol></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Solaris_automount-Testing_the_Configuration"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Solaris_automount-Testing_the_Configuration">7.2.2.1. Testing the Configuration</h4></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Testing_the_Configuration-_To_test_the_automount_configuration_run_the_following_commands_"><h6>Procedure 7.2. To test the <code class="command">automount</code> configuration, run the following commands: </h6><ol class="1"><li class="step"><div class="para">
<pre class="screen"><code class="command"># ldapclient -l auto_master</code>
dn: automountkey=/home,automountmapname=auto.master,cn=<location>,cn=automount,dc=example,dc=com
@@ -84,7 +84,7 @@ automountInformation: auto.home
<pre class="screen"><code class="command"># ls /home/<username></code></pre>
- </div></li></ol></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_Indirect_Maps"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_Indirect_Maps">8.2.3. Configuring Indirect Maps</h3></div></div></div><div class="para">
+ </div></li></ol></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_Indirect_Maps"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_Indirect_Maps">7.2.3. Configuring Indirect Maps</h3></div></div></div><div class="para">
An indirect map defines a container for mount points. For example, if you create an indirect map <code class="filename">/share</code>, then all automount keys are relative to that map. If you define an automount key <code class="systemitem">ipauser</code>, the map would appear as <code class="filename">/share/ipauser</code>. In other words, indirect maps specify relative paths. Compare this to the absolute paths specified by direct maps.
</div><div class="para">
The following example creates an indirect map for <code class="filename">/usr/man</code> using the built-in IPA commands. This creates a single indirect map, <code class="filename">/usr/man/man1</code>, which:
@@ -94,7 +94,7 @@ automountInformation: auto.home
Adds <code class="filename">auto.man</code> to <code class="filename">auto.master</code> on the mount point <code class="filename">/usr/man</code>
</div></li><li class="listitem"><div class="para">
Adds an indirect mount of <code class="filename">man1</code> to <code class="filename">auto.man</code>
- </div></li></ul></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Configuring_Indirect_Maps-How_to_create_an_indirect_map"><h6>Procedure 8.3. How to create an indirect map:</h6><ol class="1"><li class="step"><div class="para">
+ </div></li></ul></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Configuring_Indirect_Maps-How_to_create_an_indirect_map"><h6>Procedure 7.3. How to create an indirect map:</h6><ol class="1"><li class="step"><div class="para">
Create a new location:
</div><pre class="screen"><code class="command">$ ipa automountlocation-add baltimore</code>
Location: baltimore</pre></li><li class="step"><div class="para">
@@ -117,7 +117,7 @@ automountInformation: auto.home
On <code class="systemitem">Solaris</code>, use the following arguments with the <code class="command">ldapclient</code> command:
</div><pre class="programlisting">-a serviceSearchDescriptor=auto_man:automountMapName=auto.man, \
cn=<location>,cn=automount,dc=example,dc=com?one \
-</pre><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Indirect_Maps-Configuring_Direct_Maps"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Indirect_Maps-Configuring_Direct_Maps">8.2.3.1. Configuring Direct Maps</h4></div></div></div><div class="para">
+</pre><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Indirect_Maps-Configuring_Direct_Maps"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Indirect_Maps-Configuring_Direct_Maps">7.2.3.1. Configuring Direct Maps</h4></div></div></div><div class="para">
Direct maps list exact locations to mount specified maps, for example <code class="filename">/usr/local/bin</code> or <code class="filename">/mnt</code>. That is, they specify absolute paths as mount points. Compare this to the relative paths specified by indirect maps.
</div><div class="para">
To add a direct map configuration, IPA requires a number of modifications to the <code class="filename">auto.direct</code> file. The following two entries are created during the installation process:
@@ -130,7 +130,7 @@ automountInformation: auto.home
automountMapName: auto.direct
</pre><div class="para">
Use the following procedure to add a mount to this direct map for the <code class="filename">/share</code> directory:
- </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Configuring_Direct_Maps-How_to_create_a_direct_map"><h6>Procedure 8.4. How to create a direct map:</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Configuring_Direct_Maps-How_to_create_a_direct_map"><h6>Procedure 7.4. How to create a direct map:</h6><ol class="1"><li class="step"><div class="para">
Create a new location:
</div><pre class="screen"><code class="command">$ ipa automountlocation-add brisbane</code>
Location: brisbane</pre></li><li class="step"><div class="para">
@@ -142,7 +142,7 @@ automountInformation: auto.home
On <code class="systemitem">Solaris</code>, use the following arguments with the <code class="command">ldapclient</code> command:
</div><pre class="programlisting">-a serviceSearchDescriptor=auto_direct:automountMapName=auto.direct, \
cn=<location>,cn=automount,dc=example,dc=com?one \
-</pre></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Links"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Links">8.2.4. Links</h3></div></div></div><div class="para">
+</pre></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Links"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Links">7.2.4. Links</h3></div></div></div><div class="para">
The following pages were used as references for this work:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<a href="http://efod.se/blog/archive/2006/06/27/autofs-and-ldap">http://efod.se/blog/archive/2006/06/27/autofs-and-ldap</a>
@@ -154,4 +154,4 @@ automountInformation: auto.home
<a href="http://forums.fedoraforum.org/forum/showthread.php?t=135635&highlight=autofs+ldap">http://forums.fedoraforum.org/forum/showthread.php?t=135635&highlight=autofs+ldap</a>
</div></li><li class="listitem"><div class="para">
<a href="http://blogs.sun.com/rohanpinto/entry/nis_to_ldap_migration_guide">http://blogs.sun.com/rohanpinto/entry/nis_to_ldap_migration_guide</a>
- </div></li></ul></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="automount.html"><strong>Prev</strong>Chapter 8. Identity: Using Automount</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="active-directory.html"><strong>Next</strong>Chapter 9. Identity: Integrating with Microsoft A...</a></li></ul></body></html>
+ </div></li></ul></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="automount.html"><strong>Prev</strong>Chapter 7. Identity: Using Automount</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="active-directory.html"><strong>Next</strong>Chapter 8. Identity: Integrating with Microsoft A...</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/configuring-sudo.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/configuring-sudo.html
index e91bb7d..2ff9ab3 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/configuring-sudo.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/configuring-sudo.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>12.2. Configuring sudo</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>11.2. Configuring sudo</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="sudo.html" title="Chapter 12. Policy: Using sudo" /><link rel="prev" href="sudo.html" title="Chapter 12. Policy: Using sudo" /><link rel="next" href="server-config.html" title="Chapter 13. Configuring the FreeIPA Server" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sudo.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href=
"server-config.html"><strong>Next</strong></a></li></ul><div class="section" id="configuring-sudo"><div class="titlepage"><div><div><h2 class="title" id="configuring-sudo">12.2. Configuring sudo</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="sudo.html" title="Chapter 11. Policy: Using sudo" /><link rel="prev" href="sudo.html" title="Chapter 11. Policy: Using sudo" /><link rel="next" href="server-config.html" title="Chapter 12. Configuring the FreeIPA Server" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sudo.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href=
"server-config.html"><strong>Next</strong></a></li></ul><div class="section" id="configuring-sudo"><div class="titlepage"><div><div><h2 class="title" id="configuring-sudo">11.2. Configuring sudo</h2></div></div></div><div class="para">
To fully implement Sudo rules, you need to perform various configuration steps on both the IPA server and client. You should first create a <em class="firstterm">Sudo command object</em>, and optionally create any <em class="firstterm">Sudo command groups</em>. Finally, create a <em class="firstterm">Sudo rule</em>, which should contain at least the following components:
<div class="itemizedlist"><div class="para">
One or more:
@@ -21,7 +21,7 @@
</div><div class="para">
These steps are described in detail in the following sections.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Server_Configuration_for_Sudo_Rules"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Server_Configuration_for_Sudo_Rules">12.2.1. Server Configuration for Sudo Rules</h3></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Server_Configuration_for_Sudo_Rules-How_to_configure_your_server_to_use_Sudo_rules"><h6>Procedure 12.1. How to configure your server to use Sudo rules:</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Server_Configuration_for_Sudo_Rules"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Server_Configuration_for_Sudo_Rules">11.2.1. Server Configuration for Sudo Rules</h3></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Server_Configuration_for_Sudo_Rules-How_to_configure_your_server_to_use_Sudo_rules"><h6>Procedure 11.1. How to configure your server to use Sudo rules:</h6><ol class="1"><li class="step"><div class="para">
Set up a host group, and add the client to the host group:
</div><ol class="a"><li class="step"><pre class="screen"><code class="command">$ ipa hostgroup-add bne_doc</code>
Description: BNE Documentation hosts
@@ -138,7 +138,7 @@ Number of members added 1
-------------------------
</pre>
- </div></li></ol></li></ol></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Client_Configuration_for_Sudo_Rules"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Client_Configuration_for_Sudo_Rules">12.2.2. Client Configuration for Sudo Rules</h3></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Client_Configuration_for_Sudo_Rules-How_to_configure_your_client_to_use_Sudo_rules"><h6>Procedure 12.2. How to configure your client to use Sudo rules:</h6><ol class="1"><li class="step"><div class="para">
+ </div></li></ol></li></ol></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Client_Configuration_for_Sudo_Rules"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Client_Configuration_for_Sudo_Rules">11.2.2. Client Configuration for Sudo Rules</h3></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Client_Configuration_for_Sudo_Rules-How_to_configure_your_client_to_use_Sudo_rules"><h6>Procedure 11.2. How to configure your client to use Sudo rules:</h6><ol class="1"><li class="step"><div class="para">
Configure <code class="command">sudo</code> to look to LDAP for the <code class="filename">sudoers</code> file. Add the following line to <code class="filename">/etc/nsswitch.conf</code>:
<pre class="programlisting">sudoers: ldap</pre>
@@ -171,7 +171,7 @@ timelimit 15
uri ldap://ipaserver.ipadocs.org
</pre>
<div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
- The sudo user's password in this configuration is the same password you set up in <a class="xref" href="configuring-sudo.html#proc-Enterprise_Identity_Management_Guide-Server_Configuration_for_Sudo_Rules-How_to_configure_your_server_to_use_Sudo_rules">Procedure 12.1, “How to configure your server to use Sudo rules:”</a>.
+ The sudo user's password in this configuration is the same password you set up in <a class="xref" href="configuring-sudo.html#proc-Enterprise_Identity_Management_Guide-Server_Configuration_for_Sudo_Rules-How_to_configure_your_server_to_use_Sudo_rules">Procedure 11.1, “How to configure your server to use Sudo rules:”</a>.
</div></div></div>
</div><div class="para">
@@ -186,7 +186,7 @@ uri ldap://ipaserver.ipadocs.org
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
A bug has been filed in Fedora to have this configuration requirement addressed during the boot process.
- </div></div></div></li></ol></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Client_Configuration_for_Sudo_Rules-NIS_Configuration_Notes"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Client_Configuration_for_Sudo_Rules-NIS_Configuration_Notes">12.2.2.1. NIS Configuration Notes</h4></div></div></div><div class="para">
+ </div></div></div></li></ol></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Client_Configuration_for_Sudo_Rules-NIS_Configuration_Notes"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Client_Configuration_for_Sudo_Rules-NIS_Configuration_Notes">11.2.2.1. NIS Configuration Notes</h4></div></div></div><div class="para">
Originally called <em class="firstterm">Yellow Pages (YP)</em>, NIS was created by Sun Microsystems and stands for Network Information Service. It was primarily used by UNIX to centrally manage authentication and enumeration information such as user/password, host/IP address, POSIX groups, and netgroups. NIS (the service) does not actually need to be configured on either the client or the server. Not only is it unnecessary, but might be considered a security risk if it were running. NIS is an RPC service and is insecure by today's standards, partly because:
<div class="itemizedlist"><ul><li class="listitem"><div class="para">
It provides no host authentication mechanisms
@@ -200,4 +200,4 @@ uri ldap://ipaserver.ipadocs.org
The IPA LDAP implementation provides the schema to support NIS as defined in <a href="http://tools.ietf.org/html/rfc2307">RFC 2307</a>. NIS objects are automatically created inside of LDAP and NSS_LDAP, or SSSD fetches them using an encrypted LDAP connection.
</div><div class="para">
Utilizing SSSD or NSS_LDAP, a client system can enumerate the necessary NIS information using authenticated and encrypted queries to the back end LDAP service provided by the IPA Server. This eliminates the need for NIS client configuration for systems that can support NIS using LDAP when utilizing IPA.
- </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sudo.html"><strong>Prev</strong>Chapter 12. Policy: Using sudo</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="server-config.html"><strong>Next</strong>Chapter 13. Configuring the FreeIPA Server</a></li></ul></body></html>
+ </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sudo.html"><strong>Prev</strong>Chapter 11. Policy: Using sudo</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="server-config.html"><strong>Next</strong>Chapter 12. Configuring the FreeIPA Server</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/creating-server.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/creating-server.html
index c867009..4a5c05b 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/creating-server.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/creating-server.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.3. Creating a FreeIPA Server Instance</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>1.3. Creating a FreeIPA Server Instance</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="installing-ipa.html" title="Chapter 2. Installing a FreeIPA Server" /><link rel="prev" href="Installing_the_IPA_Server_Packages.html" title="2.2. Installing the FreeIPA Server Packages" /><link rel="next" href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html" title="2.4. Setting up FreeIPA Replicas" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a
accesskey="p" href="Installing_the_IPA_Server_Packages.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html"><strong>Next</strong></a></li></ul><div class="section" id="creating-server"><div class="titlepage"><div><div><h2 class="title" id="creating-server">2.3. Creating a FreeIPA Server Instance</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="installing-ipa.html" title="Chapter 1. Installing a FreeIPA Server" /><link rel="prev" href="Installing_the_IPA_Server_Packages.html" title="1.2. Installing the FreeIPA Server Packages" /><link rel="next" href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html" title="1.4. Setting up FreeIPA Replicas" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a
accesskey="p" href="Installing_the_IPA_Server_Packages.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html"><strong>Next</strong></a></li></ul><div class="section" id="creating-server"><div class="titlepage"><div><div><h2 class="title" id="creating-server">1.3. Creating a FreeIPA Server Instance</h2></div></div></div><div class="para">
The FreeIPA setup script creates a server instance, which includes configuring all of the required services for the FreeIPA domain:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
The network time daemon (ntpd)
@@ -28,21 +28,21 @@
</div></li></ul></div><div class="para">
The FreeIPA setup process can be minimal, where the administrator only supplies some required information, or it can be very specific, with user-defined settings for many parts of the FreeIPA services. The configuration is passed using arguments with the <code class="command">ipa-install-server</code> script.
</div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
- The port numbers and directory locations used by FreeIPA are all defined automatically, as defined in <a class="xref" href="installing-ipa.html#prereq-ports">Section 2.1.3.3, “System Ports”</a> and . These ports and directories <span class="emphasis"><em>cannot</em></span> be changed or customized.
- </div></div></div><div class="section" id="install-command"><div class="titlepage"><div><div><h3 class="title" id="install-command">2.3.1. About ipa-server-install</h3></div></div></div><div class="para">
+ The port numbers and directory locations used by FreeIPA are all defined automatically, as defined in <a class="xref" href="installing-ipa.html#prereq-ports">Section 1.1.3.3, “System Ports”</a> and . These ports and directories <span class="emphasis"><em>cannot</em></span> be changed or customized.
+ </div></div></div><div class="section" id="install-command"><div class="titlepage"><div><div><h3 class="title" id="install-command">1.3.1. About ipa-server-install</h3></div></div></div><div class="para">
A FreeIPA server instance is created by running the <code class="command">ipa-server-install</code> script. This script can accept user-defined settings for services, like DNS nad Kerberos, that are used by the FreeIPA instance, or it can supply predefined values for minimal input from the administrator.
</div><div class="para">
While <code class="command">ipa-server-install</code> can be run without any options, so that it prompts for the required information, it has numerous arguments which allow the configuration process to be easily scripted or to supply additional information which is not requested during an interactive installation.
</div><div class="para">
- <a class="xref" href="creating-server.html#tab.ipa-server-install-param">Table 2.3, “ipa-server-install Options”</a> lists the possible arguments with <code class="command">ipa-server-install</code>, while <a class="xref" href="creating-server.html#install-examples">Section 2.3.3, “Examples of Creating the FreeIPA Server”</a> has examples of some common installation scenarios. In real life, the <code class="command">ipa-server-install</code> options are versatile enough to be customized to the specific deployment environment.
- </div><div class="table" id="tab.ipa-server-install-param"><h6>Table 2.3. ipa-server-install Options</h6><div class="table-contents"><table summary="ipa-server-install Options" border="1"><colgroup><col width="33%" /><col width="33%" /><col width="33%" /></colgroup><thead><tr><th>
+ <a class="xref" href="creating-server.html#tab.ipa-server-install-param">Table 1.3, “ipa-server-install Options”</a> lists the possible arguments with <code class="command">ipa-server-install</code>, while <a class="xref" href="creating-server.html#install-examples">Section 1.3.3, “Examples of Creating the FreeIPA Server”</a> has examples of some common installation scenarios. In real life, the <code class="command">ipa-server-install</code> options are versatile enough to be customized to the specific deployment environment.
+ </div><div class="table" id="tab.ipa-server-install-param"><h6>Table 1.3. ipa-server-install Options</h6><div class="table-contents"><table summary="ipa-server-install Options" border="1"><colgroup><col width="33%" /><col width="33%" /><col width="33%" /></colgroup><thead><tr><th>
Argument
</th><th>
Alternate Argument
</th><th>
Description
</th></tr></thead><tbody><tr><td colspan="3">
- <span class="bold bold"><strong>Required Options</strong></span><sup>[<a id="id3430006" href="#ftn.id3430006" class="footnote">a</a>]</sup>
+ <span class="bold bold"><strong>Required Options</strong></span><sup>[<a id="id3384004" href="#ftn.id3384004" class="footnote">a</a>]</sup>
</td></tr><tr><td>
-a <span class="emphasis"><em>ipa_admin_password</em></span>
</td><td>
@@ -223,9 +223,9 @@
</td><td>
Prints the version number of the <code class="command">ipa-server-install</code> command.
- </td></tr></tbody><tbody class="footnotes"><tr><td colspan="3"><div class="footnote"><p><sup>[<a id="ftn.id3430006" href="#id3430006" class="para">a</a>] </sup>
+ </td></tr></tbody><tbody class="footnotes"><tr><td colspan="3"><div class="footnote"><p><sup>[<a id="ftn.id3384004" href="#id3384004" class="para">a</a>] </sup>
The installation script will prompt for these options if they are not passed with the script.
- </p></div></td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="install-interactive"><div class="titlepage"><div><div><h3 class="title" id="install-interactive">2.3.2. Setting up a FreeIPA Server: Basic Interactive Installation</h3></div></div></div><div class="para">
+ </p></div></td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="install-interactive"><div class="titlepage"><div><div><h3 class="title" id="install-interactive">1.3.2. Setting up a FreeIPA Server: Basic Interactive Installation</h3></div></div></div><div class="para">
All that is required to set up a FreeIPA server is to run the <code class="command">ipa-server-install</code> script. This launchs the script interactively, which prompts for the required information to set up a server, but without more advanced configuration like DNS and CA options.
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Run the <code class="command">ipa-server-install</code> script.
@@ -311,10 +311,10 @@ Password <span class="perl_Keyword">for</span> admin at EXAMPLE.COM:</pre></li><li
Member of <span class="perl_BString">groups</span>: admins
----------------------------
Number of entries returned 1
- ----------------------------</pre></li></ol></div></div><div class="section" id="install-examples"><div class="titlepage"><div><div><h3 class="title" id="install-examples">2.3.3. Examples of Creating the FreeIPA Server</h3></div></div></div><div class="para">
+ ----------------------------</pre></li></ol></div></div><div class="section" id="install-examples"><div class="titlepage"><div><div><h3 class="title" id="install-examples">1.3.3. Examples of Creating the FreeIPA Server</h3></div></div></div><div class="para">
The way that a FreeIPA server is installed can be different depending on the network environment, security requirements within the organization, and the desired topology. These example illustrate some common options when installing the server. These examples are not mutually exclusive; it is entirely possible to use CA options, DNS options, and FreeIPA configuration options in the same server invocation. These are called out separately simply to make it more clear what each configuration area requires.
- </div><div class="section" id="install-normal"><div class="titlepage"><div><div><h4 class="title" id="install-normal">2.3.3.1. Non-Interactive Basic Installation</h4></div></div></div><div class="para">
- As shown in <a class="xref" href="creating-server.html#install-interactive">Section 2.3.2, “Setting up a FreeIPA Server: Basic Interactive Installation”</a>, only a few pieces of information are required to configured a FreeIPA server. While the setup script can prompt for this information in interactive mode, this information can also be passed with the setup command to allow automated and unattended configuration:
+ </div><div class="section" id="install-normal"><div class="titlepage"><div><div><h4 class="title" id="install-normal">1.3.3.1. Non-Interactive Basic Installation</h4></div></div></div><div class="para">
+ As shown in <a class="xref" href="creating-server.html#install-interactive">Section 1.3.2, “Setting up a FreeIPA Server: Basic Interactive Installation”</a>, only a few pieces of information are required to configured a FreeIPA server. While the setup script can prompt for this information in interactive mode, this information can also be passed with the setup command to allow automated and unattended configuration:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Passwords for the FreeIPA administrative user and the Directory Server super user (Directory Manager)
</div></li><li class="listitem"><div class="para">
@@ -325,7 +325,7 @@ Password <span class="perl_Keyword">for</span> admin at EXAMPLE.COM:</pre></li><li
The DNS domain name
</div></li></ul></div><div class="para">
This information can be passed with the <code class="command">ipa-server-install</code>, along with the <code class="option">-U</code> to force it to run without requiring user interaction.
- </div><div class="example" id="ex.basic-opts"><h6>Example 2.1. Basic Installation without Interaction</h6><div class="example-contents"><pre class="programlisting"><span class="perl_Comment"># ipa-server-install -a secret12 --hostname=ipa2.server.example.com -r EXAMPLE.COM -p secret12 -n example.com -U</span></pre><div class="para">
+ </div><div class="example" id="ex.basic-opts"><h6>Example 1.1. Basic Installation without Interaction</h6><div class="example-contents"><pre class="programlisting"><span class="perl_Comment"># ipa-server-install -a secret12 --hostname=ipa2.server.example.com -r EXAMPLE.COM -p secret12 -n example.com -U</span></pre><div class="para">
The script then prints the submitted values:
</div><pre class="programlisting">To accept the default shown in brackets, press the Enter key.
@@ -333,18 +333,18 @@ The IPA Master Server will be configured with
Hostname: ipa2.server.example.com
IP address: 1.2.3.4
Domain name: example.com</pre><div class="para">
- Then the script runs through the configuration progress for each FreeIPA service, as in <a class="xref" href="creating-server.html#install-interactive">Section 2.3.2, “Setting up a FreeIPA Server: Basic Interactive Installation”</a>.
- </div></div></div><br class="example-break" /></div><div class="section" id="install-ca-options"><div class="titlepage"><div><div><h4 class="title" id="install-ca-options">2.3.3.2. Using Different CAs</h4></div></div></div><div class="para">
+ Then the script runs through the configuration progress for each FreeIPA service, as in <a class="xref" href="creating-server.html#install-interactive">Section 1.3.2, “Setting up a FreeIPA Server: Basic Interactive Installation”</a>.
+ </div></div></div><br class="example-break" /></div><div class="section" id="install-ca-options"><div class="titlepage"><div><div><h4 class="title" id="install-ca-options">1.3.3.2. Using Different CAs</h4></div></div></div><div class="para">
The default installation of FreeIPA uses an integrated Dogtag Certificate System instance as a certificate authority to issue certificates. However, this configuration is not required. FreeIPA only requires <span class="emphasis"><em>a</em></span> certificate authority. This can be an external CA like Verisign or a corporate CA inconjunction with the internal Certificate System, or it can even be the FreeIPA server itself, using a self-signed certificate.
</div><div class="para">
For the FreeIPA server itself to work as a CA, it uses a self-signed certificate, meaning that it approved and issued its own certificate. This is done by using the <code class="option">--selfsign</code> option with the <code class="command">ipa-server-install</code> command. When the FreeIPA server uses a self-signed certificate, the setup process is exactly the same as a normal installation, except that no Dogtag Certificate System instance is created. There is still a <code class="filename">cacert.p12</code> file created that can be used by replicas and the domain functions exactly the same. The only difference is what CA issues the certificates.
- </div><div class="example" id="ex.selfsigned"><h6>Example 2.2. Using a Self-Signed Certificate</h6><div class="example-contents"><pre class="programlisting"><span class="perl_Comment"># ipa-server-install -a secret12 --hostname=ipa2.server.example.com -r EXAMPLE.COM -p secret12 -n example.com -U --selfsign</span></pre></div></div><br class="example-break" /><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
+ </div><div class="example" id="ex.selfsigned"><h6>Example 1.2. Using a Self-Signed Certificate</h6><div class="example-contents"><pre class="programlisting"><span class="perl_Comment"># ipa-server-install -a secret12 --hostname=ipa2.server.example.com -r EXAMPLE.COM -p secret12 -n example.com -U --selfsign</span></pre></div></div><br class="example-break" /><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
A self-signed certificate should only be used for a testing or development environment. A production environment should use the Dogtag Certificate System instance or an external, public CA.
</div></div></div><div class="para">
Alternatively, the FreeIPA server can use a certificate issued by an external CA. This can be a corporate CA or a third-party CA like Verisign or Thawte. As with a normal setup process, using an external CA still uses a Dogtag Certificate System instance for the FreeIPA server for issuing all of its client and replica certificates; the initial CA certificate is simply issued by a different CA.
</div><div class="para">
When using an external CA, there are two additional steps that must be performed: submit the generated certificate request to the external CA and then load the CA certificate and issued server certificate to complete the setup.
- </div><div class="example" id="ex.externalca"><h6>Example 2.3. Using an External CA</h6><div class="example-contents"><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ </div><div class="example" id="ex.externalca"><h6>Example 1.3. Using an External CA</h6><div class="example-contents"><div class="orderedlist"><ol><li class="listitem"><div class="para">
Run the <code class="command">ipa-server-install</code> script, using the <code class="option">--external-ca</code> option.
</div><pre class="programlisting"><span class="perl_Comment"># ipa-server-install -a secret12 -r EXAMPLE.COM -P password -p secret12 -n ipa.server.example.com --external-ca</span></pre></li><li class="listitem"><div class="para">
The script sets up the NTP and Directory Server services as normal.
@@ -362,12 +362,12 @@ The next step is to get /root/ipa.csr signed by your CA and re-run ipa-server-in
</div></li><li class="listitem"><div class="para">
Rerun <code class="command">ipa-server-install</code>, specifying the locations and names of the certificate and CA chain files. For example:
</div><pre class="programlisting"><span class="perl_Comment"># ipa-server-install --external_cert_file=/tmp/servercert20110601.p12 --external_ca_file=/tmp/cacert.p12</span></pre></li><li class="listitem"><div class="para">
- Complete the setup process and verify that everything is working as expected, as in <a class="xref" href="creating-server.html#install-interactive">Section 2.3.2, “Setting up a FreeIPA Server: Basic Interactive Installation”</a>.
- </div></li></ol></div></div></div><br class="example-break" /></div><div class="section" id="install-dns"><div class="titlepage"><div><div><h4 class="title" id="install-dns">2.3.3.3. Using DNS</h4></div></div></div><div class="para">
+ Complete the setup process and verify that everything is working as expected, as in <a class="xref" href="creating-server.html#install-interactive">Section 1.3.2, “Setting up a FreeIPA Server: Basic Interactive Installation”</a>.
+ </div></li></ol></div></div></div><br class="example-break" /></div><div class="section" id="install-dns"><div class="titlepage"><div><div><h4 class="title" id="install-dns">1.3.3.3. Using DNS</h4></div></div></div><div class="para">
FreeIPA can be configured to manage its own DNS, use an existing DNS, or not use DNS services at all (which is the default). Running the setup script alone does not configure DNS; this requires the <code class="option">--setup-dns</code> option.
</div><div class="para">
As with a basic setup, the DNS setup can either prompt for the required information or the DNS information can be passed with the script to allow an automatic or unattended setup process.
- </div><div class="example" id="ex.dns-w-prompts"><h6>Example 2.4. Interactive DNS Setup</h6><div class="example-contents"><div class="orderedlist"><ol><li class="listitem"><div class="para">
+ </div><div class="example" id="ex.dns-w-prompts"><h6>Example 1.4. Interactive DNS Setup</h6><div class="example-contents"><div class="orderedlist"><ol><li class="listitem"><div class="para">
Run the <code class="command">ipa-server-install</code> script, using the <code class="option">--setup-dns</code> option.
</div><pre class="programlisting"><span class="perl_Comment"># ipa-server-install -a secret12 -r EXAMPLE.COM -P password -p secret12 -n ipa.server.example.com --setup-dns</span></pre></li><li class="listitem"><div class="para">
The script configures the hostname and domain name as normal.
@@ -392,16 +392,16 @@ Configuring named:
<span class="perl_Keyword">done</span> configuring named.
==============================================================================
Setup <span class="perl_Reserved">complete</span></pre></li><li class="listitem"><div class="para">
- Verify that everything is working as expected, as in <a class="xref" href="creating-server.html#install-interactive">Section 2.3.2, “Setting up a FreeIPA Server: Basic Interactive Installation”</a>.
+ Verify that everything is working as expected, as in <a class="xref" href="creating-server.html#install-interactive">Section 1.3.2, “Setting up a FreeIPA Server: Basic Interactive Installation”</a>.
</div></li></ol></div></div></div><br class="example-break" /><div class="para">
If DNS is used with FreeIPA, then two pieces of information are required: any DNS forwarders that will be used and using (or not) reverse DNS. To perform a non-interactive setup, this information can be passed using the <code class="option">--forwarder | --no-forwarders</code> option and <code class="option">--no-reverse</code> option.
- </div><div class="example" id="ex.dns-script"><h6>Example 2.5. Setting up DNS Non-Interactively</h6><div class="example-contents"><div class="para">
+ </div><div class="example" id="ex.dns-script"><h6>Example 1.5. Setting up DNS Non-Interactively</h6><div class="example-contents"><div class="para">
To use DNS always requires the <code class="option">--setup-dns</code>. To user forwarders, use the <code class="option">--forwarder</code> with a comma-separated list of forwarders.
</div><pre class="programlisting"><span class="perl_Comment"># ipa-server-install ... --setup-dns --forwarder=1.2.3.0,1.2.255.0</span></pre><div class="para">
Some kind of forwarder information is required. If no external forwarders will be used with the FreeIPA DNS service, then use the <code class="option">--no-forwarders</code> option to indicate that only root servers will be used.
</div><div class="para">
The script always assumes that reverse DNS is configured along with DNS, so it is not necessary to use any options to <span class="emphasis"><em>enable</em></span> reverse DNS. To disable reverse DNS, use the <code class="option">--no-reverse</code> option.
- </div><pre class="programlisting"><span class="perl_Comment"># ipa-server-install ... --setup-dns --no-reverse</span></pre></div></div><br class="example-break" /></div></div><div class="section" id="troubleshooting-install"><div class="titlepage"><div><div><h3 class="title" id="troubleshooting-install">2.3.4. Troubleshooting Installation Problems</h3></div></div></div><div class="formalpara"><h5 class="formalpara" id="id3404734">GSS Failures When Running IPA Commands</h5>
+ </div><pre class="programlisting"><span class="perl_Comment"># ipa-server-install ... --setup-dns --no-reverse</span></pre></div></div><br class="example-break" /></div></div><div class="section" id="troubleshooting-install"><div class="titlepage"><div><div><h3 class="title" id="troubleshooting-install">1.3.4. Troubleshooting Installation Problems</h3></div></div></div><div class="formalpara"><h5 class="formalpara" id="id3351450">GSS Failures When Running IPA Commands</h5>
Immediately after installation, there can be Kerberos problems when trying to run an <code class="command">ipa-*</code> command. For example:
</div><pre class="programlisting">ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('Decrypt integrity check failed', -1765328353)</pre><div class="para">
There are two potential causes for this:
@@ -409,7 +409,7 @@ Setup <span class="perl_Reserved">complete</span></pre></li><li class="listitem"
DNS is not properly configured.
</div></li><li class="listitem"><div class="para">
Active Directory is in the same domain as the FreeIPA server.
- </div></li></ul></div><div class="formalpara"><h5 class="formalpara" id="id3404783">named Daemon Fails to Start</h5>
+ </div></li></ul></div><div class="formalpara"><h5 class="formalpara" id="id3033862">named Daemon Fails to Start</h5>
If a FreeIPA server is configured to manage DNS and is set up successfully, but the <code class="systemitem">named</code> service fails to start, this can indicate that there is a package conflict. Check the <code class="filename">/var/log/messages</code> file for error messages related to the <code class="command">named</code> service and the <code class="filename">ldap.so</code> library:
</div><pre class="screen">ipaserver named[6886]: failed to dynamically load driver 'ldap.so': libldap-2.4.so.2: cannot open shared object file: No such file or directory</pre><div class="para">
This usually means that the <span class="package">bind-chroot</span> package is installed and is preventing the <code class="systemitem">named</code> service from starting. To resolve this issue, remove the <span class="package">bind-chroot</span> package and then restart the FreeIPA server.
@@ -417,4 +417,4 @@ Setup <span class="perl_Reserved">complete</span></pre></li><li class="listitem"
<span class="perl_Comment"></span>
<span class="perl_Comment"># ipactl restart</span></pre>
- </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Installing_the_IPA_Server_Packages.html"><strong>Prev</strong>2.2. Installing the FreeIPA Server Packages</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html"><strong>Next</strong>2.4. Setting up FreeIPA Replicas</a></li></ul></body></html>
+ </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Installing_the_IPA_Server_Packages.html"><strong>Prev</strong>1.2. Installing the FreeIPA Server Packages</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html"><strong>Next</strong>1.4. Setting up FreeIPA Replicas</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html
index 987326c..d4f32ab 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>13.2. Disabling Anonymous Binds</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>12.2. Disabling Anonymous Binds</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="server-config.html" title="Chapter 13. Configuring the FreeIPA Server" /><link rel="prev" href="server-config.html" title="Chapter 13. Configuring the FreeIPA Server" /><link rel="next" href="Managing-Unique_UID_and_GID_Attributes.html" title="13.3. Managing Unique UID and GID Number Assignments" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="serv
er-config.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Managing-Unique_UID_and_GID_Attributes.html"><strong>Next</strong></a></li></ul><div class="section" id="disabling-anon-binds"><div class="titlepage"><div><div><h2 class="title" id="disabling-anon-binds">13.2. Disabling Anonymous Binds</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="server-config.html" title="Chapter 12. Configuring the FreeIPA Server" /><link rel="prev" href="server-config.html" title="Chapter 12. Configuring the FreeIPA Server" /><link rel="next" href="Managing-Unique_UID_and_GID_Attributes.html" title="12.3. Managing Unique UID and GID Number Assignments" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="serv
er-config.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Managing-Unique_UID_and_GID_Attributes.html"><strong>Next</strong></a></li></ul><div class="section" id="disabling-anon-binds"><div class="titlepage"><div><div><h2 class="title" id="disabling-anon-binds">12.2. Disabling Anonymous Binds</h2></div></div></div><div class="para">
Even though the XML-RPC and WebUI always require authentication, the default FreeIPA configuration allows anonymous binds to the LDAP port by anyone in the same domain as the FreeIPA server, and consequent retrieval of a range of data, including user, group, netgroup, host, host group, and service records. This is generally considered insecure, and some RFC standards require that it be disabled to achieve compliance. With anonymous binds disabled, all connections to the directory server need to provide a valid identity.
</div><div class="para">
To disable anonymous binds, perform this LDAP modification:
@@ -20,4 +20,4 @@ nsslapd-allow-anonymous-access: off
# service dirsrv restart</pre>
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="server-config.html"><strong>Prev</strong>Chapter 13. Configuring the FreeIPA Server</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Managing-Unique_UID_and_GID_Attributes.html"><strong>Next</strong>13.3. Managing Unique UID and GID Number Assignme...</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="server-config.html"><strong>Prev</strong>Chapter 12. Configuring the FreeIPA Server</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Managing-Unique_UID_and_GID_Attributes.html"><strong>Next</strong>12.3. Managing Unique UID and GID Number Assignme...</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/doc-history.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/doc-history.html
index 84c3518..2c663f7 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/doc-history.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/doc-history.html
@@ -7,10 +7,10 @@
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="Preface.html" title="Preface" /><link rel="prev" href="feedback.html" title="3. Giving Feedback" /><link rel="next" href="introduction.html" title="Chapter 1. Introduction to FreeIPA" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="feedback.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="introduction.html"><strong>Next</st
rong></a></li></ul><div xml:lang="en-US" class="section" id="doc-history" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="doc-history">4. Document Change History</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="Preface.html" title="Preface" /><link rel="prev" href="feedback.html" title="3. Giving Feedback" /><link rel="next" href="installing-ipa.html" title="Chapter 1. Installing a FreeIPA Server" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="feedback.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="installing-ipa.html"><strong>
Next</strong></a></li></ul><div xml:lang="en-US" class="section" id="doc-history" lang="en-US"><div class="titlepage"><div><div><h2 class="title" id="doc-history">4. Document Change History</h2></div></div></div><div class="para">
<div class="revhistory"><table border="0" width="100%" summary="Revision history"><tr><th align="left" valign="top" colspan="3"><b>Revision History</b></th></tr><tr><td align="left">Revision 2.1.0-1</td><td align="left">May 10, 2011</td><td align="left"><span class="author"><span class="firstname">Ella Deon</span> <span class="surname">Lackey</span></span></td></tr><tr><td align="left" colspan="3">
<table border="0" summary="Simple list" class="simplelist"><tr><td>Beginning draft for the Fedora docs project.</td></tr></table>
</td></tr></table></div>
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="feedback.html"><strong>Prev</strong>3. Giving Feedback</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="introduction.html"><strong>Next</strong>Chapter 1. Introduction to FreeIPA</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="feedback.html"><strong>Prev</strong>3. Giving Feedback</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="installing-ipa.html"><strong>Next</strong>Chapter 1. Installing a FreeIPA Server</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/editing-users.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/editing-users.html
index a01e3f3..4618c9d 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/editing-users.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/editing-users.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>6.3. Editing Users</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>5.3. Editing Users</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 6. Identity: Managing Users and User Groups" /><link rel="prev" href="adding-users.html" title="6.2. Adding Users" /><link rel="next" href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html" title="6.4. Activating and Deactivating User Accounts" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="adding-user
s.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html"><strong>Next</strong></a></li></ul><div class="section" id="editing-users"><div class="titlepage"><div><div><h2 class="title" id="editing-users">6.3. Editing Users</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 5. Identity: Managing Users and User Groups" /><link rel="prev" href="adding-users.html" title="5.2. Adding Users" /><link rel="next" href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html" title="5.4. Activating and Deactivating User Accounts" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="adding-user
s.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html"><strong>Next</strong></a></li></ul><div class="section" id="editing-users"><div class="titlepage"><div><div><h2 class="title" id="editing-users">5.3. Editing Users</h2></div></div></div><div class="para">
Use the <code class="command">ipa user-mod</code> command to modify user account details, such as adding, removing or changing attributes. Refer to the following examples:
</div><div class="para">
To update attributes for the user <code class="systemitem">jsmith</code>:
@@ -15,4 +15,4 @@
To retrieve a list of attributes for a user:
</div><pre class="screen">$ ipa user-show --raw <em class="replaceable"><code>userName</code></em></pre><div class="para">
The list of attributes corresponds to those available in the web interface, not including any custom attributes that may have been defined.
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="adding-users.html"><strong>Prev</strong>6.2. Adding Users</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html"><strong>Next</strong>6.4. Activating and Deactivating User Accounts</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="adding-users.html"><strong>Prev</strong>5.2. Adding Users</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html"><strong>Next</strong>5.4. Activating and Deactivating User Accounts</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/enrolling-machines.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/enrolling-machines.html
index 53f03dc..8ee82ab 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/enrolling-machines.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/enrolling-machines.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>5.2. Enrolling Machines</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>4.2. Enrolling Machines</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="managing-clients.html" title="Chapter 5. Managing Clients in the FreeIPA Domain" /><link rel="prev" href="managing-clients.html" title="Chapter 5. Managing Clients in the FreeIPA Domain" /><link rel="next" href="renaming-machines.html" title="5.3. Renaming Machines" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="managing-clients.html"><strong>Prev
</strong></a></li><li class="next"><a accesskey="n" href="renaming-machines.html"><strong>Next</strong></a></li></ul><div class="section" id="enrolling-machines"><div class="titlepage"><div><div><h2 class="title" id="enrolling-machines">5.2. Enrolling Machines</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="managing-clients.html" title="Chapter 4. Managing Clients in the FreeIPA Domain" /><link rel="prev" href="managing-clients.html" title="Chapter 4. Managing Clients in the FreeIPA Domain" /><link rel="next" href="renaming-machines.html" title="4.3. Renaming Machines" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="managing-clients.html"><strong>Prev
</strong></a></li><li class="next"><a accesskey="n" href="renaming-machines.html"><strong>Next</strong></a></li></ul><div class="section" id="enrolling-machines"><div class="titlepage"><div><div><h2 class="title" id="enrolling-machines">4.2. Enrolling Machines</h2></div></div></div><div class="para">
Enrollment is the process whereby a host entry is created and saved in the directory server, and a keytab for that host entry is generated on the server and provisioned to the client. This keytab is saved with specific ownership and permission properties in a specific directory on the client.
</div><div class="para">
With the host entry successfully created and the keytab in place, enrollment is complete and the client machine can now automatically connect to and communicate with the FreeIPA server.
@@ -25,7 +25,7 @@
</div><div class="para">
These are examined in more detail below.
- </div><div class="section" id="Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator"><div class="titlepage"><div><div><h3 class="title" id="Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator">5.2.1. Manual Host Enrollment with Privileged Administrator</h3></div></div></div><div class="para">
+ </div><div class="section" id="Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator"><div class="titlepage"><div><div><h3 class="title" id="Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator">4.2.1. Manual Host Enrollment with Privileged Administrator</h3></div></div></div><div class="para">
This scenario implements the following sequence of operations:
<div class="orderedlist"><ol><li class="listitem"><div class="para">
The Administrator logs into the machine that they want to enroll with FreeIPA.
@@ -48,8 +48,8 @@
</div><div class="para">
At this stage the enrollment is complete and the machine can now automatically connect to and communicate with the FreeIPA server.
- </div></div><div class="section" id="Enrollment_Scenarios-Manual_Host_Enrollment_with_Separation_of_Duties"><div class="titlepage"><div><div><h3 class="title" id="Enrollment_Scenarios-Manual_Host_Enrollment_with_Separation_of_Duties">5.2.2. Manual Host Enrollment with Separation of Duties</h3></div></div></div><div class="para">
- This scenario assumes that there are different administrators with different levels of privileges regarding host-related operations. One administrator (A) can add and edit host entries, and thus enroll the hosts as described in <a class="xref" href="enrolling-machines.html#Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator">Section 5.2.1, “Manual Host Enrollment with Privileged Administrator”</a>. The second administrator (B) has insufficient permissions to create host entries, but is allowed to enroll machines. The following sequence of operations is engaged:
+ </div></div><div class="section" id="Enrollment_Scenarios-Manual_Host_Enrollment_with_Separation_of_Duties"><div class="titlepage"><div><div><h3 class="title" id="Enrollment_Scenarios-Manual_Host_Enrollment_with_Separation_of_Duties">4.2.2. Manual Host Enrollment with Separation of Duties</h3></div></div></div><div class="para">
+ This scenario assumes that there are different administrators with different levels of privileges regarding host-related operations. One administrator (A) can add and edit host entries, and thus enroll the hosts as described in <a class="xref" href="enrolling-machines.html#Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator">Section 4.2.1, “Manual Host Enrollment with Privileged Administrator”</a>. The second administrator (B) has insufficient permissions to create host entries, but is allowed to enroll machines. The following sequence of operations is engaged:
</div><div class="orderedlist"><ol><li class="listitem"><div class="para">
Administrator A authorizes enrollment of a host by creating the host entry in the back end using the webUI or command-line script.
</div></li><li class="listitem"><div class="para">
@@ -67,7 +67,7 @@
The keytab is saved with <code class="systemitem">root:root</code> ownership and 0600 permissions, and in a specific directory on the client machine.
</div></li></ol></div><div class="para">
At this stage the enrollment is complete and the machine can now automatically connect to and communicate with the FreeIPA server.
- </div></div><div class="section" id="Enrollment_Scenarios-Bulk_Host_Deployment"><div class="titlepage"><div><div><h3 class="title" id="Enrollment_Scenarios-Bulk_Host_Deployment">5.2.3. Bulk Host Deployment</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="Enrollment_Scenarios-Bulk_Host_Deployment"><div class="titlepage"><div><div><h3 class="title" id="Enrollment_Scenarios-Bulk_Host_Deployment">4.2.3. Bulk Host Deployment</h3></div></div></div><div class="para">
This scenario is very useful for automatic provisioning of multiple hosts (or virtual machines). In this scenario you can pre-create a number of hosts on the FreeIPA server and set passwords on them. You can use your kickstart operation to perform the enrollment. For example, the <span class="application"><strong>cobbler</strong></span> utility makes this relatively easy because you can store variables in the <span class="application"><strong>cobbler</strong></span> system configuration.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
There are two ways to set the password. You can either supply your own or have FreeIPA generate a random one.
@@ -99,4 +99,4 @@
</div></li><li class="listitem"><div class="para">
Because the password is set to expire, the Kerberos keytab will be generated and the password attribute cleared.
- </div></li></ol></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="managing-clients.html"><strong>Prev</strong>Chapter 5. Managing Clients in the FreeIPA Domain</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="renaming-machines.html"><strong>Next</strong>5.3. Renaming Machines</a></li></ul></body></html>
+ </div></li></ol></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="managing-clients.html"><strong>Prev</strong>Chapter 4. Managing Clients in the FreeIPA Domain</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="renaming-machines.html"><strong>Next</strong>4.3. Renaming Machines</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/index.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/index.html
index 6369c7d..6d7e563 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/index.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/index.html
@@ -7,10 +7,10 @@
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="next" href="Preface.html" title="Preface" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"></li><li class="next"><a accesskey="n" href="Preface.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="book" id="id4457317" lang="en-US"><div class="titlepage"><div><div class="producttitle"><span class="productname">Fedora</span> <span class="productnumber">15</span></div><div
><h1 id="id4457317" class="title">FreeIPA: Identity/Policy Management</h1></div><div><h2 class="subtitle">Managing Identity and Authorization Policies for Linux-Based Enterprise Networks</h2></div><p class="edition">Edition 0.1</p><div><h3 class="corpauthor">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="next" href="Preface.html" title="Preface" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"></li><li class="next"><a accesskey="n" href="Preface.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="book" id="id4397292" lang="en-US"><div class="titlepage"><div><div class="producttitle"><span class="productname">Fedora</span> <span class="productnumber">15</span></div><div
><h1 id="id4397292" class="title">FreeIPA: Identity/Policy Management</h1></div><div><h2 class="subtitle">Managing Identity and Authorization Policies for Linux-Based Enterprise Networks</h2></div><p class="edition">Edition 0.1</p><div><h3 class="corpauthor">
<span class="inlinemediaobject"><object data="Common_Content/images/title_logo.svg" type="image/svg+xml"> </object></span>
- </h3></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Ella Deon</span> <span class="surname">Lackey</span></h3><code class="email"><a class="email" href="mailto:dlackey at redhat.com">dlackey at redhat.com</a></code></div></div></div><hr /><div><div id="id3117807" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
+ </h3></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Ella Deon</span> <span class="surname">Lackey</span></h3><code class="email"><a class="email" href="mailto:dlackey at redhat.com">dlackey at redhat.com</a></code></div></div></div><hr /><div><div id="id3269629" class="legalnotice"><h1 class="legalnotice">Legal Notice</h1><div class="para">
Copyright <span class="trademark"></span>© 2011 Red Hat.
