3.2. About ipa-server-install

An IdM server instance is created by running the ipa-server-install script. This script can accept user-defined settings for services, like DNS and Kerberos, that are used by the IdM instance, or it can supply predefined values for minimal input from the administrator.
The IdM setup script creates a server instance, which includes configuring all of the required services for the IdM domain:
  • The network time daemon (ntpd)
  • A 389 Directory Server instance
  • A Kerberos key distribution center (KDC)
  • Apache (httpd)
  • An updated SELinux targeted policy
  • The Active Directory WinSync plug-in
  • A certificate authority
  • Optional. A domain name service (DNS) server
The IdM setup process can be minimal, where the administrator only supplies some required information, or it can be very specific, with user-defined settings for many parts of the IdM services. The configuration is passed using arguments with the ipa-server-install script.


The port numbers and directory locations used by IdM are all defined automatically, as defined in Section 2.4.5, “System Ports” and Section 28.1, “Identity Management Files and Logs”. These ports and directories cannot be changed or customized.
While ipa-server-install can be run without any options, so that it prompts for the required information, it has numerous arguments which allow the configuration process to be easily scripted or to supply additional information which is not requested during an interactive installation.
Table 3.1, “ipa-server-install Options” lists some common arguments used with ipa-server-install. The full list of options are in the ipa-server-install manpage. The ipa-server-install options are versatile enough to be customized to the specific deployment environment to install and configure different services as needed.

Table 3.1. ipa-server-install Options

Argument Description
-a ipa_admin_password The password for the IdM administrator. This is used for the admin user to authenticate to the Kerberos realm.
--hostname=hostname The fully-qualified domain name of the IdM server machine.


This must be a valid DNS name, which means only numbers, alphabetic characters, and hyphens (-) are allowed. Other characters, like underscores, in the hostname will cause DNS failures.
Additionally, the hostname must be all lower-case. No capital letters are allowed.
-n domain_name The name of the LDAP server domain to use for the IdM domain. This is usually based on the IdM server's hostname.
-p directory_manager_password The password for the superuser, cn=Directory Manager, for the LDAP service.
-P kerberos_master_password The password for the KDC administrator. This is randomly generated if no value is given.
-r realm_name The name of the Kerberos realm to create for the IdM domain.
--subject=subject_DN Sets the base element for the subject DN of the issued certificates. This defaults to O=realm.
--forwarder=forwarder Gives a DNS forwarder to use with the DNS service. To specify more than one forwarder, use this option multiple times.
--no-forwarders Uses root servers with the DNS service instead of forwarders.
--no-reverse Does not create a reverse DNS zone when the DNS domain is set up. (If a reverse DNS zone is already configured, then that existing reverse DNS zone is used.) If this option is not used, then the default value is true, which assumes that reverse DNS should be configured by the installation script.
--setup-dns Tells the installation script to set up a DNS service within the IdM domain. Using an integrated DNS service is optional, so if this option is not passed with the installation script, then no DNS is configured.
--idmax=number Sets the upper bound for IDs which can be assigned by the IdM server. The default value is the ID start value plus 199999.
--idstart=number Sets the lower bound (starting value) for IDs which can be assigned by the IdM server. The default value is randomly selected.
--ip-address Specifies the IP address of the server. When added to ipa-server-install, this option only accepts IP addresses associated with the local interface.
The way that an IdM server is installed can be different depending on the network environment, security requirements within the organization, and the desired topology. These examples illustrate some common options when installing the server. These examples are not mutually exclusive; it is entirely possible to use CA options, DNS options, and IdM configuration options in the same server invocation. These are called out separately simply to make it more clear what each configuration area requires.