</div><div class="para">
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at <a href="http://creativecommons.org/licenses/by-sa/3.0/">http://creativecommons.org/licenses/by-sa/3.0/</a>. The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
@@ -26,4 +26,4 @@
All other trademarks are the property of their respective owners.
</div></div></div><div><div class="abstract"><h6>Abstract</h6><div class="para">
Identity and policy management — for both users and machines — is a core function for almost any enterprise environment. IPA provides a way to create an identity domain that allows machines to enroll to a domain and immediately access identity information reuqired for single sign-on and authentication services, as well as policy settings that govern authorization and access. This manual covers all aspects of installing, configuring, and managing IPA domains, including both servers and clients. This guide is intended for IT and systems administrators.
- </div></div></div></div><hr /></div><div class="toc"><dl><dt><span class="preface"><a href="Preface.html">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="Preface.html#audience">1. Audience and Purpose</a></span></dt><dt><span class="section"><a href="Document_Conventions.html">2. Examples and Formatting</a></span></dt><dd><dl><dt><span class="section"><a href="Document_Conventions.html#bracketsexamples">2.1. Brackets</a></span></dt><dt><span class="section"><a href="Document_Conventions.html#tool-locations">2.2. Client Tool Information</a></span></dt><dt><span class="section"><a href="Document_Conventions.html#guide-formatting">2.3. Text Formatting and Styles</a></span></dt></dl></dd><dt><span class="section"><a href="feedback.html">3. Giving Feedback</a></span></dt><dt><span class="section"><a href="doc-history.html">4. Document Change History</a></span></dt></dl></dd><dt><span class="chapter"><a href="introduction.html">1. Introduction to FreeIPA</a></s
pan></dt><dd><dl><dt><span class="section"><a href="introduction.html#ipa-v-ldap">1.1. FreeIPA v. LDAP: A More Focused Type of Service</a></span></dt><dt><span class="section"><a href="ipa-domains.html">1.2. About FreeIPA Domains</a></span></dt><dd><dl><dt><span class="section"><a href="ipa-domains.html#The_IPA_Core">1.2.1. The FreeIPA Server</a></span></dt><dt><span class="section"><a href="ipa-domains.html#IPA_Managed_Hosts">1.2.2. FreeIPA Managed Hosts</a></span></dt><dt><span class="section"><a href="ipa-domains.html#external-work">1.2.3. Integration with Non-Fedora Services</a></span></dt></dl></dd><dt><span class="section"><a href="ipa-components.html">1.3. Identity Management: Authentication</a></span></dt><dt><span class="section"><a href="policy.html">1.4. Defining Policies: Authorization</a></span></dt></dl></dd><dt><span class="chapter"><a href="installing-ipa.html">2. Installing a FreeIPA Server</a></span></dt><dd><dl><dt><span class="section"><a href="installing
-ipa.html#Preparing_for_an_IPA_Installation">2.1. Preparing to Install the FreeIPA Server</a></span></dt><dd><dl><dt><span class="section"><a href="installing-ipa.html#sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Hardware_Requirements">2.1.1. Hardware Requirements</a></span></dt><dt><span class="section"><a href="installing-ipa.html#sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Software_Requirements">2.1.2. Software Requirements</a></span></dt><dt><span class="section"><a href="installing-ipa.html#prerequisites">2.1.3. System Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="Installing_the_IPA_Server_Packages.html">2.2. Installing the FreeIPA Server Packages</a></span></dt><dt><span class="section"><a href="creating-server.html">2.3. Creating a FreeIPA Server Instance</a></span></dt><dd><dl><dt><span class="section"><a href="creating-server.html#install-command">2.3.1. About ipa-server-insta
ll</a></span></dt><dt><span class="section"><a href="creating-server.html#install-interactive">2.3.2. Setting up a FreeIPA Server: Basic Interactive Installation</a></span></dt><dt><span class="section"><a href="creating-server.html#install-examples">2.3.3. Examples of Creating the FreeIPA Server</a></span></dt><dt><span class="section"><a href="creating-server.html#troubleshooting-install">2.3.4. Troubleshooting Installation Problems</a></span></dt></dl></dd><dt><span class="section"><a href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html">2.4. Setting up FreeIPA Replicas</a></span></dt><dd><dl><dt><span class="section"><a href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html#installing-replica">2.4.1. Prepping and Installing the Replica Server</a></span></dt><dt><span class="section"><a href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html#creating-the-replica">2.4.2. Creating the Replica</a></span></dt>
<dt><span class="section"><a href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html#troubleshooting-replica-install">2.4.3. Troubleshooting Replica Installation</a></span></dt></dl></dd><dt><span class="section"><a href="Uninstalling_IPA_Servers.html">2.5. Uninstalling FreeIPA Servers and Replicas</a></span></dt></dl></dd><dt><span class="chapter"><a href="setting-up-clients.html">3. Setting up Systems as FreeIPA Clients</a></span></dt><dd><dl><dt><span class="section"><a href="setting-up-clients.html#what-happens-clients">3.1. What Happens in Client Setup</a></span></dt><dt><span class="section"><a href="Configuring_Microsoft_Windows.html">3.2. Configuring a Microsoft Windows System as a FreeIPA Client</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Solaris.html">3.3. Configuring a Solaris System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Solaris.html#Configu
ring_an_IPA_Client_on_Solaris_10">3.3.1. Configuring Solaris 10</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9">3.3.2. Configuring Solaris 9</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html">3.4. Configuring an HP-UX System as a FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_an_IPA_Client_on_HP_UX-Configuring_NTP">3.4.1. Configuring NTP</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_an_IPA_Client_on_HP_UX-Configuring_LDAP_Authentication">3.4.2. Configuring LDAP Authentication</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_Kerberos_and_PAM-Configuring_Kerberos">3.4.3. Configuring Kerberos</a></span></dt><dt><span class="section">
<a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_Kerberos_and_PAM-Configuring_PAM">3.4.4. Configuring PAM</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_an_IPA_Client_on_HP_UX-Configuring_SSH">3.4.5. Configuring SSH</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_an_IPA_Client_on_HP_UX-Configuring_Access_Control">3.4.6. Configuring Access Control</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#hp-test">3.4.7. Testing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_an_IPA_Client_on_AIX.html">3.5. Configuring an AIX System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_an_IPA_Client_on_AIX.html#Configuring_an_IPA_Client_on_AIX-Prerequisites">3.5.1. Prerequisites</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Cli
ent_on_AIX.html#Configuring_an_IPA_Client_on_AIX-Configuring_Client_Authentication">3.5.2. Configuring the AIX Client</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html">3.6. Configuring a Macintosh OS X System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_Kerberos_Authentication">3.6.1. Configuring Kerberos Authentication</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_LDAP_Authorization">3.6.2. Configuring LDAP Authorization</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_the_LDAP_Authorization_Options">3.6.3. Configuring the LDAP Authorization Options</a></span></dt><dt>
<span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_NTP">3.6.4. Configuring NTP</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#testing-config-on-mac">3.6.5. Testing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="uninstalling-clients.html">3.7. Uninstalling a FreeIPA Client</a></span></dt></dl></dd><dt><span class="chapter"><a href="basic-usage.html">4. Basic UI Usage</a></span></dt><dd><dl><dt><span class="section"><a href="basic-usage.html#ipa-ui">4.1. Looking at the FreeIPA UI</a></span></dt><dt><span class="section"><a href="using-the-ui.html">4.2. Using the FreeIPA UI</a></span></dt><dd><dl><dt><span class="section"><a href="using-the-ui.html#config-browser">4.2.1. Configuring the Browser</a></span></dt><dt><span class="section"><a href="using-the-ui.html#logging-in">4.2.2. Logging into the FreeIPA UI</a></
span></dt><dt><span class="section"><a href="using-the-ui.html#Configuring_a_Browser_to_Work_with_IPA-Using_a_Browser_on_Another_System">4.2.3. Using a Browser on Another System</a></span></dt><dt><span class="section"><a href="using-the-ui.html#Enabling_UsernamePassword_Authentication_in_Your_Browser">4.2.4. Enabling Username/Password Authentication in Your Browser</a></span></dt></dl></dd><dt><span class="section"><a href="switching-users.html">4.3. Switching Users</a></span></dt></dl></dd><dt><span class="chapter"><a href="managing-clients.html">5. Managing Clients in the FreeIPA Domain</a></span></dt><dd><dl><dt><span class="section"><a href="managing-clients.html#IPA_Command_Line_Tools-Working_with_DNS">5.1. Working with DNS</a></span></dt><dd><dl><dt><span class="section"><a href="managing-clients.html#Working_with_DNS-Adding_Hosts_to_an_IPA_DNS">5.1.1. Adding Hosts to a FreeIPA DNS</a></span></dt><dt><span class="section"><a href="managing-clients.html#Working_with_DN
S-Removing_Hosts_from_an_IPA_DNS">5.1.2. Removing Hosts from a FreeIPA DNS</a></span></dt><dt><span class="section"><a href="managing-clients.html#Working_with_DNS-Managing_DNS_Zones">5.1.3. Managing DNS Zones</a></span></dt></dl></dd><dt><span class="section"><a href="enrolling-machines.html">5.2. Enrolling Machines</a></span></dt><dd><dl><dt><span class="section"><a href="enrolling-machines.html#Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator">5.2.1. Manual Host Enrollment with Privileged Administrator</a></span></dt><dt><span class="section"><a href="enrolling-machines.html#Enrollment_Scenarios-Manual_Host_Enrollment_with_Separation_of_Duties">5.2.2. Manual Host Enrollment with Separation of Duties</a></span></dt><dt><span class="section"><a href="enrolling-machines.html#Enrollment_Scenarios-Bulk_Host_Deployment">5.2.3. Bulk Host Deployment</a></span></dt></dl></dd><dt><span class="section"><a href="renaming-machines.html">5.3. Renaming Machines<
/a></span></dt><dt><span class="section"><a href="config-virt-machines.html">5.4. Reconfiguring Virtual Machines</a></span></dt><dt><span class="section"><a href="certs.html">5.5. Configuring Certificate-Based Machine Authentication</a></span></dt><dt><span class="section"><a href="General_Troubleshooting_Tips-Client_Problems.html">5.6. Client Problems</a></span></dt></dl></dd><dt><span class="chapter"><a href="users.html">6. Identity: Managing Users and User Groups</a></span></dt><dd><dl><dt><span class="section"><a href="users.html#home-directories">6.1. Managing User Home Directories</a></span></dt><dt><span class="section"><a href="adding-users.html">6.2. Adding Users</a></span></dt><dt><span class="section"><a href="editing-users.html">6.3. Editing Users</a></span></dt><dt><span class="section"><a href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html">6.4. Activating and Deactivating User Accounts</a></span></dt><dd><dl><dt><span class="section"><a
href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html#Activating_and_Deactivating_User_Accounts-Using_the_Command_Line">6.4.1. Using the Command Line</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_IPA_Users-Specifying_Default_User_Settings.html">6.5. Specifying Default User Settings</a></span></dt><dt><span class="section"><a href="search-limits.html">6.6. Setting Default Search Limits</a></span></dt><dt><span class="section"><a href="Configuring_IPA_Users-Deleting_IPA_Users.html">6.7. Deleting FreeIPA Users</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_IPA_Users-Deleting_IPA_Users.html#Deleting_IPA_Users-Using_the_Command_Line">6.7.1. Using the Command Line</a></span></dt></dl></dd><dt><span class="section"><a href="user-groups.html">6.8. Creating User Groups</a></span></dt><dd><dl><dt><span class="section"><a href="user-groups.html#Configuring_IPA_Groups-Creating_IPA_Groups">6.8.1. Creating FreeIPA Group
s</a></span></dt><dt><span class="section"><a href="user-groups.html#Configuring_IPA_Groups-Editing_IPA_Groups">6.8.2. Editing FreeIPA Groups</a></span></dt><dt><span class="section"><a href="user-groups.html#Configuring_IPA_Groups-Deleting_IPA_Groups">6.8.3. Deleting FreeIPA Groups</a></span></dt></dl></dd><dt><span class="section"><a href="user-pwdpolicy.html">6.9. Setting an Individual Password Policy</a></span></dt><dd><dl><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Changing_Passwords_as_the_Directory_Manager">6.9.1. Changing Passwords as the Directory Manager</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Changing_Passwords_as_the_IPA_Administrator">6.9.2. Changing Passwords as the FreeIPA Administrator</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Changing_Passwords_as_a_Regular_User">6.9.3. Changing Passwords as a Regular User</a></span></d
t><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Editing_the_Password_Policy">6.9.4. Editing the Password Policy</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Setting_Different_Password_Policies_for_Different_User_Groups">6.9.5. Setting Different Password Policies for Different User Groups</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Password_Policy_Attributes">6.9.6. Password Policy Attributes</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Notifying_Users_of_Password_Expiration">6.9.7. Notifying Users of Password Expiration</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Using_SSH_for_Password_Authentication">6.9.8. Using SSH for Password Authentication</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Using_Loca
l_Logins">6.9.9. Using Local Logins</a></span></dt></dl></dd><dt><span class="section"><a href="searching.html">6.10. Searching for Users and Groups</a></span></dt><dd><dl><dt><span class="section"><a href="searching.html#Searching_for_Users_and_Groups-Searching_for_Users">6.10.1. Searching for Users</a></span></dt><dt><span class="section"><a href="searching.html#Searching_for_Users_and_Groups-Searching_for_Groups">6.10.2. Searching for Groups</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="kerberos.html">7. Identity: Using FreeIPA for a Kerberos Domain</a></span></dt><dd><dl><dt><span class="section"><a href="kerberos.html#about-kerberos">7.1. About Kerberos</a></span></dt><dt><span class="section"><a href="kerb-policies.html">7.2. Setting Kerberos Ticket Policies</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html">7.3. Creating and Using
Service Principals</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html#sect-Enterprise_Identity_Management_Guide-Creating_Service_Principals_and_Certificates_for_New_Services-Creating_an_IPA_Service">7.3.1. Creating a FreeIPA Service</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html#sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Configuring_an_NFS_Service_Principal_on_the_IPA_Server">7.3.2. Configuring an NFS Service Principal on the FreeIPA Server</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html">7.4. Refreshing Kerberos Tickets</a></span></dt><dt><span class="section"><a href="rotating-keys.html">7.5.
Rotating Keys</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html">7.6. Kerberos Errors</a></span></dt></dl></dd><dt><span class="chapter"><a href="automount.html">8. Identity: Using Automount</a></span></dt><dd><dl><dt><span class="section"><a href="automount.html#about-automount">8.1. About Automount and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Known_Issues_with_Automount">8.1.1. Known Issues with Automount</a></span></dt><dt><span class="section"><a href="automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Assumptions">8.1.2. Assumptions</a></span></dt></dl></dd><dt><span class="section"><a href="configuring-automount.html">8.2. Configuring Automount</a></span></dt><dd><dl><dt><span class="section"><a href="configuring-automount.html#sect-Enterprise_Identity_
Management_Guide-Configuring_Automount-Configuring_autofs_on_Linux">8.2.1. Configuring autofs on Linux</a></span></dt><dt><span class="section"><a href="configuring-automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Solaris_automount">8.2.2. Solaris automount</a></span></dt><dt><span class="section"><a href="configuring-automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_Indirect_Maps">8.2.3. Configuring Indirect Maps</a></span></dt><dt><span class="section"><a href="configuring-automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Links">8.2.4. Links</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="active-directory.html">9. Identity: Integrating with Microsoft Active Directory</a></span></dt><dd><dl><dt><span class="section"><a href="active-directory.html#about-active-directory">9.1. About Active Directory, IPA, and Identity Management</a></span></dt><dd><dl><dt>
<span class="section"><a href="active-directory.html#sect-Enterprise_Identity_Management_Guide-Prerequisites-Domain_Name_Considerations">9.1.1. Domain Name Considerations</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html">9.2. Setting up Active Directory</a></span></dt><dt><span class="section"><a href="configuring-active-directory.html">9.3. Configuring Active Directory Synchronization</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html">9.4. Creating Synchronization Agreements</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html">9.5. Modifying Synchronization Agreements</a></span></dt><dd><dl><dt><
span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html#sect-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Changing_the_Default_Synchronization_Subtree">9.5.1. Changing the Default Synchronization Subtree</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html">9.6. Deleting Synchronization Agreements</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html">9.7. Winsync Agreement Failures</a></span></dt></dl></dd><dt><span class="chapter"><a href="nis.html">10. Identity: Integrating with NIS Domains and Netgroups</a></span></dt><dd><dl><dt><span class="section"><a href="nis.html#about-nis">10.
1. About NIS and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="nis.html#sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-What_are_Netgroups">10.1.1. What are Netgroups?</a></span></dt><dt><span class="section"><a href="nis.html#sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-The_IPA_Approach_to_Netgroups">10.1.2. The IPA Approach to Netgroups</a></span></dt><dt><span class="section"><a href="nis.html#adding-netgroups">10.1.3. Adding Netgroups</a></span></dt><dt><span class="section"><a href="nis.html#sect-Enterprise_Identity_Management_Guide-Configuring_Netgroups-IPA_Netgroup_Commands">10.1.4. IPA Netgroup Commands</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html">10.2. Configuring the Network Information Service (NIS)</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Confi
guring_the_Network_Information_Service_NIS.html#sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS-Exposing_Automount_Maps_to_NIS_Clients">10.2.1. Exposing Automount Maps to NIS Clients</a></span></dt></dl></dd><dt><span class="section"><a href="migrintg-from-nis.html">10.3. Migrating from NIS to IPA</a></span></dt><dd><dl><dt><span class="section"><a href="migrintg-from-nis.html#sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Preparing_Your_Environment">10.3.1. Preparing Your Environment</a></span></dt><dt><span class="section"><a href="migrintg-from-nis.html#sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Migrating_Netgroups">10.3.2. Migrating Netgroups</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="authz.html">11. Policy: Configuring Authorization</a></span></dt><dd><dl><dt><span class="section"><a href="authz.html#configuring-host-access">11.1. Configuring Host-Based A
ccess Control</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html">11.2. HBAC Service Groups</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html">11.3. HBAC Services</a></span></dt></dl></dd><dt><span class="chapter"><a href="sudo.html">12. Policy: Using sudo</a></span></dt><dd><dl><dt><span class="section"><a href="sudo.html#about-sudo">12.1. About sudo and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="sudo.html#sect-Enterprise_Identity_Management_Guide-Introduction-Sudo_with_LDAP">12.1.1. Sudo with LDAP</a></span></dt><dt><span class="section"><a href="sudo.html#sect-Enterprise_Identity_Management_Guide-Introduction-Limitations_of_the_Existing_Sudo_LDAP_Schema">12.1.2. Limitations of the Existing Sudo LDAP Schema</a></span></dt><dt><span class="section"><a href="sudo
.html#sect-Enterprise_Identity_Management_Guide-Introduction-Benefits_of_the_IPA_Alternative_Schema">12.1.3. Benefits of the IPA Alternative Schema</a></span></dt><dt><span class="section"><a href="sudo.html#sect-Enterprise_Identity_Management_Guide-Introduction-Compatibility_and_Managed_Entry_Plug_in_Configuration">12.1.4. Compatibility and Managed Entry Plug-in Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="configuring-sudo.html">12.2. Configuring sudo</a></span></dt><dd><dl><dt><span class="section"><a href="configuring-sudo.html#sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Server_Configuration_for_Sudo_Rules">12.2.1. Server Configuration for Sudo Rules</a></span></dt><dt><span class="section"><a href="configuring-sudo.html#sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Client_Configuration_for_Sudo_Rules">12.2.2. Client Configuration for Sudo Rules</a></span></dt></dl></dd></dl></dd><dt><span class="chapter">
<a href="server-config.html">13. Configuring the FreeIPA Server</a></span></dt><dd><dl><dt><span class="section"><a href="server-config.html#managing-access-to-ipa">13.1. Defining Access Controls within FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="server-config.html#Server_side_Access_Control">13.1.1. Server-side Access Control</a></span></dt><dt><span class="section"><a href="server-config.html#creating-roles">13.1.2. Creating Roles</a></span></dt><dt><span class="section"><a href="server-config.html#self-service">13.1.3. Defining Self-Service Settings</a></span></dt></dl></dd><dt><span class="section"><a href="disabling-anon-binds.html">13.2. Disabling Anonymous Binds</a></span></dt><dt><span class="section"><a href="Managing-Unique_UID_and_GID_Attributes.html">13.3. Managing Unique UID and GID Number Assignments</a></span></dt><dd><dl><dt><span class="section"><a href="Managing-Unique_UID_and_GID_Attributes.html#id-ranges-at-install">13.3.1. About ID
Range Assignments During Installation</a></span></dt><dt><span class="section"><a href="Managing-Unique_UID_and_GID_Attributes.html#Assigning_UIDs_and_GIDs-Adding_New_Ranges">13.3.2. Adding New Ranges</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_Certificates_and_Certificate_Authorities.html">13.4. Configuring Certificates and Certificate Authorities</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_Certificates_and_Certificate_Authorities.html#Configuring_Certificates_and_Certificate_Authorities-Installing_Your_Own_Certificate">13.4.1. Installing Your Own Certificate</a></span></dt><dt><span class="section"><a href="Configuring_Certificates_and_Certificate_Authorities.html#Configuring_Certificates_and_Certificate_Authorities-Using_Your_Own_Certificate_with_Firefox">13.4.2. Using Your Own Certificate with Firefox</a></span></dt><dt><span class="section"><a href="Configuring_Certificates_and_Certificate_Authorities.html#Using_OCSP
">13.4.3. Using OCSP</a></span></dt></dl></dd><dt><span class="section"><a href="ipa-apache.html">13.5. Setting a FreeIPA Server as an Apache Virtual Host</a></span></dt><dt><span class="section"><a href="ipa-cluster.html">13.6. Using FreeIPA in a Cluster</a></span></dt><dd><dl><dt><span class="section"><a href="ipa-cluster.html#Implementing_IPA_in_a_Clustered_Environment-Configuring_Kerberos_Credentials_for_a_Clustered_Environment">13.6.1. Configuring Kerberos Credentials for a Clustered Environment</a></span></dt><dt><span class="section"><a href="ipa-cluster.html#Implementing_IPA_in_a_Clustered_Environment-Using_the_Same_Service_Principal_for_Multiple_Services">13.6.2. Using the Same Service Principal for Multiple Services</a></span></dt></dl></dd><dt><span class="section"><a href="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html">13.7. Creating DNS Entries for FreeIPA Replicas</a></span></dt><dt><span class="section"><a href="promoting-replica.html">13.8. Prom
oting a Read-Only Replica to a FreeIPA Server</a></span></dt><dt><span class="section"><a href="logging.html">13.9. FreeIPA Server Logging</a></span></dt></dl></dd><dt><span class="appendix"><a href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html">A. Frequently Asked Questions</a></span></dt><dt><span class="appendix"><a href="tools-reference.html">B. FreeIPA Tools Reference</a></span></dt><dd><dl><dt><span class="section"><a href="tools-reference.html#ipa">B.1. ipa</a></span></dt><dd><dl><dt><span class="section"><a href="tools-reference.html#ipa-location">B.1.1. Location</a></span></dt><dt><span class="section"><a href="tools-reference.html#ipa-syntax">B.1.2. Syntax</a></span></dt><dt><span class="section"><a href="tools-reference.html#ipa-commands">B.1.3. Commands</a></span></dt><dt><span class="section"><a href="tools-reference.html#ipa-options">B.1.4. Options</a></span></dt><dt><span class="section"><a href="tools-reference.html#ipa-command-au
tomount">B.1.5. ipa automountlocation*</a></span></dt><dt><span class="section"><a href="tools-reference.html#ipa-command-automountmap">B.1.6. ipa automountmap*</a></span></dt><dt><span class="section"><a href="tools-reference.html#ipa-command-automountkey">B.1.7. ipa automountkey*</a></span></dt></dl></dd><dt><span class="section"><a href="server-tools.html">B.2. Server Scripts</a></span></dt><dd><dl><dt><span class="section"><a href="server-tools.html#ipa-compat-manage">B.2.1. ipa-compat-manage</a></span></dt><dt><span class="section"><a href="server-tools.html#ipa-compliance">B.2.2. ipa-compliance</a></span></dt><dt><span class="section"><a href="server-tools.html#ipa-dns-install">B.2.3. ipa-dns-install</a></span></dt><dt><span class="section"><a href="server-tools.html#ipa-host-net-manage">B.2.4. ipa-host-net-manage</a></span></dt><dt><span class="section"><a href="server-tools.html#ipa_kpasswd">B.2.5. ipa_kpasswd</a></span></dt><dt><span class="section"><a href="server-
tools.html#ipa-ldap-updater">B.2.6. ipa-ldap-updater</a></span></dt><dt><span class="section"><a href="server-tools.html#ipa-nis-manage">B.2.7. ipa-nis-manage</a></span></dt><dt><span class="section"><a href="server-tools.html#ipa-replica-install">B.2.8. ipa-replica-install</a></span></dt><dt><span class="section"><a href="server-tools.html#ipa-replica-manage">B.2.9. ipa-replica-manage</a></span></dt><dt><span class="section"><a href="server-tools.html#ipa-replica-prepare">B.2.10. ipa-replica-prepare</a></span></dt><dt><span class="section"><a href="server-tools.html#ipa-server-certinstall">B.2.11. ipa-server-certinstall</a></span></dt><dt><span class="section"><a href="server-tools.html#ipa-server-install">B.2.12. ipa-server-install</a></span></dt><dt><span class="section"><a href="server-tools.html#ipa-ugradeconfig">B.2.13. ipa-upgradeconfig</a></span></dt><dt><span class="section"><a href="server-tools.html#ipactl">B.2.14. ipactl</a></span></dt></dl></dd><dt><span class="
section"><a href="client-tools.html">B.3. Client Scripts</a></span></dt><dd><dl><dt><span class="section"><a href="client-tools.html#ipa-client-install">B.3.1. ipa-client-install</a></span></dt><dt><span class="section"><a href="client-tools.html#ipa-getkeytab">B.3.2. ipa-getkeytab</a></span></dt><dt><span class="section"><a href="client-tools.html#ipa-join">B.3.3. ipa-join</a></span></dt><dt><span class="section"><a href="client-tools.html#ipa-rmkeytab">B.3.4. ipa-rmkeytab</a></span></dt></dl></dd><dt><span class="section"><a href="certmonger-tools.html">B.4. Certmonger Scripts</a></span></dt><dd><dl><dt><span class="section"><a href="certmonger-tools.html#getcert">B.4.1. getcert</a></span></dt><dt><span class="section"><a href="certmonger-tools.html#ipa-getcert">B.4.2. ipa-getcert</a></span></dt></dl></dd></dl></dd><dt><span class="appendix"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html">C. Services: Working with certmonger</a></span></dt>
<dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger">C.1. What is certmonger?</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html">C.2. Using certmonger</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html">C.3. Using certmonger with NSS</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html">C.4. Using certmonger with IPA</a></span></dt></dl></dd><dt><span class="appendix"><a href="Migrating_from_a_Directory_Server_to_IPA.html">D. Migrating from a Directory Server to IPA</a></span></dt><dd><dl><dt><span class="section"><a href="Migrating_from_a_Directory_Server_t
o_IPA.html#sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Overview">D.1. Overview</a></span></dt><dd><dl><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Assumptions">D.1.1. Assumptions</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Known_Issues">D.1.2. Known Issues</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Possible_Scenarios">D.1.3. Possible Scenarios</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Initial_and_Final_States">D.1.4. Initial and Final States</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Ente
rprise_Identity_Management_Guide-Overview-Recommended_Sequence_of_Steps">D.1.5. Recommended Sequence of Steps</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Implementation_Details">D.1.6. Implementation Details</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html">D.2. Performing a Server-based Migration</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA">D.2.1. Phase 1: Migrating Existing Data to IPA</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_fro
m_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_2_Updating_the_Client_Configuration">D.2.2. Phase 2: Updating the Client Configuration</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD">D.2.3. Phase 3: Installing and Configuring SSSD</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_4_Migrating_Users">D.2.4. Phase 4: Migrating Users</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrati
ng_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_5_Decommission_the_DS">D.2.5. Phase 5: Decommission the DS</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html">D.3. Performing a Client-based Migration</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_1_Installing_and_Configuring_SSSD">D.3.1. Phase 1: Installing and Configuring SSSD</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identi
ty_Management_Guide-Performing_a_Client_based_Migration-Phase_2_Migrating_Existing_Data_to_IPA">D.3.2. Phase 2: Migrating Existing Data to IPA</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_3_Migrate_SSSD_Clients_from_LDAP_to_IPA">D.3.3. Phase 3: Migrate SSSD Clients from LDAP to IPA</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_4_Reconfigure_non_SSSD_Clients">D.3.4. Phase 4: Reconfigure non-SSSD Clients</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based
_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_5_Decommission_the_Directory_Server">D.3.5. Phase 5: Decommission the Directory Server</a></span></dt></dl></dd></dl></dd><dt><span class="glossary"><a href="Glossary.html">Glossary</a></span></dt><dt><span class="index"><a href="ix01.html">Index</a></span></dt></dl></div></div><ul class="docnav"><li class="previous"></li><li class="next"><a accesskey="n" href="Preface.html"><strong>Next</strong>Preface</a></li></ul></body></html>
+ </div></div></div></div><hr /></div><div class="toc"><dl><dt><span class="preface"><a href="Preface.html">Preface</a></span></dt><dd><dl><dt><span class="section"><a href="Preface.html#audience">1. Audience and Purpose</a></span></dt><dt><span class="section"><a href="Document_Conventions.html">2. Examples and Formatting</a></span></dt><dd><dl><dt><span class="section"><a href="Document_Conventions.html#bracketsexamples">2.1. Brackets</a></span></dt><dt><span class="section"><a href="Document_Conventions.html#tool-locations">2.2. Client Tool Information</a></span></dt><dt><span class="section"><a href="Document_Conventions.html#guide-formatting">2.3. Text Formatting and Styles</a></span></dt></dl></dd><dt><span class="section"><a href="feedback.html">3. Giving Feedback</a></span></dt><dt><span class="section"><a href="doc-history.html">4. Document Change History</a></span></dt></dl></dd><dt><span class="chapter"><a href="installing-ipa.html">1. Installing a FreeIPA Server<
/a></span></dt><dd><dl><dt><span class="section"><a href="installing-ipa.html#Preparing_for_an_IPA_Installation">1.1. Preparing to Install the FreeIPA Server</a></span></dt><dd><dl><dt><span class="section"><a href="installing-ipa.html#sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Hardware_Requirements">1.1.1. Hardware Requirements</a></span></dt><dt><span class="section"><a href="installing-ipa.html#sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Software_Requirements">1.1.2. Software Requirements</a></span></dt><dt><span class="section"><a href="installing-ipa.html#prerequisites">1.1.3. System Prerequisites</a></span></dt></dl></dd><dt><span class="section"><a href="Installing_the_IPA_Server_Packages.html">1.2. Installing the FreeIPA Server Packages</a></span></dt><dt><span class="section"><a href="creating-server.html">1.3. Creating a FreeIPA Server Instance</a></span></dt><dd><dl><dt><span class="section"><a href=
"creating-server.html#install-command">1.3.1. About ipa-server-install</a></span></dt><dt><span class="section"><a href="creating-server.html#install-interactive">1.3.2. Setting up a FreeIPA Server: Basic Interactive Installation</a></span></dt><dt><span class="section"><a href="creating-server.html#install-examples">1.3.3. Examples of Creating the FreeIPA Server</a></span></dt><dt><span class="section"><a href="creating-server.html#troubleshooting-install">1.3.4. Troubleshooting Installation Problems</a></span></dt></dl></dd><dt><span class="section"><a href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html">1.4. Setting up FreeIPA Replicas</a></span></dt><dd><dl><dt><span class="section"><a href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html#installing-replica">1.4.1. Prepping and Installing the Replica Server</a></span></dt><dt><span class="section"><a href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.ht
ml#creating-the-replica">1.4.2. Creating the Replica</a></span></dt><dt><span class="section"><a href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html#troubleshooting-replica-install">1.4.3. Troubleshooting Replica Installation</a></span></dt></dl></dd><dt><span class="section"><a href="Uninstalling_IPA_Servers.html">1.5. Uninstalling FreeIPA Servers and Replicas</a></span></dt></dl></dd><dt><span class="chapter"><a href="setting-up-clients.html">2. Setting up Systems as FreeIPA Clients</a></span></dt><dd><dl><dt><span class="section"><a href="setting-up-clients.html#what-happens-clients">2.1. What Happens in Client Setup</a></span></dt><dt><span class="section"><a href="Configuring_Microsoft_Windows.html">2.2. Configuring a Microsoft Windows System as a FreeIPA Client</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Solaris.html">2.3. Configuring a Solaris System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class=
"section"><a href="Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10">2.3.1. Configuring Solaris 10</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9">2.3.2. Configuring Solaris 9</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html">2.4. Configuring an HP-UX System as a FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_an_IPA_Client_on_HP_UX-Configuring_NTP">2.4.1. Configuring NTP</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_an_IPA_Client_on_HP_UX-Configuring_LDAP_Authentication">2.4.2. Configuring LDAP Authentication</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_Kerberos_and_PAM-Configuring_Kerberos">2
.4.3. Configuring Kerberos</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_Kerberos_and_PAM-Configuring_PAM">2.4.4. Configuring PAM</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_an_IPA_Client_on_HP_UX-Configuring_SSH">2.4.5. Configuring SSH</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_an_IPA_Client_on_HP_UX-Configuring_Access_Control">2.4.6. Configuring Access Control</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#hp-test">2.4.7. Testing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_an_IPA_Client_on_AIX.html">2.5. Configuring an AIX System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_an_IPA_Client_on_AIX.html#Configuring_an_IPA_Client_on_AIX-Prerequisites">2.5.1. Prerequisites</a><
/span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_AIX.html#Configuring_an_IPA_Client_on_AIX-Configuring_Client_Authentication">2.5.2. Configuring the AIX Client</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html">2.6. Configuring a Macintosh OS X System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_Kerberos_Authentication">2.6.1. Configuring Kerberos Authentication</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_LDAP_Authorization">2.6.2. Configuring LDAP Authorization</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_the_LDAP_Authorization_Options">2
.6.3. Configuring the LDAP Authorization Options</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_NTP">2.6.4. Configuring NTP</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#testing-config-on-mac">2.6.5. Testing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="uninstalling-clients.html">2.7. Uninstalling a FreeIPA Client</a></span></dt></dl></dd><dt><span class="chapter"><a href="basic-usage.html">3. Basic UI Usage</a></span></dt><dd><dl><dt><span class="section"><a href="basic-usage.html#using-the-ui">3.1. Using the FreeIPA UI</a></span></dt><dd><dl><dt><span class="section"><a href="basic-usage.html#config-browser">3.1.1. Configuring the Browser</a></span></dt><dt><span class="section"><a href="basic-usage.html#logging-in">3.1.2. Logging into the FreeIPA UI</a></span></dt><dt><span class="s
ection"><a href="basic-usage.html#Configuring_a_Browser_to_Work_with_IPA-Using_a_Browser_on_Another_System">3.1.3. Using a Browser on Another System</a></span></dt><dt><span class="section"><a href="basic-usage.html#Enabling_UsernamePassword_Authentication_in_Your_Browser">3.1.4. Enabling Username/Password Authentication in Your Browser</a></span></dt></dl></dd><dt><span class="section"><a href="switching-users.html">3.2. Switching Users</a></span></dt></dl></dd><dt><span class="chapter"><a href="managing-clients.html">4. Managing Clients in the FreeIPA Domain</a></span></dt><dd><dl><dt><span class="section"><a href="managing-clients.html#IPA_Command_Line_Tools-Working_with_DNS">4.1. Working with DNS</a></span></dt><dd><dl><dt><span class="section"><a href="managing-clients.html#Working_with_DNS-Adding_Hosts_to_an_IPA_DNS">4.1.1. Adding Hosts to a FreeIPA DNS</a></span></dt><dt><span class="section"><a href="managing-clients.html#Working_with_DNS-Removing_Hosts_from_an_IPA_D
NS">4.1.2. Removing Hosts from a FreeIPA DNS</a></span></dt><dt><span class="section"><a href="managing-clients.html#Working_with_DNS-Managing_DNS_Zones">4.1.3. Managing DNS Zones</a></span></dt></dl></dd><dt><span class="section"><a href="enrolling-machines.html">4.2. Enrolling Machines</a></span></dt><dd><dl><dt><span class="section"><a href="enrolling-machines.html#Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator">4.2.1. Manual Host Enrollment with Privileged Administrator</a></span></dt><dt><span class="section"><a href="enrolling-machines.html#Enrollment_Scenarios-Manual_Host_Enrollment_with_Separation_of_Duties">4.2.2. Manual Host Enrollment with Separation of Duties</a></span></dt><dt><span class="section"><a href="enrolling-machines.html#Enrollment_Scenarios-Bulk_Host_Deployment">4.2.3. Bulk Host Deployment</a></span></dt></dl></dd><dt><span class="section"><a href="renaming-machines.html">4.3. Renaming Machines</a></span></dt><dt><span class
="section"><a href="config-virt-machines.html">4.4. Reconfiguring Virtual Machines</a></span></dt><dt><span class="section"><a href="certs.html">4.5. Configuring Certificate-Based Machine Authentication</a></span></dt><dt><span class="section"><a href="General_Troubleshooting_Tips-Client_Problems.html">4.6. Client Problems</a></span></dt></dl></dd><dt><span class="chapter"><a href="users.html">5. Identity: Managing Users and User Groups</a></span></dt><dd><dl><dt><span class="section"><a href="users.html#home-directories">5.1. Managing User Home Directories</a></span></dt><dt><span class="section"><a href="adding-users.html">5.2. Adding Users</a></span></dt><dt><span class="section"><a href="editing-users.html">5.3. Editing Users</a></span></dt><dt><span class="section"><a href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html">5.4. Activating and Deactivating User Accounts</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_IPA_Users-Ac
tivating_and_Deactivating_User_Accounts.html#Activating_and_Deactivating_User_Accounts-Using_the_Command_Line">5.4.1. Using the Command Line</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_IPA_Users-Specifying_Default_User_Settings.html">5.5. Specifying Default User Settings</a></span></dt><dt><span class="section"><a href="search-limits.html">5.6. Setting Default Search Limits</a></span></dt><dt><span class="section"><a href="Configuring_IPA_Users-Deleting_IPA_Users.html">5.7. Deleting FreeIPA Users</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_IPA_Users-Deleting_IPA_Users.html#Deleting_IPA_Users-Using_the_Command_Line">5.7.1. Using the Command Line</a></span></dt></dl></dd><dt><span class="section"><a href="user-groups.html">5.8. Creating User Groups</a></span></dt><dd><dl><dt><span class="section"><a href="user-groups.html#Configuring_IPA_Groups-Creating_IPA_Groups">5.8.1. Creating FreeIPA Groups</a></span></dt><dt><span cla
ss="section"><a href="user-groups.html#Configuring_IPA_Groups-Editing_IPA_Groups">5.8.2. Editing FreeIPA Groups</a></span></dt><dt><span class="section"><a href="user-groups.html#Configuring_IPA_Groups-Deleting_IPA_Groups">5.8.3. Deleting FreeIPA Groups</a></span></dt></dl></dd><dt><span class="section"><a href="user-pwdpolicy.html">5.9. Setting an Individual Password Policy</a></span></dt><dd><dl><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Changing_Passwords_as_the_Directory_Manager">5.9.1. Changing Passwords as the Directory Manager</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Changing_Passwords_as_the_IPA_Administrator">5.9.2. Changing Passwords as the FreeIPA Administrator</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Changing_Passwords_as_a_Regular_User">5.9.3. Changing Passwords as a Regular User</a></span></dt><dt><span class="section"><a
href="user-pwdpolicy.html#The_IPA_Password_Policy-Editing_the_Password_Policy">5.9.4. Editing the Password Policy</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Setting_Different_Password_Policies_for_Different_User_Groups">5.9.5. Setting Different Password Policies for Different User Groups</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Password_Policy_Attributes">5.9.6. Password Policy Attributes</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Notifying_Users_of_Password_Expiration">5.9.7. Notifying Users of Password Expiration</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Using_SSH_for_Password_Authentication">5.9.8. Using SSH for Password Authentication</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Using_Local_Logins">5.9.9. Using Local L
ogins</a></span></dt></dl></dd><dt><span class="section"><a href="searching.html">5.10. Searching for Users and Groups</a></span></dt><dd><dl><dt><span class="section"><a href="searching.html#Searching_for_Users_and_Groups-Searching_for_Users">5.10.1. Searching for Users</a></span></dt><dt><span class="section"><a href="searching.html#Searching_for_Users_and_Groups-Searching_for_Groups">5.10.2. Searching for Groups</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="kerberos.html">6. Identity: Using FreeIPA for a Kerberos Domain</a></span></dt><dd><dl><dt><span class="section"><a href="kerberos.html#about-kerberos">6.1. About Kerberos</a></span></dt><dt><span class="section"><a href="kerb-policies.html">6.2. Setting Kerberos Ticket Policies</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html">6.3. Creating and Using Service Principals</a></span>
</dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html#sect-Enterprise_Identity_Management_Guide-Creating_Service_Principals_and_Certificates_for_New_Services-Creating_an_IPA_Service">6.3.1. Creating a FreeIPA Service</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html#sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Configuring_an_NFS_Service_Principal_on_the_IPA_Server">6.3.2. Configuring an NFS Service Principal on the FreeIPA Server</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html">6.4. Refreshing Kerberos Tickets</a></span></dt><dt><span class="section"><a href="rotating-keys.html">6.5. Rotating Keys</a></span></dt><
dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html">6.6. Kerberos Errors</a></span></dt></dl></dd><dt><span class="chapter"><a href="automount.html">7. Identity: Using Automount</a></span></dt><dd><dl><dt><span class="section"><a href="automount.html#about-automount">7.1. About Automount and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Known_Issues_with_Automount">7.1.1. Known Issues with Automount</a></span></dt><dt><span class="section"><a href="automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Assumptions">7.1.2. Assumptions</a></span></dt></dl></dd><dt><span class="section"><a href="configuring-automount.html">7.2. Configuring Automount</a></span></dt><dd><dl><dt><span class="section"><a href="configuring-automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_A
utomount-Configuring_autofs_on_Linux">7.2.1. Configuring autofs on Linux</a></span></dt><dt><span class="section"><a href="configuring-automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Solaris_automount">7.2.2. Solaris automount</a></span></dt><dt><span class="section"><a href="configuring-automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Configuring_Indirect_Maps">7.2.3. Configuring Indirect Maps</a></span></dt><dt><span class="section"><a href="configuring-automount.html#sect-Enterprise_Identity_Management_Guide-Configuring_Automount-Links">7.2.4. Links</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="active-directory.html">8. Identity: Integrating with Microsoft Active Directory</a></span></dt><dd><dl><dt><span class="section"><a href="active-directory.html#about-active-directory">8.1. About Active Directory, IPA, and Identity Management</a></span></dt><dd><dl><dt><span class="section"><a href=
"active-directory.html#sect-Enterprise_Identity_Management_Guide-Prerequisites-Domain_Name_Considerations">8.1.1. Domain Name Considerations</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html">8.2. Setting up Active Directory</a></span></dt><dt><span class="section"><a href="configuring-active-directory.html">8.3. Configuring Active Directory Synchronization</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html">8.4. Creating Synchronization Agreements</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html">8.5. Modifying Synchronization Agreements</a></span></dt><dd><dl><dt><span class="section"><a href="
sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html#sect-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Changing_the_Default_Synchronization_Subtree">8.5.1. Changing the Default Synchronization Subtree</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html">8.6. Deleting Synchronization Agreements</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html">8.7. Winsync Agreement Failures</a></span></dt></dl></dd><dt><span class="chapter"><a href="nis.html">9. Identity: Integrating with NIS Domains and Netgroups</a></span></dt><dd><dl><dt><span class="section"><a href="nis.html#about-nis">9.1. About NIS and IPA</a></span><
/dt><dd><dl><dt><span class="section"><a href="nis.html#sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-What_are_Netgroups">9.1.1. What are Netgroups?</a></span></dt><dt><span class="section"><a href="nis.html#sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-The_IPA_Approach_to_Netgroups">9.1.2. The IPA Approach to Netgroups</a></span></dt><dt><span class="section"><a href="nis.html#adding-netgroups">9.1.3. Adding Netgroups</a></span></dt><dt><span class="section"><a href="nis.html#sect-Enterprise_Identity_Management_Guide-Configuring_Netgroups-IPA_Netgroup_Commands">9.1.4. IPA Netgroup Commands</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html">9.2. Configuring the Network Information Service (NIS)</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Servic
e_NIS.html#sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS-Exposing_Automount_Maps_to_NIS_Clients">9.2.1. Exposing Automount Maps to NIS Clients</a></span></dt></dl></dd><dt><span class="section"><a href="migrintg-from-nis.html">9.3. Migrating from NIS to IPA</a></span></dt><dd><dl><dt><span class="section"><a href="migrintg-from-nis.html#sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Preparing_Your_Environment">9.3.1. Preparing Your Environment</a></span></dt><dt><span class="section"><a href="migrintg-from-nis.html#sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Migrating_Netgroups">9.3.2. Migrating Netgroups</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="authz.html">10. Policy: Configuring Authorization</a></span></dt><dd><dl><dt><span class="section"><a href="authz.html#configuring-host-access">10.1. Configuring Host-Based Access Control</a></span></dt><dt><span cl
ass="section"><a href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html">10.2. HBAC Service Groups</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html">10.3. HBAC Services</a></span></dt></dl></dd><dt><span class="chapter"><a href="sudo.html">11. Policy: Using sudo</a></span></dt><dd><dl><dt><span class="section"><a href="sudo.html#about-sudo">11.1. About sudo and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="sudo.html#sect-Enterprise_Identity_Management_Guide-Introduction-Sudo_with_LDAP">11.1.1. Sudo with LDAP</a></span></dt><dt><span class="section"><a href="sudo.html#sect-Enterprise_Identity_Management_Guide-Introduction-Limitations_of_the_Existing_Sudo_LDAP_Schema">11.1.2. Limitations of the Existing Sudo LDAP Schema</a></span></dt><dt><span class="section"><a href="sudo.html#sect-Enterprise_Identity_Management
_Guide-Introduction-Benefits_of_the_IPA_Alternative_Schema">11.1.3. Benefits of the IPA Alternative Schema</a></span></dt><dt><span class="section"><a href="sudo.html#sect-Enterprise_Identity_Management_Guide-Introduction-Compatibility_and_Managed_Entry_Plug_in_Configuration">11.1.4. Compatibility and Managed Entry Plug-in Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="configuring-sudo.html">11.2. Configuring sudo</a></span></dt><dd><dl><dt><span class="section"><a href="configuring-sudo.html#sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Server_Configuration_for_Sudo_Rules">11.2.1. Server Configuration for Sudo Rules</a></span></dt><dt><span class="section"><a href="configuring-sudo.html#sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Client_Configuration_for_Sudo_Rules">11.2.2. Client Configuration for Sudo Rules</a></span></dt></dl></dd></dl></dd><dt><span class="chapter"><a href="server-config.html">12. Configur
ing the FreeIPA Server</a></span></dt><dd><dl><dt><span class="section"><a href="server-config.html#managing-access-to-ipa">12.1. Defining Access Controls within FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="server-config.html#Server_side_Access_Control">12.1.1. Server-side Access Control</a></span></dt><dt><span class="section"><a href="server-config.html#creating-roles">12.1.2. Creating Roles</a></span></dt><dt><span class="section"><a href="server-config.html#self-service">12.1.3. Defining Self-Service Settings</a></span></dt></dl></dd><dt><span class="section"><a href="disabling-anon-binds.html">12.2. Disabling Anonymous Binds</a></span></dt><dt><span class="section"><a href="Managing-Unique_UID_and_GID_Attributes.html">12.3. Managing Unique UID and GID Number Assignments</a></span></dt><dd><dl><dt><span class="section"><a href="Managing-Unique_UID_and_GID_Attributes.html#id-ranges-at-install">12.3.1. About ID Range Assignments During Installation</a>
</span></dt><dt><span class="section"><a href="Managing-Unique_UID_and_GID_Attributes.html#Assigning_UIDs_and_GIDs-Adding_New_Ranges">12.3.2. Adding New Ranges</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_Certificates_and_Certificate_Authorities.html">12.4. Configuring Certificates and Certificate Authorities</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_Certificates_and_Certificate_Authorities.html#Configuring_Certificates_and_Certificate_Authorities-Installing_Your_Own_Certificate">12.4.1. Installing Your Own Certificate</a></span></dt><dt><span class="section"><a href="Configuring_Certificates_and_Certificate_Authorities.html#Configuring_Certificates_and_Certificate_Authorities-Using_Your_Own_Certificate_with_Firefox">12.4.2. Using Your Own Certificate with Firefox</a></span></dt><dt><span class="section"><a href="Configuring_Certificates_and_Certificate_Authorities.html#Using_OCSP">12.4.3. Using OCSP</a></span></dt></dl>
</dd><dt><span class="section"><a href="ipa-apache.html">12.5. Setting a FreeIPA Server as an Apache Virtual Host</a></span></dt><dt><span class="section"><a href="ipa-cluster.html">12.6. Using FreeIPA in a Cluster</a></span></dt><dd><dl><dt><span class="section"><a href="ipa-cluster.html#Implementing_IPA_in_a_Clustered_Environment-Configuring_Kerberos_Credentials_for_a_Clustered_Environment">12.6.1. Configuring Kerberos Credentials for a Clustered Environment</a></span></dt><dt><span class="section"><a href="ipa-cluster.html#Implementing_IPA_in_a_Clustered_Environment-Using_the_Same_Service_Principal_for_Multiple_Services">12.6.2. Using the Same Service Principal for Multiple Services</a></span></dt></dl></dd><dt><span class="section"><a href="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html">12.7. Creating DNS Entries for FreeIPA Replicas</a></span></dt><dt><span class="section"><a href="promoting-replica.html">12.8. Promoting a Read-Only Replica to a FreeIPA Se
rver</a></span></dt><dt><span class="section"><a href="logging.html">12.9. FreeIPA Server Logging</a></span></dt></dl></dd><dt><span class="appendix"><a href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html">A. Frequently Asked Questions</a></span></dt><dt><span class="appendix"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html">B. Services: Working with certmonger</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger">B.1. What is certmonger?</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html">B.2. Using certmonger</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html">B.3. Using certm
onger with NSS</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html">B.4. Using certmonger with IPA</a></span></dt></dl></dd><dt><span class="appendix"><a href="Migrating_from_a_Directory_Server_to_IPA.html">C. Migrating from a Directory Server to IPA</a></span></dt><dd><dl><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Overview">C.1. Overview</a></span></dt><dd><dl><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Assumptions">C.1.1. Assumptions</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Known_Issues">C.1.2. Known Issues</a></span></dt><dt><span class="section"><a href="Migrating_from
_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Possible_Scenarios">C.1.3. Possible Scenarios</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Initial_and_Final_States">C.1.4. Initial and Final States</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Recommended_Sequence_of_Steps">C.1.5. Recommended Sequence of Steps</a></span></dt><dt><span class="section"><a href="Migrating_from_a_Directory_Server_to_IPA.html#sect-Enterprise_Identity_Management_Guide-Overview-Implementation_Details">C.1.6. Implementation Details</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html">C.2. Performing a Server-based Migration</a></span></d
t><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA">C.2.1. Phase 1: Migrating Existing Data to IPA</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_2_Updating_the_Client_Configuration">C.2.2. Phase 2: Updating the Client Configuration</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD">C.2.3. Phase 3: I
nstalling and Configuring SSSD</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_4_Migrating_Users">C.2.4. Phase 4: Migrating Users</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_5_Decommission_the_DS">C.2.5. Phase 5: Decommission the DS</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html">C.3. Performing a Client-based Migration</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrat
ing_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_1_Installing_and_Configuring_SSSD">C.3.1. Phase 1: Installing and Configuring SSSD</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_2_Migrating_Existing_Data_to_IPA">C.3.2. Phase 2: Migrating Existing Data to IPA</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_3_Migrate_SSSD_Clients_from_LDAP_to_IPA">C.3.3. Phase 3: Migrate SSSD Clients from LDAP to IPA</a></span></dt><dt><span class="section"><a href="sect
-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_4_Reconfigure_non_SSSD_Clients">C.3.4. Phase 4: Reconfigure non-SSSD Clients</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_5_Decommission_the_Directory_Server">C.3.5. Phase 5: Decommission the Directory Server</a></span></dt></dl></dd></dl></dd><dt><span class="glossary"><a href="Glossary.html">Glossary</a></span></dt><dt><span class="index"><a href="ix01.html">Index</a></span></dt></dl></div></div><ul class="docnav"><li class="previous"></li><li class="next"><a accesskey="n" href="Preface.html"><strong>Next</strong>Preface</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html
index 1d316b0..7f73414 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/installing-ipa.html
@@ -1,25 +1,25 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 2. Installing a FreeIPA Server</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 1. Installing a FreeIPA Server</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="policy.html" title="1.4. Defining Policies: Authorization" /><link rel="next" href="Installing_the_IPA_Server_Packages.html" title="2.2. Installing the FreeIPA Server Packages" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="policy.html"><strong>Prev</strong></a></li><li
class="next"><a accesskey="n" href="Installing_the_IPA_Server_Packages.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="installing-ipa" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 2. Installing a FreeIPA Server</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="installing-ipa.html#Preparing_for_an_IPA_Installation">2.1. Preparing to Install the FreeIPA Server</a></span></dt><dd><dl><dt><span class="section"><a href="installing-ipa.html#sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Hardware_Requirements">2.1.1. Hardware Requirements</a></span></dt><dt><span class="section"><a href="installing-ipa.html#sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Software_Requirements">2.1.2. Software Requirements</a></span></dt><dt><span class="section"><a href="installing-ipa.html#prerequisites">2.1.3. System Prerequisites</a></span></dt></dl
></dd><dt><span class="section"><a href="Installing_the_IPA_Server_Packages.html">2.2. Installing the FreeIPA Server Packages</a></span></dt><dt><span class="section"><a href="creating-server.html">2.3. Creating a FreeIPA Server Instance</a></span></dt><dd><dl><dt><span class="section"><a href="creating-server.html#install-command">2.3.1. About ipa-server-install</a></span></dt><dt><span class="section"><a href="creating-server.html#install-interactive">2.3.2. Setting up a FreeIPA Server: Basic Interactive Installation</a></span></dt><dt><span class="section"><a href="creating-server.html#install-examples">2.3.3. Examples of Creating the FreeIPA Server</a></span></dt><dt><span class="section"><a href="creating-server.html#troubleshooting-install">2.3.4. Troubleshooting Installation Problems</a></span></dt></dl></dd><dt><span class="section"><a href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html">2.4. Setting up FreeIPA Replicas</a></span></dt><dd><dl
><dt><span class="section"><a href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html#installing-replica">2.4.1. Prepping and Installing the Replica Server</a></span></dt><dt><span class="section"><a href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html#creating-the-replica">2.4.2. Creating the Replica</a></span></dt><dt><span class="section"><a href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html#troubleshooting-replica-install">2.4.3. Troubleshooting Replica Installation</a></span></dt></dl></dd><dt><span class="section"><a href="Uninstalling_IPA_Servers.html">2.5. Uninstalling FreeIPA Servers and Replicas</a></span></dt></dl></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="doc-history.html" title="4. Document Change History" /><link rel="next" href="Installing_the_IPA_Server_Packages.html" title="1.2. Installing the FreeIPA Server Packages" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="doc-history.html"><strong>Prev</strong></a></li><li c
lass="next"><a accesskey="n" href="Installing_the_IPA_Server_Packages.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="installing-ipa" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 1. Installing a FreeIPA Server</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="installing-ipa.html#Preparing_for_an_IPA_Installation">1.1. Preparing to Install the FreeIPA Server</a></span></dt><dd><dl><dt><span class="section"><a href="installing-ipa.html#sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Hardware_Requirements">1.1.1. Hardware Requirements</a></span></dt><dt><span class="section"><a href="installing-ipa.html#sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Software_Requirements">1.1.2. Software Requirements</a></span></dt><dt><span class="section"><a href="installing-ipa.html#prerequisites">1.1.3. System Prerequisites</a></span></dt></dl>
</dd><dt><span class="section"><a href="Installing_the_IPA_Server_Packages.html">1.2. Installing the FreeIPA Server Packages</a></span></dt><dt><span class="section"><a href="creating-server.html">1.3. Creating a FreeIPA Server Instance</a></span></dt><dd><dl><dt><span class="section"><a href="creating-server.html#install-command">1.3.1. About ipa-server-install</a></span></dt><dt><span class="section"><a href="creating-server.html#install-interactive">1.3.2. Setting up a FreeIPA Server: Basic Interactive Installation</a></span></dt><dt><span class="section"><a href="creating-server.html#install-examples">1.3.3. Examples of Creating the FreeIPA Server</a></span></dt><dt><span class="section"><a href="creating-server.html#troubleshooting-install">1.3.4. Troubleshooting Installation Problems</a></span></dt></dl></dd><dt><span class="section"><a href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html">1.4. Setting up FreeIPA Replicas</a></span></dt><dd><dl>
<dt><span class="section"><a href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html#installing-replica">1.4.1. Prepping and Installing the Replica Server</a></span></dt><dt><span class="section"><a href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html#creating-the-replica">1.4.2. Creating the Replica</a></span></dt><dt><span class="section"><a href="chap-Enterprise_Identity_Management_Guide-Setting_up_IPA_Replicas.html#troubleshooting-replica-install">1.4.3. Troubleshooting Replica Installation</a></span></dt></dl></dd><dt><span class="section"><a href="Uninstalling_IPA_Servers.html">1.5. Uninstalling FreeIPA Servers and Replicas</a></span></dt></dl></div><div class="para">
The FreeIPA domain is defined and managed by a FreeIPA <span class="emphasis"><em>server</em></span> which is essentially a domain controller. There can be multiple domain controllers within a domain for load-balancing and failover tolerance. These additional servers are called <span class="emphasis"><em>replicas</em></span> of the master FreeIPA server.
</div><div class="para">
Both FreeIPA servers and replicas only run on Fedora systems. For both servers and replicas, the necessary packages must be installed and then the FreeIPA server or replica itself is configured through setup scripts, which configure all of the requisite services.
- </div><div class="section" id="Preparing_for_an_IPA_Installation"><div class="titlepage"><div><div><h2 class="title" id="Preparing_for_an_IPA_Installation">2.1. Preparing to Install the FreeIPA Server</h2></div></div></div><div class="para">
+ </div><div class="section" id="Preparing_for_an_IPA_Installation"><div class="titlepage"><div><div><h2 class="title" id="Preparing_for_an_IPA_Installation">1.1. Preparing to Install the FreeIPA Server</h2></div></div></div><div class="para">
Before you install FreeIPA, ensure that the installation environment is suitably configured. You also need to provide certain information during the installation and configuration procedures, including realm names and certain usernames and passwords. This section describes the information that you need to provide.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Hardware_Requirements"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Hardware_Requirements">2.1.1. Hardware Requirements</h3></div></div></div><div class="para">
- A basic user entry is about 1 KB in size, as is a simple host entry with a certificate. The structure of the directory tree and the number of indexes in the Directory Server instance can impact the hardware required for the best performance. <a class="xref" href="installing-ipa.html#tab.Minimum_hardware_requirements_for_IPA">Table 2.1, “Minimum Hardware Requirements”</a> lists the recommended minimums. For customized systems, additional indexes, or larger user entries, it is more effective to increase the RAM than to increase the disk space because the Directory Server stores much of its data in cache. Add info for disk layout/size recommendations, from https://www.redhat.com/archives/freeipa-users/2011-May/msg00012.html
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Hardware_Requirements"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Hardware_Requirements">1.1.1. Hardware Requirements</h3></div></div></div><div class="para">
+ A basic user entry is about 1 KB in size, as is a simple host entry with a certificate. The structure of the directory tree and the number of indexes in the Directory Server instance can impact the hardware required for the best performance. <a class="xref" href="installing-ipa.html#tab.Minimum_hardware_requirements_for_IPA">Table 1.1, “Minimum Hardware Requirements”</a> lists the recommended minimums. For customized systems, additional indexes, or larger user entries, it is more effective to increase the RAM than to increase the disk space because the Directory Server stores much of its data in cache. Add info for disk layout/size recommendations, from https://www.redhat.com/archives/freeipa-users/2011-May/msg00012.html
</div><div class="note"><div class="admonition_header"><h2>TIP</h2></div><div class="admonition"><div class="para">
The Directory Server instance used by the FreeIPA server can be tuned to increase performance. For tuning information, see the Directory Server documentation at <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Performance_Tuning_Guide/system-tuning.html</a>.
</div></div></div><div class="para">
The system requirements for both 32-bit and 64-bit platforms are the same.
- </div><div class="table" id="tab.Minimum_hardware_requirements_for_IPA"><h6>Table 2.1. Minimum Hardware Requirements</h6><div class="table-contents"><table summary="Minimum Hardware Requirements" border="1"><colgroup><col width="25%" align="center" /><col width="25%" align="center" /><col width="25%" align="center" /><col width="25%" align="center" /></colgroup><thead><tr><th align="center">
+ </div><div class="table" id="tab.Minimum_hardware_requirements_for_IPA"><h6>Table 1.1. Minimum Hardware Requirements</h6><div class="table-contents"><table summary="Minimum Hardware Requirements" border="1"><colgroup><col width="25%" align="center" /><col width="25%" align="center" /><col width="25%" align="center" /><col width="25%" align="center" /></colgroup><thead><tr><th align="center">
Minimum Hardware Requirements
</th><th align="center">
10,000 - 250,000 Entries
@@ -47,21 +47,21 @@
4 GB
</td><td align="center">
8 GB
- </td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Software_Requirements"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Software_Requirements">2.1.2. Software Requirements</h3></div></div></div><div class="para">
+ </td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Software_Requirements"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Software_Requirements">1.1.2. Software Requirements</h3></div></div></div><div class="para">
Most of the packages that a FreeIPA server depends on are installed as dependencies when the FreeIPA packages are installed. There are some packages, however, which are required before installing the FreeIPA packages:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Kerberos 1.9
</div></li><li class="listitem"><div class="para">
The <span class="package">named</span> and <span class="package">bind-dyndb-ldap</span> packages for DNS
- </div></li></ul></div></div><div class="section" id="prerequisites"><div class="titlepage"><div><div><h3 class="title" id="prerequisites">2.1.3. System Prerequisites</h3></div></div></div><div class="para">
+ </div></li></ul></div></div><div class="section" id="prerequisites"><div class="titlepage"><div><div><h3 class="title" id="prerequisites">1.1.3. System Prerequisites</h3></div></div></div><div class="para">
The FreeIPA server is set up using a configuration script, and this script makes certain assumption about the host system. If the system does not meet these prerequisites, then server configuration may fail.
- </div><div class="section" id="prereq-ds"><div class="titlepage"><div><div><h4 class="title" id="prereq-ds">2.1.3.1. Directory Server</h4></div></div></div><div class="para">
+ </div><div class="section" id="prereq-ds"><div class="titlepage"><div><div><h4 class="title" id="prereq-ds">1.1.3.1. Directory Server</h4></div></div></div><div class="para">
There must not be any instances of 389 Directory Server installed on the host machine.
- </div></div><div class="section" id="prereq-system"><div class="titlepage"><div><div><h4 class="title" id="prereq-system">2.1.3.2. System Files </h4></div></div></div><div class="para">
+ </div></div><div class="section" id="prereq-system"><div class="titlepage"><div><div><h4 class="title" id="prereq-system">1.1.3.2. System Files </h4></div></div></div><div class="para">
The server script overwrites system files to set up the FreeIPA domain. The system should be clean, without custom configuration for services like DNS and Kerberos, before configuring the FreeIPA server.
- </div></div><div class="section" id="prereq-ports"><div class="titlepage"><div><div><h4 class="title" id="prereq-ports">2.1.3.3. System Ports</h4></div></div></div><div class="para">
- FreeIPA uses a number of ports to communicate with its services. These ports, listed in <a class="xref" href="installing-ipa.html#tab.ipa-ports">Table 2.2, “FreeIPA Ports”</a>, must be open and available for FreeIPA to work. They cannot be in use by another service or blocked by a firewall. To make sure that these ports are available, try <code class="command">iptables</code> to list the available ports or <code class="command">nc</code>, <code class="command">telnet</code>, or <code class="command">nmap</code> to connect to a port or run a port scan.
- </div><div class="table" id="tab.ipa-ports"><h6>Table 2.2. FreeIPA Ports</h6><div class="table-contents"><table summary="FreeIPA Ports" border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
+ </div></div><div class="section" id="prereq-ports"><div class="titlepage"><div><div><h4 class="title" id="prereq-ports">1.1.3.3. System Ports</h4></div></div></div><div class="para">
+ FreeIPA uses a number of ports to communicate with its services. These ports, listed in <a class="xref" href="installing-ipa.html#tab.ipa-ports">Table 1.2, “FreeIPA Ports”</a>, must be open and available for FreeIPA to work. They cannot be in use by another service or blocked by a firewall. To make sure that these ports are available, try <code class="command">iptables</code> to list the available ports or <code class="command">nc</code>, <code class="command">telnet</code>, or <code class="command">nmap</code> to connect to a port or run a port scan.
+ </div><div class="table" id="tab.ipa-ports"><h6>Table 1.2. FreeIPA Ports</h6><div class="table-contents"><table summary="FreeIPA Ports" border="1"><colgroup><col width="50%" /><col width="50%" /></colgroup><thead><tr><th>
Service
</th><th>
Ports
@@ -89,16 +89,16 @@
</td><td>
53
</td></tr><tr><td>
- NTP<sup>[<a id="id3109200" href="#ftn.id3109200" class="footnote">b</a>]</sup>
+ NTP<sup>[<a id="id3368328" href="#ftn.id3368328" class="footnote">b</a>]</sup>
</td><td>
123
</td></tr></tbody><tbody class="footnotes"><tr><td colspan="2"><div class="footnote" id="ft.udp-tcp"><p><sup>[<a id="ftn.ft.udp-tcp" href="#ft.udp-tcp" class="para">a</a>] </sup>
This service uses both TCP adn UDP ports.
- </p></div><div class="footnote"><p><sup>[<a id="ftn.id3109200" href="#id3109200" class="para">b</a>] </sup>
+ </p></div><div class="footnote"><p><sup>[<a id="ftn.id3368328" href="#id3368328" class="para">b</a>] </sup>
This service uses UDP ports only.
- </p></div></td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-DNS"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-DNS">2.1.3.4. DNS</h4></div></div></div><div class="para">
+ </p></div></td></tr></tbody></table></div></div><br class="table-break" /></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-DNS"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-DNS">1.1.3.4. DNS</h4></div></div></div><div class="para">
FreeIPA uses DNS for the FreeIPA clients to find (<span class="emphasis"><em>discover</em></span>) the FreeIPA servers. The DNS service can be managed by FreeIPA itself, or FreeIPA can use an existing DNS server. Without a properly configured and working DNS, server discovery for clients and FreeIPA services like, LDAP, Kerberos, and SSL may fail to work.
- </div><div class="section" id="dns-requirements"><div class="titlepage"><div><div><h5 class="title" id="dns-requirements">2.1.3.4.1. DNS Requirements</h5></div></div></div><div class="para">
+ </div><div class="section" id="dns-requirements"><div class="titlepage"><div><div><h5 class="title" id="dns-requirements">1.1.3.4.1. DNS Requirements</h5></div></div></div><div class="para">
Regardless of whether the DNS is within the FreeIPA server or external, the server host must have DNS properly configured:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
The server's machine name must be set and resolve to its public IP address. The fully-qualified domain name cannot resolve to the loopback address. It must resolve to the machine's public IP address, not to <code class="systemitem">127.0.0.1</code>. The output of the <code class="command">hostname</code> command cannot be <code class="systemitem">localhost</code> or <code class="systemitem">localhost6</code>.
@@ -110,12 +110,12 @@
The DNS must be correctly configured to resolve forward and reverse addresses. The DNS does not need to be on the same machine as the FreeIPA server, but it does need to be fully functional.
</div><div class="para">
If you do not have a functional DNS, you can use the <code class="option">--setup-dns</code> option when you install FreeIPA to automatically configure a suitable DNS.
- </div></li></ul></div></div><div class="section" id="dns-file"><div class="titlepage"><div><div><h5 class="title" id="dns-file">2.1.3.4.2. FreeIPA-Generated DNS File</h5></div></div></div><div class="para">
+ </div></li></ul></div></div><div class="section" id="dns-file"><div class="titlepage"><div><div><h5 class="title" id="dns-file">1.1.3.4.2. FreeIPA-Generated DNS File</h5></div></div></div><div class="para">
To help create and configure a suitable DNS setup, the FreeIPA installation script creates a sample zone file. During the installation, FreeIPA displays a message similar to the following:
</div><pre class="screen">Sample zone file for bind has been created in /tmp/sample.zone.F_uMf4.db
</pre><div class="para">
You should use this file in your DNS zone file.
- </div></div><div class="section" id="DNS-IPA_DNS_and_NSCD"><div class="titlepage"><div><div><h5 class="title" id="DNS-IPA_DNS_and_NSCD">2.1.3.4.3. IPA, DNS, and NSCD</h5></div></div></div><div class="para">
+ </div></div><div class="section" id="DNS-IPA_DNS_and_NSCD"><div class="titlepage"><div><div><h5 class="title" id="DNS-IPA_DNS_and_NSCD">1.1.3.4.3. IPA, DNS, and NSCD</h5></div></div></div><div class="para">
<span class="emphasis"><em>It is strongly recommended</em></span> that you avoid or restrict the use of <code class="systemitem">nscd</code> (Name Service Caching Daemon) in a FreeIPA deployment. The <code class="systemitem">nscd</code> service is extremely useful for reducing the load on the server, and for making clients more responsive, but drawbacks also exist. This is especially true in deployments that take advantage of SSSD, which performs its own caching.
</div><div class="para">
<code class="systemitem">nscd</code> performs caching operations for all services that perform queries via the nsswitch interface, including <code class="command">getent</code>. Because <code class="systemitem">nscd</code> performs both positive and negative caching, if a request determines that a specific FreeIPA user does not exist, it marks this as a negative cache. Values stored in the cache remain until the cache expires, regardless of any changes that may occur on the server. The results of such caching is that new users and memberships may not be visible, and users and memberships that have been removed may still be visible.
@@ -125,7 +125,7 @@
negative-time-to-live group 60
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
-</pre></div><div class="section" id="form-Enterprise_Identity_Management_Guide-DNS-DNS_and_Kerberos"><div class="titlepage"><div><div><h5 class="title" id="form-Enterprise_Identity_Management_Guide-DNS-DNS_and_Kerberos">2.1.3.4.4. DNS and Kerberos</h5></div></div></div><div class="para">
+</pre></div><div class="section" id="form-Enterprise_Identity_Management_Guide-DNS-DNS_and_Kerberos"><div class="titlepage"><div><div><h5 class="title" id="form-Enterprise_Identity_Management_Guide-DNS-DNS_and_Kerberos">1.1.3.4.4. DNS and Kerberos</h5></div></div></div><div class="para">
The Kerberos server requires a valid DNS A record, and reverse DNS needs to work correctly. It is safe to use CNAMEs if they point to the A name that corresponds to the principal name used to create SPNs (Service Principal Names) for the host. You should avoid the use of DDNS names, however, as this can cause major problems later on.
</div><div class="para">
If necessary, add the hostname to the <code class="filename">/etc/hosts</code> file, as long as the fully qualified hostname must be listed first. For example:
@@ -141,7 +141,7 @@ negative-time-to-live hosts 20
DNS forwarders must be specified as IP addresses, not as hostnames.
</div></div></div>
- </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Configuring_Networking"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Configuring_Networking">2.1.3.5. Configuring Networking</h4></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Networking-Configuring_Networking_Services"><div class="titlepage"><div><div><h5 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Networking-Configuring_Networking_Services">2.1.3.5.1. Configuring Networking Services</h5></div></div></div><div class="para">
+ </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Configuring_Networking"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Preparing_for_an_IPA_Installation-Configuring_Networking">1.1.3.5. Configuring Networking</h4></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Networking-Configuring_Networking_Services"><div class="titlepage"><div><div><h5 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Networking-Configuring_Networking_Services">1.1.3.5.1. Configuring Networking Services</h5></div></div></div><div class="para">
The default networking service used by Fedora is NetworkManager, and due to the way this service works, it can cause problems with FreeIPA and the KDC. Consequently, it is highly recommended that you use the <code class="systemitem">network</code> service to manage the networking requirements in a FreeIPA environment and disable the NetworkManager service.
</div><div class="orderedlist" id="proc-Enterprise_Identity_Management_Guide-Configuring_Networking_Services-To_configure_networking_services_for_IPA"><ol><li class="listitem"><div class="para">
Boot the machine into single-user mode and run the following commands:
@@ -155,7 +155,7 @@ negative-time-to-live hosts 20
Ensure that static networking is correctly configured.
</div></li><li class="listitem"><div class="para">
Restart the system.
- </div></li></ol></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Networking-Configuring_the_etchosts_File"><div class="titlepage"><div><div><h5 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Networking-Configuring_the_etchosts_File">2.1.3.5.2. Configuring the /etc/hosts File</h5></div></div></div><div class="para">
+ </div></li></ol></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Networking-Configuring_the_etchosts_File"><div class="titlepage"><div><div><h5 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Networking-Configuring_the_etchosts_File">1.1.3.5.2. Configuring the /etc/hosts File</h5></div></div></div><div class="para">
You need to ensure that your <code class="filename">/etc/hosts</code> file is configured correctly. A misconfigured file can prevent the FreeIPA command-line tools from functioning correctly and can prevent the FreeIPA web interface from connecting to the FreeIPA server.
</div><div class="para">
Configure the <code class="filename">/etc/hosts</code> file to list the FQDN for the FreeIPA server <span class="emphasis"><em>before</em></span> any aliases. Also ensure that the hostname is not part of the <code class="literal">localhost</code> entry. The following is an example of a valid hosts file:
@@ -164,4 +164,4 @@ negative-time-to-live hosts 20
192.168.1.1 ipaserver.example.com ipaserver
</pre><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
Do not omit the <code class="systemitem">IPv4</code> entry in the <code class="filename">/etc/hosts</code> file. This entry is required by the FreeIPA web service.
- </div></div></div></div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="policy.html"><strong>Prev</strong>1.4. Defining Policies: Authorization</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Installing_the_IPA_Server_Packages.html"><strong>Next</strong>2.2. Installing the FreeIPA Server Packages</a></li></ul></body></html>
+ </div></div></div></div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="doc-history.html"><strong>Prev</strong>4. Document Change History</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Installing_the_IPA_Server_Packages.html"><strong>Next</strong>1.2. Installing the FreeIPA Server Packages</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/ipa-apache.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/ipa-apache.html
index 7b618f6..6e7850c 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/ipa-apache.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/ipa-apache.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>13.5. Setting a FreeIPA Server as an Apache Virtual Host</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>12.5. Setting a FreeIPA Server as an Apache Virtual Host</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="server-config.html" title="Chapter 13. Configuring the FreeIPA Server" /><link rel="prev" href="Configuring_Certificates_and_Certificate_Authorities.html" title="13.4. Configuring Certificates and Certificate Authorities" /><link rel="next" href="ipa-cluster.html" title="13.6. Using FreeIPA in a Cluster" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" hre
f="Configuring_Certificates_and_Certificate_Authorities.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="ipa-cluster.html"><strong>Next</strong></a></li></ul><div class="section" id="ipa-apache"><div class="titlepage"><div><div><h2 class="title" id="ipa-apache">13.5. Setting a FreeIPA Server as an Apache Virtual Host</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="server-config.html" title="Chapter 12. Configuring the FreeIPA Server" /><link rel="prev" href="Configuring_Certificates_and_Certificate_Authorities.html" title="12.4. Configuring Certificates and Certificate Authorities" /><link rel="next" href="ipa-cluster.html" title="12.6. Using FreeIPA in a Cluster" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" hre
f="Configuring_Certificates_and_Certificate_Authorities.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="ipa-cluster.html"><strong>Next</strong></a></li></ul><div class="section" id="ipa-apache"><div class="titlepage"><div><div><h2 class="title" id="ipa-apache">12.5. Setting a FreeIPA Server as an Apache Virtual Host</h2></div></div></div><div class="para">
If you have a standard Apache instance running on port 80, you can configure FreeIPA to run on a secondary port, for example, on port 8089. You should be aware, however, that in this configuration, FreeIPA does not use <code class="systemitem">SSL</code>; all requests will use standard <code class="systemitem">HTTP</code>.
</div><div class="para">
The following procedure assumes that FreeIPA is configured to run on port 80, and that you want to move it to port 8089.
@@ -47,4 +47,4 @@ RewriteRule ^/(.*) https://host.foo.com/$1 [L,R=301,NC]
</div></li></ol></div><div class="para">
This configures FreeIPA to run on port 8089, leaving port 80 free for your normal web site.
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_Certificates_and_Certificate_Authorities.html"><strong>Prev</strong>13.4. Configuring Certificates and Certificate Au...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="ipa-cluster.html"><strong>Next</strong>13.6. Using FreeIPA in a Cluster</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_Certificates_and_Certificate_Authorities.html"><strong>Prev</strong>12.4. Configuring Certificates and Certificate Au...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="ipa-cluster.html"><strong>Next</strong>12.6. Using FreeIPA in a Cluster</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/ipa-cluster.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/ipa-cluster.html
index 824a348..a383802 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/ipa-cluster.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/ipa-cluster.html
@@ -1,15 +1,15 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>13.6. Using FreeIPA in a Cluster</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>12.6. Using FreeIPA in a Cluster</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="server-config.html" title="Chapter 13. Configuring the FreeIPA Server" /><link rel="prev" href="ipa-apache.html" title="13.5. Setting a FreeIPA Server as an Apache Virtual Host" /><link rel="next" href="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html" title="13.7. Creating DNS Entries for FreeIPA Replicas" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a acc
esskey="p" href="ipa-apache.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html"><strong>Next</strong></a></li></ul><div class="section" id="ipa-cluster"><div class="titlepage"><div><div><h2 class="title" id="ipa-cluster">13.6. Using FreeIPA in a Cluster</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="server-config.html" title="Chapter 12. Configuring the FreeIPA Server" /><link rel="prev" href="ipa-apache.html" title="12.5. Setting a FreeIPA Server as an Apache Virtual Host" /><link rel="next" href="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html" title="12.7. Creating DNS Entries for FreeIPA Replicas" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a acc
esskey="p" href="ipa-apache.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html"><strong>Next</strong></a></li></ul><div class="section" id="ipa-cluster"><div class="titlepage"><div><div><h2 class="title" id="ipa-cluster">12.6. Using FreeIPA in a Cluster</h2></div></div></div><div class="para">
The FreeIPA server currently does not specifically handle the case of a service running in a cluster. That is, the FreeIPA server is not <em class="firstterm">cluster aware</em>. It is possible to configure a clustered service to be part of FreeIPA, although a certain amount of manual configuration is required. This involves sharing and synchronizing Kerberos keys across all of the participating hosts, and also configuring services running on the hosts to respond to whatever names the clients want to use.
- </div><div class="section" id="Implementing_IPA_in_a_Clustered_Environment-Configuring_Kerberos_Credentials_for_a_Clustered_Environment"><div class="titlepage"><div><div><h3 class="title" id="Implementing_IPA_in_a_Clustered_Environment-Configuring_Kerberos_Credentials_for_a_Clustered_Environment">13.6.1. Configuring Kerberos Credentials for a Clustered Environment</h3></div></div></div><div class="para">
+ </div><div class="section" id="Implementing_IPA_in_a_Clustered_Environment-Configuring_Kerberos_Credentials_for_a_Clustered_Environment"><div class="titlepage"><div><div><h3 class="title" id="Implementing_IPA_in_a_Clustered_Environment-Configuring_Kerberos_Credentials_for_a_Clustered_Environment">12.6.1. Configuring Kerberos Credentials for a Clustered Environment</h3></div></div></div><div class="para">
Use the following procedure to set up the Kerberos credentials for an environment where your managed host is a cluster of nodes.
</div><div class="orderedlist"><h6>Configuring Kerberos Credentials for a Clustered Environment</h6><ol><li class="listitem"><div class="para">
Enroll all of the hosts in the FreeIPA domain, and collect any keytabs that have been set up. At a minimum, this is <code class="filename">/etc/krb5.keytab</code>, although additional services may have their keys in other files.
@@ -23,7 +23,7 @@
Replace the keytab files on each host with the newly-created keytab file.
</div></li></ol></div><div class="para">
Each host in this cluster should now be able to impersonate any other host.
- </div><div class="section" id="Configuring_Kerberos_Credentials_for_a_Clustered_Environment-Service_specific_Configuration"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Kerberos_Credentials_for_a_Clustered_Environment-Service_specific_Configuration">13.6.1.1. Service-specific Configuration</h4></div></div></div><div class="para">
+ </div><div class="section" id="Configuring_Kerberos_Credentials_for_a_Clustered_Environment-Service_specific_Configuration"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Kerberos_Credentials_for_a_Clustered_Environment-Service_specific_Configuration">12.6.1.1. Service-specific Configuration</h4></div></div></div><div class="para">
Additional service-specific configuration may be required if cluster members do not reset their hostnames when they take over for a failed service.
<div class="itemizedlist"><ul><li class="listitem"><div class="para">
For <code class="systemitem">sshd</code>, set <em class="parameter"><code>GSSAPIStrictAcceptorCheck no</code></em> in <code class="filename">/etc/ssh/sshd_config</code>
@@ -31,9 +31,9 @@
For <code class="systemitem">mod_auth_kerb</code>, set <em class="parameter"><code>KrbServiceName Any</code></em> in <code class="filename">/etc/httpd/conf.d/auth_kerb.conf</code>
</div></li></ul></div>
- </div></div><div class="section" id="Configuring_Kerberos_Credentials_for_a_Clustered_Environment-SSL_Server_Configuration"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Kerberos_Credentials_for_a_Clustered_Environment-SSL_Server_Configuration">13.6.1.2. SSL Server Configuration</h4></div></div></div><div class="para">
+ </div></div><div class="section" id="Configuring_Kerberos_Credentials_for_a_Clustered_Environment-SSL_Server_Configuration"><div class="titlepage"><div><div><h4 class="title" id="Configuring_Kerberos_Credentials_for_a_Clustered_Environment-SSL_Server_Configuration">12.6.1.2. SSL Server Configuration</h4></div></div></div><div class="para">
For SSL servers, it is important that the subject name or a <em class="parameter"><code>subjectAlternativeName</code></em> value for the server's certificate look correct when a client connects to the clustered item. The simplest way to do this is to keep the private key and certificate synchronized across all of the hosts, but it is better to share the private key if possible. Ensuring that certificates issued to each cluster member contain <em class="parameter"><code>subjectAlternativeName</code></em> values naming all of the cluster members should satisfy any client connection requirements.
- </div></div></div><div class="section" id="Implementing_IPA_in_a_Clustered_Environment-Using_the_Same_Service_Principal_for_Multiple_Services"><div class="titlepage"><div><div><h3 class="title" id="Implementing_IPA_in_a_Clustered_Environment-Using_the_Same_Service_Principal_for_Multiple_Services">13.6.2. Using the Same Service Principal for Multiple Services</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Implementing_IPA_in_a_Clustered_Environment-Using_the_Same_Service_Principal_for_Multiple_Services"><div class="titlepage"><div><div><h3 class="title" id="Implementing_IPA_in_a_Clustered_Environment-Using_the_Same_Service_Principal_for_Multiple_Services">12.6.2. Using the Same Service Principal for Multiple Services</h3></div></div></div><div class="para">
One aspect of applying FreeIPA in a cluster use case is using the same service principal for multiple services, spread across different machines. This is a simple procedure and could be implemented as follows:
<div class="orderedlist"><ol><li class="listitem"><div class="para">
Retrieve a service principal in the normal way, using the <code class="command">ipa-getkeytab</code> command, or use the keytab that is set up when the host joins the realm. That is, by using <code class="command">ipa-join</code>, which creates or updates the <code class="filename">/etc/krb5.keytab</code> file with a host/principal.
@@ -41,4 +41,4 @@
When you have the principal in a keytab on the system, you can direct multiple servers or services to use the same file, or you can copy the file to discrete locations as required.
</div></li></ol></div>
- </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="ipa-apache.html"><strong>Prev</strong>13.5. Setting a FreeIPA Server as an Apache Virtu...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html"><strong>Next</strong>13.7. Creating DNS Entries for FreeIPA Replicas</a></li></ul></body></html>
+ </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="ipa-apache.html"><strong>Prev</strong>12.5. Setting a FreeIPA Server as an Apache Virtu...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html"><strong>Next</strong>12.7. Creating DNS Entries for FreeIPA Replicas</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/ix01.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/ix01.html
index 6b83b27..964292e 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/ix01.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/ix01.html
@@ -7,4 +7,4 @@
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="Glossary.html" title="Glossary" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="Glossary.html"><strong>Prev</strong></a></li><li class="next"></li></ul><div class="index" id="id3303543"><div class="titlepage"><div><div><h2 class="title">Index</h2></div></div></div><div clas
s="index"></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Glossary.html"><strong>Prev</strong>Glossary</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li></ul></body></html>
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="Glossary.html" title="Glossary" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="Glossary.html"><strong>Prev</strong></a></li><li class="next"></li></ul><div class="index" id="id3346218"><div class="titlepage"><div><div><h2 class="title">Index</h2></div></div></div><div clas
s="index"></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Glossary.html"><strong>Prev</strong>Glossary</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/kerb-policies.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/kerb-policies.html
index 421cbfe..8af6867 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/kerb-policies.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/kerb-policies.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>7.2. Setting Kerberos Ticket Policies</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>6.2. Setting Kerberos Ticket Policies</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="kerberos.html" title="Chapter 7. Identity: Using FreeIPA for a Kerberos Domain" /><link rel="prev" href="kerberos.html" title="Chapter 7. Identity: Using FreeIPA for a Kerberos Domain" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html" title="7.3. Creating and Using Service Principals" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Sit
e" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="kerberos.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html"><strong>Next</strong></a></li></ul><div class="section" id="kerb-policies"><div class="titlepage"><div><div><h2 class="title" id="kerb-policies">7.2. Setting Kerberos Ticket Policies</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="kerberos.html" title="Chapter 6. Identity: Using FreeIPA for a Kerberos Domain" /><link rel="prev" href="kerberos.html" title="Chapter 6. Identity: Using FreeIPA for a Kerberos Domain" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html" title="6.3. Creating and Using Service Principals" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Sit
e" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="kerberos.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html"><strong>Next</strong></a></li></ul><div class="section" id="kerb-policies"><div class="titlepage"><div><div><h2 class="title" id="kerb-policies">6.2. Setting Kerberos Ticket Policies</h2></div></div></div><div class="para">
Kerberos tickets are issued subject to the restraints of the <em class="firstterm">Kerberos ticket policy</em>. This policy defines the maximum ticket lifetime and also the maximum renewal age, the period during which the ticket is renewable. You can use the <code class="command">ipa krbtpolicy-mod</code> command to modify the policy to suit your environment. You can also use the <code class="command">ipa krbtpolicy-reset</code> command to reset the policy to the default values.
</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
Any change to the global Kerberos ticket policy requires a restart of the KDC for the changes to take effect. Use the following command to restart the KDC:
@@ -23,4 +23,4 @@
</div><div class="para">
Changes to per-user policies take effect immediately for newly-requested tickets, for example, when the user next runs <code class="command">kinit</code>.
- </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="kerberos.html"><strong>Prev</strong>Chapter 7. Identity: Using FreeIPA for a Kerberos...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html"><strong>Next</strong>7.3. Creating and Using Service Principals</a></li></ul></body></html>
+ </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="kerberos.html"><strong>Prev</strong>Chapter 6. Identity: Using FreeIPA for a Kerberos...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html"><strong>Next</strong>6.3. Creating and Using Service Principals</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/kerberos.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/kerberos.html
index 1d4b07b..ec5beec 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/kerberos.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/kerberos.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 7. Identity: Using FreeIPA for a Kerberos Domain</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 6. Identity: Using FreeIPA for a Kerberos Domain</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="searching.html" title="6.10. Searching for Users and Groups" /><link rel="next" href="kerb-policies.html" title="7.2. Setting Kerberos Ticket Policies" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="searching.html"><strong>Prev</strong></a></li><li class="next"><a access
key="n" href="kerb-policies.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="kerberos" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 7. Identity: Using FreeIPA for a Kerberos Domain</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="kerberos.html#about-kerberos">7.1. About Kerberos</a></span></dt><dt><span class="section"><a href="kerb-policies.html">7.2. Setting Kerberos Ticket Policies</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html">7.3. Creating and Using Service Principals</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html#sect-Enterprise_Identity_Management_Guide-Creating_Service_Principals_and_Certificates_for_New_Services-Creating_an_IPA_Servi
ce">7.3.1. Creating a FreeIPA Service</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html#sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Configuring_an_NFS_Service_Principal_on_the_IPA_Server">7.3.2. Configuring an NFS Service Principal on the FreeIPA Server</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html">7.4. Refreshing Kerberos Tickets</a></span></dt><dt><span class="section"><a href="rotating-keys.html">7.5. Rotating Keys</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html">7.6. Kerberos Errors</a></span></dt></dl></div><div class="section" id="about-kerberos"><div class="titlepage"><div><div><h2 class="title" id="about-kerberos">7.1
. About Kerberos</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="searching.html" title="5.10. Searching for Users and Groups" /><link rel="next" href="kerb-policies.html" title="6.2. Setting Kerberos Ticket Policies" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="searching.html"><strong>Prev</strong></a></li><li class="next"><a access
key="n" href="kerb-policies.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="kerberos" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 6. Identity: Using FreeIPA for a Kerberos Domain</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="kerberos.html#about-kerberos">6.1. About Kerberos</a></span></dt><dt><span class="section"><a href="kerb-policies.html">6.2. Setting Kerberos Ticket Policies</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html">6.3. Creating and Using Service Principals</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html#sect-Enterprise_Identity_Management_Guide-Creating_Service_Principals_and_Certificates_for_New_Services-Creating_an_IPA_Servi
ce">6.3.1. Creating a FreeIPA Service</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html#sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Configuring_an_NFS_Service_Principal_on_the_IPA_Server">6.3.2. Configuring an NFS Service Principal on the FreeIPA Server</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html">6.4. Refreshing Kerberos Tickets</a></span></dt><dt><span class="section"><a href="rotating-keys.html">6.5. Rotating Keys</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html">6.6. Kerberos Errors</a></span></dt></dl></div><div class="section" id="about-kerberos"><div class="titlepage"><div><div><h2 class="title" id="about-kerberos">6.1
. About Kerberos</h2></div></div></div><div class="para">
The Kerberos server is a part of FreeIPA. When you run the <code class="command">kinit</code> command you invoke a client that connects to the Kerberos server. As a result of the authentication the client receives a <em class="firstterm">ticket</em>. This ticket is a temporary pass; or a better description might be a pass-book. The best example from real life might be a pass to a movie festival. A single pass to such a festival would allow someone to attend different movies at their discretion. Kerberos is very similar. When a user tries to access any resource that is protected by Kerberos, that resource requires the user to present a valid ticket, the same as in the movies.
</div><div class="para">
To obtain such a ticket the user needs to prove their identity; that they are who they claim to be. Asking the user to constantly authenticate with their password would soon prove to be too annoying and hard to manage. This is why a multi-tier process exists, where the user first authenticates and obtains a so-called <em class="firstterm">ticket-granting ticket</em> (TGT). This ticket can then be presented to the Kerberos server at any time and a new ticket specific to the resource that the user wants to access can be acquired. All of these tickets have a configurable expiration time, so the user occasionally needs to re-authenticate, but it is much less of a burden.
@@ -51,4 +51,4 @@
Failure to export an updated keytab can cause problems that are difficult to isolate. For example, existing service connections may continue to function, but no new connections may be possible.
</div><div class="para">
Due to the critical role that keytabs play in authenticating users and services, and the issues that can arise if they are compromised, ensure that all keytab files are appropriately secured, and have suitable file ownership and permissions established.
- </div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="searching.html"><strong>Prev</strong>6.10. Searching for Users and Groups</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="kerb-policies.html"><strong>Next</strong>7.2. Setting Kerberos Ticket Policies</a></li></ul></body></html>
+ </div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="searching.html"><strong>Prev</strong>5.10. Searching for Users and Groups</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="kerb-policies.html"><strong>Next</strong>6.2. Setting Kerberos Ticket Policies</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/logging.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/logging.html
index 0dc9fa1..ad03535 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/logging.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/logging.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>13.9. FreeIPA Server Logging</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>12.9. FreeIPA Server Logging</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="server-config.html" title="Chapter 13. Configuring the FreeIPA Server" /><link rel="prev" href="promoting-replica.html" title="13.8. Promoting a Read-Only Replica to a FreeIPA Server" /><link rel="next" href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html" title="Appendix A. Frequently Asked Questions" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="prev
ious"><a accesskey="p" href="promoting-replica.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html"><strong>Next</strong></a></li></ul><div class="section" id="logging"><div class="titlepage"><div><div><h2 class="title" id="logging">13.9. FreeIPA Server Logging</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="server-config.html" title="Chapter 12. Configuring the FreeIPA Server" /><link rel="prev" href="promoting-replica.html" title="12.8. Promoting a Read-Only Replica to a FreeIPA Server" /><link rel="next" href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html" title="Appendix A. Frequently Asked Questions" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="prev
ious"><a accesskey="p" href="promoting-replica.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html"><strong>Next</strong></a></li></ul><div class="section" id="logging"><div class="titlepage"><div><div><h2 class="title" id="logging">12.9. FreeIPA Server Logging</h2></div></div></div><div class="para">
If you are using the FreeIPA command-line tools or the WebUI to manage FreeIPA data then you should refer to the following sections to help troubleshoot any problems.
</div><div class="para">
You should first check the <code class="filename">/var/log/httpd/error_log</code> file. This may contain more information on the error and/or a python stacktrace.
@@ -24,4 +24,4 @@ debug=True</pre>
You can use the <code class="option">-v</code> option twice to display the XML-RPC exchange:
<pre class="screen">$ ipa -vv user-show admin</pre>
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="promoting-replica.html"><strong>Prev</strong>13.8. Promoting a Read-Only Replica to a FreeIPA ...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html"><strong>Next</strong>Appendix A. Frequently Asked Questions</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="promoting-replica.html"><strong>Prev</strong>12.8. Promoting a Read-Only Replica to a FreeIPA ...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html"><strong>Next</strong>Appendix A. Frequently Asked Questions</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/managing-clients.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/managing-clients.html
index 746cbde..be89944 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/managing-clients.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/managing-clients.html
@@ -1,33 +1,33 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 5. Managing Clients in the FreeIPA Domain</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 4. Managing Clients in the FreeIPA Domain</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="switching-users.html" title="4.3. Switching Users" /><link rel="next" href="enrolling-machines.html" title="5.2. Enrolling Machines" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="switching-users.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href=
"enrolling-machines.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="managing-clients" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 5. Managing Clients in the FreeIPA Domain</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="managing-clients.html#IPA_Command_Line_Tools-Working_with_DNS">5.1. Working with DNS</a></span></dt><dd><dl><dt><span class="section"><a href="managing-clients.html#Working_with_DNS-Adding_Hosts_to_an_IPA_DNS">5.1.1. Adding Hosts to a FreeIPA DNS</a></span></dt><dt><span class="section"><a href="managing-clients.html#Working_with_DNS-Removing_Hosts_from_an_IPA_DNS">5.1.2. Removing Hosts from a FreeIPA DNS</a></span></dt><dt><span class="section"><a href="managing-clients.html#Working_with_DNS-Managing_DNS_Zones">5.1.3. Managing DNS Zones</a></span></dt></dl></dd><dt><span class="section"><a href="enrolling-machines.html">5.2. Enrolling Machines</a></span></dt><dd><d
l><dt><span class="section"><a href="enrolling-machines.html#Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator">5.2.1. Manual Host Enrollment with Privileged Administrator</a></span></dt><dt><span class="section"><a href="enrolling-machines.html#Enrollment_Scenarios-Manual_Host_Enrollment_with_Separation_of_Duties">5.2.2. Manual Host Enrollment with Separation of Duties</a></span></dt><dt><span class="section"><a href="enrolling-machines.html#Enrollment_Scenarios-Bulk_Host_Deployment">5.2.3. Bulk Host Deployment</a></span></dt></dl></dd><dt><span class="section"><a href="renaming-machines.html">5.3. Renaming Machines</a></span></dt><dt><span class="section"><a href="config-virt-machines.html">5.4. Reconfiguring Virtual Machines</a></span></dt><dt><span class="section"><a href="certs.html">5.5. Configuring Certificate-Based Machine Authentication</a></span></dt><dt><span class="section"><a href="General_Troubleshooting_Tips-Client_Problems.html">5.6. C
lient Problems</a></span></dt></dl></div><div class="section" id="IPA_Command_Line_Tools-Working_with_DNS"><div class="titlepage"><div><div><h2 class="title" id="IPA_Command_Line_Tools-Working_with_DNS">5.1. Working with DNS</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="switching-users.html" title="3.2. Switching Users" /><link rel="next" href="enrolling-machines.html" title="4.2. Enrolling Machines" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="switching-users.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href=
"enrolling-machines.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="managing-clients" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 4. Managing Clients in the FreeIPA Domain</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="managing-clients.html#IPA_Command_Line_Tools-Working_with_DNS">4.1. Working with DNS</a></span></dt><dd><dl><dt><span class="section"><a href="managing-clients.html#Working_with_DNS-Adding_Hosts_to_an_IPA_DNS">4.1.1. Adding Hosts to a FreeIPA DNS</a></span></dt><dt><span class="section"><a href="managing-clients.html#Working_with_DNS-Removing_Hosts_from_an_IPA_DNS">4.1.2. Removing Hosts from a FreeIPA DNS</a></span></dt><dt><span class="section"><a href="managing-clients.html#Working_with_DNS-Managing_DNS_Zones">4.1.3. Managing DNS Zones</a></span></dt></dl></dd><dt><span class="section"><a href="enrolling-machines.html">4.2. Enrolling Machines</a></span></dt><dd><d
l><dt><span class="section"><a href="enrolling-machines.html#Enrollment_Scenarios-Manual_Host_Enrollment_with_Privileged_Administrator">4.2.1. Manual Host Enrollment with Privileged Administrator</a></span></dt><dt><span class="section"><a href="enrolling-machines.html#Enrollment_Scenarios-Manual_Host_Enrollment_with_Separation_of_Duties">4.2.2. Manual Host Enrollment with Separation of Duties</a></span></dt><dt><span class="section"><a href="enrolling-machines.html#Enrollment_Scenarios-Bulk_Host_Deployment">4.2.3. Bulk Host Deployment</a></span></dt></dl></dd><dt><span class="section"><a href="renaming-machines.html">4.3. Renaming Machines</a></span></dt><dt><span class="section"><a href="config-virt-machines.html">4.4. Reconfiguring Virtual Machines</a></span></dt><dt><span class="section"><a href="certs.html">4.5. Configuring Certificate-Based Machine Authentication</a></span></dt><dt><span class="section"><a href="General_Troubleshooting_Tips-Client_Problems.html">4.6. C
lient Problems</a></span></dt></dl></div><div class="section" id="IPA_Command_Line_Tools-Working_with_DNS"><div class="titlepage"><div><div><h2 class="title" id="IPA_Command_Line_Tools-Working_with_DNS">4.1. Working with DNS</h2></div></div></div><div class="para">
A number of benefits exist if you take advantage of FreeIPA's ability to automatically install and configure a DNS, in particular the ability to ease the modification of DNS records when adding hosts to FreeIPA. For example, options exist to add and remove IP addresses, A entries, PTR entries, etc. These options are not available if you are not using a FreeIPA-based DNS.
</div><div class="para">
IPA stores all DNS information as discrete records in LDAP, and communicates with LDAP using the <span class="package">bind-dyndb-ldap</span> plug-in and the <code class="filename">install/share/60basev2.ldif</code> schema. You can install and configure the DNS as part of the FreeIPA server installation, using the <code class="option">--setup-dns</code> option, or you can add it later using the <code class="command">ipa-dns-install</code> command.
</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
The following options are currently only available with IPv4 addresses.
- </div></div></div><div class="section" id="Working_with_DNS-Adding_Hosts_to_an_IPA_DNS"><div class="titlepage"><div><div><h3 class="title" id="Working_with_DNS-Adding_Hosts_to_an_IPA_DNS">5.1.1. Adding Hosts to a FreeIPA DNS</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Working_with_DNS-Adding_Hosts_to_an_IPA_DNS"><div class="titlepage"><div><div><h3 class="title" id="Working_with_DNS-Adding_Hosts_to_an_IPA_DNS">4.1.1. Adding Hosts to a FreeIPA DNS</h3></div></div></div><div class="para">
If you are using a FreeIPA-based DNS system, you can use the <code class="option">--ip-address</code> and <code class="option">--force</code> options to the <code class="command">ipa host-add</code> command to provide the IP address and hostname of the FreeIPA machine to the DNS. For example,
<pre class="screen"><code class="command">$ ipa host-add --force --ip-address=192.168.166.31 puma.example.com </code></pre>
- </div></div><div class="section" id="Working_with_DNS-Removing_Hosts_from_an_IPA_DNS"><div class="titlepage"><div><div><h3 class="title" id="Working_with_DNS-Removing_Hosts_from_an_IPA_DNS">5.1.2. Removing Hosts from a FreeIPA DNS</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="Working_with_DNS-Removing_Hosts_from_an_IPA_DNS"><div class="titlepage"><div><div><h3 class="title" id="Working_with_DNS-Removing_Hosts_from_an_IPA_DNS">4.1.2. Removing Hosts from a FreeIPA DNS</h3></div></div></div><div class="para">
IPA provides the <code class="command">ipa host-del</code> command to delete FreeIPA hosts. You can pass the <code class="option">--updatedns</code> option to this command to remove the associated records from the DNS. It will attempt to remove any record, A, AAAA, PTR, NS, SRV, and other entries that reference this host. For example,
<pre class="screen"><code class="command">$ ipa host-del --updatedns puma</code></pre>
- </div></div><div class="section" id="Working_with_DNS-Managing_DNS_Zones"><div class="titlepage"><div><div><h3 class="title" id="Working_with_DNS-Managing_DNS_Zones">5.1.3. Managing DNS Zones</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="Working_with_DNS-Managing_DNS_Zones"><div class="titlepage"><div><div><h3 class="title" id="Working_with_DNS-Managing_DNS_Zones">4.1.3. Managing DNS Zones</h3></div></div></div><div class="para">
IPA provides all the necessary commands to create and manage zones in a FreeIPA-managed DNS server. You can create and delete zones and add entries to any of these zones using the appropriate FreeIPA commands.
- </div><div class="section" id="Managing_DNS_Zones-Adding_DNS_Zones"><div class="titlepage"><div><div><h4 class="title" id="Managing_DNS_Zones-Adding_DNS_Zones">5.1.3.1. Adding DNS Zones</h4></div></div></div><div class="para">
+ </div><div class="section" id="Managing_DNS_Zones-Adding_DNS_Zones"><div class="titlepage"><div><div><h4 class="title" id="Managing_DNS_Zones-Adding_DNS_Zones">4.1.3.1. Adding DNS Zones</h4></div></div></div><div class="para">
Use the <code class="command">ipa dnszone-add</code> command to add a new zone to your DNS server. You can pass optional attributes on the command line, and you will be prompted for any required information. The following example demonstrates adding a new zone to your top-level domain.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
You need to restart the <code class="systemitem">named</code> service whenever you create a new zone, otherwise the DNS server will not reply successfully to queries asking for records in the new zone. This is a one-time operation; any subsequent changes to the zone do not require any further action to be effective.
- </div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Adding_DNS_Zones-To_add_the_sub_domain_translation_to_the_ipadocs.org_domain"><h6>Procedure 5.1. To add the sub-domain "translation" to the ipadocs.org domain</h6><ol class="1"><li class="step"><div class="para">
+ </div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Adding_DNS_Zones-To_add_the_sub_domain_translation_to_the_ipadocs.org_domain"><h6>Procedure 4.1. To add the sub-domain "translation" to the ipadocs.org domain</h6><ol class="1"><li class="step"><div class="para">
Ensure you have a valid Kerberos ticket:
<pre class="screen"><code class="command">$ kinit admin</code>
Password for admin at IPADOCS.ORG:</pre>
@@ -55,12 +55,12 @@ Password for admin at IPADOCS.ORG:</pre>
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Adding_DNS_Zones-Using_Dynamic_DNS_Updates"><h5 class="formalpara">Using Dynamic DNS Updates</h5>
Dynamic DNS updates are not enabled by default for new DNS zones served by FreeIPA; that is, zones added by the <code class="command">ipa dnszone-add</code> command. This may lead to errors in the <code class="command">ipa-client-install</code> script when it joins this domain and tries to add a DNS record pointing to this new client.
- </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Adding_DNS_Zones-To_enable_dynamic_DNS_updates"><h6>Procedure 5.2. To enable dynamic DNS updates</h6><ul><li class="step"><div class="para">
+ </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Adding_DNS_Zones-To_enable_dynamic_DNS_updates"><h6>Procedure 4.2. To enable dynamic DNS updates</h6><ul><li class="step"><div class="para">
Use the following command to enable dynamic updates:
</div><pre class="screen"><code class="command">$ ipa dnszone-mod clients.example.com --allow-dynupdate \ </code>
<code class="command">--update-policy="grant TESTRELM krb5-self * A; grant TESTRELM krb5-self * AAAA;"</code></pre><div class="para">
In this example, <code class="systemitem">clients.example.com</code> is the custom DNS domain managed by the FreeIPA server and TESTRELM is the Kerberos realm.
- </div></li></ul></div></div><div class="section" id="Managing_DNS_Zones-Adding_Records_to_DNS_Zones"><div class="titlepage"><div><div><h4 class="title" id="Managing_DNS_Zones-Adding_Records_to_DNS_Zones">5.1.3.2. Adding Records to DNS Zones</h4></div></div></div><div class="para">
+ </div></li></ul></div></div><div class="section" id="Managing_DNS_Zones-Adding_Records_to_DNS_Zones"><div class="titlepage"><div><div><h4 class="title" id="Managing_DNS_Zones-Adding_Records_to_DNS_Zones">4.1.3.2. Adding Records to DNS Zones</h4></div></div></div><div class="para">
Use the <code class="command">ipa dnsrecord-add</code> command to add various types of records to DNS zones. The following examples demonstrate adding some of these types of records.
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Adding_Records_to_DNS_Zones-Adding_IPv4_Type_A_Resource_Records"><h5 class="formalpara">Adding IPv4 (Type A) Resource Records</h5>
Type A resource records map hostnames to IPv4 addresses. To add a type A resource record, run the following command:
@@ -86,7 +86,7 @@ Password for admin at IPADOCS.ORG:</pre>
<pre class="programlisting">A, AAAA, A6, AFSDB, APL, CERT, CNAME, DHCID, DLV, DNAME, DNSKEY, DS, HIP, IPSECKEY, KX, LOC,
MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA, TXT</pre>
- </div></div><div class="section" id="Managing_DNS_Zones-Deleting_Records_from_DNS_Zones"><div class="titlepage"><div><div><h4 class="title" id="Managing_DNS_Zones-Deleting_Records_from_DNS_Zones">5.1.3.3. Deleting Records from DNS Zones</h4></div></div></div><div class="para">
+ </div></div><div class="section" id="Managing_DNS_Zones-Deleting_Records_from_DNS_Zones"><div class="titlepage"><div><div><h4 class="title" id="Managing_DNS_Zones-Deleting_Records_from_DNS_Zones">4.1.3.3. Deleting Records from DNS Zones</h4></div></div></div><div class="para">
Use the <code class="command">ipa dnsrecord-del</code> command to remove records from DNS zones. The following examples demonstrate how to remove the records added in the preceding examples.
</div><div class="para">
To remove the A type record from the "www" record, run the following command:
@@ -102,4 +102,4 @@ MX, NAPTR, NS, NSEC, NSEC3, NSEC3PARAM, PTR, RRSIG, RP, SIG, SPF, SRV, SSHFP, TA
You can also delegate zones if you want to allow other areas of your company intranet to reach your DNS server, or if you want to allow access from outside your firewalls. Refer to the <a href="http://www.isc.org/software/bind/documentation">ISC BIND documentation</a> for further information.
</div><div class="para">
Refer to the <code class="command">ipa help dns</code> help page for more information about working with DNS and FreeIPA.
- </div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="switching-users.html"><strong>Prev</strong>4.3. Switching Users</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="enrolling-machines.html"><strong>Next</strong>5.2. Enrolling Machines</a></li></ul></body></html>
+ </div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="switching-users.html"><strong>Prev</strong>3.2. Switching Users</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="enrolling-machines.html"><strong>Next</strong>4.2. Enrolling Machines</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/migrintg-from-nis.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/migrintg-from-nis.html
index a401b7a..4bc0e13 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/migrintg-from-nis.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/migrintg-from-nis.html
@@ -1,17 +1,17 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>10.3. Migrating from NIS to IPA</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>9.3. Migrating from NIS to IPA</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="nis.html" title="Chapter 10. Identity: Integrating with NIS Domains and Netgroups" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html" title="10.2. Configuring the Network Information Service (NIS)" /><link rel="next" href="authz.html" title="Chapter 11. Policy: Configuring Authorization" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul cl
ass="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="authz.html"><strong>Next</strong></a></li></ul><div class="section" id="migrintg-from-nis"><div class="titlepage"><div><div><h2 class="title" id="migrintg-from-nis">10.3. Migrating from NIS to IPA</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="nis.html" title="Chapter 9. Identity: Integrating with NIS Domains and Netgroups" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html" title="9.2. Configuring the Network Information Service (NIS)" /><link rel="next" href="authz.html" title="Chapter 10. Policy: Configuring Authorization" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul clas
s="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="authz.html"><strong>Next</strong></a></li></ul><div class="section" id="migrintg-from-nis"><div class="titlepage"><div><div><h2 class="title" id="migrintg-from-nis">9.3. Migrating from NIS to IPA</h2></div></div></div><div class="para">
The IPA development team researched the topic of how netgroups are typically used in order to better determine an optimal migration design solution. This research shows that the main use cases for netgroups are the aggregation of users and the aggregation of hosts, but not both at the same time. IPA does not provide a special script or command to facilitate the migration of customers' existing netgroups to IPA. This operation must be performed by the system administrator himself or with the help of professional services. This chapter provides some guidelines to ease the process of migrating netgroups to IPA.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Preparing_Your_Environment"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Preparing_Your_Environment">10.3.1. Preparing Your Environment</h3></div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Preparing_Your_Environment"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Preparing_Your_Environment">9.3.1. Preparing Your Environment</h3></div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
These procedures are guidelines only, and are provided to help clean your environment and make it more manageable. It is not a definitive set of instructions, and administrators need to be creative and factor in the real constraints present in their environment. If any steps described below are not possible due to independent conditions, we recommend migrating netgroups on a one-to-one basis. This is described later in this chapter.
- </div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Preparing_Your_Environment-To_prepare_your_environment"><h6>Procedure 10.1. To prepare your environment</h6><ol class="1"><li class="step"><div class="para">
+ </div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Preparing_Your_Environment-To_prepare_your_environment"><h6>Procedure 9.1. To prepare your environment</h6><ol class="1"><li class="step"><div class="para">
Inspect your client applications and determine which kind of grouping information they need from the central server. For example, if netgroups exist that contain only users, and any applications that rely on these netgroups can be converted to use UNIX groups instead of netgroups, then we recommend doing so. If this is not possible, we still recommend creating UNIX groups out of the netgroups. If no applications use them, we recommend deleting these netgroups altogether. Refer to the following example:
</div><ol class="a"><li class="step"><div class="para">
Given the following netgroup: <code class="systemitem">(host1, user1, )(host2, user2,)(host3, user3, )...</code>, create a group consisting of the users <code class="systemitem">user1</code>, <code class="systemitem">user2</code>, and <code class="systemitem">user3</code> (assuming it does not already exist).
@@ -41,12 +41,12 @@
Add users and hosts as direct members of the netgroup, or, alternatively, put them into groups and then add those groups as members to the netgroup.
</div><div class="para">
For IPA clients, both methods result in the same thing — having the users and hosts managed in the netgroup — but from an administrative perspective, it may be simpler in some environments to use one option instead of the other.
- </div></li></ol></li></ol></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Migrating_Netgroups"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Migrating_Netgroups">10.3.2. Migrating Netgroups</h3></div></div></div><div class="para">
+ </div></li></ol></li></ol></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Migrating_Netgroups"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Migrating_Netgroups">9.3.2. Migrating Netgroups</h3></div></div></div><div class="para">
There are three main approaches that can be taken to the actual migration procedure:
</div><div class="orderedlist"><ol><li class="listitem"><div class="orderedlist"><ol><li class="listitem"><div class="para">
Dump the netgroups from the source into an LDIF file.
</div></li><li class="listitem"><div class="para">
- Create a script that follows the instructions in <a class="xref" href="migrintg-from-nis.html#proc-Enterprise_Identity_Management_Guide-Preparing_Your_Environment-To_prepare_your_environment">Procedure 10.1, “To prepare your environment”</a> to convert the LDIF format into an LDIF file that contains IPA native objects.
+ Create a script that follows the instructions in <a class="xref" href="migrintg-from-nis.html#proc-Enterprise_Identity_Management_Guide-Preparing_Your_Environment-To_prepare_your_environment">Procedure 9.1, “To prepare your environment”</a> to convert the LDIF format into an LDIF file that contains IPA native objects.
</div></li><li class="listitem"><div class="para">
Run the conversion script and load the resulting LDIF file into IPA using the <code class="command">ldapmodify</code> command.
</div><div class="para">
@@ -59,4 +59,4 @@
Refer to the IPA CLI help system for more details. Use the <code class="command">ipa help</code> command to display a list of available topics.
</div></li></ol></div></li><li class="listitem"><div class="orderedlist"><ol><li class="listitem"><div class="para">
Use the UI to manually create a new structure of netgroups.
- </div></li></ol></div></li></ol></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html"><strong>Prev</strong>10.2. Configuring the Network Information Service...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="authz.html"><strong>Next</strong>Chapter 11. Policy: Configuring Authorization</a></li></ul></body></html>
+ </div></li></ol></div></li></ol></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html"><strong>Prev</strong>9.2. Configuring the Network Information Service ...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="authz.html"><strong>Next</strong>Chapter 10. Policy: Configuring Authorization</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/nis.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/nis.html
index 93c5c69..79c36db 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/nis.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/nis.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 10. Identity: Integrating with NIS Domains and Netgroups</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 9. Identity: Integrating with NIS Domains and Netgroups</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html" title="9.7. Winsync Agreement Failures" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html" title="10.2. Configuring the Network Information Service (NIS)" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right
.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="nis" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 10. Identity: Integrating with NIS Domains and Netgroups</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="nis.html#about-nis">10.1. About NIS and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="nis.html#sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-What_are_Netgroups">10.1.1. What are Netgroups?</a></span></dt><dt><span class="section"><a href="nis.html#sect-Enterprise_Identity_Management_Guide-
How_IPA_Uses_Netgroups-The_IPA_Approach_to_Netgroups">10.1.2. The IPA Approach to Netgroups</a></span></dt><dt><span class="section"><a href="nis.html#adding-netgroups">10.1.3. Adding Netgroups</a></span></dt><dt><span class="section"><a href="nis.html#sect-Enterprise_Identity_Management_Guide-Configuring_Netgroups-IPA_Netgroup_Commands">10.1.4. IPA Netgroup Commands</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html">10.2. Configuring the Network Information Service (NIS)</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html#sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS-Exposing_Automount_Maps_to_NIS_Clients">10.2.1. Exposing Automount Maps to NIS Clients</a></span></dt></dl></dd><dt><span class="section"><a href="migrintg-from-nis
.html">10.3. Migrating from NIS to IPA</a></span></dt><dd><dl><dt><span class="section"><a href="migrintg-from-nis.html#sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Preparing_Your_Environment">10.3.1. Preparing Your Environment</a></span></dt><dt><span class="section"><a href="migrintg-from-nis.html#sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Migrating_Netgroups">10.3.2. Migrating Netgroups</a></span></dt></dl></dd></dl></div><div class="section" id="about-nis"><div class="titlepage"><div><div><h2 class="title" id="about-nis">10.1. About NIS and IPA</h2></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-What_are_Netgroups"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-What_are_Netgroups">10.1.1. What are Netgroups?</h3></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html" title="8.7. Winsync Agreement Failures" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html" title="9.2. Configuring the Network Information Service (NIS)" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.
png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="nis" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 9. Identity: Integrating with NIS Domains and Netgroups</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="nis.html#about-nis">9.1. About NIS and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="nis.html#sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-What_are_Netgroups">9.1.1. What are Netgroups?</a></span></dt><dt><span class="section"><a href="nis.html#sect-Enterprise_Identity_Management_Guide-How_
IPA_Uses_Netgroups-The_IPA_Approach_to_Netgroups">9.1.2. The IPA Approach to Netgroups</a></span></dt><dt><span class="section"><a href="nis.html#adding-netgroups">9.1.3. Adding Netgroups</a></span></dt><dt><span class="section"><a href="nis.html#sect-Enterprise_Identity_Management_Guide-Configuring_Netgroups-IPA_Netgroup_Commands">9.1.4. IPA Netgroup Commands</a></span></dt></dl></dd><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html">9.2. Configuring the Network Information Service (NIS)</a></span></dt><dd><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html#sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS-Exposing_Automount_Maps_to_NIS_Clients">9.2.1. Exposing Automount Maps to NIS Clients</a></span></dt></dl></dd><dt><span class="section"><a href="migrintg-from-nis.html">9.
3. Migrating from NIS to IPA</a></span></dt><dd><dl><dt><span class="section"><a href="migrintg-from-nis.html#sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Preparing_Your_Environment">9.3.1. Preparing Your Environment</a></span></dt><dt><span class="section"><a href="migrintg-from-nis.html#sect-Enterprise_Identity_Management_Guide-Migrating_Netgroups_to_IPA-Migrating_Netgroups">9.3.2. Migrating Netgroups</a></span></dt></dl></dd></dl></div><div class="section" id="about-nis"><div class="titlepage"><div><div><h2 class="title" id="about-nis">9.1. About NIS and IPA</h2></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-What_are_Netgroups"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-What_are_Netgroups">9.1.1. What are Netgroups?</h3></div></div></div><div class="para">
Netgroups are a concept introduced in the directory service NIS. They were designed to contain users, hosts (machines) and other netgroups. A netgroup is a user-host-domain triplet. Refer to the following for more details about netgroups and their uses:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<a href="http://compute.cnr.berkeley.edu/cgi-bin/man-cgi?netgroup+4">http://compute.cnr.berkeley.edu/cgi-bin/man-cgi?netgroup+4</a>
@@ -19,11 +19,11 @@
Despite this difference, it is important to underline that there are two plug-ins in IPA that make the data in the new format available via NIS or the old standard RFC2307 and RFC2307bis LDAP schema. For details, refer to the documentation and examples at: <a href="https://fedorahosted.org/slapi-nis/">https://fedorahosted.org/slapi-nis</a>. The entries stored using the new schema are converted into the standard NIS netgroup map and served via the NIS protocol by the first plug-in described on the slapi-nis project page and the compatibility plug-in can be used to create a virtual LDAP view that matches the standard 2307 or 2307bis schema for netgroups using the IPA-specific schema.
</div><div class="para">
Historically, netgroups have been used to define groups of hosts or users. The advantage of netgroups for user aggregation has been that netgroups allow nesting while normal UNIX user groups do not. Netgroups also provide the only way to aggregate hosts. There is no notion of host groups in NIS, although for effective centralized system management they are definitely needed. It is important to understand that netgroups are collections of entities, be they users, hosts, or both, but there is no relation between particular user-host pairs defined in the netgroup triplet.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-The_IPA_Approach_to_Netgroups"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-The_IPA_Approach_to_Netgroups">10.1.2. The IPA Approach to Netgroups</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-The_IPA_Approach_to_Netgroups"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-How_IPA_Uses_Netgroups-The_IPA_Approach_to_Netgroups">9.1.2. The IPA Approach to Netgroups</h3></div></div></div><div class="para">
IPA defines both user groups and host groups, each of which allow nesting. This is a much cleaner way of aggregation and allows better separation of duties and access control. In an IPA deployment, netgroups are a much less attractive approach to grouping than with other LDAP-based systems compliant with RFC 2307 (this defines the LDAP schema for users, groups, netgroups and other maps).
</div><div class="para">
Client-side applications, for example, SUDO, need netgroups because there is no alternative to host grouping on the client side. Consequently, netgroups are far from obsolete on the client side. A lot of effort is still required within SSSD and IPA to provide clean interfaces to reliably (both online and offline) relay centrally-managed information to applications running on a client machine. IPA therefore provides a way to define and store netgroups, but they are viewed as secondary to user groups and host groups.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-The_IPA_Approach_to_Netgroups-How_IPA_Stores_Netgroups"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-The_IPA_Approach_to_Netgroups-How_IPA_Stores_Netgroups">10.1.2.1. How IPA Stores Netgroups</h4></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-The_IPA_Approach_to_Netgroups-How_IPA_Stores_Netgroups"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-The_IPA_Approach_to_Netgroups-How_IPA_Stores_Netgroups">9.1.2.1. How IPA Stores Netgroups</h4></div></div></div><div class="para">
IPA stores netgroups in a different format from that specified in RFC2307 and RFC2307bis. The netgroup entries defined by the IPA schema allow relating different objects (users, groups, hosts, host groups) to each other. IPA also provides what is known as a <em class="firstterm">compat (compatibility)</em> plug-in. This plug-in creates a virtual view of the data stored in native IPA entries in the format expected by the RFC-compliant clients. This means that even though the internal data representation of netgroups is different from the RFC, this deviation does not affect clients due to the presence of the <code class="systemitem">compat</code> plug-in.
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-How_IPA_Stores_Netgroups-Comparison_of_Schema"><h5 class="formalpara">Comparison of Schema</h5>
To realize the differences, we can compare the standard RFC schema for netgroups and the schema used by IPA. IPA defines the following object class:
@@ -57,7 +57,7 @@
<a href="http://www.freeipa.org/page/DS_Design_Summary#Netgroups">http://www.freeipa.org/page/DS_Design_Summary#Netgroups</a>
</div></li></ul></div>
- </div></div></div><div class="section" id="adding-netgroups"><div class="titlepage"><div><div><h3 class="title" id="adding-netgroups">10.1.3. Adding Netgroups</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="adding-netgroups"><div class="titlepage"><div><div><h3 class="title" id="adding-netgroups">9.1.3. Adding Netgroups</h3></div></div></div><div class="para">
NIS groups traditionally contain a so-called netgroup triple of the format: (machine, user, domain)
</div><pre class="screen">machine - machine name, a host name
user - user name
@@ -73,7 +73,7 @@ NIS domain name: panda
Member User: admin
Member Host: icefloat.panda</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
There is no necessary relationship between the machine and the user. Only one of those fields is usually used at a time to avoid confusion.
- </div></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Netgroups-IPA_Netgroup_Commands"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Netgroups-IPA_Netgroup_Commands">10.1.4. IPA Netgroup Commands</h3></div></div></div><div class="para">
+ </div></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Netgroups-IPA_Netgroup_Commands"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Netgroups-IPA_Netgroup_Commands">9.1.4. IPA Netgroup Commands</h3></div></div></div><div class="para">
The IPA netgroup management plug-in conforms to the Create, Read, Update, Delete (CRUD) command-naming conventions used in all other plug-ins that ship with the default IPA installation. You can use the following command to display a list of the IPA commands available for working with netgroups:
</div><div class="para">
@@ -121,7 +121,7 @@ Member Host: icefloat.panda</pre><div class="note"><div class="admonition_header
--netgroups=NETGROUPS
]</p></div></pre><div class="para">
USERS, GROUPS, HOSTS, HOSTGROUPS, and NETGROUPS are comma-separated lists of names of the appropriate objects.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-IPA_Netgroup_Commands-Examples"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-IPA_Netgroup_Commands-Examples">10.1.4.1. Examples</h4></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-IPA_Netgroup_Commands-Examples"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-IPA_Netgroup_Commands-Examples">9.1.4.1. Examples</h4></div></div></div><div class="para">
The following examples provide an introduction to using the <code class="command">ipa netgroup-*</code> commands:
</div><pre class="screen">
<code class="command"># ipa netgroup-add net0 --desc="test netgroup"</code>
@@ -158,4 +158,4 @@ Number of members removed 1
<code class="command"># ipa netgroup-show net0</code>
ipa: ERROR: no such entry
-</pre></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html"><strong>Prev</strong>9.7. Winsync Agreement Failures</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html"><strong>Next</strong>10.2. Configuring the Network Information Service...</a></li></ul></body></html>
+</pre></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html"><strong>Prev</strong>8.7. Winsync Agreement Failures</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html"><strong>Next</strong>9.2. Configuring the Network Information Service ...</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html
index 2687b9a..ece7cdd 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/promoting-replica.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>13.8. Promoting a Read-Only Replica to a FreeIPA Server</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>12.8. Promoting a Read-Only Replica to a FreeIPA Server</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="server-config.html" title="Chapter 13. Configuring the FreeIPA Server" /><link rel="prev" href="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html" title="13.7. Creating DNS Entries for FreeIPA Replicas" /><link rel="next" href="logging.html" title="13.9. FreeIPA Server Logging" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="Working_with_D
NS-Creating_DNS_Entries_for_IPA_Replicas.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="logging.html"><strong>Next</strong></a></li></ul><div class="section" id="promoting-replica"><div class="titlepage"><div><div><h2 class="title" id="promoting-replica">13.8. Promoting a Read-Only Replica to a FreeIPA Server</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="server-config.html" title="Chapter 12. Configuring the FreeIPA Server" /><link rel="prev" href="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html" title="12.7. Creating DNS Entries for FreeIPA Replicas" /><link rel="next" href="logging.html" title="12.9. FreeIPA Server Logging" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="Working_with_D
NS-Creating_DNS_Entries_for_IPA_Replicas.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="logging.html"><strong>Next</strong></a></li></ul><div class="section" id="promoting-replica"><div class="titlepage"><div><div><h2 class="title" id="promoting-replica">12.8. Promoting a Read-Only Replica to a FreeIPA Server</h2></div></div></div><div class="para">
The only difference between a replica and the master server is that the master owns the self-signed CA. If you copy the appropriate files from the master to the replica, import the CA into the replica directory server, and delete the existing replication agreements, that replica will then appear as a master server.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
If you install with the <code class="option">--selfsign</code> option, follow this procedure if you want to promote a replica to a master. This is because the private key for the self-signed CA is stored in the Apache database (<code class="filename">/etc/httpd/alias</code>). The private key for a Dogtag Certificate System CA is stored in its own security database.
@@ -28,4 +28,4 @@
</div></li></ol></div><div class="para">
You now have two identical FreeIPA servers, neither of which know about the other. You can shut down the old master and bring up the new machine (if you are introducing a new replica into your network). Create a replica file on the new master and install it on the new machine.
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html"><strong>Prev</strong>13.7. Creating DNS Entries for FreeIPA Replicas</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="logging.html"><strong>Next</strong>13.9. FreeIPA Server Logging</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html"><strong>Prev</strong>12.7. Creating DNS Entries for FreeIPA Replicas</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="logging.html"><strong>Next</strong>12.9. FreeIPA Server Logging</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/renaming-machines.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/renaming-machines.html
index 509e330..ea71ef6 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/renaming-machines.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/renaming-machines.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>5.3. Renaming Machines</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>4.3. Renaming Machines</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="managing-clients.html" title="Chapter 5. Managing Clients in the FreeIPA Domain" /><link rel="prev" href="enrolling-machines.html" title="5.2. Enrolling Machines" /><link rel="next" href="config-virt-machines.html" title="5.4. Reconfiguring Virtual Machines" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="enrolling-machines.html"><strong>Prev</stron
g></a></li><li class="next"><a accesskey="n" href="config-virt-machines.html"><strong>Next</strong></a></li></ul><div class="section" id="renaming-machines"><div class="titlepage"><div><div><h2 class="title" id="renaming-machines">5.3. Renaming Machines</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="managing-clients.html" title="Chapter 4. Managing Clients in the FreeIPA Domain" /><link rel="prev" href="enrolling-machines.html" title="4.2. Enrolling Machines" /><link rel="next" href="config-virt-machines.html" title="4.4. Reconfiguring Virtual Machines" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="enrolling-machines.html"><strong>Prev</stron
g></a></li><li class="next"><a accesskey="n" href="config-virt-machines.html"><strong>Next</strong></a></li></ul><div class="section" id="renaming-machines"><div class="titlepage"><div><div><h2 class="title" id="renaming-machines">4.3. Renaming Machines</h2></div></div></div><div class="para">
The hostname of a system is critical for the correct operation of Kerberos and SSL. Both of these security mechanisms rely on the hostname to ensure that communication is occurring between the specified hosts, and that no "man-in-the-middle" or other attacks are affecting the system.
</div><div class="para">
In an environment where virtual machines are commonplace, or perhaps in a clustered environment, copying, moving, and renaming hosts could be quite common, resulting in frequent demands for renames of machines.
@@ -17,7 +17,7 @@
Due to the nature of service principals, renaming hosts also requires the regeneration of service principals. Each service has a Kerberos principal in the form of <code class="systemitem"><service name>/<hostname>@<REALM></code>, for example, <code class="systemitem">ldap/server.example.com at EXAMPLE.COM</code>. This principal can be referred to as a "service principal". In some cases the <code class="systemitem">@<REALM></code> is omitted, leaving only <code class="systemitem"><service name>/<hostname></code>. (The "/" is a "slash" separator, not an "or" operator.)
</div><div class="para">
The following procedure renames the host <code class="systemitem">server.example.com</code> in the Kerberos realm <code class="systemitem">EXAMPLE.COM</code>, to the new hostname <code class="systemitem">master.example.com</code>. This procedure uses example file names, hostnames and domain names throughout; you need to update these examples to suit your own environment.
- </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Renaming_IPA_Machines-To_rename_an_IPA_machine"><h6>Procedure 5.3. To rename a FreeIPA machine:</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Renaming_IPA_Machines-To_rename_an_IPA_machine"><h6>Procedure 4.3. To rename a FreeIPA machine:</h6><ol class="1"><li class="step"><div class="para">
Identify which services are running on the machine. These need to be re-created when the machine is re-enrolled:
<pre class="screen"><code class="command"># ipa service-find server.example.com</code></pre>
@@ -61,4 +61,4 @@
If you need certificates for services, use either <code class="command">certmonger</code> or the FreeIPA administration tools.
</div></li><li class="step"><div class="para">
Re-add the host to any applicable host groups.
- </div></li></ol></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="enrolling-machines.html"><strong>Prev</strong>5.2. Enrolling Machines</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="config-virt-machines.html"><strong>Next</strong>5.4. Reconfiguring Virtual Machines</a></li></ul></body></html>
+ </div></li></ol></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="enrolling-machines.html"><strong>Prev</strong>4.2. Enrolling Machines</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="config-virt-machines.html"><strong>Next</strong>4.4. Reconfiguring Virtual Machines</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/rotating-keys.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/rotating-keys.html
index 0468080..349ac65 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/rotating-keys.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/rotating-keys.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>7.5. Rotating Keys</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>6.5. Rotating Keys</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="kerberos.html" title="Chapter 7. Identity: Using FreeIPA for a Kerberos Domain" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html" title="7.4. Refreshing Kerberos Tickets" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html" title="7.6. Kerberos Errors" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="
Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html"><strong>Next</strong></a></li></ul><div class="section" id="rotating-keys"><div class="titlepage"><div><div><h2 class="title" id="rotating-keys">7.5. Rotating Keys</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="kerberos.html" title="Chapter 6. Identity: Using FreeIPA for a Kerberos Domain" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html" title="6.4. Refreshing Kerberos Tickets" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html" title="6.6. Kerberos Errors" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="
Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html"><strong>Next</strong></a></li></ul><div class="section" id="rotating-keys"><div class="titlepage"><div><div><h2 class="title" id="rotating-keys">6.5. Rotating Keys</h2></div></div></div><div class="para">
Kerberos keys are similar to passwords, and in the interests of security they should occasionally be changed. The frequency of these changes may be determined by company or other policies. Each key has an associated version number, which are stored in the <em class="parameter"><code>KVNO</code></em> parameter.
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Rotating_Kerberos_Keys-Obtaining_a_new_service_principal_Kerberos_key"><h5 class="formalpara">Obtaining a new service principal Kerberos key</h5>
Use the <code class="command">ipa-getkeytab</code> command to create a new Kerberos key. For example, use the following command to refresh your FreeIPA keytab:
@@ -42,4 +42,4 @@ Valid starting Expires Service principal
</div><div class="para">
This will display service and host keytab information. It is not possible to determine if it has a key directly, but you can infer that a keytab was issued by looking at the last change date.
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html"><strong>Prev</strong>7.4. Refreshing Kerberos Tickets</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html"><strong>Next</strong>7.6. Kerberos Errors</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html"><strong>Prev</strong>6.4. Refreshing Kerberos Tickets</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html"><strong>Next</strong>6.6. Kerberos Errors</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/search-limits.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/search-limits.html
index 77afe52..b47bb9c 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/search-limits.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/search-limits.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>6.6. Setting Default Search Limits</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>5.6. Setting Default Search Limits</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 6. Identity: Managing Users and User Groups" /><link rel="prev" href="Configuring_IPA_Users-Specifying_Default_User_Settings.html" title="6.5. Specifying Default User Settings" /><link rel="next" href="Configuring_IPA_Users-Deleting_IPA_Users.html" title="6.7. Deleting FreeIPA Users" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="
p" href="Configuring_IPA_Users-Specifying_Default_User_Settings.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_IPA_Users-Deleting_IPA_Users.html"><strong>Next</strong></a></li></ul><div class="section" id="search-limits"><div class="titlepage"><div><div><h2 class="title" id="search-limits">6.6. Setting Default Search Limits</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 5. Identity: Managing Users and User Groups" /><link rel="prev" href="Configuring_IPA_Users-Specifying_Default_User_Settings.html" title="5.5. Specifying Default User Settings" /><link rel="next" href="Configuring_IPA_Users-Deleting_IPA_Users.html" title="5.7. Deleting FreeIPA Users" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="
p" href="Configuring_IPA_Users-Specifying_Default_User_Settings.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_IPA_Users-Deleting_IPA_Users.html"><strong>Next</strong></a></li></ul><div class="section" id="search-limits"><div class="titlepage"><div><div><h2 class="title" id="search-limits">5.6. Setting Default Search Limits</h2></div></div></div><div class="para">
You can set limits on the number of records returned when performing various queries, for example when you run the <code class="command">ipa user-find</code> command. These limits are specified by the <em class="parameter"><code>Search size limit</code></em> attribute in the default FreeIPA configuration. The default value for this attribute is 100.
</div><div class="para">
To view the current configuration, run the <code class="command"># ipa config-show</code> command. Refer to the <code class="command">ipa help config</code> help page for more information.
@@ -52,4 +52,4 @@ Certificate Subject base: O=MYDOMAIN.NET</pre><div class="para">
If you add attributes to the user or group search fields, you should also create a new <code class="systemitem">LDAP</code> index for those attributes to avoid performance degradation. Conversely, the existence of too many indexes can impact write performance, so you need to balance one against the other.
</div><div class="para">
Refer to <a href="http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Indexes-Creating_Indexes.html">Creating Indexes</a> in the <em class="citetitle">389 Directory Server Administration Guide</em> for information on creating indexes.
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_IPA_Users-Specifying_Default_User_Settings.html"><strong>Prev</strong>6.5. Specifying Default User Settings</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_IPA_Users-Deleting_IPA_Users.html"><strong>Next</strong>6.7. Deleting FreeIPA Users</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_IPA_Users-Specifying_Default_User_Settings.html"><strong>Prev</strong>5.5. Specifying Default User Settings</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_IPA_Users-Deleting_IPA_Users.html"><strong>Next</strong>5.7. Deleting FreeIPA Users</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/searching.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/searching.html
index 439a813..7732da1 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/searching.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/searching.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>6.10. Searching for Users and Groups</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>5.10. Searching for Users and Groups</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 6. Identity: Managing Users and User Groups" /><link rel="prev" href="user-pwdpolicy.html" title="6.9. Setting an Individual Password Policy" /><link rel="next" href="kerberos.html" title="Chapter 7. Identity: Using FreeIPA for a Kerberos Domain" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="user-pwdpolicy.html"><strong
>Prev</strong></a></li><li class="next"><a accesskey="n" href="kerberos.html"><strong>Next</strong></a></li></ul><div class="section" id="searching"><div class="titlepage"><div><div><h2 class="title" id="searching">6.10. Searching for Users and Groups</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 5. Identity: Managing Users and User Groups" /><link rel="prev" href="user-pwdpolicy.html" title="5.9. Setting an Individual Password Policy" /><link rel="next" href="kerberos.html" title="Chapter 6. Identity: Using FreeIPA for a Kerberos Domain" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="user-pwdpolicy.html"><strong
>Prev</strong></a></li><li class="next"><a accesskey="n" href="kerberos.html"><strong>Next</strong></a></li></ul><div class="section" id="searching"><div class="titlepage"><div><div><h2 class="title" id="searching">5.10. Searching for Users and Groups</h2></div></div></div><div class="para">
FreeIPA provides extensive search capabilities, which enable you to perform simple and partial-match searches on a range of attributes, including:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
First Name (givenname)
@@ -41,7 +41,7 @@
Home Page
</div></li></ul></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
You cannot use wildcards to search for users or groups. The search string must include at least one character that appears in one of the indexed search fields.
- </div></div></div><div class="section" id="Searching_for_Users_and_Groups-Searching_for_Users"><div class="titlepage"><div><div><h3 class="title" id="Searching_for_Users_and_Groups-Searching_for_Users">6.10.1. Searching for Users</h3></div></div></div><div class="section" id="Searching_for_Users-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Searching_for_Users-Using_the_Command_Line">6.10.1.1. Using the Command Line</h4></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Searching_for_Users_and_Groups-Searching_for_Users"><div class="titlepage"><div><div><h3 class="title" id="Searching_for_Users_and_Groups-Searching_for_Users">5.10.1. Searching for Users</h3></div></div></div><div class="section" id="Searching_for_Users-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Searching_for_Users-Using_the_Command_Line">5.10.1.1. Using the Command Line</h4></div></div></div><div class="para">
Use the <code class="command">ipa user-find</code> command to search for users from the command line. The basic syntax of this command is as follows:
<div class="cmdsynopsis"><p><code class="command">ipa user-find</code> [
options
@@ -78,7 +78,7 @@ Member of groups: ipausers
Number of entries returned 2
----------------------------</pre><div class="para">
If you do not see the entry that you are looking for, you may need to adjust the <code class="option">--searchrecordslimit</code> option in the default FreeIPA configuration.
- </div></div></div><div class="section" id="Searching_for_Users_and_Groups-Searching_for_Groups"><div class="titlepage"><div><div><h3 class="title" id="Searching_for_Users_and_Groups-Searching_for_Groups">6.10.2. Searching for Groups</h3></div></div></div><div class="section" id="Searching_for_Groups-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Searching_for_Groups-Using_the_Command_Line">6.10.2.1. Using the Command Line</h4></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Searching_for_Users_and_Groups-Searching_for_Groups"><div class="titlepage"><div><div><h3 class="title" id="Searching_for_Users_and_Groups-Searching_for_Groups">5.10.2. Searching for Groups</h3></div></div></div><div class="section" id="Searching_for_Groups-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Searching_for_Groups-Using_the_Command_Line">5.10.2.1. Using the Command Line</h4></div></div></div><div class="para">
Use the <code class="command">ipa group-find</code> command to search for groups from the command line. The basic syntax of this command is as follows:
<div class="cmdsynopsis"><p><code class="command">ipa group-find</code> {
string
@@ -102,4 +102,4 @@ Member users: dkim, mkang, lming, klim
Number of entries returned 1
----------------------------</pre><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
The <code class="command">ipa group-find</code> command searches both group names and group descriptions. If your search results are too extensive, use a more specific search string.
- </div></div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="user-pwdpolicy.html"><strong>Prev</strong>6.9. Setting an Individual Password Policy</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="kerberos.html"><strong>Next</strong>Chapter 7. Identity: Using FreeIPA for a Kerberos...</a></li></ul></body></html>
+ </div></div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="user-pwdpolicy.html"><strong>Prev</strong>5.9. Setting an Individual Password Policy</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="kerberos.html"><strong>Next</strong>Chapter 6. Identity: Using FreeIPA for a Kerberos...</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html
index fa64434..1043ec1 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html
@@ -1,17 +1,17 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>7.4. Refreshing Kerberos Tickets</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>6.4. Refreshing Kerberos Tickets</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="kerberos.html" title="Chapter 7. Identity: Using FreeIPA for a Kerberos Domain" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html" title="7.3. Creating and Using Service Principals" /><link rel="next" href="rotating-keys.html" title="7.5. Rotating Keys" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><l
i class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="rotating-keys.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets">7.4. Refreshing Kerberos Tickets</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="kerberos.html" title="Chapter 6. Identity: Using FreeIPA for a Kerberos Domain" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html" title="6.3. Creating and Using Service Principals" /><link rel="next" href="rotating-keys.html" title="6.5. Rotating Keys" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><l
i class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="rotating-keys.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets">6.4. Refreshing Kerberos Tickets</h2></div></div></div><div class="para">
Some compliance or company security policies may require that system administrators manually refresh Kerberos tickets, perhaps annually or more frequently. The current version of FreeIPA does not provide automatic renewal of Kerberos tickets.
</div><div class="para">
Manually refreshing Kerberos tickets is a two step process: you first need to find all of the keytabs that are older than a certain date, and then obtain a new keytab for the host or service in question. This process is described in detail below.
- </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Refreshing_Kerberos_Tickets-How_to_manually_refresh_Kerberos_keytabs"><h6>Procedure 7.2. How to manually refresh Kerberos keytabs</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Refreshing_Kerberos_Tickets-How_to_manually_refresh_Kerberos_keytabs"><h6>Procedure 6.2. How to manually refresh Kerberos keytabs</h6><ol class="1"><li class="step"><div class="para">
Find all keytabs, both for host services and for any other services, issued before today. Use the following queries (update the dates as necessary):
<pre class="screen"><code class="command"># ldapsearch -x -b "cn=computers,cn=accounts,dc=example,dc=com"</code> <code class="command">"(&(krblastpwdchange<=20110110000000)(krblastpwdchange>=19710101000000))" dn krbprincipalname</code></pre>
@@ -38,4 +38,4 @@
</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
Some services, such as NFSv4, only support a limited set of encryption types. Ensure that you pass the appropriate arguments to the <code class="command">ipa-getkeytab</code> command.
- </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html"><strong>Prev</strong>7.3. Creating and Using Service Principals</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="rotating-keys.html"><strong>Next</strong>7.5. Rotating Keys</a></li></ul></body></html>
+ </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html"><strong>Prev</strong>6.3. Creating and Using Service Principals</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="rotating-keys.html"><strong>Next</strong>6.5. Rotating Keys</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html
index d0521ae..9433217 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>7.3. Creating and Using Service Principals</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>6.3. Creating and Using Service Principals</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="kerberos.html" title="Chapter 7. Identity: Using FreeIPA for a Kerberos Domain" /><link rel="prev" href="kerb-policies.html" title="7.2. Setting Kerberos Ticket Policies" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html" title="7.4. Refreshing Kerberos Tickets" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li cla
ss="previous"><a accesskey="p" href="kerb-policies.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals">7.3. Creating and Using Service Principals</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="kerberos.html" title="Chapter 6. Identity: Using FreeIPA for a Kerberos Domain" /><link rel="prev" href="kerb-policies.html" title="6.2. Setting Kerberos Ticket Policies" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html" title="6.4. Refreshing Kerberos Tickets" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li cla
ss="previous"><a accesskey="p" href="kerb-policies.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Creating_and_Using_Service_Principals">6.3. Creating and Using Service Principals</h2></div></div></div><div class="para">
You can use the web interface to create service principals and also to search for existing service principals. For security and other reasons, however, it is not possible to retrieve a keytab using the web interface. This has to be done either on the command line on the system where the service is accessed, or on the FreeIPA server itself, and the keytab then exported to the client host.
</div><div class="para">
The following example demonstrates creating a service principal and keytab on a client host for the <code class="systemitem">HTTP</code> service. In this example, the client host is <code class="systemitem">ipaclient.example.com</code> and the FreeIPA server is <code class="systemitem">ipaserver.example.com</code>:
@@ -33,7 +33,7 @@
The <code class="command">ipa-getkeytab</code> command resets the secret for the specified principal. This means that all other keytabs for that principal are rendered invalid.
</div></div></div><div class="para">
FreeIPA provides a range of tools and commands to facilitate the creation and administration of services and the service principals and certificates required to use them. Some of this can be automated, but there will always be a certain amount of manual intervention required to create services and certificates after the initial joining of a host to a realm. These requirements and procedures are discussed in the following sections.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Creating_Service_Principals_and_Certificates_for_New_Services-Creating_an_IPA_Service"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Creating_Service_Principals_and_Certificates_for_New_Services-Creating_an_IPA_Service">7.3.1. Creating a FreeIPA Service</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Prerequisites"><h5 class="formalpara">Prerequisites</h5>
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Creating_Service_Principals_and_Certificates_for_New_Services-Creating_an_IPA_Service"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Creating_Service_Principals_and_Certificates_for_New_Services-Creating_an_IPA_Service">6.3.1. Creating a FreeIPA Service</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Prerequisites"><h5 class="formalpara">Prerequisites</h5>
Before you can create a service for a FreeIPA host, you need to ensure that the host exists. This should be true if it has already joined the realm. Use the following command to determine if the host exists:
<pre class="screen"><code class="command"># ipa host-show myserver.mydomain.net</code></pre>
@@ -52,7 +52,7 @@
Added service "test/myserver.mydomain.net at MYDOMAIN.NET"
-------------------------------------------------------
Principal: test/myserver.mydomain.net at MYDOMAIN.NET
- Managed by: myserver.mydomain.net</pre><div class="section" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Requesting_a_Certificate_for_a_Service"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Requesting_a_Certificate_for_a_Service">7.3.1.1. Requesting a Certificate for a Service</h4></div></div></div><div class="para">
+ Managed by: myserver.mydomain.net</pre><div class="section" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Requesting_a_Certificate_for_a_Service"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Requesting_a_Certificate_for_a_Service">6.3.1.1. Requesting a Certificate for a Service</h4></div></div></div><div class="para">
Use the following command to request a certificate for the new service. The certificate request is contained in the <code class="filename">example.csr</code> file.
<pre class="screen"><code class="command"># ipa cert-request --principal=test/myserver.mydomain.net example.csr </code></pre>
@@ -84,7 +84,7 @@ Email Address []:authors at mydomain.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
-An optional company name []:</pre></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Using_certmonger_to_Manage_Certificate_Requests"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Using_certmonger_to_Manage_Certificate_Requests">7.3.1.2. Using certmonger to Manage Certificate Requests</h4></div></div></div><div class="para">
+An optional company name []:</pre></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Using_certmonger_to_Manage_Certificate_Requests"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Using_certmonger_to_Manage_Certificate_Requests">6.3.1.2. Using certmonger to Manage Certificate Requests</h4></div></div></div><div class="para">
You can also use <span class="application"><strong>certmonger</strong></span> to manage the certificate request process for you. Use the following command to request a certificate:
<pre class="screen"><code class="command"># ipa-getcert request -d /etc/pki/nssdb -n Server-Cert</code></pre>
@@ -100,8 +100,8 @@ An optional company name []:</pre></div><div class="section" id="sect-Enterprise
<pre class="screen"><code class="command">$ ipa config-show | grep -i subject</code></pre>
FreeIPA will reject requests with invalid subject base values.
</div><div class="para">
- Refer to the <code class="systemitem">certmonger</code> man page and also to <a class="xref" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger">Section C.1, “What is certmonger?”</a> for more information.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Using_NSS"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Using_NSS">7.3.1.3. Using NSS</h4></div></div></div><div class="para">
+ Refer to the <code class="systemitem">certmonger</code> man page and also to <a class="xref" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger">Section B.1, “What is certmonger?”</a> for more information.
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Using_NSS"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Creating_an_IPA_Service-Using_NSS">6.3.1.3. Using NSS</h4></div></div></div><div class="para">
If you need to create an NSS database in which to store your key, use the <code class="command">certutil</code> command as follows:
<pre class="screen"><code class="command">$ certutil -N -d /path/to/database/dir</code>
<code class="command">$ certutil -R -s "CN=myserver.mydomain.net, O=MYDOMAIN.NET" \</code>
@@ -117,9 +117,9 @@ An optional company name []:</pre></div><div class="section" id="sect-Enterprise
Certificate Subject base: O=MYDOMAIN.NET</pre><div class="para">
This means you need to use MYDOMAIN.NET for the organization. FreeIPA will reject requests whose subject base differs from this value.
- </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Configuring_an_NFS_Service_Principal_on_the_IPA_Server"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Configuring_an_NFS_Service_Principal_on_the_IPA_Server">7.3.2. Configuring an NFS Service Principal on the FreeIPA Server</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Configuring_an_NFS_Service_Principal_on_the_IPA_Server"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_Service_Principals-Configuring_an_NFS_Service_Principal_on_the_IPA_Server">6.3.2. Configuring an NFS Service Principal on the FreeIPA Server</h3></div></div></div><div class="para">
The following procedure describes how to configure <code class="systemitem">NFS</code> on the FreeIPA server and to set up an <code class="systemitem">NFS</code> service principal.
- </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Configuring_an_NFS_Service_Principal_on_the_IPA_Server-Configuring_NFS_on_the_IPA_Server"><h6>Procedure 7.1. Configuring <code class="systemitem">NFS</code> on the FreeIPA Server</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Configuring_an_NFS_Service_Principal_on_the_IPA_Server-Configuring_NFS_on_the_IPA_Server"><h6>Procedure 6.1. Configuring <code class="systemitem">NFS</code> on the FreeIPA Server</h6><ol class="1"><li class="step"><div class="para">
Configure the export directory.
<pre class="screen"><code class="command"># mkdir /export</code>
<code class="command"># chmod 777 /export</code></pre>
@@ -160,4 +160,4 @@ Certificate Subject base: O=MYDOMAIN.NET</pre><div class="para">
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
Note the use of the <code class="option">-k</code> option when restarting <code class="systemitem">rpcgssd</code>. This is necessary to update the NFS configuration with the path to the NFS keytab.
- </div></div></div></li></ol></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="kerb-policies.html"><strong>Prev</strong>7.2. Setting Kerberos Ticket Policies</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html"><strong>Next</strong>7.4. Refreshing Kerberos Tickets</a></li></ul></body></html>
+ </div></div></div></li></ol></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="kerb-policies.html"><strong>Prev</strong>6.2. Setting Kerberos Ticket Policies</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Configuring_Authentication-Refreshing_Kerberos_Tickets.html"><strong>Next</strong>6.4. Refreshing Kerberos Tickets</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html
index 2150508..33d559f 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS.html
@@ -1,17 +1,17 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>10.2. Configuring the Network Information Service (NIS)</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>9.2. Configuring the Network Information Service (NIS)</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="nis.html" title="Chapter 10. Identity: Integrating with NIS Domains and Netgroups" /><link rel="prev" href="nis.html" title="Chapter 10. Identity: Integrating with NIS Domains and Netgroups" /><link rel="next" href="migrintg-from-nis.html" title="10.3. Migrating from NIS to IPA" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="nis.html"><strong>Prev
</strong></a></li><li class="next"><a accesskey="n" href="migrintg-from-nis.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS">10.2. Configuring the Network Information Service (NIS)</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="nis.html" title="Chapter 9. Identity: Integrating with NIS Domains and Netgroups" /><link rel="prev" href="nis.html" title="Chapter 9. Identity: Integrating with NIS Domains and Netgroups" /><link rel="next" href="migrintg-from-nis.html" title="9.3. Migrating from NIS to IPA" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="nis.html"><strong>Prev</s
trong></a></li><li class="next"><a accesskey="n" href="migrintg-from-nis.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS">9.2. Configuring the Network Information Service (NIS)</h2></div></div></div><div class="para">
The Network Information Service (NIS) is an RPC service, used in conjunction with <code class="systemitem">portmap</code> and other related services to distribute maps of usernames, passwords, and other sensitive information to any computer claiming to be within its domain.
</div><div class="para">
IPA provides a NIS server plug-in to facilitate the integration of NIS clients with an IPA domain, including exposing any automount maps that have been configured.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS-Exposing_Automount_Maps_to_NIS_Clients"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS-Exposing_Automount_Maps_to_NIS_Clients">10.2.1. Exposing Automount Maps to NIS Clients</h3></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS-Exposing_Automount_Maps_to_NIS_Clients"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Configuring_the_Network_Information_Service_NIS-Exposing_Automount_Maps_to_NIS_Clients">9.2.1. Exposing Automount Maps to NIS Clients</h3></div></div></div><div class="para">
Currently, when the NIS service is enabled, the server is automatically configured to serve the NIS domain with the IPA domain's name, and to serve IPA users, groups, and netgroups (passwd, group, and netgroup maps) to the NIS domain.
</div><div class="para">
If you have defined automount maps, these maps need to be manually added to the NIS server plug-in's configuration in the directory server in order to expose them to NIS clients.
@@ -19,7 +19,7 @@
The NIS plug-in needs to know the name of the NIS domain, the name of the NIS map, how to find the directory entries to use as the NIS map's contents, and which attributes to use as the NIS map's key and value. Most of these settings will be the same for every map.
</div><div class="para">
The IPA server stores the automount maps, grouped by automount location, in the <em class="parameter"><code>cn=automount</code></em> branch of the IPA domain's tree.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Exposing_Automount_Maps_to_NIS_Clients-Example_Automount_Map_Configuration"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Exposing_Automount_Maps_to_NIS_Clients-Example_Automount_Map_Configuration">10.2.1.1. Example Automount Map Configuration</h4></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Exposing_Automount_Maps_to_NIS_Clients-Example_Automount_Map_Configuration"><div class="titlepage"><div><div><h4 class="title" id="sect-Enterprise_Identity_Management_Guide-Exposing_Automount_Maps_to_NIS_Clients-Example_Automount_Map_Configuration">9.2.1.1. Example Automount Map Configuration</h4></div></div></div><div class="para">
If you have created an automount map named <code class="filename">auto.example</code> in a location named "default", you first need to add an entry to the configuration for the NIS server running on a host named <code class="systemitem">dirsrv</code>, as follows:
<pre class="screen">LOCATION=default
NISDOMAIN=example.com
@@ -46,4 +46,4 @@ EOF
This entry instructs the plug-in to create a map named <code class="filename">auto.master</code> in the domain named <code class="systemitem">${NISDOMAIN}</code>, and that the data for that map should be read from the entries at and below <em class="parameter"><code>automountmapname=${NISMAP}</code></em>, which exists inside a container named <code class="systemitem">cn=${LOCATION}</code>. This container is in the automount section of the IPA data store. The keys for the entries in the automount map in NIS are the values of the <em class="parameter"><code>automountKey</code></em> attribute for the directory server entries, and the corresponding values in the NIS map are the values of the <em class="parameter"><code>automountInformation</code></em> attribute in those same entries.
</div><div class="para">
You then need to repeat the process for the <code class="filename">auto.direct</code> map, and then any other maps that you have defined.
- </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="nis.html"><strong>Prev</strong>Chapter 10. Identity: Integrating with NIS Domain...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="migrintg-from-nis.html"><strong>Next</strong>10.3. Migrating from NIS to IPA</a></li></ul></body></html>
+ </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="nis.html"><strong>Prev</strong>Chapter 9. Identity: Integrating with NIS Domains...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="migrintg-from-nis.html"><strong>Next</strong>9.3. Migrating from NIS to IPA</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html
index c7ed82c..cd2d83c 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>7.6. Kerberos Errors</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>6.6. Kerberos Errors</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="kerberos.html" title="Chapter 7. Identity: Using FreeIPA for a Kerberos Domain" /><link rel="prev" href="rotating-keys.html" title="7.5. Rotating Keys" /><link rel="next" href="automount.html" title="Chapter 8. Identity: Using Automount" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="rotating-keys.html"><strong>Prev</strong></a></li><li class="nex
t"><a accesskey="n" href="automount.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors">7.6. Kerberos Errors</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="kerberos.html" title="Chapter 6. Identity: Using FreeIPA for a Kerberos Domain" /><link rel="prev" href="rotating-keys.html" title="6.5. Rotating Keys" /><link rel="next" href="automount.html" title="Chapter 7. Identity: Using Automount" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="rotating-keys.html"><strong>Prev</strong></a></li><li class="nex
t"><a accesskey="n" href="automount.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-General_Troubleshooting_Tips-Kerberos_Errors">6.6. Kerberos Errors</h2></div></div></div><div class="para">
If <code class="command">kinit</code> fails or you see an unusual Kerberos error back in the framework, inspect the following files for possible causes:
<div class="itemizedlist"><ul><li class="listitem"><div class="para">
On the server: <code class="filename">/var/log/krb5kdc.log</code>
@@ -15,4 +15,4 @@
If you were using the framework also look in <code class="filename">/var/log/httpd/error_log</code>
</div></li></ul></div>
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="rotating-keys.html"><strong>Prev</strong>7.5. Rotating Keys</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="automount.html"><strong>Next</strong>Chapter 8. Identity: Using Automount</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="rotating-keys.html"><strong>Prev</strong>6.5. Rotating Keys</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="automount.html"><strong>Next</strong>Chapter 7. Identity: Using Automount</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html
index cce9faf..a4cbef5 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>11.2. HBAC Service Groups</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>10.2. HBAC Service Groups</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="authz.html" title="Chapter 11. Policy: Configuring Authorization" /><link rel="prev" href="authz.html" title="Chapter 11. Policy: Configuring Authorization" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html" title="11.3. HBAC Services" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" h
ref="authz.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups">11.2. HBAC Service Groups</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="authz.html" title="Chapter 10. Policy: Configuring Authorization" /><link rel="prev" href="authz.html" title="Chapter 10. Policy: Configuring Authorization" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html" title="10.3. HBAC Services" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" h
ref="authz.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups">10.2. HBAC Service Groups</h2></div></div></div><div class="para">
HBAC service groups can contain any number of individual services (<em class="firstterm">members</em>), and are typically used to group similar services to make it easier to create HBAC rules. All HBAC service groups require a name and description. IPA provides a single default group, SUDO, used for SUDO-related services.
</div><div class="para">
Use the <code class="command">ipa hbacsvcgroup-find</code> command to display the existing HBAC groups:
@@ -23,4 +23,4 @@ Number of entries returned 1
</div><div class="para">
IPA provides commands for adding, removing and modifying HBAC service groups, adding and removing members to and from those groups, and displaying group information. Refer to the <code class="command">ipa help hbacsvcgroup</code> help page for more information.
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="authz.html"><strong>Prev</strong>Chapter 11. Policy: Configuring Authorization</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html"><strong>Next</strong>11.3. HBAC Services</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="authz.html"><strong>Prev</strong>Chapter 10. Policy: Configuring Authorization</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html"><strong>Next</strong>10.3. HBAC Services</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html
index 87a3ea2..cdf3eac 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>11.3. HBAC Services</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>10.3. HBAC Services</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="authz.html" title="Chapter 11. Policy: Configuring Authorization" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html" title="11.2. HBAC Service Groups" /><link rel="next" href="sudo.html" title="Chapter 12. Policy: Using sudo" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href=
"sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sudo.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services">11.3. HBAC Services</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="authz.html" title="Chapter 10. Policy: Configuring Authorization" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html" title="10.2. HBAC Service Groups" /><link rel="next" href="sudo.html" title="Chapter 11. Policy: Using sudo" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href=
"sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sudo.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services">10.3. HBAC Services</h2></div></div></div><div class="para">
HBAC services refer to the PAM services that the IPA HBAC system can control access to. HBAC service names must exactly match the service name that PAM is evaluating. For example, use the following command to add the <code class="systemitem">tftp</code> service as an HBAC service:
<pre class="screen"><code class="command"># ipa hbacsvc-add tftp</code>
-------------------------
@@ -31,4 +31,4 @@ Number of entries returned 2
</div><div class="para">
Refer to the <code class="command">ipa help hbacsvc</code> help page for more information.
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html"><strong>Prev</strong>11.2. HBAC Service Groups</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sudo.html"><strong>Next</strong>Chapter 12. Policy: Using sudo</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Service_Groups.html"><strong>Prev</strong>10.2. HBAC Service Groups</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sudo.html"><strong>Next</strong>Chapter 11. Policy: Using sudo</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html
index 17f3146..1fd816e 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html
@@ -1,21 +1,21 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>D.3. Performing a Client-based Migration</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>C.3. Performing a Client-based Migration</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="Migrating_from_a_Directory_Server_to_IPA.html" title="Appendix D. Migrating from a Directory Server to IPA" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html" title="D.2. Performing a Server-based Migration" /><link rel="next" href="Glossary.html" title="Glossary" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul
class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Glossary.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration">D.3. Performing a Client-based Migration</h2></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_1_Installing_and_Configuring_SSSD"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_1_Installing_and_
Configuring_SSSD">D.3.1. Phase 1: Installing and Configuring SSSD</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="Migrating_from_a_Directory_Server_to_IPA.html" title="Appendix C. Migrating from a Directory Server to IPA" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html" title="C.2. Performing a Server-based Migration" /><link rel="next" href="Glossary.html" title="Glossary" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul
class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Glossary.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration">C.3. Performing a Client-based Migration</h2></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_1_Installing_and_Configuring_SSSD"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_1_Installing_and_
Configuring_SSSD">C.3.1. Phase 1: Installing and Configuring SSSD</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Install SSSD first on the machines that can support it:
</div><div class="para">
<code class="command"># yum install sssd</code>
</div></li><li class="listitem"><div class="para">
Configure SSSD with the LDAP back end and point it to the existing DS deployment.
- </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_2_Migrating_Existing_Data_to_IPA"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_2_Migrating_Existing_Data_to_IPA">D.3.2. Phase 2: Migrating Existing Data to IPA</h3></div></div></div><div class="para">
- Install IPA and migrate the existing DS data as described in <a class="xref" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA">Section D.2.1, “Phase 1: Migrating Existing Data to IPA”</a>
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_3_Migrate_SSSD_Clients_from_LDAP_to_IPA"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_3_Migrate_SSSD_Clients_from_LDAP_to_IPA">D.3.3. Phase 3: Migrate SSSD Clients from LDAP to IPA</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
+ </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_2_Migrating_Existing_Data_to_IPA"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_2_Migrating_Existing_Data_to_IPA">C.3.2. Phase 2: Migrating Existing Data to IPA</h3></div></div></div><div class="para">
+ Install IPA and migrate the existing DS data as described in <a class="xref" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA">Section C.2.1, “Phase 1: Migrating Existing Data to IPA”</a>
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_3_Migrate_SSSD_Clients_from_LDAP_to_IPA"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_3_Migrate_SSSD_Clients_from_LDAP_to_IPA">C.3.3. Phase 3: Migrate SSSD Clients from LDAP to IPA</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Start moving clients that have SSSD installed from the LDAP back end to the IPA back end, and enroll them with IPA. This will download the required keys and certificates.
</div></li><li class="listitem"><div class="para">
Instruct users to use (that is, to log in at least once) the machines with SSSD and IPA back end, or go to the web page and authenticate.
@@ -28,8 +28,8 @@
</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
It is important to include the quotes around the filter so that it is not interpreted by the shell.
- </div></div></div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_4_Reconfigure_non_SSSD_Clients"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_4_Reconfigure_non_SSSD_Clients">D.3.4. Phase 4: Reconfigure non-SSSD Clients</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
+ </div></div></div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_4_Reconfigure_non_SSSD_Clients"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_4_Reconfigure_non_SSSD_Clients">C.3.4. Phase 4: Reconfigure non-SSSD Clients</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
As the user population is migrated (the Kerberos keys are generated), you can start reconfiguring other (non‐SSSD) clients as required. The clients can be set up in any state shown on the diagram above.
- </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_5_Decommission_the_Directory_Server"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_5_Decommission_the_Directory_Server">D.3.5. Phase 5: Decommission the Directory Server</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
+ </div></li></ul></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_5_Decommission_the_Directory_Server"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Client_based_Migration-Phase_5_Decommission_the_Directory_Server">C.3.5. Phase 5: Decommission the Directory Server</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
When the migration of the clients is complete, decommission the DS.
- </div></li></ul></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html"><strong>Prev</strong>D.2. Performing a Server-based Migration</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Glossary.html"><strong>Next</strong>Glossary</a></li></ul></body></html>
+ </div></li></ul></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html"><strong>Prev</strong>C.2. Performing a Server-based Migration</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Glossary.html"><strong>Next</strong>Glossary</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html
index e1ae994..e032be0 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html
@@ -1,21 +1,21 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>D.2. Performing a Server-based Migration</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>C.2. Performing a Server-based Migration</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="Migrating_from_a_Directory_Server_to_IPA.html" title="Appendix D. Migrating from a Directory Server to IPA" /><link rel="prev" href="Migrating_from_a_Directory_Server_to_IPA.html" title="Appendix D. Migrating from a Directory Server to IPA" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html" title="D.3. Performing a Client-based Migration" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src=
"Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="Migrating_from_a_Directory_Server_to_IPA.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration">D.2. Performing a Server-based Migration</h2></div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="Migrating_from_a_Directory_Server_to_IPA.html" title="Appendix C. Migrating from a Directory Server to IPA" /><link rel="prev" href="Migrating_from_a_Directory_Server_to_IPA.html" title="Appendix C. Migrating from a Directory Server to IPA" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html" title="C.3. Performing a Client-based Migration" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src=
"Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="Migrating_from_a_Directory_Server_to_IPA.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration">C.2. Performing a Server-based Migration</h2></div></div></div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
Each phase of the migration should be performed as a single step.
- </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA">D.2.1. Phase 1: Migrating Existing Data to IPA</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_1_Migrating_Existing_Data_to_IPA">C.2.1. Phase 1: Migrating Existing Data to IPA</h3></div></div></div><div class="para">
The first phase of the migration consists of setting up IPA and migrating data from the existing DS to that used by IPA. This involves the use of the <code class="command">ipa migrate-ds</code> command, which dumps the user data from the original DS, converts it into a format suitable for use by IPA, and then loads the converted data into IPA.
</div><div class="para">
The <code class="command">ipa migrate-ds</code> command connects to the DS and binds as the <code class="systemitem">Directory Manager</code>, and then extracts all objectClass=person objects from ou=People. This can be changed using the <code class="option">--user-container</code> option. It also extracts all objects from ou=Groups. This can be changed using the <code class="option">--group-container</code> option. It adds all object classes and attributes required by IPA (if they are missing) and coverts DNs in attributes to match the IPA Directory Information Tree (DIT). The command returns an error if migration is not enabled.
</div><div class="para">
Refer to the <code class="command">ipa migrate-ds</code> help page for more details about this command (<code class="command">ipa help migrate-ds</code>).
- </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Phase_1_Migrating_Existing_Data_to_IPA-To_migrate_existing_data_to_IPA"><h6>Procedure D.1. To migrate existing data to IPA:</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Phase_1_Migrating_Existing_Data_to_IPA-To_migrate_existing_data_to_IPA"><h6>Procedure C.1. To migrate existing data to IPA:</h6><ol class="1"><li class="step"><div class="para">
Install IPA, including any custom DS schema, on a different machine from the existing DS. Refer to
</div></li><li class="step"><div class="para">
Use the following command to enable IPA migration mode:
@@ -39,7 +39,7 @@
The migration log file is currently not implemented. Instead, any error messages are printed to standard output.
</div></div></div>
- </div></li></ol></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_2_Updating_the_Client_Configuration"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_2_Updating_the_Client_Configuration">D.2.2. Phase 2: Updating the Client Configuration</h3></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Phase_2_Updating_the_Client_Configuration-To_update_the_client_configuration"><h6>Procedure D.2. To update the client configuration:</h6><ul><li class="step"><div class="para">
+ </div></li></ol></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_2_Updating_the_Client_Configuration"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_2_Updating_the_Client_Configuration">C.2.2. Phase 2: Updating the Client Configuration</h3></div></div></div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Phase_2_Updating_the_Client_Configuration-To_update_the_client_configuration"><h6>Procedure C.2. To update the client configuration:</h6><ul><li class="step"><div class="para">
Update the client configuration to use PAM_LDAP and NSS_LDAP to connect to IPA instead of connecting to DS, NIS, or using local files.
<div class="itemizedlist"><ul><li class="listitem"><div class="para">
If the intention is to automatically generate the Kerberos keys when a user authenticates, the configuration should use startTLS and simple bind authentication. For this to occur, the IT department needs to ensure the IPA server certificate is copied to the client.
@@ -49,7 +49,7 @@
</div></li></ul></div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
You should not update your client configuration to use PAM_KRB5 and NSS_LDAP (that is, the equivalent of IPA v1) at this stage unless absolutely necessary. This is because the Kerberos keys will not yet exist in the IPA user entries, and consequently users will not be able to log in. If such a configuration is required, users can be directed to a specific web page on the IPA server after the data has been loaded into the IPA server. This page will prompt the user for their password and perform an LDAP bind. The DS password plug-in will capture these passwords and generate the Kerberos keys.
- </div></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD">D.2.3. Phase 3: Installing and Configuring SSSD</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Phase_3_Installing_and_Configuring_SSSD-To_install_and_configure_SSSD"><h5 class="formalpara">To install and configure SSSD:</h5>
+ </div></div></div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD">C.2.3. Phase 3: Installing and Configuring SSSD</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Phase_3_Installing_and_Configuring_SSSD-To_install_and_configure_SSSD"><h5 class="formalpara">To install and configure SSSD:</h5>
<div class="orderedlist"><ol><li class="listitem"><div class="para">
Install SSSD on the machines that can support it:
</div><div class="para">
@@ -58,13 +58,13 @@
Configure SSSD to use IPA as a back end (Kerberos and LDAP). Installing SSSD and enrolling the client with IPA will ensure delivery of the machine Kerberos key and server certificate to the client. Refer to
</div></li></ol></div>
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_4_Migrating_Users"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_4_Migrating_Users">D.2.4. Phase 4: Migrating Users</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Phase_4_Migrating_Users-To_migrate_the_users_from_DS_to_IPA"><h5 class="formalpara">To migrate the users from DS to IPA:</h5>
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_4_Migrating_Users"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_4_Migrating_Users">C.2.4. Phase 4: Migrating Users</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Phase_4_Migrating_Users-To_migrate_the_users_from_DS_to_IPA"><h5 class="formalpara">To migrate the users from DS to IPA:</h5>
<div class="orderedlist"><ol><li class="listitem"><div class="para">
- Instruct users to log in to IPA using either an SSSD client or a client that supports PAM_LDAP with startTLS and simple bind. An SSSD client configured as described in <a class="xref" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD">Section D.2.3, “Phase 3: Installing and Configuring SSSD”</a> will perform a silent migration. Clients configured with startTLS and simple bind will also trigger key generation. A Kerberos key is created the first time a user logs in, and this key is stored in the IPA back end.
+ Instruct users to log in to IPA using either an SSSD client or a client that supports PAM_LDAP with startTLS and simple bind. An SSSD client configured as described in <a class="xref" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Server_based_Migration.html#sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_3_Installing_and_Configuring_SSSD">Section C.2.3, “Phase 3: Installing and Configuring SSSD”</a> will perform a silent migration. Clients configured with startTLS and simple bind will also trigger key generation. A Kerberos key is created the first time a user logs in, and this key is stored in the IPA back end.
</div></li><li class="listitem"><div class="para">
As the migration of the user population progresses (that is, as the Kerberos keys are generated on the IPA server), you can begin to configure other, non-SSSD clients to suit your requirements.
</div></li></ol></div>
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_5_Decommission_the_DS"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_5_Decommission_the_DS">D.2.5. Phase 5: Decommission the DS</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_5_Decommission_the_DS"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Performing_a_Server_based_Migration-Phase_5_Decommission_the_DS">C.2.5. Phase 5: Decommission the DS</h3></div></div></div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
When the migration of all clients and users is complete, decommission the DS.
- </div></li></ul></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Migrating_from_a_Directory_Server_to_IPA.html"><strong>Prev</strong>Appendix D. Migrating from a Directory Server to ...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html"><strong>Next</strong>D.3. Performing a Client-based Migration</a></li></ul></body></html>
+ </div></li></ul></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Migrating_from_a_Directory_Server_to_IPA.html"><strong>Prev</strong>Appendix C. Migrating from a Directory Server to ...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA-Performing_a_Client_based_Migration.html"><strong>Next</strong>C.3. Performing a Client-based Migration</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html
index 7f46955..d98946d 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>9.2. Setting up Active Directory</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>8.2. Setting up Active Directory</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="active-directory.html" title="Chapter 9. Identity: Integrating with Microsoft Active Directory" /><link rel="prev" href="active-directory.html" title="Chapter 9. Identity: Integrating with Microsoft Active Directory" /><link rel="next" href="configuring-active-directory.html" title="9.3. Configuring Active Directory Synchronization" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="
previous"><a accesskey="p" href="active-directory.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="configuring-active-directory.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory">9.2. Setting up Active Directory</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="active-directory.html" title="Chapter 8. Identity: Integrating with Microsoft Active Directory" /><link rel="prev" href="active-directory.html" title="Chapter 8. Identity: Integrating with Microsoft Active Directory" /><link rel="next" href="configuring-active-directory.html" title="8.3. Configuring Active Directory Synchronization" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="
previous"><a accesskey="p" href="active-directory.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="configuring-active-directory.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Prerequisites-Setting_up_Active_Directory">8.2. Setting up Active Directory</h2></div></div></div><div class="para">
The Windows Sync utility requires TLS/SSL to synchronize password changes. Therefore, you need to set up Active Directory as an SSL server. The easiest way to achieve this is to install Microsoft Certificate System in Enterprise Root Mode; Active Directory will then automatically enroll to retrieve its SSL server certificate.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
You need to install both the <code class="command">winsync</code> and <code class="command">passsync</code> utilities to synchronize User IDs and attributes as well as passwords.
@@ -17,7 +17,7 @@
Refer to the <a href="http://directory.fedoraproject.org/wiki/Howto:WindowsSync">Fedora Project Windows Sync Howto</a> for information on setting up Active Directory as an SSL server.
</div><div class="para">
After you have installed Microsoft Certificate System, you need to save the CA certificate in ASCII (PEM) format. This CA Certificate is required to create the synchronization agreement.
- </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Setting_up_Active_Directory-To_save_the_CA_certificate_in_ASCII_format"><h6>Procedure 9.1. To save the CA certificate in ASCII format:</h6><ol class="1"><li class="step"><div class="para">
+ </div><div class="procedure" id="proc-Enterprise_Identity_Management_Guide-Setting_up_Active_Directory-To_save_the_CA_certificate_in_ASCII_format"><h6>Procedure 8.1. To save the CA certificate in ASCII format:</h6><ol class="1"><li class="step"><div class="para">
Navigate to My Network Places and drill down to the CA distribution point. On Windows 2003 Server this is typically <code class="filename">C:\WINDOWS\system32\certsrv\CertEnroll\</code>
</div></li><li class="step"><div class="para">
Double-click the security certificate file (<code class="filename">.crt</code> file) to display the <span class="guilabel"><strong>Certificate</strong></span> dialog box.
@@ -30,5 +30,5 @@
</div></li><li class="step"><div class="para">
Click <span class="guibutton"><strong>OK</strong></span> to exit the wizard.
</div></li></ol></div><div class="para">
- Refer to <a class="xref" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html">Section 9.4, “Creating Synchronization Agreements”</a> for information on how to use the CA Certificate to create the synchronization agreement.
- </div><div class="figure" id="figu-Enterprise_Identity_Management_Guide-Setting_up_Active_Directory-Select_Base_64_encoded_X.509_to_export_the_security_certificate_as_ASCII"><div class="figure-contents"><div class="mediaobject" align="center"><img src="images/ASCII_Cert_Export.png" align="middle" alt="Select Base-64 encoded X.509 to export the security certificate as ASCII" /></div></div><h6>Figure 9.1. Select Base-64 encoded X.509 to export the security certificate as ASCII</h6></div><br class="figure-break" /></div><ul class="docnav"><li class="previous"><a accesskey="p" href="active-directory.html"><strong>Prev</strong>Chapter 9. Identity: Integrating with Microsoft A...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="configuring-active-directory.html"><strong>Next</strong>9.3. Configuring Active Directory Synchroniz
ation</a></li></ul></body></html>
+ Refer to <a class="xref" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html">Section 8.4, “Creating Synchronization Agreements”</a> for information on how to use the CA Certificate to create the synchronization agreement.
+ </div><div class="figure" id="figu-Enterprise_Identity_Management_Guide-Setting_up_Active_Directory-Select_Base_64_encoded_X.509_to_export_the_security_certificate_as_ASCII"><div class="figure-contents"><div class="mediaobject" align="center"><img src="images/ASCII_Cert_Export.png" align="middle" alt="Select Base-64 encoded X.509 to export the security certificate as ASCII" /></div></div><h6>Figure 8.1. Select Base-64 encoded X.509 to export the security certificate as ASCII</h6></div><br class="figure-break" /></div><ul class="docnav"><li class="previous"><a accesskey="p" href="active-directory.html"><strong>Prev</strong>Chapter 8. Identity: Integrating with Microsoft A...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="configuring-active-directory.html"><strong>Next</strong>8.3. Configuring Active Directory Synchroniz
ation</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html
index f70ce4b..8ca991d 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>9.4. Creating Synchronization Agreements</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>8.4. Creating Synchronization Agreements</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="active-directory.html" title="Chapter 9. Identity: Integrating with Microsoft Active Directory" /><link rel="prev" href="configuring-active-directory.html" title="9.3. Configuring Active Directory Synchronization" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html" title="9.5. Modifying Synchronization Agreements" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common
_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="configuring-active-directory.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements">9.4. Creating Synchronization Agreements</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="active-directory.html" title="Chapter 8. Identity: Integrating with Microsoft Active Directory" /><link rel="prev" href="configuring-active-directory.html" title="8.3. Configuring Active Directory Synchronization" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html" title="8.5. Modifying Synchronization Agreements" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common
_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="configuring-active-directory.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements">8.4. Creating Synchronization Agreements</h2></div></div></div><div class="para">
Use the <code class="command">ipa-replica-manage connect</code> command to create synchronization agreements. The following command-line arguments apply to creating synchronization agreements:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<code class="option">--winsync</code> — specifies that this is a Windows Sync agreement. Winsync replication occurs every five minutes.
@@ -23,5 +23,5 @@
<code class="option">--win-subtree</code> — the DN of the Windows subtree containing the users you want to synchronize. The default value is <em class="parameter"><code>cn=Users,$SUFFIX</code></em> — this is what Windows AD typically uses as the default value.
</div></li></ul></div><div class="para">
The following example illustrates adding a new WinSync agreement:
- </div><div class="example" id="exam-Enterprise_Identity_Management_Guide-Creating_Synchronization_Agreements-Adding_a_WinSync_agreement_between_an_IPA_server_and_an_AD_server."><h6>Example 9.1. Adding a WinSync agreement between an IPA server and an AD server.</h6><div class="example-contents"><pre class="screen"><code class="command">ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \</code>
-<code class="command">--bindpw password --passsync password --cacert /path/to/certfile.cer adserver.example.com -v</code></pre></div></div><br class="example-break" /></div><ul class="docnav"><li class="previous"><a accesskey="p" href="configuring-active-directory.html"><strong>Prev</strong>9.3. Configuring Active Directory Synchronization</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html"><strong>Next</strong>9.5. Modifying Synchronization Agreements</a></li></ul></body></html>
+ </div><div class="example" id="exam-Enterprise_Identity_Management_Guide-Creating_Synchronization_Agreements-Adding_a_WinSync_agreement_between_an_IPA_server_and_an_AD_server."><h6>Example 8.1. Adding a WinSync agreement between an IPA server and an AD server.</h6><div class="example-contents"><pre class="screen"><code class="command">ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=example,dc=com \</code>
+<code class="command">--bindpw password --passsync password --cacert /path/to/certfile.cer adserver.example.com -v</code></pre></div></div><br class="example-break" /></div><ul class="docnav"><li class="previous"><a accesskey="p" href="configuring-active-directory.html"><strong>Prev</strong>8.3. Configuring Active Directory Synchronization</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html"><strong>Next</strong>8.5. Modifying Synchronization Agreements</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html
index 9329aaa..770ae5c 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>9.6. Deleting Synchronization Agreements</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>8.6. Deleting Synchronization Agreements</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="active-directory.html" title="Chapter 9. Identity: Integrating with Microsoft Active Directory" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html" title="9.5. Modifying Synchronization Agreements" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html" title="9.7. Winsync Agreement Failures" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" hre
f="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements">9.6. Deleting Synchronization Agreements</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="active-directory.html" title="Chapter 8. Identity: Integrating with Microsoft Active Directory" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html" title="8.5. Modifying Synchronization Agreements" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html" title="8.7. Winsync Agreement Failures" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" hre
f="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements">8.6. Deleting Synchronization Agreements</h2></div></div></div><div class="para">
You can use the IPA administration tools to delete existing synchronization agreements. For example, to delete an agreement with the AD server <code class="systemitem">adserver.example.com</code>, run the following command:
</div><div class="para">
<code class="command"># ipa-replica-manage disconnect adserver.example.com</code>
@@ -15,4 +15,4 @@
This removes the replication agreement between the IPA and AD servers. To complete the operation, you need to remove the AD certificate from the IPA server. Run the following command to remove the AD certificate:
</div><div class="para">
<code class="command"># certutil -D -d /etc/dirsrv/slapd-$REALM/ -n "Imported CA"</code>
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html"><strong>Prev</strong>9.5. Modifying Synchronization Agreements</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html"><strong>Next</strong>9.7. Winsync Agreement Failures</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html"><strong>Prev</strong>8.5. Modifying Synchronization Agreements</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html"><strong>Next</strong>8.7. Winsync Agreement Failures</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html
index 83643b0..989d04b 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements.html
@@ -1,17 +1,17 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>9.5. Modifying Synchronization Agreements</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>8.5. Modifying Synchronization Agreements</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="active-directory.html" title="Chapter 9. Identity: Integrating with Microsoft Active Directory" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html" title="9.4. Creating Synchronization Agreements" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html" title="9.6. Deleting Synchronization Agreements" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.pn
g" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements">9.5. M
odifying Synchronization Agreements</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="active-directory.html" title="Chapter 8. Identity: Integrating with Microsoft Active Directory" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html" title="8.4. Creating Synchronization Agreements" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html" title="8.6. Deleting Synchronization Agreements" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.pn
g" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Modifying_Synchronization_Agreements">8.5. M
odifying Synchronization Agreements</h2></div></div></div><div class="para">
You can change the behavior of the synchronization agreement to suit the changing needs of your organization. You can modify a number of attributes related to the synchronization agreement using default tools provided with IPA.
</div><div class="para">
The following example illustrates changing the synchronization behavior of account lock status. By default, account lock status is synchronized between IPA and AD. This means that accounts that are locked in IPA are also locked (disabled) in AD, and vice versa. You can change this synchronization behavior as follows:
- </div><div class="example" id="exam-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Configuring_the_IPA_WinSync_agreement_to_not_synchronize_account_lock_status_information."><h6>Example 9.2. Configuring the IPA WinSync agreement to not synchronize account lock status information.</h6><div class="example-contents"><pre class="screen"><code class="command">$ ldapmodify -x -D "cn=directory manager" -w password</code>
+ </div><div class="example" id="exam-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Configuring_the_IPA_WinSync_agreement_to_not_synchronize_account_lock_status_information."><h6>Example 8.2. Configuring the IPA WinSync agreement to not synchronize account lock status information.</h6><div class="example-contents"><pre class="screen"><code class="command">$ ldapmodify -x -D "cn=directory manager" -w password</code>
dn: cn=ipa-winsync,cn=plugins,cn=config
changetype: modify
replace: ipaWinSyncAcctDisable
@@ -20,10 +20,10 @@ ipaWinSyncAcctDisable: none
modifying entry "cn=ipa-winsync,cn=plugins,cn=config"
</pre></div></div><br class="example-break" /><div class="para">
The default value of the <em class="parameter"><code>ipaWinSyncAcctDisable</code></em> attribute is <code class="literal">both</code>. If you change this value to <code class="literal">none</code>, as described in the example, account lock status synchronization is completely disabled. Valid values for <em class="parameter"><code>ipaWinSyncAcctDisable</code></em> are <code class="literal">both</code>, <code class="literal">to_ad</code>, <code class="literal">to_ds</code>, and <code class="literal">none</code>.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Changing_the_Default_Synchronization_Subtree"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Changing_the_Default_Synchronization_Subtree">9.5.1. Changing the Default Synchronization Subtree</h3></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Changing_the_Default_Synchronization_Subtree"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Modifying_Synchronization_Agreements-Changing_the_Default_Synchronization_Subtree">8.5.1. Changing the Default Synchronization Subtree</h3></div></div></div><div class="para">
When you create synchronization agreements, two default containers are used as the source of the user accounts to synchronize between IPA and Windows Active Directory. IPA uses the <em class="parameter"><code>cn=users,cn=accounts,$SUFFIX</code></em> subtree as the default container, and Windows uses the <em class="parameter"><code>CN=Users,$SUFFIX</code></em> subtree. You can use the <em class="parameter"><code>--win-subtree</code></em> argument to the <code class="command">ipa-replica-manage connect</code> command to override the default Windows subtree.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
If you pass such arguments to the bash or other shell, ensure that you quote spaces and other shell metacharacters. For example, the argument <em class="parameter"><code>--win-subtree=cn=users, dc=example, dc=com</code></em> will fail. The argument <em class="parameter"><code>--win-subtree="cn=users, dc=example, dc=com"</code></em> will succeed.
</div></div></div><div class="para">
IPA does not currently support modifying the default synchronization container while you are creating the synchronization agreement. You can, however, change the container after the agreement has been established. To do so, you can either modify the <code class="filename">dse.ldif</code> file directly (ensure that you stop the directory server before editing this file), or use <code class="command">ldapmodify</code> to change <em class="parameter"><code>nsds7WindowsReplicaSubtree</code></em>.
- </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html"><strong>Prev</strong>9.4. Creating Synchronization Agreements</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html"><strong>Next</strong>9.6. Deleting Synchronization Agreements</a></li></ul></body></html>
+ </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Creating_Synchronization_Agreements.html"><strong>Prev</strong>8.4. Creating Synchronization Agreements</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html"><strong>Next</strong>8.6. Deleting Synchronization Agreements</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html
index 7412e64..6fd2a87 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>9.7. Winsync Agreement Failures</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>8.7. Winsync Agreement Failures</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="active-directory.html" title="Chapter 9. Identity: Integrating with Microsoft Active Directory" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html" title="9.6. Deleting Synchronization Agreements" /><link rel="next" href="nis.html" title="Chapter 10. Identity: Integrating with NIS Domains and Netgroups" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/im
ages/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="nis.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures">9.7. Winsync Agreement Failures</h2></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Winsync_Agreement_Failures-Symptom"><h5 class="formalpara">Symptom</h5>
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="active-directory.html" title="Chapter 8. Identity: Integrating with Microsoft Active Directory" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html" title="8.6. Deleting Synchronization Agreements" /><link rel="next" href="nis.html" title="Chapter 9. Identity: Integrating with NIS Domains and Netgroups" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/ima
ges/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="nis.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Troubleshooting_IPA_Servers-Winsync_Agreement_Failures">8.7. Winsync Agreement Failures</h2></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Winsync_Agreement_Failures-Symptom"><h5 class="formalpara">Symptom</h5>
If the creation of a winsync agreement fails, you may see an error message similar to the following:
<pre class="screen">"Update failed! Status: [81 - LDAP error: Can't contact LDAP server]
</pre>
@@ -35,4 +35,4 @@ Imported CA CT,,C</pre>
</div><pre class="screen">"Windows PassSync entry exists, not resetting password"
</pre><div class="para">
This is not an error, but rather a notification that IPA is not re-adding the <code class="systemitem">passync</code> user, and neither is it changing the original password. The <code class="systemitem">passync</code> user is a special user entry that can change passwords in IPA.
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html"><strong>Prev</strong>9.6. Deleting Synchronization Agreements</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="nis.html"><strong>Next</strong>Chapter 10. Identity: Integrating with NIS Domain...</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Deleting_Synchronization_Agreements.html"><strong>Prev</strong>8.6. Deleting Synchronization Agreements</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="nis.html"><strong>Next</strong>Chapter 9. Identity: Integrating with NIS Domains...</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html
index eebc7ae..acb9c57 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>C.2. Using certmonger</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>B.2. Using certmonger</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html" title="Appendix C. Services: Working with certmonger" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html" title="Appendix C. Services: Working with certmonger" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html" title="C.3. Using certmonger with NSS" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="
Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger">C.2. Using certmonger</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html" title="Appendix B. Services: Working with certmonger" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html" title="Appendix B. Services: Working with certmonger" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html" title="B.3. Using certmonger with NSS" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="
Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger">B.2. Using certmonger</h2></div></div></div><div class="para">
Probably the simplest use case is to generate a certificate which is signed by the subject itself. These are not typically used in production, but are suitable for demonstration and testing purposes. Consider the following command:
</div><pre class="screen"><code class="command"># selfsign-getcert request -f /tmp/server.crt -k /tmp/server.key</code></pre><div class="para">
This informs <code class="systemitem">certmonger</code> that we want a key to be stored in the file <code class="filename">/tmp/server.key</code>, to generate a corresponding certificate, and to store that certificate in the file <code class="filename">/tmp/server.crt</code>. Using <code class="command">selfsign-getcert</code> also implicitly tells <code class="systemitem">certmonger</code> to <span class="emphasis"><em>self-sign</em></span> the CSR, which it generates and uses internally, with the subject's own key. During this process, certmonger:
@@ -19,4 +19,4 @@
created the CSR
</div></li><li class="listitem"><div class="para">
used the same key to produce a signed certificate.
- </div></li></ul></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html"><strong>Prev</strong>Appendix C. Services: Working with certmonger</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html"><strong>Next</strong>C.3. Using certmonger with NSS</a></li></ul></body></html>
+ </div></li></ul></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html"><strong>Prev</strong>Appendix B. Services: Working with certmonger</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html"><strong>Next</strong>B.3. Using certmonger with NSS</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html
index 80ae191..a6d1e6f 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>C.4. Using certmonger with IPA</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>B.4. Using certmonger with IPA</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html" title="Appendix C. Services: Working with certmonger" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html" title="C.3. Using certmonger with NSS" /><link rel="next" href="Migrating_from_a_Directory_Server_to_IPA.html" title="Appendix D. Migrating from a Directory Server to IPA" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/ima
ges/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Migrating_from_a_Directory_Server_to_IPA.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA">C.4. Using certmonger with IPA</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html" title="Appendix B. Services: Working with certmonger" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html" title="B.3. Using certmonger with NSS" /><link rel="next" href="Migrating_from_a_Directory_Server_to_IPA.html" title="Appendix C. Migrating from a Directory Server to IPA" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/ima
ges/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Migrating_from_a_Directory_Server_to_IPA.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA">B.4. Using certmonger with IPA</h2></div></div></div><div class="para">
The only difference between using <code class="systemitem">certmonger</code> with the IPA CA and producing a self-signed certificate is changing the command prefix. Instead of using <code class="command">selfsign-getcert</code>, use the <code class="command">ipa-getcert</code> command. For example:
<pre class="screen"><code class="command">ipa-getcert request -r \</code>
<code class="command">-f /etc/httpd/conf/ssl.crt/server.crt \</code>
@@ -16,4 +16,4 @@
<code class="command">-D `hostname --fqdn` \</code>
<code class="command">-U id-kp-serverAuth</code></pre>
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html"><strong>Prev</strong>C.3. Using certmonger with NSS</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Migrating_from_a_Directory_Server_to_IPA.html"><strong>Next</strong>Appendix D. Migrating from a Directory Server to ...</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html"><strong>Prev</strong>B.3. Using certmonger with NSS</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Migrating_from_a_Directory_Server_to_IPA.html"><strong>Next</strong>Appendix C. Migrating from a Directory Server to ...</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html
index 997f9ea..4f5bb91 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>C.3. Using certmonger with NSS</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>B.3. Using certmonger with NSS</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html" title="Appendix C. Services: Working with certmonger" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html" title="C.2. Using certmonger" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html" title="C.4. Using certmonger with IPA" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_C
ontent/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS">C.3. Using certmonger with NSS</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html" title="Appendix B. Services: Working with certmonger" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html" title="B.2. Using certmonger" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html" title="B.4. Using certmonger with IPA" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_C
ontent/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html"><strong>Next</strong></a></li></ul><div class="section" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS">B.3. Using certmonger with NSS</h2></div></div></div><div class="para">
The previous example used plain files for holding the key and the certificate, but certmonger can also take advantage of NSS database storage. In this scenario, you need to pass the database's location and a nickname for the certificate to certmonger. Consider the following example:
<pre class="screen"><code class="command"># selfsign-getcert request -d /tmp -n Test-Certificate</code></pre>
@@ -18,4 +18,4 @@
</div><div class="para">
Refer to the <code class="command">getcert</code> man page for more information about the available command options.
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html"><strong>Prev</strong>C.2. Using certmonger</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html"><strong>Next</strong>C.4. Using certmonger with IPA</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html"><strong>Prev</strong>B.2. Using certmonger</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html"><strong>Next</strong>B.4. Using certmonger with IPA</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html
index 24c05cf..2bdda06 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html
@@ -1,16 +1,16 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Appendix C. Services: Working with certmonger</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Appendix B. Services: Working with certmonger</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="certmonger-tools.html" title="B.4. Certmonger Scripts" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html" title="C.2. Using certmonger" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="certmonger-tools.html"><s
trong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="appendix" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger" lang="en-US"><div class="titlepage"><div><div><h1 class="title">Services: Working with certmonger</h1></div></div></div><div class="toc"><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger">C.1. What is certmonger?</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html">C.2. Using certmonger</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html">C.3. Using certmonge
r with NSS</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html">C.4. Using certmonger with IPA</a></span></dt></dl></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger">C.1. What is certmonger?</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html" title="Appendix A. Frequently Asked Questions" /><link rel="next" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html" title="B.2. Using certmonger" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><
li class="previous"><a accesskey="p" href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="appendix" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger" lang="en-US"><div class="titlepage"><div><div><h1 class="title">Services: Working with certmonger</h1></div></div></div><div class="toc"><dl><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger.html#sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger">B.1. What is certmonger?</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html">B.2. Using certmonger</a></span></dt><dt><span class="section"><a href
="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_NSS.html">B.3. Using certmonger with NSS</a></span></dt><dt><span class="section"><a href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger_with_IPA.html">B.4. Using certmonger with IPA</a></span></dt></dl></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger"><div class="titlepage"><div><div><h2 class="title" id="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-What_is_certmonger">B.1. What is certmonger?</h2></div></div></div><div class="para">
The <code class="systemitem">certmonger</code> daemon, together with its command line clients, attempts to simplify the process of generating public/private key pairs and Certificate Signing Requests (CSRs), and submitting CSRs to Certificate Authorities (CAs) for signing.
</div><div class="para">
The <code class="systemitem">certmonger</code> daemon also monitors certificates for imminent expiration and, with the help of a CA, can optionally refresh certificates that are about to expire. It can also drive the entire IPA enrollment process, from key generation through to enrollment itself and refreshing certificates.
</div><div class="para">
The set of certificates that <code class="systemitem">certmonger</code> monitors is tracked in files stored in a user-configurable directory. The default location is <code class="filename">/var/lib/certmonger/requests</code>.
- </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="certmonger-tools.html"><strong>Prev</strong>B.4. Certmonger Scripts</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html"><strong>Next</strong>C.2. Using certmonger</a></li></ul></body></html>
+ </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="chap-Enterprise_Identity_Management_Guide-Frequently_Asked_Questions.html"><strong>Prev</strong>Appendix A. Frequently Asked Questions</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="sect-Enterprise_Identity_Management_Guide-Working_with_certmonger-Using_certmonger.html"><strong>Next</strong>B.2. Using certmonger</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/server-config.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/server-config.html
index 0e34eef..c188669 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/server-config.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/server-config.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 13. Configuring the FreeIPA Server</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 12. Configuring the FreeIPA Server</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="configuring-sudo.html" title="12.2. Configuring sudo" /><link rel="next" href="disabling-anon-binds.html" title="13.2. Disabling Anonymous Binds" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="configuring-sudo.html"><strong>Prev</strong></a></li><li class="next"><a acces
skey="n" href="disabling-anon-binds.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="server-config" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 13. Configuring the FreeIPA Server</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="server-config.html#managing-access-to-ipa">13.1. Defining Access Controls within FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="server-config.html#Server_side_Access_Control">13.1.1. Server-side Access Control</a></span></dt><dt><span class="section"><a href="server-config.html#creating-roles">13.1.2. Creating Roles</a></span></dt><dt><span class="section"><a href="server-config.html#self-service">13.1.3. Defining Self-Service Settings</a></span></dt></dl></dd><dt><span class="section"><a href="disabling-anon-binds.html">13.2. Disabling Anonymous Binds</a></span></dt><dt><span class="section"><a href="Managing-Unique_UID_and_GID_Attributes.h
tml">13.3. Managing Unique UID and GID Number Assignments</a></span></dt><dd><dl><dt><span class="section"><a href="Managing-Unique_UID_and_GID_Attributes.html#id-ranges-at-install">13.3.1. About ID Range Assignments During Installation</a></span></dt><dt><span class="section"><a href="Managing-Unique_UID_and_GID_Attributes.html#Assigning_UIDs_and_GIDs-Adding_New_Ranges">13.3.2. Adding New Ranges</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_Certificates_and_Certificate_Authorities.html">13.4. Configuring Certificates and Certificate Authorities</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_Certificates_and_Certificate_Authorities.html#Configuring_Certificates_and_Certificate_Authorities-Installing_Your_Own_Certificate">13.4.1. Installing Your Own Certificate</a></span></dt><dt><span class="section"><a href="Configuring_Certificates_and_Certificate_Authorities.html#Configuring_Certificates_and_Certificate_Authorities-Using_Yo
ur_Own_Certificate_with_Firefox">13.4.2. Using Your Own Certificate with Firefox</a></span></dt><dt><span class="section"><a href="Configuring_Certificates_and_Certificate_Authorities.html#Using_OCSP">13.4.3. Using OCSP</a></span></dt></dl></dd><dt><span class="section"><a href="ipa-apache.html">13.5. Setting a FreeIPA Server as an Apache Virtual Host</a></span></dt><dt><span class="section"><a href="ipa-cluster.html">13.6. Using FreeIPA in a Cluster</a></span></dt><dd><dl><dt><span class="section"><a href="ipa-cluster.html#Implementing_IPA_in_a_Clustered_Environment-Configuring_Kerberos_Credentials_for_a_Clustered_Environment">13.6.1. Configuring Kerberos Credentials for a Clustered Environment</a></span></dt><dt><span class="section"><a href="ipa-cluster.html#Implementing_IPA_in_a_Clustered_Environment-Using_the_Same_Service_Principal_for_Multiple_Services">13.6.2. Using the Same Service Principal for Multiple Services</a></span></dt></dl></dd><dt><span class="section"><a
href="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html">13.7. Creating DNS Entries for FreeIPA Replicas</a></span></dt><dt><span class="section"><a href="promoting-replica.html">13.8. Promoting a Read-Only Replica to a FreeIPA Server</a></span></dt><dt><span class="section"><a href="logging.html">13.9. FreeIPA Server Logging</a></span></dt></dl></div><div class="section" id="managing-access-to-ipa"><div class="titlepage"><div><div><h2 class="title" id="managing-access-to-ipa">13.1. Defining Access Controls within FreeIPA</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="configuring-sudo.html" title="11.2. Configuring sudo" /><link rel="next" href="disabling-anon-binds.html" title="12.2. Disabling Anonymous Binds" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="configuring-sudo.html"><strong>Prev</strong></a></li><li class="next"><a acces
skey="n" href="disabling-anon-binds.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="server-config" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 12. Configuring the FreeIPA Server</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="server-config.html#managing-access-to-ipa">12.1. Defining Access Controls within FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="server-config.html#Server_side_Access_Control">12.1.1. Server-side Access Control</a></span></dt><dt><span class="section"><a href="server-config.html#creating-roles">12.1.2. Creating Roles</a></span></dt><dt><span class="section"><a href="server-config.html#self-service">12.1.3. Defining Self-Service Settings</a></span></dt></dl></dd><dt><span class="section"><a href="disabling-anon-binds.html">12.2. Disabling Anonymous Binds</a></span></dt><dt><span class="section"><a href="Managing-Unique_UID_and_GID_Attributes.h
tml">12.3. Managing Unique UID and GID Number Assignments</a></span></dt><dd><dl><dt><span class="section"><a href="Managing-Unique_UID_and_GID_Attributes.html#id-ranges-at-install">12.3.1. About ID Range Assignments During Installation</a></span></dt><dt><span class="section"><a href="Managing-Unique_UID_and_GID_Attributes.html#Assigning_UIDs_and_GIDs-Adding_New_Ranges">12.3.2. Adding New Ranges</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_Certificates_and_Certificate_Authorities.html">12.4. Configuring Certificates and Certificate Authorities</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_Certificates_and_Certificate_Authorities.html#Configuring_Certificates_and_Certificate_Authorities-Installing_Your_Own_Certificate">12.4.1. Installing Your Own Certificate</a></span></dt><dt><span class="section"><a href="Configuring_Certificates_and_Certificate_Authorities.html#Configuring_Certificates_and_Certificate_Authorities-Using_Yo
ur_Own_Certificate_with_Firefox">12.4.2. Using Your Own Certificate with Firefox</a></span></dt><dt><span class="section"><a href="Configuring_Certificates_and_Certificate_Authorities.html#Using_OCSP">12.4.3. Using OCSP</a></span></dt></dl></dd><dt><span class="section"><a href="ipa-apache.html">12.5. Setting a FreeIPA Server as an Apache Virtual Host</a></span></dt><dt><span class="section"><a href="ipa-cluster.html">12.6. Using FreeIPA in a Cluster</a></span></dt><dd><dl><dt><span class="section"><a href="ipa-cluster.html#Implementing_IPA_in_a_Clustered_Environment-Configuring_Kerberos_Credentials_for_a_Clustered_Environment">12.6.1. Configuring Kerberos Credentials for a Clustered Environment</a></span></dt><dt><span class="section"><a href="ipa-cluster.html#Implementing_IPA_in_a_Clustered_Environment-Using_the_Same_Service_Principal_for_Multiple_Services">12.6.2. Using the Same Service Principal for Multiple Services</a></span></dt></dl></dd><dt><span class="section"><a
href="Working_with_DNS-Creating_DNS_Entries_for_IPA_Replicas.html">12.7. Creating DNS Entries for FreeIPA Replicas</a></span></dt><dt><span class="section"><a href="promoting-replica.html">12.8. Promoting a Read-Only Replica to a FreeIPA Server</a></span></dt><dt><span class="section"><a href="logging.html">12.9. FreeIPA Server Logging</a></span></dt></dl></div><div class="section" id="managing-access-to-ipa"><div class="titlepage"><div><div><h2 class="title" id="managing-access-to-ipa">12.1. Defining Access Controls within FreeIPA</h2></div></div></div><div class="para">
Access control is a mechanism which defines user access. That is, it defines the rights that users and other objects have been granted in order to perform operations on other users or objects. When the FreeIPA directory server receives a request, it uses the authentication information provided by the user in the bind operation together with <em class="firstterm">access control instructions (ACIs)</em> defined in the server to allow or deny access to directory information. The server can allow or deny permissions for actions, such as read, write, search, and compare, on directory server entries. The permission level granted to a user may depend on the authentication information provided.
</div><div class="para">
FreeIPA implements a number of different methods for controlling access to the various objects, commands and processes that exist within a FreeIPA domain. This includes a Kerberos Ticket Policy, a Password Policy, Host-based Access Control and SUDO Command Policies for controlling client access to services and commands; that is, outside of the FreeIPA server, and a separate Access Control Model for controlling server-side objects; that is, LDAP entries within the FreeIPA server.
@@ -27,7 +27,7 @@
There are several aspects to working with roles. Because it is a hierarchical system, to create a fully operational role you need to create the role itself, add privileges to this role to establish what tasks it can and cannot perform, and finally add members to the role, such as users, groups, etc. The reverse is also true; if you remove a role, then any users or groups who relied on this role to perform certain tasks will no longer be able to do so.
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
You cannot create nested roles. That is, a role cannot contain another role.
- </div></div></div><div class="section" id="Server_side_Access_Control"><div class="titlepage"><div><div><h3 class="title" id="Server_side_Access_Control">13.1.1. Server-side Access Control</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Server_side_Access_Control"><div class="titlepage"><div><div><h3 class="title" id="Server_side_Access_Control">12.1.1. Server-side Access Control</h3></div></div></div><div class="para">
The FreeIPA Access Control Model is based on the underlying 389 Directory Server access control model, which uses access control instructions (ACIs) to define user access within the system. An ACI is a construct that can express a complex set of access control information.
</div><div class="para">
As explained in the directory server documentation, the three main parts of an ACI statement are:
@@ -41,7 +41,7 @@
</div><div class="para">
The ACI structure itself is very flexible, but can also be confusing. FreeIPA attempts to structure these ACIs in order to provide a formalized input and output that can be expressed on the command line and in the WebUI, while at the same time maintaining sufficient flexibility to create complex access control rules. In order to achieve this, FreeIPA implements three types of access control. These are discussed in the following sections.
- </div><div class="section" id="Server_side_Access_Control-Types_of_Access_Control"><div class="titlepage"><div><div><h4 class="title" id="Server_side_Access_Control-Types_of_Access_Control">13.1.1.1. Types of Access Control</h4></div></div></div><div class="para">
+ </div><div class="section" id="Server_side_Access_Control-Types_of_Access_Control"><div class="titlepage"><div><div><h4 class="title" id="Server_side_Access_Control-Types_of_Access_Control">12.1.1.1. Types of Access Control</h4></div></div></div><div class="para">
FreeIPA relies on three separate types of access control rules:
<div class="itemizedlist"><ul><li class="listitem"><div class="para">
Role-based
@@ -59,7 +59,7 @@
Delegation access control defines what operations one group of users or entries can perform on another group of users or entries. In each case, the group of users or entries may be identified by a provided filter. The core difference between delegation access control rules and other rules is that the target—the object of the access control rule—is not a class of entries but rather a set of specific entries that are members of a group or retrieved by a specific filter. The delegation rules allow targeted management of specific user entries.
</div><div class="para">
In each case, the access control rule resolves the constituents of the FreeIPA access control expression: "<em class="firstterm">Who</em> can do <em class="firstterm">What</em> to <em class="firstterm">Whom</em>". The following section explains these constituents in more detail.
- </div><div class="section" id="Types_of_Access_Control-The_IPA_Access_Control_Expression"><div class="titlepage"><div><div><h5 class="title" id="Types_of_Access_Control-The_IPA_Access_Control_Expression">13.1.1.1.1. The FreeIPA Access Control Expression</h5></div></div></div><div class="formalpara" id="The_IPA_Access_Control_Expression-The_Who_of_Access_Control"><h5 class="formalpara">The "Who" of Access Control</h5>
+ </div><div class="section" id="Types_of_Access_Control-The_IPA_Access_Control_Expression"><div class="titlepage"><div><div><h5 class="title" id="Types_of_Access_Control-The_IPA_Access_Control_Expression">12.1.1.1.1. The FreeIPA Access Control Expression</h5></div></div></div><div class="formalpara" id="The_IPA_Access_Control_Expression-The_Who_of_Access_Control"><h5 class="formalpara">The "Who" of Access Control</h5>
In simple grammatical terms, the "who" of a FreeIPA <em class="firstterm">access control instruction (ACI)</em>, or expression, is the subject. It specifies the entity that interacts with the system and tries to perform an administrative task. This task could be an administrator adding a user, a user changing his home address, or a host requesting a certificate for a service running on the host.
</div><div class="para">
It is important to understand that the "who" is not necessarily a person; it can be any entity that has successfully authenticated against FreeIPA. In order to authenticate against the FreeIPA server, this entity, the "who", needs to have a Kerberos principal. After the entity has authenticated, it can connect to the FreeIPA server and try to issue administrative commands. The system will either allow or deny the requested operation based on this entity's permissions.
@@ -91,9 +91,9 @@
As a set of entries selected by filter, for example: <em class="parameter"><code>cn="filter"</code></em>.
</div></li></ul></div>
- </div></div><div class="section" id="Types_of_Access_Control-Directory_Server_ACIs_and_IPA_Access_Control_Types"><div class="titlepage"><div><div><h5 class="title" id="Types_of_Access_Control-Directory_Server_ACIs_and_IPA_Access_Control_Types">13.1.1.1.2. 389 Directory Server ACIs and FreeIPA Access Control Types</h5></div></div></div><div class="para">
+ </div></div><div class="section" id="Types_of_Access_Control-Directory_Server_ACIs_and_IPA_Access_Control_Types"><div class="titlepage"><div><div><h5 class="title" id="Types_of_Access_Control-Directory_Server_ACIs_and_IPA_Access_Control_Types">12.1.1.1.2. 389 Directory Server ACIs and FreeIPA Access Control Types</h5></div></div></div><div class="para">
The following table summarizes the relationship between the different 389 Directory Server ACI components and the FreeIPA access control types.
- </div><div class="table" id="tab.aci-mapping"><h6>Table 13.1. Mapping 389 Directory Server and FreeIPA Access Control Types</h6><div class="table-contents"><table summary="Mapping 389 Directory Server and FreeIPA Access Control Types" border="1"><colgroup><col align="left" width="25%" /><col align="left" width="25%" /><col align="left" width="25%" /><col align="left" width="25%" /></colgroup><thead><tr><th align="left">
+ </div><div class="table" id="tab.aci-mapping"><h6>Table 12.1. Mapping 389 Directory Server and FreeIPA Access Control Types</h6><div class="table-contents"><table summary="Mapping 389 Directory Server and FreeIPA Access Control Types" border="1"><colgroup><col align="left" width="25%" /><col align="left" width="25%" /><col align="left" width="25%" /><col align="left" width="25%" /></colgroup><thead><tr><th align="left">
Type of Access Control
</th><th align="left">
Target
@@ -131,7 +131,7 @@
Write, Add, or Delete. Read is implied.
</td><td align="left">
A group of users, usually a group of administrative users.
- </td></tr></tbody></table></div></div><br class="table-break" /></div></div></div><div class="section" id="creating-roles"><div class="titlepage"><div><div><h3 class="title" id="creating-roles">13.1.2. Creating Roles</h3></div></div></div><div class="orderedlist"><h6>To set up a new role:</h6><ol><li class="listitem"><div class="para">
+ </td></tr></tbody></table></div></div><br class="table-break" /></div></div></div><div class="section" id="creating-roles"><div class="titlepage"><div><div><h3 class="title" id="creating-roles">12.1.2. Creating Roles</h3></div></div></div><div class="orderedlist"><h6>To set up a new role:</h6><ol><li class="listitem"><div class="para">
Add the new role:
</div><pre class="screen"># ipa role-add --desc="User Administrator" useradmin
------------------------
@@ -170,7 +170,7 @@
As the needs of your enterprise change, you may need to modify the roles that you have established. For example, you may need to change the members of the role, or change the privileges associated with the role. You can use the <code class="command">ipa role-*</code> commands to perform these functions. For example, to remove an existing privilege from a role, use the <code class="command">ipa role-remove-privilege</code> command. To remove members from a role, use the <code class="command">ipa role-remove-member</code> command. Refer to the <code class="command">ipa role help</code> pages for more information.
</div><div class="para">
You can use the <code class="command">ipa role-del</code> command to delete FreeIPA roles from your configuration. Bear in mind, however, that any entities that rely on this role for access to FreeIPA objects or to perform certain tasks will no longer have that ability.
- </div></div><div class="section" id="self-service"><div class="titlepage"><div><div><h3 class="title" id="self-service">13.1.3. Defining Self-Service Settings</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="self-service"><div class="titlepage"><div><div><h3 class="title" id="self-service">12.1.3. Defining Self-Service Settings</h3></div></div></div><div class="para">
Self-service access control rules define the operations that an entity can perform on itself. These rules are attribute based; that is, they define what attributes can be modified for any particular entity. You can create self-service rules so that users can manage their own addresses, keep their contact details current, change their passwords, etc.
</div><div class="para">
Self-service rules are defined and managed by a number of sub-commands. Use the <code class="command">ipa help selfservice</code> command to display the list of available commands.
@@ -198,4 +198,4 @@ Attributes: givenname, displayname, title, initials, homephone, mobile, telephon
</div><div class="important"><div class="admonition_header"><h2>Important</h2></div><div class="admonition"><div class="para">
You need to include all of the required attributes when you modify a self-service rule, including existing ones.
- </div></div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="configuring-sudo.html"><strong>Prev</strong>12.2. Configuring sudo</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="disabling-anon-binds.html"><strong>Next</strong>13.2. Disabling Anonymous Binds</a></li></ul></body></html>
+ </div></div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="configuring-sudo.html"><strong>Prev</strong>11.2. Configuring sudo</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="disabling-anon-binds.html"><strong>Next</strong>12.2. Disabling Anonymous Binds</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/setting-up-clients.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/setting-up-clients.html
index 8ebdc8c..d56d2cf 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/setting-up-clients.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/setting-up-clients.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 3. Setting up Systems as FreeIPA Clients</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 2. Setting up Systems as FreeIPA Clients</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="Uninstalling_IPA_Servers.html" title="2.5. Uninstalling FreeIPA Servers and Replicas" /><link rel="next" href="Configuring_Microsoft_Windows.html" title="3.2. Configuring a Microsoft Windows System as a FreeIPA Client" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="Unins
talling_IPA_Servers.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_Microsoft_Windows.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="setting-up-clients" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 3. Setting up Systems as FreeIPA Clients</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="setting-up-clients.html#what-happens-clients">3.1. What Happens in Client Setup</a></span></dt><dt><span class="section"><a href="Configuring_Microsoft_Windows.html">3.2. Configuring a Microsoft Windows System as a FreeIPA Client</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Solaris.html">3.3. Configuring a Solaris System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10">3.3.1. Configuring Solaris 10</a></span></dt><dt>
<span class="section"><a href="Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9">3.3.2. Configuring Solaris 9</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html">3.4. Configuring an HP-UX System as a FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_an_IPA_Client_on_HP_UX-Configuring_NTP">3.4.1. Configuring NTP</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_an_IPA_Client_on_HP_UX-Configuring_LDAP_Authentication">3.4.2. Configuring LDAP Authentication</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_Kerberos_and_PAM-Configuring_Kerberos">3.4.3. Configuring Kerberos</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_Kerberos_and_PAM-Confi
guring_PAM">3.4.4. Configuring PAM</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_an_IPA_Client_on_HP_UX-Configuring_SSH">3.4.5. Configuring SSH</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_an_IPA_Client_on_HP_UX-Configuring_Access_Control">3.4.6. Configuring Access Control</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#hp-test">3.4.7. Testing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_an_IPA_Client_on_AIX.html">3.5. Configuring an AIX System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_an_IPA_Client_on_AIX.html#Configuring_an_IPA_Client_on_AIX-Prerequisites">3.5.1. Prerequisites</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_AIX.html#Configuring_an_IPA_Client_on_AIX-Configuring_Client_Authentication"
>3.5.2. Configuring the AIX Client</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html">3.6. Configuring a Macintosh OS X System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_Kerberos_Authentication">3.6.1. Configuring Kerberos Authentication</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_LDAP_Authorization">3.6.2. Configuring LDAP Authorization</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_the_LDAP_Authorization_Options">3.6.3. Configuring the LDAP Authorization Options</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Con
figuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_NTP">3.6.4. Configuring NTP</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#testing-config-on-mac">3.6.5. Testing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="uninstalling-clients.html">3.7. Uninstalling a FreeIPA Client</a></span></dt></dl></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="Uninstalling_IPA_Servers.html" title="1.5. Uninstalling FreeIPA Servers and Replicas" /><link rel="next" href="Configuring_Microsoft_Windows.html" title="2.2. Configuring a Microsoft Windows System as a FreeIPA Client" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="Unins
talling_IPA_Servers.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="Configuring_Microsoft_Windows.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="setting-up-clients" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 2. Setting up Systems as FreeIPA Clients</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="setting-up-clients.html#what-happens-clients">2.1. What Happens in Client Setup</a></span></dt><dt><span class="section"><a href="Configuring_Microsoft_Windows.html">2.2. Configuring a Microsoft Windows System as a FreeIPA Client</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Solaris.html">2.3. Configuring a Solaris System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris_10">2.3.1. Configuring Solaris 10</a></span></dt><dt>
<span class="section"><a href="Configuring_an_IPA_Client_on_Solaris.html#Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9">2.3.2. Configuring Solaris 9</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html">2.4. Configuring an HP-UX System as a FreeIPA</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_an_IPA_Client_on_HP_UX-Configuring_NTP">2.4.1. Configuring NTP</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_an_IPA_Client_on_HP_UX-Configuring_LDAP_Authentication">2.4.2. Configuring LDAP Authentication</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_Kerberos_and_PAM-Configuring_Kerberos">2.4.3. Configuring Kerberos</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_Kerberos_and_PAM-Confi
guring_PAM">2.4.4. Configuring PAM</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_an_IPA_Client_on_HP_UX-Configuring_SSH">2.4.5. Configuring SSH</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#Configuring_an_IPA_Client_on_HP_UX-Configuring_Access_Control">2.4.6. Configuring Access Control</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_HP_UX.html#hp-test">2.4.7. Testing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_an_IPA_Client_on_AIX.html">2.5. Configuring an AIX System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_an_IPA_Client_on_AIX.html#Configuring_an_IPA_Client_on_AIX-Prerequisites">2.5.1. Prerequisites</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_AIX.html#Configuring_an_IPA_Client_on_AIX-Configuring_Client_Authentication"
>2.5.2. Configuring the AIX Client</a></span></dt></dl></dd><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html">2.6. Configuring a Macintosh OS X System as a FreeIPA Client</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_Kerberos_Authentication">2.6.1. Configuring Kerberos Authentication</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_LDAP_Authorization">2.6.2. Configuring LDAP Authorization</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Configuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_the_LDAP_Authorization_Options">2.6.3. Configuring the LDAP Authorization Options</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#Con
figuring_an_IPA_Client_on_Macintosh_OS_X-Configuring_NTP">2.6.4. Configuring NTP</a></span></dt><dt><span class="section"><a href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html#testing-config-on-mac">2.6.5. Testing the Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="uninstalling-clients.html">2.7. Uninstalling a FreeIPA Client</a></span></dt></dl></div><div class="para">
A <span class="emphasis"><em>client</em></span> is any system which is a member of the FreeIPA domain. While this is frequently a Fedora system (and FreeIPA has special tools to make configuring Fedora clients very simple), machines with other operating systems can also be added to the FreeIPA domain.
</div><div class="para">
One important aspect of a FreeIPA client is that <span class="emphasis"><em>only</em></span> the system configuration determines whether the system is part of the domain. (The configuration includes things like belonging to the Kerberos domain, DNS domain, and having the proper authentication and certificate setup.) FreeIPA does not require any sort of agent or daemon running on a client.
@@ -15,7 +15,7 @@
This chapter explains how to configure a system to join a FreeIPA domain.
</div><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
Clients can only be configured after at least one FreeIPA server has been installed.
- </div></div></div><div class="section" id="what-happens-clients"><div class="titlepage"><div><div><h2 class="title" id="what-happens-clients">3.1. What Happens in Client Setup</h2></div></div></div><div class="para">
+ </div></div></div><div class="section" id="what-happens-clients"><div class="titlepage"><div><div><h2 class="title" id="what-happens-clients">2.1. What Happens in Client Setup</h2></div></div></div><div class="para">
Whether the client configuration is performed automatically on Fedora systems using the client setup script or manually on other systems, the general process of configuring a machine to serve as a FreeIPA client is mostly the same, with slight variation depending on the platform:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
Retrieve the CA certificate for the FreeIPA CA.
@@ -51,4 +51,4 @@ example.com = EXAMPLE.COM
Configures SSSD or LDAP/KRB5, including NSS and PAM configuration files.
</div></li><li class="listitem"><div class="para">
Configure NTP.
- </div></li></ul></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Uninstalling_IPA_Servers.html"><strong>Prev</strong>2.5. Uninstalling FreeIPA Servers and Replicas</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_Microsoft_Windows.html"><strong>Next</strong>3.2. Configuring a Microsoft Windows System as a ...</a></li></ul></body></html>
+ </div></li></ul></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Uninstalling_IPA_Servers.html"><strong>Prev</strong>1.5. Uninstalling FreeIPA Servers and Replicas</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="Configuring_Microsoft_Windows.html"><strong>Next</strong>2.2. Configuring a Microsoft Windows System as a ...</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sudo.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sudo.html
index c5cbb39..837bfa1 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sudo.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/sudo.html
@@ -1,30 +1,30 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 12. Policy: Using sudo</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 11. Policy: Using sudo</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html" title="11.3. HBAC Services" /><link rel="next" href="configuring-sudo.html" title="12.2. Configuring sudo" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Iden
tity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="configuring-sudo.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="sudo" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 12. Policy: Using sudo</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="sudo.html#about-sudo">12.1. About sudo and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="sudo.html#sect-Enterprise_Identity_Management_Guide-Introduction-Sudo_with_LDAP">12.1.1. Sudo with LDAP</a></span></dt><dt><span class="section"><a href="sudo.html#sect-Enterprise_Identity_Management_Guide-Introduction-Limitations_of_the_Existing_Sudo_LDAP_Schema">12.1.2. Limitations of the Existing Sudo LDAP Schema</a></span></dt><dt><span class="section"><a href="sudo.html#sect-Enterprise_Identity_Management_Guide-Introduction-Benefits_of_the_IPA_Alt
ernative_Schema">12.1.3. Benefits of the IPA Alternative Schema</a></span></dt><dt><span class="section"><a href="sudo.html#sect-Enterprise_Identity_Management_Guide-Introduction-Compatibility_and_Managed_Entry_Plug_in_Configuration">12.1.4. Compatibility and Managed Entry Plug-in Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="configuring-sudo.html">12.2. Configuring sudo</a></span></dt><dd><dl><dt><span class="section"><a href="configuring-sudo.html#sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Server_Configuration_for_Sudo_Rules">12.2.1. Server Configuration for Sudo Rules</a></span></dt><dt><span class="section"><a href="configuring-sudo.html#sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Client_Configuration_for_Sudo_Rules">12.2.2. Client Configuration for Sudo Rules</a></span></dt></dl></dd></dl></div><div class="section" id="about-sudo"><div class="titlepage"><div><div><h2 class="title" id="about-sudo">12.1.
About sudo and IPA</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html" title="10.3. HBAC Services" /><link rel="next" href="configuring-sudo.html" title="11.2. Configuring sudo" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Iden
tity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="configuring-sudo.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="sudo" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 11. Policy: Using sudo</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="sudo.html#about-sudo">11.1. About sudo and IPA</a></span></dt><dd><dl><dt><span class="section"><a href="sudo.html#sect-Enterprise_Identity_Management_Guide-Introduction-Sudo_with_LDAP">11.1.1. Sudo with LDAP</a></span></dt><dt><span class="section"><a href="sudo.html#sect-Enterprise_Identity_Management_Guide-Introduction-Limitations_of_the_Existing_Sudo_LDAP_Schema">11.1.2. Limitations of the Existing Sudo LDAP Schema</a></span></dt><dt><span class="section"><a href="sudo.html#sect-Enterprise_Identity_Management_Guide-Introduction-Benefits_of_the_IPA_Alt
ernative_Schema">11.1.3. Benefits of the IPA Alternative Schema</a></span></dt><dt><span class="section"><a href="sudo.html#sect-Enterprise_Identity_Management_Guide-Introduction-Compatibility_and_Managed_Entry_Plug_in_Configuration">11.1.4. Compatibility and Managed Entry Plug-in Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="configuring-sudo.html">11.2. Configuring sudo</a></span></dt><dd><dl><dt><span class="section"><a href="configuring-sudo.html#sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Server_Configuration_for_Sudo_Rules">11.2.1. Server Configuration for Sudo Rules</a></span></dt><dt><span class="section"><a href="configuring-sudo.html#sect-Enterprise_Identity_Management_Guide-Setting_up_Sudo_Rules-Client_Configuration_for_Sudo_Rules">11.2.2. Client Configuration for Sudo Rules</a></span></dt></dl></dd></dl></div><div class="section" id="about-sudo"><div class="titlepage"><div><div><h2 class="title" id="about-sudo">11.1.
About sudo and IPA</h2></div></div></div><div class="para">
The <code class="command">sudo</code> command allows a system administrator to delegate authority, allowing certain users (or groups of users) the ability to run one or more commands as root or as another user, and at the same time providing an audit trail of the commands and their arguments. For more information, including coverage of the options available for use with <code class="command">sudo</code>, refer to the <code class="command">sudo</code> and <code class="command">sudoers</code> man pages.
- </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Introduction-Sudo_with_LDAP"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Introduction-Sudo_with_LDAP">12.1.1. Sudo with LDAP</h3></div></div></div><div class="para">
+ </div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Introduction-Sudo_with_LDAP"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Introduction-Sudo_with_LDAP">11.1.1. Sudo with LDAP</h3></div></div></div><div class="para">
In the past, <code class="command">sudo</code> used a single, local, configuration file, <code class="filename">/etc/sudoers</code>. It is possible to share the same <code class="filename">sudoers</code> file among machines, but there is no built-in mechanism to distribute it. Some have attempted to work around this by synchronizing changes using CVS, RSYNC, RDIST, RCP, SCP, and even NFS. By using LDAP for <code class="filename">sudoers</code>, IPA provides a centrally-administered, globally-available configuration source for <code class="command">sudo</code>.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Introduction-Limitations_of_the_Existing_Sudo_LDAP_Schema"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Introduction-Limitations_of_the_Existing_Sudo_LDAP_Schema">12.1.2. Limitations of the Existing Sudo LDAP Schema</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Limitations_of_the_Existing_Sudo_LDAP_Schema-Groups_of_Users"><h5 class="formalpara">Groups of Users</h5>
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Introduction-Limitations_of_the_Existing_Sudo_LDAP_Schema"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Introduction-Limitations_of_the_Existing_Sudo_LDAP_Schema">11.1.2. Limitations of the Existing Sudo LDAP Schema</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Limitations_of_the_Existing_Sudo_LDAP_Schema-Groups_of_Users"><h5 class="formalpara">Groups of Users</h5>
The current schema relies on LDAP-stored POSIX groups for its groups of users. The limitation here is that you cannot use a group of users for <code class="command">sudo</code> without the users inheriting potential POSIX rights.
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Limitations_of_the_Existing_Sudo_LDAP_Schema-Groups_of_Hosts"><h5 class="formalpara">Groups of Hosts</h5>
The current schema does not have a concept of host groups. Instead, it relies on the legacy LDAP nisNetgroupTriple to manage groups of hosts.
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Limitations_of_the_Existing_Sudo_LDAP_Schema-Groups_of_Commands"><h5 class="formalpara">Groups of Commands</h5>
The current schema does not have a concept of command groups. This requires that individual commands be present in each Sudo rule. It also limits the ability to reuse a group of commands for multiple Sudo rules.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Introduction-Benefits_of_the_IPA_Alternative_Schema"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Introduction-Benefits_of_the_IPA_Alternative_Schema">12.1.3. Benefits of the IPA Alternative Schema</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Benefits_of_the_IPA_Alternative_Schema-Groups_of_Users"><h5 class="formalpara">Groups of Users</h5>
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Introduction-Benefits_of_the_IPA_Alternative_Schema"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Introduction-Benefits_of_the_IPA_Alternative_Schema">11.1.3. Benefits of the IPA Alternative Schema</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Benefits_of_the_IPA_Alternative_Schema-Groups_of_Users"><h5 class="formalpara">Groups of Users</h5>
Groups of users can be either POSIX or non-POSIX groups within IPA. This provides the flexibility to group users without assigning POSIX rights or GID information to the group.
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Benefits_of_the_IPA_Alternative_Schema-Groups_of_Computers"><h5 class="formalpara">Groups of Computers</h5>
The IPA alternative schema also addresses the issue of host groups and netgroups for the purpose of sudo. The <code class="command">sudo</code> utility itself does not support host groups—a better and cleaner host grouping mechanism—but instead expects netgroups. To resolve this issue, IPA automatically creates a "shadow netgroup" with the same name as every host group that you create. This means that you can create host groups but still use netgroups with <code class="command">sudo</code> without encountering any problems.
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Benefits_of_the_IPA_Alternative_Schema-Groups_of_Commands"><h5 class="formalpara">Groups of Commands</h5>
Command groups are a new concept introduced by IPA. These objects allow administrators the ability to create groups of <code class="command">sudo</code> commands that can be reused for multiple rules without the need of assigning individual commands throughout.
- </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Introduction-Compatibility_and_Managed_Entry_Plug_in_Configuration"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Introduction-Compatibility_and_Managed_Entry_Plug_in_Configuration">12.1.4. Compatibility and Managed Entry Plug-in Configuration</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Compatibility_and_Managed_Entry_Plug_in_Configuration-Compatibility_Translation_for_Native_Sudo"><h5 class="formalpara">Compatibility Translation for Native Sudo</h5>
+ </div></div><div class="section" id="sect-Enterprise_Identity_Management_Guide-Introduction-Compatibility_and_Managed_Entry_Plug_in_Configuration"><div class="titlepage"><div><div><h3 class="title" id="sect-Enterprise_Identity_Management_Guide-Introduction-Compatibility_and_Managed_Entry_Plug_in_Configuration">11.1.4. Compatibility and Managed Entry Plug-in Configuration</h3></div></div></div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Compatibility_and_Managed_Entry_Plug_in_Configuration-Compatibility_Translation_for_Native_Sudo"><h5 class="formalpara">Compatibility Translation for Native Sudo</h5>
The native <code class="command">sudo</code> binary does not yet support SSSD or the IPA Sudo Schema. As an interim solution, IPA has implemented a compatibility plug-in which transparently translates IPA Sudo rules into those supported by the current <code class="command">sudo</code> binary.
</div><div class="formalpara" id="form-Enterprise_Identity_Management_Guide-Compatibility_and_Managed_Entry_Plug_in_Configuration-Managed_Entries_for_NIS_Netgroups"><h5 class="formalpara">Managed Entries for NIS Netgroups</h5>
In order to seamlessly support the current implementation of sudo, IPA provides a managed entry plug-in for NIS netgroups. Whenever an IPA host group is created, a translated nisNetgroupTriple is also created.
- </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html"><strong>Prev</strong>11.3. HBAC Services</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="configuring-sudo.html"><strong>Next</strong>12.2. Configuring sudo</a></li></ul></body></html>
+ </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="sect-Enterprise_Identity_Management_Guide-Host_based_Access_Control_Policies-HBAC_Services.html"><strong>Prev</strong>10.3. HBAC Services</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="configuring-sudo.html"><strong>Next</strong>11.2. Configuring sudo</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/switching-users.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/switching-users.html
index 498ad51..2ffa2ff 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/switching-users.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/switching-users.html
@@ -1,15 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>4.3. Switching Users</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>3.2. Switching Users</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="basic-usage.html" title="Chapter 4. Basic UI Usage" /><link rel="prev" href="using-the-ui.html" title="4.2. Using the FreeIPA UI" /><link rel="next" href="managing-clients.html" title="Chapter 5. Managing Clients in the FreeIPA Domain" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="using-the-ui.html"><strong>Prev</strong></a></li><li class="next">
<a accesskey="n" href="managing-clients.html"><strong>Next</strong></a></li></ul><div class="section" id="switching-users"><div class="titlepage"><div><div><h2 class="title" id="switching-users">4.3. Switching Users</h2></div></div></div><div class="para">
- XXXXXXXXXXX FIX ME XXXXXXXX
- </div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="basic-usage.html" title="Chapter 3. Basic UI Usage" /><link rel="prev" href="basic-usage.html" title="Chapter 3. Basic UI Usage" /><link rel="next" href="managing-clients.html" title="Chapter 4. Managing Clients in the FreeIPA Domain" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="basic-usage.html"><strong>Prev</strong></a></li><li class="next"><
a accesskey="n" href="managing-clients.html"><strong>Next</strong></a></li></ul><div class="section" id="switching-users"><div class="titlepage"><div><div><h2 class="title" id="switching-users">3.2. Switching Users</h2></div></div></div><div class="para">
One of the main advantages of FreeIPA is that it uses Kerberos for authentication. This means that if the machine is configured to use FreeIPA as an authentication server and you have an FreeIPA account, then once you have logged in to the machine and authenticated, you can reuse your Kerberos credentials to access other services in the FreeIPA domain. This avoids the need to constantly re-enter your password to access different services.
</div><div class="para">
For example, to connect to the FreeIPA web interface, you can enter the server's address in your browser and it will use your Kerberos ticket to authenticate against FreeIPA. Similar functionality is available if you try to access a file share, a wiki or any other application that is configured to be a Kerberos service in the FreeIPA domain.
@@ -34,4 +32,4 @@ klist: You have no tickets cached
You should now be able to connect to the FreeIPA web interface. If you were already connected to the web interface as another user, refresh the browser to display the updated details for the new user.
</div><div class="para">
If you configured SSSD or <code class="systemitem">pam_krb5</code> on the machine with FreeIPA, then the ticket is created for you when you log in to the machine requires authentication (for example, <code class="command">sudo</code>).
- </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="using-the-ui.html"><strong>Prev</strong>4.2. Using the FreeIPA UI</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="managing-clients.html"><strong>Next</strong>Chapter 5. Managing Clients in the FreeIPA Domain</a></li></ul></body></html>
+ </div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="basic-usage.html"><strong>Prev</strong>Chapter 3. Basic UI Usage</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="managing-clients.html"><strong>Next</strong>Chapter 4. Managing Clients in the FreeIPA Domain</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/uninstalling-clients.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/uninstalling-clients.html
index 593fec6..265481c 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/uninstalling-clients.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/uninstalling-clients.html
@@ -1,14 +1,14 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>3.7. Uninstalling a FreeIPA Client</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>2.7. Uninstalling a FreeIPA Client</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="setting-up-clients.html" title="Chapter 3. Setting up Systems as FreeIPA Clients" /><link rel="prev" href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html" title="3.6. Configuring a Macintosh OS X System as a FreeIPA Client" /><link rel="next" href="basic-usage.html" title="Chapter 4. Basic UI Usage" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href=
"Configuring_an_IPA_Client_on_Macintosh_OS_X.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="basic-usage.html"><strong>Next</strong></a></li></ul><div class="section" id="uninstalling-clients"><div class="titlepage"><div><div><h2 class="title" id="uninstalling-clients">3.7. Uninstalling a FreeIPA Client</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="setting-up-clients.html" title="Chapter 2. Setting up Systems as FreeIPA Clients" /><link rel="prev" href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html" title="2.6. Configuring a Macintosh OS X System as a FreeIPA Client" /><link rel="next" href="basic-usage.html" title="Chapter 3. Basic UI Usage" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href=
"Configuring_an_IPA_Client_on_Macintosh_OS_X.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="basic-usage.html"><strong>Next</strong></a></li></ul><div class="section" id="uninstalling-clients"><div class="titlepage"><div><div><h2 class="title" id="uninstalling-clients">2.7. Uninstalling a FreeIPA Client</h2></div></div></div><div class="para">
For Fedora clients, the <code class="command">ipa-client-install</code> utility can be used to uninstall the client and remove it from the FreeIPA domaine. To remove the client, use the <code class="option">--uninstall</code> option.
</div><pre class="programlisting"><span class="perl_Comment"># ipa-client-install --uninstall</span></pre><div class="note"><div class="admonition_header"><h2>NOTE</h2></div><div class="admonition"><div class="para">
There is an uninstall option with the <code class="command">ipa-join</code> command. This is called by <code class="command">ipa-client-install --uninstall</code> as part of the uninstallation process. However, while the <code class="command">ipa-join</code> option removes the client from the domain, it does not actually uninstall the client or properly remove all of the FreeIPA-related configuration. Do not run <code class="command">ipa-join -u</code> to attempt to uninstall the FreeIPA client. The only way to uninstall a client completely is to use <code class="command">ipa-client-install --uninstall</code>.
- </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html"><strong>Prev</strong>3.6. Configuring a Macintosh OS X System as a Fre...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="basic-usage.html"><strong>Next</strong>Chapter 4. Basic UI Usage</a></li></ul></body></html>
+ </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_an_IPA_Client_on_Macintosh_OS_X.html"><strong>Prev</strong>2.6. Configuring a Macintosh OS X System as a Fre...</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="basic-usage.html"><strong>Next</strong>Chapter 3. Basic UI Usage</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/user-groups.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/user-groups.html
index 27eceae..7524fcd 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/user-groups.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/user-groups.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>6.8. Creating User Groups</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>5.8. Creating User Groups</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 6. Identity: Managing Users and User Groups" /><link rel="prev" href="Configuring_IPA_Users-Deleting_IPA_Users.html" title="6.7. Deleting FreeIPA Users" /><link rel="next" href="user-pwdpolicy.html" title="6.9. Setting an Individual Password Policy" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_IPA_Users-Dele
ting_IPA_Users.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="user-pwdpolicy.html"><strong>Next</strong></a></li></ul><div class="section" id="user-groups"><div class="titlepage"><div><div><h2 class="title" id="user-groups">6.8. Creating User Groups</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 5. Identity: Managing Users and User Groups" /><link rel="prev" href="Configuring_IPA_Users-Deleting_IPA_Users.html" title="5.7. Deleting FreeIPA Users" /><link rel="next" href="user-pwdpolicy.html" title="5.9. Setting an Individual Password Policy" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_IPA_Users-Dele
ting_IPA_Users.html"><strong>Prev</strong></a></li><li class="next"><a accesskey="n" href="user-pwdpolicy.html"><strong>Next</strong></a></li></ul><div class="section" id="user-groups"><div class="titlepage"><div><div><h2 class="title" id="user-groups">5.8. Creating User Groups</h2></div></div></div><div class="para">
FreeIPA uses groups to facilitate the management and administration of all types of objects, such as users, hosts, tasks, roles, and others. This section introduces <code class="systemitem">User Groups</code> and how they are used within FreeIPA. Other object groups behave and are used in similar ways; these are discussed elsewhere.
</div><div class="formalpara" id="Configuring_IPA_Groups-User_Groups"><h5 class="formalpara">User Groups</h5>
Three groups are created during the installation process: <code class="systemitem">ipausers</code>, <code class="systemitem">admins</code>, and <code class="systemitem">editors</code>. All of these groups are required for FreeIPA operation.
@@ -23,7 +23,7 @@
You can also create nested groups. For example, you can create a group called "Documentation", and then create sub-groups such as "Writers", "Translators", and "Editors". You can add users to each of the sub-groups to suit the needs of your organization. Any users that you add to a sub-group automatically become members of the parent group.
</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
Avoid the creation of cyclic groups; that is, groups that contain groups that in turn contain their own ancestors, and avoid creating group names that contain spaces. Either of these conditions can lead to unexpected behavior.
- </div></div></div><div class="section" id="Configuring_IPA_Groups-Creating_IPA_Groups"><div class="titlepage"><div><div><h3 class="title" id="Configuring_IPA_Groups-Creating_IPA_Groups">6.8.1. Creating FreeIPA Groups</h3></div></div></div><div class="section" id="Creating_IPA_Groups-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Creating_IPA_Groups-Using_the_Command_Line">6.8.1.1. Using the Command Line</h4></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Configuring_IPA_Groups-Creating_IPA_Groups"><div class="titlepage"><div><div><h3 class="title" id="Configuring_IPA_Groups-Creating_IPA_Groups">5.8.1. Creating FreeIPA Groups</h3></div></div></div><div class="section" id="Creating_IPA_Groups-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Creating_IPA_Groups-Using_the_Command_Line">5.8.1.1. Using the Command Line</h4></div></div></div><div class="para">
Use the <code class="command">ipa group-add</code> command to add groups. You can include attributes on the command line or use the command interactively. For example:
</div><div class="para">
To create a group called "Engineering" using the command line:
@@ -47,7 +47,7 @@ Added group "documentation"
GID: 387115845</pre><div class="para">
The group name and description are mandatory fields. If either of these are not included on the command line, you will be prompted to include them.
</div><div class="important"><div class="admonition_header"><h2>IMPORTANT</h2></div><div class="admonition"><div class="para">
- When a group is created without specifying a GID number, then the group entry is assigned the ID number that is next available in the server or replica range. (Number ranges are described more in <a class="xref" href="Managing-Unique_UID_and_GID_Attributes.html">Section 13.3, “Managing Unique UID and GID Number Assignments”</a>.) This means that a group always has a unique number for its GID number.
+ When a group is created without specifying a GID number, then the group entry is assigned the ID number that is next available in the server or replica range. (Number ranges are described more in <a class="xref" href="Managing-Unique_UID_and_GID_Attributes.html">Section 12.3, “Managing Unique UID and GID Number Assignments”</a>.) This means that a group always has a unique number for its GID number.
</div><div class="para">
If a number is <span class="emphasis"><em>manually</em></span> assigned to a group entry, the server does not validate that the <em class="parameter"><code>gidNumber</code></em> is unique. It will allow duplicate IDs; this is expected (though discouraged) behavior for Posix entries.
</div><div class="para">
@@ -72,20 +72,20 @@ Number of members added 3
-------------------------
Number of members added 2
-------------------------
-</pre></div></div><div class="section" id="Configuring_IPA_Groups-Editing_IPA_Groups"><div class="titlepage"><div><div><h3 class="title" id="Configuring_IPA_Groups-Editing_IPA_Groups">6.8.2. Editing FreeIPA Groups</h3></div></div></div><div class="para">
+</pre></div></div><div class="section" id="Configuring_IPA_Groups-Editing_IPA_Groups"><div class="titlepage"><div><div><h3 class="title" id="Configuring_IPA_Groups-Editing_IPA_Groups">5.8.2. Editing FreeIPA Groups</h3></div></div></div><div class="para">
You can edit many of the attributes that define a group, as well as add or remove members. Some attributes are read-only by default, however you can edit these attributes if required.
</div><div class="para">
You cannot edit the group name. The group name is the primary key, so changing it is the equivalent of deleting the group and creating a new one.
- </div><div class="section" id="Editing_IPA_Groups-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Editing_IPA_Groups-Using_the_Command_Line">6.8.2.1. Using the Command Line</h4></div></div></div><div class="para">
+ </div><div class="section" id="Editing_IPA_Groups-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Editing_IPA_Groups-Using_the_Command_Line">5.8.2.1. Using the Command Line</h4></div></div></div><div class="para">
Use the <code class="command">ipa group-mod</code> command to modify specific attributes of FreeIPA groups. FreeIPA provides numerous commands for working with groups, such as <code class="command">ipa group-add-member</code> and <code class="command">ipa group-detach</code>; run the <code class="command">ipa help group</code> command to access the FreeIPA group help page for more information.
- </div></div></div><div class="section" id="Configuring_IPA_Groups-Deleting_IPA_Groups"><div class="titlepage"><div><div><h3 class="title" id="Configuring_IPA_Groups-Deleting_IPA_Groups">6.8.3. Deleting FreeIPA Groups</h3></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Configuring_IPA_Groups-Deleting_IPA_Groups"><div class="titlepage"><div><div><h3 class="title" id="Configuring_IPA_Groups-Deleting_IPA_Groups">5.8.3. Deleting FreeIPA Groups</h3></div></div></div><div class="para">
When you delete a FreeIPA group, only the immediate group is removed; members of the group are not affected.
</div><div class="para">
When you delete a FreeIPA group, any delegations that apply to that group are also removed. For example, suppose you added an "EngineeringManager" group specifically to set up delegations for the Engineering Manager. If you delete the EngineeringManager group, then those delegations are also lost. These delegations cannot be retrieved. If you need this group and delegation again, you need to recreate them.
- </div><div class="section" id="Deleting_IPA_Groups-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Deleting_IPA_Groups-Using_the_Command_Line">6.8.3.1. Using the Command Line</h4></div></div></div><div class="para">
+ </div><div class="section" id="Deleting_IPA_Groups-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Deleting_IPA_Groups-Using_the_Command_Line">5.8.3.1. Using the Command Line</h4></div></div></div><div class="para">
Use the <code class="command">ipa group-del</code> command to delete groups. For example:
</div><div class="para">
To delete the Engineering group:
</div><div class="para">
$ ipa group-del Engineering
- </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_IPA_Users-Deleting_IPA_Users.html"><strong>Prev</strong>6.7. Deleting FreeIPA Users</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="user-pwdpolicy.html"><strong>Next</strong>6.9. Setting an Individual Password Policy</a></li></ul></body></html>
+ </div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="Configuring_IPA_Users-Deleting_IPA_Users.html"><strong>Prev</strong>5.7. Deleting FreeIPA Users</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="user-pwdpolicy.html"><strong>Next</strong>5.9. Setting an Individual Password Policy</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/user-pwdpolicy.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/user-pwdpolicy.html
index 53a83f7..54d85d1 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/user-pwdpolicy.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/user-pwdpolicy.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>6.9. Setting an Individual Password Policy</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>5.9. Setting an Individual Password Policy</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 6. Identity: Managing Users and User Groups" /><link rel="prev" href="user-groups.html" title="6.8. Creating User Groups" /><link rel="next" href="searching.html" title="6.10. Searching for Users and Groups" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="user-groups.html"><strong>Prev</strong></a></li><li class="next"><a
accesskey="n" href="searching.html"><strong>Next</strong></a></li></ul><div class="section" id="user-pwdpolicy"><div class="titlepage"><div><div><h2 class="title" id="user-pwdpolicy">6.9. Setting an Individual Password Policy</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="users.html" title="Chapter 5. Identity: Managing Users and User Groups" /><link rel="prev" href="user-groups.html" title="5.8. Creating User Groups" /><link rel="next" href="searching.html" title="5.10. Searching for Users and Groups" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="user-groups.html"><strong>Prev</strong></a></li><li class="next"><a
accesskey="n" href="searching.html"><strong>Next</strong></a></li></ul><div class="section" id="user-pwdpolicy"><div class="titlepage"><div><div><h2 class="title" id="user-pwdpolicy">5.9. Setting an Individual Password Policy</h2></div></div></div><div class="para">
FreeIPA has a default policy of never exposing passwords, even hashed passwords, to clients, in the interests of system security. This policy applies even if you still rely on NIS server functionality to some degree, for example, as a result of a full or partial migration from NIS to FreeIPA. FreeIPA normally expects a switch to Kerberos for authentication, but this may not always be possible.
</div><div class="para">
The FreeIPA password policy supports the specification of various password attributes that help to ensure the security of your system, and also that of individual user accounts. You can specify the password lifetime, length, and the types of characters required, all as part of the FreeIPA password policy.
@@ -17,17 +17,17 @@
Because the password policy is enforced by the <abbr class="abbrev">KDC</abbr>, any further policy specifications that you implement as part of the Directory Server password policy will not be visible in FreeIPA, and neither will they be enforced.
</div></li><li class="listitem"><div class="para">
Different rules apply to changing passwords, depending on your login credentials.
- </div></li></ul></div></div></div><div class="section" id="The_IPA_Password_Policy-Changing_Passwords_as_the_Directory_Manager"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Changing_Passwords_as_the_Directory_Manager">6.9.1. Changing Passwords as the Directory Manager</h3></div></div></div><div class="para">
+ </div></li></ul></div></div></div><div class="section" id="The_IPA_Password_Policy-Changing_Passwords_as_the_Directory_Manager"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Changing_Passwords_as_the_Directory_Manager">5.9.1. Changing Passwords as the Directory Manager</h3></div></div></div><div class="para">
If you reset a password using <em class="parameter entry"><code>cn=Directory Manager</code></em> credentials (only possible if you manually perform an <code class="systemitem">LDAP</code> password change operation) then you override any checks and the password is set to whatever you specify. The FreeIPA password policy is ignored.
- </div></div><div class="section" id="The_IPA_Password_Policy-Changing_Passwords_as_the_IPA_Administrator"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Changing_Passwords_as_the_IPA_Administrator">6.9.2. Changing Passwords as the FreeIPA Administrator</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="The_IPA_Password_Policy-Changing_Passwords_as_the_IPA_Administrator"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Changing_Passwords_as_the_IPA_Administrator">5.9.2. Changing Passwords as the FreeIPA Administrator</h3></div></div></div><div class="para">
If you reset a password using <code class="systemitem">admin</code> credentials (that is, as part of the <code class="systemitem">admins</code> group), the FreeIPA password policy is ignored, but the expiration date is set to "now". This means that the user is forced to change the password at login time, and the password policy is then enforced. This is also true for users who have had password changing rights delegated to them.
</div><div class="para">
Consequently, the FreeIPA Administrator can easily create users with "default" passwords and reset user's passwords, but will not know the actual, final password entered by the user. Further, any password that is transmitted from the FreeIPA Administrator to the user, even over insecure channels, is a temporary password. Consequently, it is not critical if it is accidentally disclosed, provided that the user promptly resets it.
- </div></div><div class="section" id="The_IPA_Password_Policy-Changing_Passwords_as_a_Regular_User"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Changing_Passwords_as_a_Regular_User">6.9.3. Changing Passwords as a Regular User</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="The_IPA_Password_Policy-Changing_Passwords_as_a_Regular_User"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Changing_Passwords_as_a_Regular_User">5.9.3. Changing Passwords as a Regular User</h3></div></div></div><div class="para">
If you are logged in as a regular user (that is, you are not part of the <code class="systemitem">admins</code> group, or possessed of any elevated privileges), then you can only change your own password, and these changes are always subject to the FreeIPA password policy.
- </div></div><div class="section" id="The_IPA_Password_Policy-Editing_the_Password_Policy"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Editing_the_Password_Policy">6.9.4. Editing the Password Policy</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="The_IPA_Password_Policy-Editing_the_Password_Policy"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Editing_the_Password_Policy">5.9.4. Editing the Password Policy</h3></div></div></div><div class="para">
You can use either the web interface or the command line to edit the FreeIPA password policy. However, you can only edit those attributes supported by FreeIPA.
- </div><div class="section" id="Editing_the_Password_Policy-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Editing_the_Password_Policy-Using_the_Command_Line">6.9.4.1. Using the Command Line</h4></div></div></div><div class="para">
+ </div><div class="section" id="Editing_the_Password_Policy-Using_the_Command_Line"><div class="titlepage"><div><div><h4 class="title" id="Editing_the_Password_Policy-Using_the_Command_Line">5.9.4.1. Using the Command Line</h4></div></div></div><div class="para">
Use the <code class="command">ipa pwpolicy-*</code> commands to create and modify FreeIPA password policies. These commands are provided as part of the <code class="command">ipa pwpolicy</code> plug-in functionality. The <code class="command">ipa help pwpolicy</code> command displays the help page and some examples of using this plug-in.
</div><div class="para">
For example, use the following command to update the minimum global password length to 10 characters, and to specify that no history of passwords be kept:
@@ -38,8 +38,8 @@
</div><div class="para">
# ipa pwpolicy-show
</div><div class="para">
- Refer to <a class="xref" href="user-pwdpolicy.html#The_IPA_Password_Policy-Password_Policy_Attributes">Section 6.9.6, “Password Policy Attributes”</a> for information on password policy attributes.
- </div></div></div><div class="section" id="The_IPA_Password_Policy-Setting_Different_Password_Policies_for_Different_User_Groups"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Setting_Different_Password_Policies_for_Different_User_Groups">6.9.5. Setting Different Password Policies for Different User Groups</h3></div></div></div><div class="para">
+ Refer to <a class="xref" href="user-pwdpolicy.html#The_IPA_Password_Policy-Password_Policy_Attributes">Section 5.9.6, “Password Policy Attributes”</a> for information on password policy attributes.
+ </div></div></div><div class="section" id="The_IPA_Password_Policy-Setting_Different_Password_Policies_for_Different_User_Groups"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Setting_Different_Password_Policies_for_Different_User_Groups">5.9.5. Setting Different Password Policies for Different User Groups</h3></div></div></div><div class="para">
The FreeIPA password policy plug-in (<code class="command">ipa pwpolicy</code>) manages both global and per-group password policies. You can use this plug-in to display or modify existing password policies to suit the needs of your environment.
</div><div class="para">
The following examples demonstrate how to display and modify existing password policies.
@@ -72,7 +72,7 @@ Max lifetime (days): 5</pre><div class="para">
# ipa pwpolicy-show --user=tuser1
</div><div class="note"><div class="admonition_header"><h2>Note</h2></div><div class="admonition"><div class="para">
Password policies are not cumulative. That is, you cannot override a single setting in a policy and let it fall back to the global policy on all the others; it is all or nothing.
- </div></div></div><div class="section" id="Setting_Different_Password_Policies_for_Different_User_Groups-Setting_the_Priority_of_Password_Policies"><div class="titlepage"><div><div><h4 class="title" id="Setting_Different_Password_Policies_for_Different_User_Groups-Setting_the_Priority_of_Password_Policies">6.9.5.1. Setting the Priority of Password Policies</h4></div></div></div><div class="para">
+ </div></div></div><div class="section" id="Setting_Different_Password_Policies_for_Different_User_Groups-Setting_the_Priority_of_Password_Policies"><div class="titlepage"><div><div><h4 class="title" id="Setting_Different_Password_Policies_for_Different_User_Groups-Setting_the_Priority_of_Password_Policies">5.9.5.1. Setting the Priority of Password Policies</h4></div></div></div><div class="para">
The following example demonstrates the use of password priority, where a user and two groups are created, with a separate password policy for each group. Each policy has a different priority, and the user is added to both groups.
</div><div class="procedure"><ol class="1"><li class="step"><div class="formalpara" id="Setting_the_Priority_of_Password_Policies-Adding_a_user"><h5 class="formalpara">Adding a user</h5>
Use the <code class="command">ipa user-add</code> command to add a new user:
@@ -169,7 +169,7 @@ Number of members removed 1
$ ipa pwpolicy-show --user=tuser1
Group: g2
Minimum lifetime (in hours): 20
-</pre></li></ol></div></div></div><div class="section" id="The_IPA_Password_Policy-Password_Policy_Attributes"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Password_Policy_Attributes">6.9.6. Password Policy Attributes</h3></div></div></div><div class="para">
+</pre></li></ol></div></div></div><div class="section" id="The_IPA_Password_Policy-Password_Policy_Attributes"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Password_Policy_Attributes">5.9.6. Password Policy Attributes</h3></div></div></div><div class="para">
The password policy is enforced by the <code class="systemitem module">pwd_extop</code> SLAPI plug-in. FreeIPA supports the following password policy attributes:
</div><div class="itemizedlist"><ul><li class="listitem"><div class="para">
<span class="guilabel"><strong>Minimum Password Lifetime</strong></span> (<span class="property">krbMinPwdLife</span>): The minimum period of time, in hours, that a user's password must be in effect before the user can change it. The default value is one hour.
@@ -216,13 +216,13 @@ $ ipa pwpolicy-show --user=tuser1
<span class="guilabel"><strong>Lockout Time</strong></span> (<span class="property">lockouttime</span>): Specifies the period (in seconds) for which a lockout is enforced.
</div></li></ul></div><div class="para">
Refer to the <code class="command">ipa help pwpolicy-add</code> help page for more information on configuring the FreeIPA password policy.
- </div></div><div class="section" id="The_IPA_Password_Policy-Notifying_Users_of_Password_Expiration"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Notifying_Users_of_Password_Expiration">6.9.7. Notifying Users of Password Expiration</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="The_IPA_Password_Policy-Notifying_Users_of_Password_Expiration"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Notifying_Users_of_Password_Expiration">5.9.7. Notifying Users of Password Expiration</h3></div></div></div><div class="para">
If it is installed and configured, SSSD can use the PAM module to send messages to users, warning them about imminent password expiration. Fedora has a <code class="option">pam_pwd_expiration_warning</code> option to fine tune this feature. You can also manually search for passwords that are due to expire by a specified date. For example, to retrieve all user entries whose passwords are due to expire before March 1st, 2011, run the following command:
</div><div class="para">
<pre class="screen">$ ldapsearch -Y GSSAPI -b "cn=users,cn=accounts,dc=example,dc=com" '(krbPasswordExpiration<=20110301000000Z)'</pre>
- </div></div><div class="section" id="The_IPA_Password_Policy-Using_SSH_for_Password_Authentication"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Using_SSH_for_Password_Authentication">6.9.8. Using SSH for Password Authentication</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="The_IPA_Password_Policy-Using_SSH_for_Password_Authentication"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Using_SSH_for_Password_Authentication">5.9.8. Using SSH for Password Authentication</h3></div></div></div><div class="para">
If you use password authentication (no GSSAPI authentication, and no ticket on the client) with a new user, or with a user whose password has expired, you need to enable Challenge-Response authentication. Otherwise, the password changing dialog box will not display.
</div><div class="para">
This is not enabled by default because some older <code class="systemitem">SSL</code> clients may not support Challenge-Response authentication, and it is needed only if the password has expired.
@@ -231,8 +231,8 @@ $ ipa pwpolicy-show --user=tuser1
Set <em class="parameter"><code>ChallengeResponseAuthentication</code></em> to <code class="literal">yes</code> in the <code class="filename">/etc/ssh/sshd_config</code> file.
</div></li></ul></div>
- </div></div><div class="section" id="The_IPA_Password_Policy-Using_Local_Logins"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Using_Local_Logins">6.9.9. Using Local Logins</h3></div></div></div><div class="para">
+ </div></div><div class="section" id="The_IPA_Password_Policy-Using_Local_Logins"><div class="titlepage"><div><div><h3 class="title" id="The_IPA_Password_Policy-Using_Local_Logins">5.9.9. Using Local Logins</h3></div></div></div><div class="para">
User identity and authentication is managed by SSSD in recent versions of Fedora. The default settings specified by the FreeIPA installation script include timeout settings that still allow local logins to succeed if the client cannot access the FreeIPA server. These settings are specified in the <code class="filename">/etc/sssd/sssd.conf</code> file, and can be tuned to suit your particular deployment. Further, if SSSD's password caching feature is enabled, a user can log in even if the FreeIPA server is down. A typical deployment would normally include two or more servers for redundancy, and so this would not normally be a problem.
</div><div class="warning"><div class="admonition_header"><h2>Warning</h2></div><div class="admonition"><div class="para">
These timeout settings are only set on operating systems that support the FreeIPA installation script, meaning Fedora 15 and later. On other versions, specify these values manually or it may be impossible to log into the host if no FreeIPA servers are available.
- </div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="user-groups.html"><strong>Prev</strong>6.8. Creating User Groups</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="searching.html"><strong>Next</strong>6.10. Searching for Users and Groups</a></li></ul></body></html>
+ </div></div></div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="user-groups.html"><strong>Prev</strong>5.8. Creating User Groups</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="searching.html"><strong>Next</strong>5.10. Searching for Users and Groups</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/users.html b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/users.html
index 0df373e..3c03a84 100644
--- a/public_html/en-US/Fedora/15/html/FreeIPA_Guide/users.html
+++ b/public_html/en-US/Fedora/15/html/FreeIPA_Guide/users.html
@@ -1,13 +1,13 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 6. Identity: Managing Users and User Groups</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Chapter 5. Identity: Managing Users and User Groups</title><link rel="stylesheet" href="Common_Content/css/default.css" type="text/css" /><link rel="stylesheet" media="print" href="Common_Content/css/print.css" type="text/css" /><meta name="generator" content="publican 2.5" /><meta name="package" content="Fedora-FreeIPA_Guide-15-en-US-0.1-0.0.5" /><script type="text/javascript" src="../../../../../toc.js"></script><script type="text/javascript">
addID('Fedora');
addID('Fedora.15');
addID('Fedora.15.books');
addID('Fedora.15.FreeIPA_Guide');
- </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="General_Troubleshooting_Tips-Client_Problems.html" title="5.6. Client Problems" /><link rel="next" href="adding-users.html" title="6.2. Adding Users" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="General_Troubleshooting_Tips-Client_Problems.html"><strong>Prev</strong></
a></li><li class="next"><a accesskey="n" href="adding-users.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="users" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 6. Identity: Managing Users and User Groups</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="users.html#home-directories">6.1. Managing User Home Directories</a></span></dt><dt><span class="section"><a href="adding-users.html">6.2. Adding Users</a></span></dt><dt><span class="section"><a href="editing-users.html">6.3. Editing Users</a></span></dt><dt><span class="section"><a href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html">6.4. Activating and Deactivating User Accounts</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html#Activating_and_Deactivating_User_Accounts-Using_the_Command_Line">6.4.1. Using the Command Line</a></span></
dt></dl></dd><dt><span class="section"><a href="Configuring_IPA_Users-Specifying_Default_User_Settings.html">6.5. Specifying Default User Settings</a></span></dt><dt><span class="section"><a href="search-limits.html">6.6. Setting Default Search Limits</a></span></dt><dt><span class="section"><a href="Configuring_IPA_Users-Deleting_IPA_Users.html">6.7. Deleting FreeIPA Users</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_IPA_Users-Deleting_IPA_Users.html#Deleting_IPA_Users-Using_the_Command_Line">6.7.1. Using the Command Line</a></span></dt></dl></dd><dt><span class="section"><a href="user-groups.html">6.8. Creating User Groups</a></span></dt><dd><dl><dt><span class="section"><a href="user-groups.html#Configuring_IPA_Groups-Creating_IPA_Groups">6.8.1. Creating FreeIPA Groups</a></span></dt><dt><span class="section"><a href="user-groups.html#Configuring_IPA_Groups-Editing_IPA_Groups">6.8.2. Editing FreeIPA Groups</a></span></dt><dt><span class="section">
<a href="user-groups.html#Configuring_IPA_Groups-Deleting_IPA_Groups">6.8.3. Deleting FreeIPA Groups</a></span></dt></dl></dd><dt><span class="section"><a href="user-pwdpolicy.html">6.9. Setting an Individual Password Policy</a></span></dt><dd><dl><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Changing_Passwords_as_the_Directory_Manager">6.9.1. Changing Passwords as the Directory Manager</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Changing_Passwords_as_the_IPA_Administrator">6.9.2. Changing Passwords as the FreeIPA Administrator</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Changing_Passwords_as_a_Regular_User">6.9.3. Changing Passwords as a Regular User</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Editing_the_Password_Policy">6.9.4. Editing the Password Policy</a></span></dt><dt><span class="sectio
n"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Setting_Different_Password_Policies_for_Different_User_Groups">6.9.5. Setting Different Password Policies for Different User Groups</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Password_Policy_Attributes">6.9.6. Password Policy Attributes</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Notifying_Users_of_Password_Expiration">6.9.7. Notifying Users of Password Expiration</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Using_SSH_for_Password_Authentication">6.9.8. Using SSH for Password Authentication</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Using_Local_Logins">6.9.9. Using Local Logins</a></span></dt></dl></dd><dt><span class="section"><a href="searching.html">6.10. Searching for Users and Groups</a></span></dt><dd><dl><dt><span c
lass="section"><a href="searching.html#Searching_for_Users_and_Groups-Searching_for_Users">6.10.1. Searching for Users</a></span></dt><dt><span class="section"><a href="searching.html#Searching_for_Users_and_Groups-Searching_for_Groups">6.10.2. Searching for Groups</a></span></dt></dl></dd></dl></div><div class="section" id="home-directories"><div class="titlepage"><div><div><h2 class="title" id="home-directories">6.1. Managing User Home Directories</h2></div></div></div><div class="para">
+ </script><link rel="home" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="up" href="index.html" title="FreeIPA: Identity/Policy Management" /><link rel="prev" href="General_Troubleshooting_Tips-Client_Problems.html" title="4.6. Client Problems" /><link rel="next" href="adding-users.html" title="5.2. Adding Users" /></head><body class="toc_embeded "><div id="tocdiv" class="toc"><iframe id="tocframe" class="toc" src="../../../../toc.html">This is an iframe, to view it upgrade your browser or enable iframe display.</iframe></div><p id="title"><a class="left" href="http://www.fedoraproject.org"><img src="Common_Content/images/image_left.png" alt="Product Site" /></a><a class="right" href="http://docs.fedoraproject.org"><img src="Common_Content/images/image_right.png" alt="Documentation Site" /></a></p><ul class="docnav"><li class="previous"><a accesskey="p" href="General_Troubleshooting_Tips-Client_Problems.html"><strong>Prev</strong></
a></li><li class="next"><a accesskey="n" href="adding-users.html"><strong>Next</strong></a></li></ul><div xml:lang="en-US" class="chapter" id="users" lang="en-US"><div class="titlepage"><div><div><h2 class="title">Chapter 5. Identity: Managing Users and User Groups</h2></div></div></div><div class="toc"><dl><dt><span class="section"><a href="users.html#home-directories">5.1. Managing User Home Directories</a></span></dt><dt><span class="section"><a href="adding-users.html">5.2. Adding Users</a></span></dt><dt><span class="section"><a href="editing-users.html">5.3. Editing Users</a></span></dt><dt><span class="section"><a href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html">5.4. Activating and Deactivating User Accounts</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_IPA_Users-Activating_and_Deactivating_User_Accounts.html#Activating_and_Deactivating_User_Accounts-Using_the_Command_Line">5.4.1. Using the Command Line</a></span></
dt></dl></dd><dt><span class="section"><a href="Configuring_IPA_Users-Specifying_Default_User_Settings.html">5.5. Specifying Default User Settings</a></span></dt><dt><span class="section"><a href="search-limits.html">5.6. Setting Default Search Limits</a></span></dt><dt><span class="section"><a href="Configuring_IPA_Users-Deleting_IPA_Users.html">5.7. Deleting FreeIPA Users</a></span></dt><dd><dl><dt><span class="section"><a href="Configuring_IPA_Users-Deleting_IPA_Users.html#Deleting_IPA_Users-Using_the_Command_Line">5.7.1. Using the Command Line</a></span></dt></dl></dd><dt><span class="section"><a href="user-groups.html">5.8. Creating User Groups</a></span></dt><dd><dl><dt><span class="section"><a href="user-groups.html#Configuring_IPA_Groups-Creating_IPA_Groups">5.8.1. Creating FreeIPA Groups</a></span></dt><dt><span class="section"><a href="user-groups.html#Configuring_IPA_Groups-Editing_IPA_Groups">5.8.2. Editing FreeIPA Groups</a></span></dt><dt><span class="section">
<a href="user-groups.html#Configuring_IPA_Groups-Deleting_IPA_Groups">5.8.3. Deleting FreeIPA Groups</a></span></dt></dl></dd><dt><span class="section"><a href="user-pwdpolicy.html">5.9. Setting an Individual Password Policy</a></span></dt><dd><dl><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Changing_Passwords_as_the_Directory_Manager">5.9.1. Changing Passwords as the Directory Manager</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Changing_Passwords_as_the_IPA_Administrator">5.9.2. Changing Passwords as the FreeIPA Administrator</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Changing_Passwords_as_a_Regular_User">5.9.3. Changing Passwords as a Regular User</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Editing_the_Password_Policy">5.9.4. Editing the Password Policy</a></span></dt><dt><span class="sectio
n"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Setting_Different_Password_Policies_for_Different_User_Groups">5.9.5. Setting Different Password Policies for Different User Groups</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Password_Policy_Attributes">5.9.6. Password Policy Attributes</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Notifying_Users_of_Password_Expiration">5.9.7. Notifying Users of Password Expiration</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Using_SSH_for_Password_Authentication">5.9.8. Using SSH for Password Authentication</a></span></dt><dt><span class="section"><a href="user-pwdpolicy.html#The_IPA_Password_Policy-Using_Local_Logins">5.9.9. Using Local Logins</a></span></dt></dl></dd><dt><span class="section"><a href="searching.html">5.10. Searching for Users and Groups</a></span></dt><dd><dl><dt><span c
lass="section"><a href="searching.html#Searching_for_Users_and_Groups-Searching_for_Users">5.10.1. Searching for Users</a></span></dt><dt><span class="section"><a href="searching.html#Searching_for_Users_and_Groups-Searching_for_Groups">5.10.2. Searching for Groups</a></span></dt></dl></dd></dl></div><div class="section" id="home-directories"><div class="titlepage"><div><div><h2 class="title" id="home-directories">5.1. Managing User Home Directories</h2></div></div></div><div class="para">
FreeIPA, as part of managing users, can manage user home directories. However, the FreeIPA server has expectations about
<div class="itemizedlist"><ul><li class="listitem"><div class="para">
The default prefix for users' home directories is <code class="filename">/home</code>.
@@ -23,4 +23,4 @@
If a suitable directory and mechanism are not available for the creation of home directories, users may not be able to log in.
</div></li></ul></div>
- </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="General_Troubleshooting_Tips-Client_Problems.html"><strong>Prev</strong>5.6. Client Problems</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="adding-users.html"><strong>Next</strong>6.2. Adding Users</a></li></ul></body></html>
+ </div></div></div><ul class="docnav"><li class="previous"><a accesskey="p" href="General_Troubleshooting_Tips-Client_Problems.html"><strong>Prev</strong>4.6. Client Problems</a></li><li class="up"><a accesskey="u" href="#"><strong>Up</strong></a></li><li class="home"><a accesskey="h" href="index.html"><strong>Home</strong></a></li><li class="next"><a accesskey="n" href="adding-users.html"><strong>Next</strong>5.2. Adding Users</a></li></ul></body></html>
diff --git a/public_html/en-US/Fedora/15/pdf/FreeIPA_Guide/Fedora-15-FreeIPA_Guide-en-US.pdf b/public_html/en-US/Fedora/15/pdf/FreeIPA_Guide/Fedora-15-FreeIPA_Guide-en-US.pdf
index 89706d9..7698bcb 100644
Binary files a/public_html/en-US/Fedora/15/pdf/FreeIPA_Guide/Fedora-15-FreeIPA_Guide-en-US.pdf and b/public_html/en-US/Fedora/15/pdf/FreeIPA_Guide/Fedora-15-FreeIPA_Guide-en-US.pdf differ
diff --git a/public_html/en-US/opds-Fedora.xml b/public_html/en-US/opds-Fedora.xml
index 12dd401..80e5940 100644
--- a/public_html/en-US/opds-Fedora.xml
+++ b/public_html/en-US/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/en-US/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/en-US/opds-Fedora_Contributor_Documentation.xml b/public_html/en-US/opds-Fedora_Contributor_Documentation.xml
index 0b41344..e6ad3e4 100644
--- a/public_html/en-US/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/en-US/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/en-US/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/en-US/opds-Fedora_Core.xml b/public_html/en-US/opds-Fedora_Core.xml
index 38261ca..d9feb5a 100644
--- a/public_html/en-US/opds-Fedora_Core.xml
+++ b/public_html/en-US/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/en-US/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/en-US/opds-Fedora_Draft_Documentation.xml b/public_html/en-US/opds-Fedora_Draft_Documentation.xml
index 37c2eb4..37866d8 100644
--- a/public_html/en-US/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/en-US/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/en-US/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/en-US/opds.xml b/public_html/en-US/opds.xml
index c2c77cf..8a337f4 100644
--- a/public_html/en-US/opds.xml
+++ b/public_html/en-US/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/en-US/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/en-US/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>en-US</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/en-US/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>en-US</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/en-US/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>en-US</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/en-US/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>en-US</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/es-ES/opds-Fedora.xml b/public_html/es-ES/opds-Fedora.xml
index fb0464e..ed3562f 100644
--- a/public_html/es-ES/opds-Fedora.xml
+++ b/public_html/es-ES/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/es-ES/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/es-ES/opds-Fedora_Contributor_Documentation.xml b/public_html/es-ES/opds-Fedora_Contributor_Documentation.xml
index 5a32141..27ff0f0 100644
--- a/public_html/es-ES/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/es-ES/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/es-ES/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/es-ES/opds-Fedora_Core.xml b/public_html/es-ES/opds-Fedora_Core.xml
index e198b4f..a6b42f1 100644
--- a/public_html/es-ES/opds-Fedora_Core.xml
+++ b/public_html/es-ES/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/es-ES/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/es-ES/opds-Fedora_Draft_Documentation.xml b/public_html/es-ES/opds-Fedora_Draft_Documentation.xml
index 4b2ee3a..44d8f22 100644
--- a/public_html/es-ES/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/es-ES/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/es-ES/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/es-ES/opds.xml b/public_html/es-ES/opds.xml
index d1c1efd..e5fc217 100644
--- a/public_html/es-ES/opds.xml
+++ b/public_html/es-ES/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/es-ES/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/es-ES/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>es-ES</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/es-ES/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>es-ES</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/es-ES/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>es-ES</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/es-ES/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>es-ES</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/fa-IR/opds-Fedora.xml b/public_html/fa-IR/opds-Fedora.xml
index 65343dd..ed44d0f 100644
--- a/public_html/fa-IR/opds-Fedora.xml
+++ b/public_html/fa-IR/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/fa-IR/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/fa-IR/opds-Fedora_Contributor_Documentation.xml b/public_html/fa-IR/opds-Fedora_Contributor_Documentation.xml
index 83de709..f5de7b7 100644
--- a/public_html/fa-IR/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/fa-IR/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/fa-IR/opds-Fedora_Contributor_Documentation.xml</id>
<title>مستندات مشارکت کننده فدورا</title>
<subtitle>مستندات مشارکت کننده فدورا</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/fa-IR/opds-Fedora_Core.xml b/public_html/fa-IR/opds-Fedora_Core.xml
index c05fcc5..d831217 100644
--- a/public_html/fa-IR/opds-Fedora_Core.xml
+++ b/public_html/fa-IR/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/fa-IR/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/fa-IR/opds-Fedora_Draft_Documentation.xml b/public_html/fa-IR/opds-Fedora_Draft_Documentation.xml
index caef154..eb5fc05 100644
--- a/public_html/fa-IR/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/fa-IR/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/fa-IR/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/fa-IR/opds.xml b/public_html/fa-IR/opds.xml
index ff628d9..0ca3bda 100644
--- a/public_html/fa-IR/opds.xml
+++ b/public_html/fa-IR/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/fa-IR/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/fa-IR/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>fa-IR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>مستندات مشارکت کننده فدورا</title>
<id>http://docs.fedoraproject.org/fa-IR/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>fa-IR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/fa-IR/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>fa-IR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/fa-IR/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>fa-IR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/fi-FI/opds-Fedora.xml b/public_html/fi-FI/opds-Fedora.xml
index 19c06e0..637a236 100644
--- a/public_html/fi-FI/opds-Fedora.xml
+++ b/public_html/fi-FI/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/fi-FI/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/fi-FI/opds-Fedora_Contributor_Documentation.xml b/public_html/fi-FI/opds-Fedora_Contributor_Documentation.xml
index ab3bc2e..8c00632 100644
--- a/public_html/fi-FI/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/fi-FI/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/fi-FI/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/fi-FI/opds-Fedora_Core.xml b/public_html/fi-FI/opds-Fedora_Core.xml
index 7e4fcc4..b3f897d 100644
--- a/public_html/fi-FI/opds-Fedora_Core.xml
+++ b/public_html/fi-FI/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/fi-FI/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/fi-FI/opds-Fedora_Draft_Documentation.xml b/public_html/fi-FI/opds-Fedora_Draft_Documentation.xml
index 7094629..8e205e1 100644
--- a/public_html/fi-FI/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/fi-FI/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/fi-FI/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/fi-FI/opds.xml b/public_html/fi-FI/opds.xml
index 74ec630..b858c26 100644
--- a/public_html/fi-FI/opds.xml
+++ b/public_html/fi-FI/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/fi-FI/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/fi-FI/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>fi-FI</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/fi-FI/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>fi-FI</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/fi-FI/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>fi-FI</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/fi-FI/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>fi-FI</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/fr-FR/opds-Fedora.xml b/public_html/fr-FR/opds-Fedora.xml
index d91b0ca..1e9b3f7 100644
--- a/public_html/fr-FR/opds-Fedora.xml
+++ b/public_html/fr-FR/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/fr-FR/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/fr-FR/opds-Fedora_Contributor_Documentation.xml b/public_html/fr-FR/opds-Fedora_Contributor_Documentation.xml
index fa779b7..aa49219 100644
--- a/public_html/fr-FR/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/fr-FR/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/fr-FR/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/fr-FR/opds-Fedora_Core.xml b/public_html/fr-FR/opds-Fedora_Core.xml
index 77fcd1f..092265a 100644
--- a/public_html/fr-FR/opds-Fedora_Core.xml
+++ b/public_html/fr-FR/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/fr-FR/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/fr-FR/opds-Fedora_Draft_Documentation.xml b/public_html/fr-FR/opds-Fedora_Draft_Documentation.xml
index 9082b82..87367ad 100644
--- a/public_html/fr-FR/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/fr-FR/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/fr-FR/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/fr-FR/opds.xml b/public_html/fr-FR/opds.xml
index 310f5d4..6b53d55 100644
--- a/public_html/fr-FR/opds.xml
+++ b/public_html/fr-FR/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/fr-FR/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/fr-FR/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>fr-FR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/fr-FR/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>fr-FR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/fr-FR/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>fr-FR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/fr-FR/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>fr-FR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/gu-IN/opds-Fedora.xml b/public_html/gu-IN/opds-Fedora.xml
index 9f1381e..7a81db3 100644
--- a/public_html/gu-IN/opds-Fedora.xml
+++ b/public_html/gu-IN/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/gu-IN/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/gu-IN/opds-Fedora_Contributor_Documentation.xml b/public_html/gu-IN/opds-Fedora_Contributor_Documentation.xml
index 241bd62..4b02b25 100644
--- a/public_html/gu-IN/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/gu-IN/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/gu-IN/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/gu-IN/opds-Fedora_Core.xml b/public_html/gu-IN/opds-Fedora_Core.xml
index cd8ee29..43bb297 100644
--- a/public_html/gu-IN/opds-Fedora_Core.xml
+++ b/public_html/gu-IN/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/gu-IN/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/gu-IN/opds-Fedora_Draft_Documentation.xml b/public_html/gu-IN/opds-Fedora_Draft_Documentation.xml
index 53e9114..a688f5f 100644
--- a/public_html/gu-IN/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/gu-IN/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/gu-IN/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/gu-IN/opds.xml b/public_html/gu-IN/opds.xml
index 3b59399..542f44f 100644
--- a/public_html/gu-IN/opds.xml
+++ b/public_html/gu-IN/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/gu-IN/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/gu-IN/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>gu-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/gu-IN/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>gu-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/gu-IN/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>gu-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/gu-IN/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>gu-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/he-IL/opds-Fedora.xml b/public_html/he-IL/opds-Fedora.xml
index 05a0433..dee3c76 100644
--- a/public_html/he-IL/opds-Fedora.xml
+++ b/public_html/he-IL/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/he-IL/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/he-IL/opds-Fedora_Contributor_Documentation.xml b/public_html/he-IL/opds-Fedora_Contributor_Documentation.xml
index 5ec4217..7d0b108 100644
--- a/public_html/he-IL/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/he-IL/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/he-IL/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/he-IL/opds-Fedora_Core.xml b/public_html/he-IL/opds-Fedora_Core.xml
index 66578d5..c2f78ab 100644
--- a/public_html/he-IL/opds-Fedora_Core.xml
+++ b/public_html/he-IL/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/he-IL/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/he-IL/opds-Fedora_Draft_Documentation.xml b/public_html/he-IL/opds-Fedora_Draft_Documentation.xml
index ccd6eeb..cb7a36c 100644
--- a/public_html/he-IL/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/he-IL/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/he-IL/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/he-IL/opds.xml b/public_html/he-IL/opds.xml
index ff3f30b..d6bf815 100644
--- a/public_html/he-IL/opds.xml
+++ b/public_html/he-IL/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/he-IL/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/he-IL/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>he-IL</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/he-IL/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>he-IL</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/he-IL/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>he-IL</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/he-IL/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>he-IL</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/hi-IN/opds-Fedora.xml b/public_html/hi-IN/opds-Fedora.xml
index 00ec3c1..ec90fa8 100644
--- a/public_html/hi-IN/opds-Fedora.xml
+++ b/public_html/hi-IN/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/hi-IN/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/hi-IN/opds-Fedora_Contributor_Documentation.xml b/public_html/hi-IN/opds-Fedora_Contributor_Documentation.xml
index f7df500..bd4bef1 100644
--- a/public_html/hi-IN/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/hi-IN/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/hi-IN/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/hi-IN/opds-Fedora_Core.xml b/public_html/hi-IN/opds-Fedora_Core.xml
index 7327c2c..d1d50c6 100644
--- a/public_html/hi-IN/opds-Fedora_Core.xml
+++ b/public_html/hi-IN/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/hi-IN/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/hi-IN/opds-Fedora_Draft_Documentation.xml b/public_html/hi-IN/opds-Fedora_Draft_Documentation.xml
index c771541..88d4e6c 100644
--- a/public_html/hi-IN/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/hi-IN/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/hi-IN/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/hi-IN/opds.xml b/public_html/hi-IN/opds.xml
index ea769b8..df26736 100644
--- a/public_html/hi-IN/opds.xml
+++ b/public_html/hi-IN/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/hi-IN/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/hi-IN/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>hi-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/hi-IN/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>hi-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/hi-IN/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>hi-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/hi-IN/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>hi-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/hu-HU/opds-Fedora.xml b/public_html/hu-HU/opds-Fedora.xml
index 1b7dff3..a1bbc87 100644
--- a/public_html/hu-HU/opds-Fedora.xml
+++ b/public_html/hu-HU/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/hu-HU/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/hu-HU/opds-Fedora_Contributor_Documentation.xml b/public_html/hu-HU/opds-Fedora_Contributor_Documentation.xml
index 4bd63f1..789cf11 100644
--- a/public_html/hu-HU/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/hu-HU/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/hu-HU/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/hu-HU/opds-Fedora_Core.xml b/public_html/hu-HU/opds-Fedora_Core.xml
index 64f8716..91ce5fb 100644
--- a/public_html/hu-HU/opds-Fedora_Core.xml
+++ b/public_html/hu-HU/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/hu-HU/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/hu-HU/opds-Fedora_Draft_Documentation.xml b/public_html/hu-HU/opds-Fedora_Draft_Documentation.xml
index 3209114..9a7ffad 100644
--- a/public_html/hu-HU/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/hu-HU/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/hu-HU/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/hu-HU/opds.xml b/public_html/hu-HU/opds.xml
index 2697506..2dbdbef 100644
--- a/public_html/hu-HU/opds.xml
+++ b/public_html/hu-HU/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/hu-HU/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/hu-HU/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>hu-HU</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/hu-HU/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>hu-HU</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/hu-HU/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>hu-HU</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/hu-HU/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>hu-HU</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/id-ID/opds-Fedora.xml b/public_html/id-ID/opds-Fedora.xml
index 6e89c90..2761e3f 100644
--- a/public_html/id-ID/opds-Fedora.xml
+++ b/public_html/id-ID/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/id-ID/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/id-ID/opds-Fedora_Contributor_Documentation.xml b/public_html/id-ID/opds-Fedora_Contributor_Documentation.xml
index dfa3d23..caaab88 100644
--- a/public_html/id-ID/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/id-ID/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/id-ID/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/id-ID/opds-Fedora_Core.xml b/public_html/id-ID/opds-Fedora_Core.xml
index c52d0da..6ba707e 100644
--- a/public_html/id-ID/opds-Fedora_Core.xml
+++ b/public_html/id-ID/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/id-ID/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/id-ID/opds-Fedora_Draft_Documentation.xml b/public_html/id-ID/opds-Fedora_Draft_Documentation.xml
index 394a8dd..f9e0318 100644
--- a/public_html/id-ID/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/id-ID/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/id-ID/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/id-ID/opds.xml b/public_html/id-ID/opds.xml
index d59d153..9f10741 100644
--- a/public_html/id-ID/opds.xml
+++ b/public_html/id-ID/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/id-ID/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/id-ID/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>id-ID</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/id-ID/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>id-ID</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/id-ID/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>id-ID</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/id-ID/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>id-ID</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/it-IT/opds-Fedora.xml b/public_html/it-IT/opds-Fedora.xml
index 58f6b3d..47549e0 100644
--- a/public_html/it-IT/opds-Fedora.xml
+++ b/public_html/it-IT/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/it-IT/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/it-IT/opds-Fedora_Contributor_Documentation.xml b/public_html/it-IT/opds-Fedora_Contributor_Documentation.xml
index 3d8fd64..233c077 100644
--- a/public_html/it-IT/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/it-IT/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/it-IT/opds-Fedora_Contributor_Documentation.xml</id>
<title>Documentazione Collaboratori Fedora</title>
<subtitle>Documentazione Collaboratori Fedora</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/it-IT/opds-Fedora_Core.xml b/public_html/it-IT/opds-Fedora_Core.xml
index 25151c9..e90f3b4 100644
--- a/public_html/it-IT/opds-Fedora_Core.xml
+++ b/public_html/it-IT/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/it-IT/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/it-IT/opds-Fedora_Draft_Documentation.xml b/public_html/it-IT/opds-Fedora_Draft_Documentation.xml
index 1ca3ade..f226881 100644
--- a/public_html/it-IT/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/it-IT/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/it-IT/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/it-IT/opds.xml b/public_html/it-IT/opds.xml
index 79409a1..3a3188d 100644
--- a/public_html/it-IT/opds.xml
+++ b/public_html/it-IT/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/it-IT/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/it-IT/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>it-IT</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Documentazione Collaboratori Fedora</title>
<id>http://docs.fedoraproject.org/it-IT/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>it-IT</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/it-IT/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>it-IT</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/it-IT/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>it-IT</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/ja-JP/opds-Fedora.xml b/public_html/ja-JP/opds-Fedora.xml
index 0244df5..3db6fa2 100644
--- a/public_html/ja-JP/opds-Fedora.xml
+++ b/public_html/ja-JP/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ja-JP/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ja-JP/opds-Fedora_Contributor_Documentation.xml b/public_html/ja-JP/opds-Fedora_Contributor_Documentation.xml
index 0f14709..de56d8c 100644
--- a/public_html/ja-JP/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/ja-JP/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ja-JP/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora コントリビュータ用ドキュメント</title>
<subtitle>Fedora コントリビュータ用ドキュメント</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ja-JP/opds-Fedora_Core.xml b/public_html/ja-JP/opds-Fedora_Core.xml
index c91e35c..1653d6d 100644
--- a/public_html/ja-JP/opds-Fedora_Core.xml
+++ b/public_html/ja-JP/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ja-JP/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ja-JP/opds-Fedora_Draft_Documentation.xml b/public_html/ja-JP/opds-Fedora_Draft_Documentation.xml
index 083acbe..2054c6e 100644
--- a/public_html/ja-JP/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/ja-JP/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ja-JP/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ja-JP/opds.xml b/public_html/ja-JP/opds.xml
index cde5062..31ed589 100644
--- a/public_html/ja-JP/opds.xml
+++ b/public_html/ja-JP/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/ja-JP/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/ja-JP/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>ja-JP</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora コントリビュータ用ドキュメント</title>
<id>http://docs.fedoraproject.org/ja-JP/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>ja-JP</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/ja-JP/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>ja-JP</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/ja-JP/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>ja-JP</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/kn-IN/opds-Fedora.xml b/public_html/kn-IN/opds-Fedora.xml
index 0e95c16..3e78a4e 100644
--- a/public_html/kn-IN/opds-Fedora.xml
+++ b/public_html/kn-IN/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/kn-IN/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/kn-IN/opds-Fedora_Contributor_Documentation.xml b/public_html/kn-IN/opds-Fedora_Contributor_Documentation.xml
index 287e6d2..a179518 100644
--- a/public_html/kn-IN/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/kn-IN/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/kn-IN/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/kn-IN/opds-Fedora_Core.xml b/public_html/kn-IN/opds-Fedora_Core.xml
index a91a594..2952e50 100644
--- a/public_html/kn-IN/opds-Fedora_Core.xml
+++ b/public_html/kn-IN/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/kn-IN/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/kn-IN/opds-Fedora_Draft_Documentation.xml b/public_html/kn-IN/opds-Fedora_Draft_Documentation.xml
index 74760cd..749363b 100644
--- a/public_html/kn-IN/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/kn-IN/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/kn-IN/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/kn-IN/opds.xml b/public_html/kn-IN/opds.xml
index 4f617c6..c011382 100644
--- a/public_html/kn-IN/opds.xml
+++ b/public_html/kn-IN/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/kn-IN/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/kn-IN/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>kn-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/kn-IN/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>kn-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/kn-IN/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>kn-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/kn-IN/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>kn-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/ko-KR/opds-Fedora.xml b/public_html/ko-KR/opds-Fedora.xml
index 60d3200..3f887b0 100644
--- a/public_html/ko-KR/opds-Fedora.xml
+++ b/public_html/ko-KR/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ko-KR/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ko-KR/opds-Fedora_Contributor_Documentation.xml b/public_html/ko-KR/opds-Fedora_Contributor_Documentation.xml
index b64b0ed..f5d805f 100644
--- a/public_html/ko-KR/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/ko-KR/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ko-KR/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ko-KR/opds-Fedora_Core.xml b/public_html/ko-KR/opds-Fedora_Core.xml
index 06a709e..2276856 100644
--- a/public_html/ko-KR/opds-Fedora_Core.xml
+++ b/public_html/ko-KR/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ko-KR/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ko-KR/opds-Fedora_Draft_Documentation.xml b/public_html/ko-KR/opds-Fedora_Draft_Documentation.xml
index 0412ef4..e3e0bbf 100644
--- a/public_html/ko-KR/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/ko-KR/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ko-KR/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ko-KR/opds.xml b/public_html/ko-KR/opds.xml
index c0288f2..45dae5d 100644
--- a/public_html/ko-KR/opds.xml
+++ b/public_html/ko-KR/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/ko-KR/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/ko-KR/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>ko-KR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/ko-KR/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>ko-KR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/ko-KR/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>ko-KR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/ko-KR/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>ko-KR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/ml-IN/opds-Fedora.xml b/public_html/ml-IN/opds-Fedora.xml
index 2ac2902..ac48e60 100644
--- a/public_html/ml-IN/opds-Fedora.xml
+++ b/public_html/ml-IN/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ml-IN/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ml-IN/opds-Fedora_Contributor_Documentation.xml b/public_html/ml-IN/opds-Fedora_Contributor_Documentation.xml
index a53d030..d4d5937 100644
--- a/public_html/ml-IN/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/ml-IN/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ml-IN/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ml-IN/opds-Fedora_Core.xml b/public_html/ml-IN/opds-Fedora_Core.xml
index da4d5bc..bc4e1bd 100644
--- a/public_html/ml-IN/opds-Fedora_Core.xml
+++ b/public_html/ml-IN/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ml-IN/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ml-IN/opds-Fedora_Draft_Documentation.xml b/public_html/ml-IN/opds-Fedora_Draft_Documentation.xml
index 71fa9dc..9672e6e 100644
--- a/public_html/ml-IN/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/ml-IN/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ml-IN/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ml-IN/opds.xml b/public_html/ml-IN/opds.xml
index 9ea4d8b..96a92ed 100644
--- a/public_html/ml-IN/opds.xml
+++ b/public_html/ml-IN/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/ml-IN/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/ml-IN/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>ml-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/ml-IN/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>ml-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/ml-IN/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>ml-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/ml-IN/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>ml-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/mr-IN/opds-Fedora.xml b/public_html/mr-IN/opds-Fedora.xml
index 13771fe..0cbb799 100644
--- a/public_html/mr-IN/opds-Fedora.xml
+++ b/public_html/mr-IN/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/mr-IN/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/mr-IN/opds-Fedora_Contributor_Documentation.xml b/public_html/mr-IN/opds-Fedora_Contributor_Documentation.xml
index 61369f9..4f3f3d3 100644
--- a/public_html/mr-IN/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/mr-IN/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/mr-IN/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/mr-IN/opds-Fedora_Core.xml b/public_html/mr-IN/opds-Fedora_Core.xml
index f0aaf89..d52cbcf 100644
--- a/public_html/mr-IN/opds-Fedora_Core.xml
+++ b/public_html/mr-IN/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/mr-IN/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/mr-IN/opds-Fedora_Draft_Documentation.xml b/public_html/mr-IN/opds-Fedora_Draft_Documentation.xml
index 9c95e6e..e552d11 100644
--- a/public_html/mr-IN/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/mr-IN/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/mr-IN/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/mr-IN/opds.xml b/public_html/mr-IN/opds.xml
index 736c27c..f4d2ad7 100644
--- a/public_html/mr-IN/opds.xml
+++ b/public_html/mr-IN/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/mr-IN/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/mr-IN/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>mr-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/mr-IN/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>mr-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/mr-IN/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>mr-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/mr-IN/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>mr-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/nb-NO/opds-Fedora.xml b/public_html/nb-NO/opds-Fedora.xml
index 9c0aab0..00b95da 100644
--- a/public_html/nb-NO/opds-Fedora.xml
+++ b/public_html/nb-NO/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/nb-NO/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/nb-NO/opds-Fedora_Contributor_Documentation.xml b/public_html/nb-NO/opds-Fedora_Contributor_Documentation.xml
index 3a07c08..5f157ff 100644
--- a/public_html/nb-NO/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/nb-NO/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/nb-NO/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/nb-NO/opds-Fedora_Core.xml b/public_html/nb-NO/opds-Fedora_Core.xml
index b6e0604..86f0da2 100644
--- a/public_html/nb-NO/opds-Fedora_Core.xml
+++ b/public_html/nb-NO/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/nb-NO/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/nb-NO/opds-Fedora_Draft_Documentation.xml b/public_html/nb-NO/opds-Fedora_Draft_Documentation.xml
index c98cee7..c79ff93 100644
--- a/public_html/nb-NO/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/nb-NO/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/nb-NO/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/nb-NO/opds.xml b/public_html/nb-NO/opds.xml
index b977eea..c586c99 100644
--- a/public_html/nb-NO/opds.xml
+++ b/public_html/nb-NO/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/nb-NO/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/nb-NO/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>nb-NO</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/nb-NO/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>nb-NO</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/nb-NO/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>nb-NO</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/nb-NO/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>nb-NO</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/nl-NL/opds-Fedora.xml b/public_html/nl-NL/opds-Fedora.xml
index 6fc15cb..b90a0bc 100644
--- a/public_html/nl-NL/opds-Fedora.xml
+++ b/public_html/nl-NL/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/nl-NL/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/nl-NL/opds-Fedora_Contributor_Documentation.xml b/public_html/nl-NL/opds-Fedora_Contributor_Documentation.xml
index 07562bc..7b6aba6 100644
--- a/public_html/nl-NL/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/nl-NL/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/nl-NL/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/nl-NL/opds-Fedora_Core.xml b/public_html/nl-NL/opds-Fedora_Core.xml
index 8b84141..f023ac1 100644
--- a/public_html/nl-NL/opds-Fedora_Core.xml
+++ b/public_html/nl-NL/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/nl-NL/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/nl-NL/opds-Fedora_Draft_Documentation.xml b/public_html/nl-NL/opds-Fedora_Draft_Documentation.xml
index 881bac4..27e6b5c 100644
--- a/public_html/nl-NL/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/nl-NL/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/nl-NL/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/nl-NL/opds.xml b/public_html/nl-NL/opds.xml
index 8cb737e..67fc939 100644
--- a/public_html/nl-NL/opds.xml
+++ b/public_html/nl-NL/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/nl-NL/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/nl-NL/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>nl-NL</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/nl-NL/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>nl-NL</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/nl-NL/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>nl-NL</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/nl-NL/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>nl-NL</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/opds.xml b/public_html/opds.xml
index 1903197..f33527a 100644
--- a/public_html/opds.xml
+++ b/public_html/opds.xml
@@ -7,7 +7,7 @@
<link rel="start" href="http://docs.fedoraproject.org/opds.xml" type="application/atom+xml;type=feed;profile=opds-catalog"/>
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<title>Fedora Documentation</title>
- <updated>2011-06-28T21:51:51</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
@@ -16,7 +16,7 @@
<entry>
<title>অসমীয়া</title>
<id>as-IN/opds.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>as-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="as-IN/opds.xml"/>
@@ -24,7 +24,7 @@
<entry>
<title>български</title>
<id>bg-BG/opds.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>bg-BG</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="bg-BG/opds.xml"/>
@@ -32,7 +32,7 @@
<entry>
<title>বাংলা</title>
<id>bn-IN/opds.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>bn-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="bn-IN/opds.xml"/>
@@ -40,7 +40,7 @@
<entry>
<title>Bosanski</title>
<id>bs-BA/opds.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>bs-BA</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="bs-BA/opds.xml"/>
@@ -48,7 +48,7 @@
<entry>
<title>Català</title>
<id>ca-ES/opds.xml</id>
- <updated>2011-06-28T21:51:43</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>ca-ES</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="ca-ES/opds.xml"/>
@@ -56,7 +56,7 @@
<entry>
<title>Čeština</title>
<id>cs-CZ/opds.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>cs-CZ</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="cs-CZ/opds.xml"/>
@@ -64,7 +64,7 @@
<entry>
<title>Dansk</title>
<id>da-DK/opds.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:46</updated>
<dc:language>da-DK</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="da-DK/opds.xml"/>
@@ -72,7 +72,7 @@
<entry>
<title>Deutsch</title>
<id>de-DE/opds.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>de-DE</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="de-DE/opds.xml"/>
@@ -80,7 +80,7 @@
<entry>
<title>Ελληνικά</title>
<id>el-GR/opds.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>el-GR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="el-GR/opds.xml"/>
@@ -88,7 +88,7 @@
<entry>
<title>English</title>
<id>en-US/opds.xml</id>
- <updated>2011-06-28T21:51:44</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>en-US</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="en-US/opds.xml"/>
@@ -96,7 +96,7 @@
<entry>
<title>Español</title>
<id>es-ES/opds.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>es-ES</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="es-ES/opds.xml"/>
@@ -104,7 +104,7 @@
<entry>
<title>فارسی</title>
<id>fa-IR/opds.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>fa-IR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="fa-IR/opds.xml"/>
@@ -112,7 +112,7 @@
<entry>
<title>Suomi</title>
<id>fi-FI/opds.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:47</updated>
<dc:language>fi-FI</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="fi-FI/opds.xml"/>
@@ -120,7 +120,7 @@
<entry>
<title>Français</title>
<id>fr-FR/opds.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>fr-FR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="fr-FR/opds.xml"/>
@@ -128,7 +128,7 @@
<entry>
<title>ગુજરાતી</title>
<id>gu-IN/opds.xml</id>
- <updated>2011-06-28T21:51:45</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>gu-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="gu-IN/opds.xml"/>
@@ -136,7 +136,7 @@
<entry>
<title>עברית</title>
<id>he-IL/opds.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>he-IL</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="he-IL/opds.xml"/>
@@ -144,7 +144,7 @@
<entry>
<title>हिन्दी</title>
<id>hi-IN/opds.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>hi-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="hi-IN/opds.xml"/>
@@ -152,7 +152,7 @@
<entry>
<title>Magyar</title>
<id>hu-HU/opds.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>hu-HU</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="hu-HU/opds.xml"/>
@@ -160,7 +160,7 @@
<entry>
<title>Indonesia</title>
<id>id-ID/opds.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:48</updated>
<dc:language>id-ID</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="id-ID/opds.xml"/>
@@ -168,7 +168,7 @@
<entry>
<title>Italiano</title>
<id>it-IT/opds.xml</id>
- <updated>2011-06-28T21:51:46</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>it-IT</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="it-IT/opds.xml"/>
@@ -176,7 +176,7 @@
<entry>
<title>日本語</title>
<id>ja-JP/opds.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>ja-JP</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="ja-JP/opds.xml"/>
@@ -184,7 +184,7 @@
<entry>
<title>ಕನ್ನಡ</title>
<id>kn-IN/opds.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>kn-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="kn-IN/opds.xml"/>
@@ -192,7 +192,7 @@
<entry>
<title>한국어</title>
<id>ko-KR/opds.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>ko-KR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="ko-KR/opds.xml"/>
@@ -200,7 +200,7 @@
<entry>
<title>മലയാളം</title>
<id>ml-IN/opds.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>ml-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="ml-IN/opds.xml"/>
@@ -208,7 +208,7 @@
<entry>
<title>मराठी</title>
<id>mr-IN/opds.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:49</updated>
<dc:language>mr-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="mr-IN/opds.xml"/>
@@ -216,7 +216,7 @@
<entry>
<title>Norsk (bokmål)</title>
<id>nb-NO/opds.xml</id>
- <updated>2011-06-28T21:51:47</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>nb-NO</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="nb-NO/opds.xml"/>
@@ -224,7 +224,7 @@
<entry>
<title>Nederlands</title>
<id>nl-NL/opds.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>nl-NL</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="nl-NL/opds.xml"/>
@@ -232,7 +232,7 @@
<entry>
<title>ଓଡ଼ିଆ</title>
<id>or-IN/opds.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>or-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="or-IN/opds.xml"/>
@@ -240,7 +240,7 @@
<entry>
<title>ਪੰਜਾਬੀ</title>
<id>pa-IN/opds.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>pa-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="pa-IN/opds.xml"/>
@@ -248,7 +248,7 @@
<entry>
<title>Polski</title>
<id>pl-PL/opds.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>pl-PL</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="pl-PL/opds.xml"/>
@@ -256,7 +256,7 @@
<entry>
<title>Português Brasileiro</title>
<id>pt-BR/opds.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>pt-BR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="pt-BR/opds.xml"/>
@@ -264,7 +264,7 @@
<entry>
<title>Português</title>
<id>pt-PT/opds.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<dc:language>pt-PT</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="pt-PT/opds.xml"/>
@@ -272,7 +272,7 @@
<entry>
<title>Русский</title>
<id>ru-RU/opds.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>ru-RU</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="ru-RU/opds.xml"/>
@@ -280,7 +280,7 @@
<entry>
<title>Slovenščina</title>
<id>sk-SK/opds.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sk-SK</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="sk-SK/opds.xml"/>
@@ -288,7 +288,7 @@
<entry>
<title>Srpski (latinica)</title>
<id>sr-Latn-RS/opds.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sr-Latn-RS</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="sr-Latn-RS/opds.xml"/>
@@ -296,7 +296,7 @@
<entry>
<title>Српски</title>
<id>sr-RS/opds.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sr-RS</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="sr-RS/opds.xml"/>
@@ -304,7 +304,7 @@
<entry>
<title>Svenska</title>
<id>sv-SE/opds.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sv-SE</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="sv-SE/opds.xml"/>
@@ -312,7 +312,7 @@
<entry>
<title>தமிழ்</title>
<id>ta-IN/opds.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>ta-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="ta-IN/opds.xml"/>
@@ -320,7 +320,7 @@
<entry>
<title>తెలుగు</title>
<id>te-IN/opds.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<dc:language>te-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="te-IN/opds.xml"/>
@@ -328,7 +328,7 @@
<entry>
<title>Українська</title>
<id>uk-UA/opds.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<dc:language>uk-UA</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="uk-UA/opds.xml"/>
@@ -336,7 +336,7 @@
<entry>
<title>简体中文</title>
<id>zh-CN/opds.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<dc:language>zh-CN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="zh-CN/opds.xml"/>
@@ -344,7 +344,7 @@
<entry>
<title>繁體中文</title>
<id>zh-TW/opds.xml</id>
- <updated>2011-06-28T21:51:51</updated>
+ <updated>2011-06-28T22:10:53</updated>
<dc:language>zh-TW</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="zh-TW/opds.xml"/>
diff --git a/public_html/or-IN/opds-Fedora.xml b/public_html/or-IN/opds-Fedora.xml
index 360a024..13b7b9e 100644
--- a/public_html/or-IN/opds-Fedora.xml
+++ b/public_html/or-IN/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/or-IN/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/or-IN/opds-Fedora_Contributor_Documentation.xml b/public_html/or-IN/opds-Fedora_Contributor_Documentation.xml
index c4a13f4..b694aac 100644
--- a/public_html/or-IN/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/or-IN/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/or-IN/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/or-IN/opds-Fedora_Core.xml b/public_html/or-IN/opds-Fedora_Core.xml
index c1937d8..597518b 100644
--- a/public_html/or-IN/opds-Fedora_Core.xml
+++ b/public_html/or-IN/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/or-IN/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/or-IN/opds-Fedora_Draft_Documentation.xml b/public_html/or-IN/opds-Fedora_Draft_Documentation.xml
index 94f02c9..9553b65 100644
--- a/public_html/or-IN/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/or-IN/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/or-IN/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/or-IN/opds.xml b/public_html/or-IN/opds.xml
index 79a2be6..61c73b8 100644
--- a/public_html/or-IN/opds.xml
+++ b/public_html/or-IN/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/or-IN/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/or-IN/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>or-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/or-IN/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>or-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/or-IN/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>or-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/or-IN/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>or-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/pa-IN/opds-Fedora.xml b/public_html/pa-IN/opds-Fedora.xml
index dbd74c2..de5c7f5 100644
--- a/public_html/pa-IN/opds-Fedora.xml
+++ b/public_html/pa-IN/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/pa-IN/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/pa-IN/opds-Fedora_Contributor_Documentation.xml b/public_html/pa-IN/opds-Fedora_Contributor_Documentation.xml
index 9daa39b..c6ae274 100644
--- a/public_html/pa-IN/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/pa-IN/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/pa-IN/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/pa-IN/opds-Fedora_Core.xml b/public_html/pa-IN/opds-Fedora_Core.xml
index cfa50f7..8e69c8a 100644
--- a/public_html/pa-IN/opds-Fedora_Core.xml
+++ b/public_html/pa-IN/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/pa-IN/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/pa-IN/opds-Fedora_Draft_Documentation.xml b/public_html/pa-IN/opds-Fedora_Draft_Documentation.xml
index c301a64..1153db3 100644
--- a/public_html/pa-IN/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/pa-IN/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/pa-IN/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/pa-IN/opds.xml b/public_html/pa-IN/opds.xml
index 943533a..a2c55f5 100644
--- a/public_html/pa-IN/opds.xml
+++ b/public_html/pa-IN/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/pa-IN/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/pa-IN/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>pa-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/pa-IN/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>pa-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/pa-IN/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>pa-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/pa-IN/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>pa-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/pl-PL/opds-Fedora.xml b/public_html/pl-PL/opds-Fedora.xml
index 7f762c0..2a9299d 100644
--- a/public_html/pl-PL/opds-Fedora.xml
+++ b/public_html/pl-PL/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/pl-PL/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/pl-PL/opds-Fedora_Contributor_Documentation.xml b/public_html/pl-PL/opds-Fedora_Contributor_Documentation.xml
index 1105cc2..bebb24f 100644
--- a/public_html/pl-PL/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/pl-PL/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/pl-PL/opds-Fedora_Contributor_Documentation.xml</id>
<title>Dokumentacja dla współtwórców Fedory</title>
<subtitle>Dokumentacja dla współtwórców Fedory</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/pl-PL/opds-Fedora_Core.xml b/public_html/pl-PL/opds-Fedora_Core.xml
index 7a25978..fa2accb 100644
--- a/public_html/pl-PL/opds-Fedora_Core.xml
+++ b/public_html/pl-PL/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/pl-PL/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/pl-PL/opds-Fedora_Draft_Documentation.xml b/public_html/pl-PL/opds-Fedora_Draft_Documentation.xml
index 2e11a01..c085b60 100644
--- a/public_html/pl-PL/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/pl-PL/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/pl-PL/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/pl-PL/opds.xml b/public_html/pl-PL/opds.xml
index 5c55054..090c5a7 100644
--- a/public_html/pl-PL/opds.xml
+++ b/public_html/pl-PL/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/pl-PL/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/pl-PL/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>pl-PL</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Dokumentacja dla współtwórców Fedory</title>
<id>http://docs.fedoraproject.org/pl-PL/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>pl-PL</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/pl-PL/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>pl-PL</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/pl-PL/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>pl-PL</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/pt-BR/opds-Fedora.xml b/public_html/pt-BR/opds-Fedora.xml
index c65d8a0..1a28d90 100644
--- a/public_html/pt-BR/opds-Fedora.xml
+++ b/public_html/pt-BR/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/pt-BR/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/pt-BR/opds-Fedora_Contributor_Documentation.xml b/public_html/pt-BR/opds-Fedora_Contributor_Documentation.xml
index 9ed080f..ec271db 100644
--- a/public_html/pt-BR/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/pt-BR/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/pt-BR/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/pt-BR/opds-Fedora_Core.xml b/public_html/pt-BR/opds-Fedora_Core.xml
index 44d7042..2f44a16 100644
--- a/public_html/pt-BR/opds-Fedora_Core.xml
+++ b/public_html/pt-BR/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/pt-BR/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/pt-BR/opds-Fedora_Draft_Documentation.xml b/public_html/pt-BR/opds-Fedora_Draft_Documentation.xml
index 40dce1f..8d4aa37 100644
--- a/public_html/pt-BR/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/pt-BR/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/pt-BR/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/pt-BR/opds.xml b/public_html/pt-BR/opds.xml
index 96494d9..5815752 100644
--- a/public_html/pt-BR/opds.xml
+++ b/public_html/pt-BR/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/pt-BR/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/pt-BR/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>pt-BR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/pt-BR/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>pt-BR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/pt-BR/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>pt-BR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/pt-BR/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:48</updated>
+ <updated>2011-06-28T22:10:50</updated>
<dc:language>pt-BR</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/pt-PT/opds-Fedora.xml b/public_html/pt-PT/opds-Fedora.xml
index 8bbc2c1..68218c2 100644
--- a/public_html/pt-PT/opds-Fedora.xml
+++ b/public_html/pt-PT/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/pt-PT/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/pt-PT/opds-Fedora_Contributor_Documentation.xml b/public_html/pt-PT/opds-Fedora_Contributor_Documentation.xml
index b1796ca..3d42af9 100644
--- a/public_html/pt-PT/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/pt-PT/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/pt-PT/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/pt-PT/opds-Fedora_Core.xml b/public_html/pt-PT/opds-Fedora_Core.xml
index fc58f6f..9a9f872 100644
--- a/public_html/pt-PT/opds-Fedora_Core.xml
+++ b/public_html/pt-PT/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/pt-PT/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/pt-PT/opds-Fedora_Draft_Documentation.xml b/public_html/pt-PT/opds-Fedora_Draft_Documentation.xml
index 8c34b08..86122b2 100644
--- a/public_html/pt-PT/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/pt-PT/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/pt-PT/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/pt-PT/opds.xml b/public_html/pt-PT/opds.xml
index ee11eaa..5d9882d 100644
--- a/public_html/pt-PT/opds.xml
+++ b/public_html/pt-PT/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/pt-PT/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/pt-PT/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<dc:language>pt-PT</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/pt-PT/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<dc:language>pt-PT</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/pt-PT/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<dc:language>pt-PT</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/pt-PT/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<dc:language>pt-PT</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/ru-RU/opds-Fedora.xml b/public_html/ru-RU/opds-Fedora.xml
index bbb83af..add16b3 100644
--- a/public_html/ru-RU/opds-Fedora.xml
+++ b/public_html/ru-RU/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ru-RU/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ru-RU/opds-Fedora_Contributor_Documentation.xml b/public_html/ru-RU/opds-Fedora_Contributor_Documentation.xml
index 737ca86..32ee4ba 100644
--- a/public_html/ru-RU/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/ru-RU/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ru-RU/opds-Fedora_Contributor_Documentation.xml</id>
<title>Документация участника Fedora</title>
<subtitle>Документация участника Fedora</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ru-RU/opds-Fedora_Core.xml b/public_html/ru-RU/opds-Fedora_Core.xml
index 4235206..f6f886a 100644
--- a/public_html/ru-RU/opds-Fedora_Core.xml
+++ b/public_html/ru-RU/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ru-RU/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ru-RU/opds-Fedora_Draft_Documentation.xml b/public_html/ru-RU/opds-Fedora_Draft_Documentation.xml
index ba08a59..b72b221 100644
--- a/public_html/ru-RU/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/ru-RU/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ru-RU/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ru-RU/opds.xml b/public_html/ru-RU/opds.xml
index 6ba00f8..3428dc4 100644
--- a/public_html/ru-RU/opds.xml
+++ b/public_html/ru-RU/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/ru-RU/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/ru-RU/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<dc:language>ru-RU</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Документация участника Fedora</title>
<id>http://docs.fedoraproject.org/ru-RU/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<dc:language>ru-RU</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/ru-RU/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<dc:language>ru-RU</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/ru-RU/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:51</updated>
<dc:language>ru-RU</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/sk-SK/opds-Fedora.xml b/public_html/sk-SK/opds-Fedora.xml
index 050744e..c55484d 100644
--- a/public_html/sk-SK/opds-Fedora.xml
+++ b/public_html/sk-SK/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/sk-SK/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/sk-SK/opds-Fedora_Contributor_Documentation.xml b/public_html/sk-SK/opds-Fedora_Contributor_Documentation.xml
index 4d05038..1a30ac5 100644
--- a/public_html/sk-SK/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/sk-SK/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/sk-SK/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/sk-SK/opds-Fedora_Core.xml b/public_html/sk-SK/opds-Fedora_Core.xml
index 6677bf9..3ed4cdf 100644
--- a/public_html/sk-SK/opds-Fedora_Core.xml
+++ b/public_html/sk-SK/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/sk-SK/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/sk-SK/opds-Fedora_Draft_Documentation.xml b/public_html/sk-SK/opds-Fedora_Draft_Documentation.xml
index a990656..167b36e 100644
--- a/public_html/sk-SK/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/sk-SK/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/sk-SK/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/sk-SK/opds.xml b/public_html/sk-SK/opds.xml
index 5099c24..84f6895 100644
--- a/public_html/sk-SK/opds.xml
+++ b/public_html/sk-SK/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/sk-SK/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/sk-SK/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sk-SK</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/sk-SK/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sk-SK</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/sk-SK/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sk-SK</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/sk-SK/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sk-SK</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/sr-Latn-RS/opds-Fedora.xml b/public_html/sr-Latn-RS/opds-Fedora.xml
index 58e03e4..12acb8e 100644
--- a/public_html/sr-Latn-RS/opds-Fedora.xml
+++ b/public_html/sr-Latn-RS/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/sr-Latn-RS/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/sr-Latn-RS/opds-Fedora_Contributor_Documentation.xml b/public_html/sr-Latn-RS/opds-Fedora_Contributor_Documentation.xml
index 39230e6..2359897 100644
--- a/public_html/sr-Latn-RS/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/sr-Latn-RS/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/sr-Latn-RS/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/sr-Latn-RS/opds-Fedora_Core.xml b/public_html/sr-Latn-RS/opds-Fedora_Core.xml
index 9b69791..b06e0e9 100644
--- a/public_html/sr-Latn-RS/opds-Fedora_Core.xml
+++ b/public_html/sr-Latn-RS/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/sr-Latn-RS/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/sr-Latn-RS/opds-Fedora_Draft_Documentation.xml b/public_html/sr-Latn-RS/opds-Fedora_Draft_Documentation.xml
index f9b9239..f5f1b99 100644
--- a/public_html/sr-Latn-RS/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/sr-Latn-RS/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/sr-Latn-RS/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/sr-Latn-RS/opds.xml b/public_html/sr-Latn-RS/opds.xml
index 859a69c..c0d39ec 100644
--- a/public_html/sr-Latn-RS/opds.xml
+++ b/public_html/sr-Latn-RS/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/sr-Latn-RS/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/sr-Latn-RS/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sr-Latn-RS</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/sr-Latn-RS/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sr-Latn-RS</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/sr-Latn-RS/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sr-Latn-RS</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/sr-Latn-RS/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sr-Latn-RS</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/sr-RS/opds-Fedora.xml b/public_html/sr-RS/opds-Fedora.xml
index 8627469..90f7527 100644
--- a/public_html/sr-RS/opds-Fedora.xml
+++ b/public_html/sr-RS/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/sr-RS/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/sr-RS/opds-Fedora_Contributor_Documentation.xml b/public_html/sr-RS/opds-Fedora_Contributor_Documentation.xml
index da97262..8706a54 100644
--- a/public_html/sr-RS/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/sr-RS/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/sr-RS/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/sr-RS/opds-Fedora_Core.xml b/public_html/sr-RS/opds-Fedora_Core.xml
index 028c924..c32a79d 100644
--- a/public_html/sr-RS/opds-Fedora_Core.xml
+++ b/public_html/sr-RS/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/sr-RS/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/sr-RS/opds-Fedora_Draft_Documentation.xml b/public_html/sr-RS/opds-Fedora_Draft_Documentation.xml
index 330b6e4..bfd3037 100644
--- a/public_html/sr-RS/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/sr-RS/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/sr-RS/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/sr-RS/opds.xml b/public_html/sr-RS/opds.xml
index 18fa896..267a163 100644
--- a/public_html/sr-RS/opds.xml
+++ b/public_html/sr-RS/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/sr-RS/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/sr-RS/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sr-RS</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/sr-RS/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sr-RS</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/sr-RS/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sr-RS</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/sr-RS/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sr-RS</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/sv-SE/opds-Fedora.xml b/public_html/sv-SE/opds-Fedora.xml
index 3ad0315..c2c66dd 100644
--- a/public_html/sv-SE/opds-Fedora.xml
+++ b/public_html/sv-SE/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/sv-SE/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/sv-SE/opds-Fedora_Contributor_Documentation.xml b/public_html/sv-SE/opds-Fedora_Contributor_Documentation.xml
index 97f7648..eb0e96d 100644
--- a/public_html/sv-SE/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/sv-SE/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/sv-SE/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/sv-SE/opds-Fedora_Core.xml b/public_html/sv-SE/opds-Fedora_Core.xml
index 2386e05..1d57261 100644
--- a/public_html/sv-SE/opds-Fedora_Core.xml
+++ b/public_html/sv-SE/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/sv-SE/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/sv-SE/opds-Fedora_Draft_Documentation.xml b/public_html/sv-SE/opds-Fedora_Draft_Documentation.xml
index 7324411..53eb013 100644
--- a/public_html/sv-SE/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/sv-SE/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/sv-SE/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/sv-SE/opds.xml b/public_html/sv-SE/opds.xml
index 3ee5ebf..2054d74 100644
--- a/public_html/sv-SE/opds.xml
+++ b/public_html/sv-SE/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/sv-SE/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/sv-SE/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sv-SE</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/sv-SE/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sv-SE</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/sv-SE/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sv-SE</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/sv-SE/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:49</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>sv-SE</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/ta-IN/opds-Fedora.xml b/public_html/ta-IN/opds-Fedora.xml
index 30255f5..6abe341 100644
--- a/public_html/ta-IN/opds-Fedora.xml
+++ b/public_html/ta-IN/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ta-IN/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ta-IN/opds-Fedora_Contributor_Documentation.xml b/public_html/ta-IN/opds-Fedora_Contributor_Documentation.xml
index 9a9023f..8bafa0a 100644
--- a/public_html/ta-IN/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/ta-IN/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ta-IN/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ta-IN/opds-Fedora_Core.xml b/public_html/ta-IN/opds-Fedora_Core.xml
index ee01dde..93c23d0 100644
--- a/public_html/ta-IN/opds-Fedora_Core.xml
+++ b/public_html/ta-IN/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ta-IN/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ta-IN/opds-Fedora_Draft_Documentation.xml b/public_html/ta-IN/opds-Fedora_Draft_Documentation.xml
index 53034a5..65d4175 100644
--- a/public_html/ta-IN/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/ta-IN/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/ta-IN/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/ta-IN/opds.xml b/public_html/ta-IN/opds.xml
index 299af3d..55aba5c 100644
--- a/public_html/ta-IN/opds.xml
+++ b/public_html/ta-IN/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/ta-IN/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/ta-IN/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>ta-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/ta-IN/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>ta-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/ta-IN/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>ta-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/ta-IN/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>ta-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/te-IN/opds-Fedora.xml b/public_html/te-IN/opds-Fedora.xml
index 5dfe12c..f003482 100644
--- a/public_html/te-IN/opds-Fedora.xml
+++ b/public_html/te-IN/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/te-IN/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/te-IN/opds-Fedora_Contributor_Documentation.xml b/public_html/te-IN/opds-Fedora_Contributor_Documentation.xml
index 5841fc2..2b7c7d7 100644
--- a/public_html/te-IN/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/te-IN/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/te-IN/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/te-IN/opds-Fedora_Core.xml b/public_html/te-IN/opds-Fedora_Core.xml
index 14f55a9..6e42542 100644
--- a/public_html/te-IN/opds-Fedora_Core.xml
+++ b/public_html/te-IN/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/te-IN/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/te-IN/opds-Fedora_Draft_Documentation.xml b/public_html/te-IN/opds-Fedora_Draft_Documentation.xml
index 9895399..cfb17bf 100644
--- a/public_html/te-IN/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/te-IN/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/te-IN/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/te-IN/opds.xml b/public_html/te-IN/opds.xml
index 0190fb0..aa399c4 100644
--- a/public_html/te-IN/opds.xml
+++ b/public_html/te-IN/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/te-IN/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/te-IN/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>te-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/te-IN/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>te-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/te-IN/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>te-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/te-IN/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:52</updated>
<dc:language>te-IN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/uk-UA/opds-Fedora.xml b/public_html/uk-UA/opds-Fedora.xml
index 97123ef..d600373 100644
--- a/public_html/uk-UA/opds-Fedora.xml
+++ b/public_html/uk-UA/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/uk-UA/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/uk-UA/opds-Fedora_Contributor_Documentation.xml b/public_html/uk-UA/opds-Fedora_Contributor_Documentation.xml
index 7e5d7fb..329e90b 100644
--- a/public_html/uk-UA/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/uk-UA/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/uk-UA/opds-Fedora_Contributor_Documentation.xml</id>
<title>Документація для учасника розробки Fedora</title>
<subtitle>Документація для учасника розробки Fedora</subtitle>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/uk-UA/opds-Fedora_Core.xml b/public_html/uk-UA/opds-Fedora_Core.xml
index a6ee8a7..bfea5bd 100644
--- a/public_html/uk-UA/opds-Fedora_Core.xml
+++ b/public_html/uk-UA/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/uk-UA/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/uk-UA/opds-Fedora_Draft_Documentation.xml b/public_html/uk-UA/opds-Fedora_Draft_Documentation.xml
index 5015e7c..ccd826b 100644
--- a/public_html/uk-UA/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/uk-UA/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/uk-UA/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/uk-UA/opds.xml b/public_html/uk-UA/opds.xml
index f030a76..87165d8 100644
--- a/public_html/uk-UA/opds.xml
+++ b/public_html/uk-UA/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/uk-UA/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/uk-UA/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<dc:language>uk-UA</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Документація для учасника розробки Fedora</title>
<id>http://docs.fedoraproject.org/uk-UA/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<dc:language>uk-UA</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/uk-UA/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<dc:language>uk-UA</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/uk-UA/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<dc:language>uk-UA</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/zh-CN/opds-Fedora.xml b/public_html/zh-CN/opds-Fedora.xml
index 76f5b8e..d5d3313 100644
--- a/public_html/zh-CN/opds-Fedora.xml
+++ b/public_html/zh-CN/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/zh-CN/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/zh-CN/opds-Fedora_Contributor_Documentation.xml b/public_html/zh-CN/opds-Fedora_Contributor_Documentation.xml
index 5e5d187..db30d92 100644
--- a/public_html/zh-CN/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/zh-CN/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/zh-CN/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/zh-CN/opds-Fedora_Core.xml b/public_html/zh-CN/opds-Fedora_Core.xml
index 805a527..7f188bb 100644
--- a/public_html/zh-CN/opds-Fedora_Core.xml
+++ b/public_html/zh-CN/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/zh-CN/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/zh-CN/opds-Fedora_Draft_Documentation.xml b/public_html/zh-CN/opds-Fedora_Draft_Documentation.xml
index 40fa68b..3ad889d 100644
--- a/public_html/zh-CN/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/zh-CN/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/zh-CN/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/zh-CN/opds.xml b/public_html/zh-CN/opds.xml
index ef0e6f8..9cc3b72 100644
--- a/public_html/zh-CN/opds.xml
+++ b/public_html/zh-CN/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/zh-CN/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/zh-CN/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<dc:language>zh-CN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/zh-CN/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<dc:language>zh-CN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/zh-CN/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<dc:language>zh-CN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/zh-CN/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:50</updated>
+ <updated>2011-06-28T22:10:53</updated>
<dc:language>zh-CN</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
diff --git a/public_html/zh-TW/opds-Fedora.xml b/public_html/zh-TW/opds-Fedora.xml
index ce95e8b..c5e6cf3 100644
--- a/public_html/zh-TW/opds-Fedora.xml
+++ b/public_html/zh-TW/opds-Fedora.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/zh-TW/opds-Fedora.xml</id>
<title>Fedora</title>
<subtitle>Fedora</subtitle>
- <updated>2011-06-28T21:51:51</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/zh-TW/opds-Fedora_Contributor_Documentation.xml b/public_html/zh-TW/opds-Fedora_Contributor_Documentation.xml
index f52d2e5..638bb3c 100644
--- a/public_html/zh-TW/opds-Fedora_Contributor_Documentation.xml
+++ b/public_html/zh-TW/opds-Fedora_Contributor_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/zh-TW/opds-Fedora_Contributor_Documentation.xml</id>
<title>Fedora Contributor Documentation</title>
<subtitle>Fedora Contributor Documentation</subtitle>
- <updated>2011-06-28T21:51:51</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/zh-TW/opds-Fedora_Core.xml b/public_html/zh-TW/opds-Fedora_Core.xml
index 075add4..a969e69 100644
--- a/public_html/zh-TW/opds-Fedora_Core.xml
+++ b/public_html/zh-TW/opds-Fedora_Core.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/zh-TW/opds-Fedora_Core.xml</id>
<title>Fedora Core</title>
<subtitle>Fedora Core</subtitle>
- <updated>2011-06-28T21:51:51</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/zh-TW/opds-Fedora_Draft_Documentation.xml b/public_html/zh-TW/opds-Fedora_Draft_Documentation.xml
index 99357f6..4f04124 100644
--- a/public_html/zh-TW/opds-Fedora_Draft_Documentation.xml
+++ b/public_html/zh-TW/opds-Fedora_Draft_Documentation.xml
@@ -6,7 +6,7 @@
<id>http://docs.fedoraproject.org/zh-TW/opds-Fedora_Draft_Documentation.xml</id>
<title>Fedora Draft Documentation</title>
<subtitle>Fedora Draft Documentation</subtitle>
- <updated>2011-06-28T21:51:51</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
diff --git a/public_html/zh-TW/opds.xml b/public_html/zh-TW/opds.xml
index 3a90a89..405bea8 100644
--- a/public_html/zh-TW/opds.xml
+++ b/public_html/zh-TW/opds.xml
@@ -6,7 +6,7 @@
<link rel="http://opds-spec.org/crawlable" type="application/atom+xml" href="http://bookserver.archive.org/catalog/crawlable" title="Crawlable feed"/>
<id>http://docs.fedoraproject.org/zh-TW/opds.xml</id>
<title>Product List</title>
- <updated>2011-06-28T21:51:51</updated>
+ <updated>2011-06-28T22:10:53</updated>
<!--author>
<name></name>
<uri></uri>
@@ -15,7 +15,7 @@
<entry>
<title>Fedora</title>
<id>http://docs.fedoraproject.org/zh-TW/Fedora/opds-Fedora.xml</id>
- <updated>2011-06-28T21:51:51</updated>
+ <updated>2011-06-28T22:10:53</updated>
<dc:language>zh-TW</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora.xml"/>
@@ -23,7 +23,7 @@
<entry>
<title>Fedora Contributor Documentation</title>
<id>http://docs.fedoraproject.org/zh-TW/Fedora_Contributor_Documentation/opds-Fedora_Contributor_Documentation.xml</id>
- <updated>2011-06-28T21:51:51</updated>
+ <updated>2011-06-28T22:10:53</updated>
<dc:language>zh-TW</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Contributor_Documentation.xml"/>
@@ -31,7 +31,7 @@
<entry>
<title>Fedora Core</title>
<id>http://docs.fedoraproject.org/zh-TW/Fedora_Core/opds-Fedora_Core.xml</id>
- <updated>2011-06-28T21:51:51</updated>
+ <updated>2011-06-28T22:10:53</updated>
<dc:language>zh-TW</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Core.xml"/>
@@ -39,7 +39,7 @@
<entry>
<title>Fedora Draft Documentation</title>
<id>http://docs.fedoraproject.org/zh-TW/Fedora_Draft_Documentation/opds-Fedora_Draft_Documentation.xml</id>
- <updated>2011-06-28T21:51:51</updated>
+ <updated>2011-06-28T22:10:53</updated>
<dc:language>zh-TW</dc:language>
<content type="text"></content>
<link type="application/atom+xml" href="opds-Fedora_Draft_Documentation.xml"/>
More information about the docs-commits
mailing list