From Fedora Project Wiki

(Created page with '{{QA/Test_Case |description=Installation testing. |setup=<ol> <li>Ensure the {{package|freeipa-server}} package is installed:</li> # yum install --enablerepo=updates-testing fre...')
 
mNo edit summary
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{QA/Test_Case
{{QA/Test_Case
|description=Installation testing.
|description=Installation testing.
|setup=<ol>
|setup=
<ol>
<li>The freeipa package did not make the F-15 split. To get the latest F-15 packages you'll need to configure the freeipa-devel.repo. Retrieve this file from http://freeipa.org/downloads/freeipa-devel.repo and place it in /etc/yum.repos.d.</li>
<li>The dogtag packages are not unfortunately not working in F-15. This does not preclude freeipa testing but it does mean that you won't be able to test with a full CA. The <code>--selfsign</code> option will need to be added to every <code>ipa-server-install</code> invocation</li>
<li>Ensure the {{package|freeipa-server}} package is installed:</li>
<li>Ensure the {{package|freeipa-server}} package is installed:</li>
  # yum install --enablerepo=updates-testing freeipa-server
  # yum install --enablerepo=freeipa-devel freeipa-server
<li>(optional) To install with DNS, ensure the {{package|bind}} and {{package|bind-dyndb-ldap}} packages are installed.</li>
<li>(optional) To install with DNS, ensure the {{package|bind}} and {{package|bind-dyndb-ldap}} packages are installed.</li>
<li>Make sure <code>/etc/hosts</code> is sane. This means that your host will be listed on a separate line with its IP address with the FQDN listed first, this is necessary to avoid chicken/egg issues when the DNS is installed as name resolution for the public host name is needed to start the DNS itself (to init krb credentials). In particular the hostname SHOULD not appear in either the IPv4 or IPv6 localhost lines.</li>
<li>Make sure <code>/etc/hosts</code> is sane. This means that your host will be listed on a separate line with its IP address with the FQDN listed first, this is necessary to avoid chicken/egg issues when the DNS is installed as name resolution for the public host name is needed to start the DNS itself (to init krb credentials). In particular the hostname SHOULD not appear in either the IPv4 or IPv6 localhost lines.</li>
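Review bot: the new first setup item has testers fetch freeipa-devel.repo over plain http:// and place it in /etc/yum.repos.d with no step for inspecting it; add a line asking testers to check the file's baseurl and gpgcheck settings before installing from it. In the added dogtag item, "are not unfortunately not working in F-15" has a doubled "not" and should read "are unfortunately not working in F-15"; that item also lacks its closing period.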
Line 9: Line 12:
</ol>
</ol>
|actions=
|actions=
=== '''Installation (with DNS)''' ===
=== Installation ===
 
==== Without DNS ====


<ol>
For a fully-interactive install run:
<li>For a fully-interactive install run:</li>


  # ipa-server-install
  # ipa-server-install --selfsign


You can optionally provide all options on the command-line:
You can optionally provide all options on the command-line:


  # ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org --realm=FREEIPA.ORG -U
  # ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org --realm=FREEIPA.ORG -U --selfsign


</ol>
==== With DNS ====


=== '''Installation (without DNS)''' ===
  # ipa-server-install --setup-dns --selfsign
 
<ol>
<li>To install with DNS run:</li>
 
  # ipa-server-install --setup-dns


Or with all options on the command-line:
Or with all options on the command-line:


  # ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org --realm=FREEIPA.ORG --setup-dns -U
  # ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org --realm=FREEIPA.ORG --setup-dns -U --selfsign
 
</ol>
 
=== '''Uninstallation''' ===
 
<ol>
<li>FreeIPA provides a way to unininstall the configured services and it does its best to return the system to its previous state. To run the uninstaller execute:</li>
 
# ipa-server-install --uninstall
 
</ol>


|results=
==== Verify the basics ====
=== '''Installation''' ===
 
<ol>
<li>Verify the basics:</li>


Ideally each of these installation steps will conclude with no errors and a running set of IPA services.
Ideally each of these installation steps will conclude with no errors and a running set of IPA services.
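Review bot: under the new "==== With DNS ====" heading the command "# ipa-server-install --setup-dns --selfsign" is left with no introductory sentence, because the old "To install with DNS run:" item was dropped while "Without DNS" keeps its "For a fully-interactive install run:" lead-in; restore the matching line so the two subsections read the same way. Since every unattended example in this hunk is being touched to add --selfsign, it would also be a good place to note that -a and -p put both passwords on the command line, so the sample values are for throwaway test machines only.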
Line 65: Line 49:
  # getent passwd admin
  # getent passwd admin


<li>Verify Services:</li>
==== Verify Services ====


We install a number of SSL certificates that should be automatically managed by certmonger:
We install a number of SSL certificates that should be automatically managed by certmonger:
Line 82: Line 66:
There should be 2 services: ldap and HTTP for your FreeIPA server
There should be 2 services: ldap and HTTP for your FreeIPA server


<li>Verify DNS (if installed):</li>
==== Verify DNS ====


Verify these only if you installed with a DNS server.
Verify these only if you installed with a DNS server.
Line 106: Line 90:
   Managed by: server.freepia.org
   Managed by: server.freepia.org


</ol>
=== Uninstallation ===
 
FreeIPA provides a way to unininstall the configured services and it does its best to return the system to its previous state. To run the uninstaller execute:
 
# ipa-server-install --uninstall -U


=== '''Uninstallation''' ===
==== Verify uninstallation ====


<ol>
Un-installation is intended for developers. It is a best-as-we-can restoration of files primarily to prepare the server to be re-installed.
<li>Un-installation is intended for developers. It is a best-as-we-can restoration of files primarily to prepare the server to be re-installed.</li>


To verify that the server is in a state where it can be re-installed re-run ipa-server-install:
To verify that the server is in a state where it can be re-installed re-run ipa-server-install:
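Review bot: the relocated Uninstallation paragraph still carries the misspelling "unininstall"; since the sentence is being moved anyway, correct it to "uninstall" in the same edit. The context line "Managed by: server.freepia.org" just above looks like a transposition of "freeipa" and could be fixed at the same time.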
Line 119: Line 106:
If something failed in the un-installation you would get an error message that the server is already installed/configured.
If something failed in the un-installation you would get an error message that the server is already installed/configured.


</ol>
|results=
 
All the test steps should end with the specified results.
}}
}}

Latest revision as of 09:46, 15 February 2011

Description

Installation testing.

Setup

  1. The freeipa package did not make the F-15 split. To get the latest F-15 packages you'll need to configure the freeipa-devel.repo. Retrieve this file from http://freeipa.org/downloads/freeipa-devel.repo and place it in /etc/yum.repos.d.
  2. The dogtag packages are unfortunately not working in F-15. This does not preclude freeipa testing but it does mean that you won't be able to test with a full CA. The --selfsign option will need to be added to every ipa-server-install invocation.
  3. Ensure the freeipa-server package is installed:

     # yum install --enablerepo=freeipa-devel freeipa-server

  4. (optional) To install with DNS, ensure the bind and bind-dyndb-ldap packages are installed.
  5. Make sure /etc/hosts is sane. This means that your host is listed on a separate line with its IP address, with the FQDN listed first. This is necessary to avoid chicken/egg issues when the DNS is installed, because name resolution for the public host name is needed to start the DNS itself (to init krb credentials). In particular, the hostname SHOULD NOT appear in either the IPv4 or IPv6 localhost lines.
  6. If you have an existing AD server in your network, choose a unique name for the IPA server realm name. Otherwise, clients that use DNS autodiscovery to find the KDC may get confused and try to authenticate to the AD KDC.
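The /etc/hosts rule in the setup list can be checked mechanically before running the installer. The script below is an added example, not part of the original test case; the function name check_hosts and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check an /etc/hosts-style file against the setup rule above.
# Usage: check_hosts FQDN [FILE]    (FILE defaults to /etc/hosts)
# Prints one line per problem; returns 0 if the file is sane, 1 otherwise.
check_hosts() {
    awk -v fqdn="$1" '
    BEGIN {
        fqdn = tolower(fqdn)
        short = fqdn; sub(/\..*/, "", short)       # short host name, e.g. "server"
    }
    { sub(/#.*/, "") }                             # strip comments
    NF < 2 { next }                                # blank or address-only line
    {
        loopback = ($1 ~ /^127\./ || $1 == "::1")
        for (i = 2; i <= NF; i++) {
            name = tolower($i)
            if (name != fqdn && name != short) continue
            if (loopback) {
                printf "line %d: %s is listed on the localhost line %s\n", NR, $i, $1
                bad = 1
            } else if (name == fqdn) {
                found = 1
                if (i != 2) {
                    printf "line %d: FQDN is not the first name after %s\n", NR, $1
                    bad = 1
                }
            }
        }
    }
    END {
        if (!found) { print "no non-loopback line lists " fqdn; bad = 1 }
        exit bad + 0
    }' "${2:-/etc/hosts}"
}

# Constructed sample: the host name wrongly shares the IPv4 localhost line.
sample=$(mktemp)
printf '%s\n' '127.0.0.1 localhost server.freeipa.org' \
              '192.168.0.1 server.freeipa.org server' > "$sample"
check_hosts server.freeipa.org "$sample" || echo "fix /etc/hosts before installing"
rm -f "$sample"
```

On a real test machine, run it as check_hosts "$(hostname -f)" with no file argument.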

How to test

Installation

Without DNS

For a fully-interactive install run:

# ipa-server-install --selfsign

You can optionally provide all options on the command-line:

# ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org --realm=FREEIPA.ORG -U --selfsign

With DNS

# ipa-server-install --setup-dns --selfsign

Or with all options on the command-line:

# ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org --realm=FREEIPA.ORG --setup-dns -U --selfsign

Verify the basics

Ideally each of these installation steps will conclude with no errors and a running set of IPA services.

To briefly test the installation:

# kinit admin (the password is the admin password, or the password from -a)

Show our own user entry:

# ipa user-show admin

And make sure nss can see us too:

# id admin
# getent passwd admin

Verify Services

We install a number of SSL certificates that should be automatically managed by certmonger:

# ipa-getcert list

There should be 3 certificates, all in MONITORING. The certificates should be in the following NSS databases:

* /etc/pki/nssdb
* /etc/httpd/alias
* /etc/dirsrv/slapd-FREEIPA-ORG

# kinit admin
# ipa service-find

There should be 2 services: ldap and HTTP for your FreeIPA server
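The certificate check above (3 tracked certificates, all in MONITORING, one in each of the listed NSS databases) can be scripted against the output of ipa-getcert list. This is an added example, not part of the original test case; the function names, the sample request IDs and nicknames are constructed, and the "Request ID" / "status:" / "certificate: ...location='DIR'" output layout is an assumption about getcert's format.

```shell
#!/bin/sh
# Added example: check `ipa-getcert list` output (on stdin) against the expected result.
# Usage: ipa-getcert list | check_certs "DB1 DB2 DB3"
# Assumes each request prints "Request ID", "status:" and "certificate: ...location=..." lines.
check_certs() {
    awk -v want="$1" -v q="'" '
    /^Request ID/        { total++ }
    $1 == "status:"      { if ($2 == "MONITORING") ok++; else print "request not in MONITORING: " $2 }
    $1 == "certificate:" { split($0, part, q); seen[part[2]] = 1 }   # 2nd quote-delimited field is the location
    END {
        m = split(want, dbs, " ")
        for (i = 1; i <= m; i++)
            if (!(dbs[i] in seen)) { print "no certificate tracked in " dbs[i]; bad = 1 }
        if (total != m || ok != total) {
            printf "%d tracked, %d in MONITORING, expected %d\n", total, ok, m
            bad = 1
        }
        exit bad + 0
    }'
}

# NSS databases named in the test case.
EXPECTED_DBS="/etc/pki/nssdb /etc/httpd/alias /etc/dirsrv/slapd-FREEIPA-ORG"

# Constructed sample output (IDs and nicknames are made up); one request is not MONITORING.
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20110215000001':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
Request ID '20110215000002':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
Request ID '20110215000003':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-FREEIPA-ORG',nickname='Server-Cert'
EOF
}

sample_getcert_output | check_certs "$EXPECTED_DBS" || echo "certificate tracking needs attention"
```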

Verify DNS

Verify these only if you installed with a DNS server.

# dig server.freeipa.org. (yes, add a trailing dot)

Look for a line like this in the output:

server.freeipa.org.      86400   IN      A       192.168.0.1

# host server.freeipa.org
server.freeipa.org has address 192.168.0.1

# ipa dns-resolve server.freeipa.org
---------------------------
Found 'server.freeipa.org.'
---------------------------

# ipa host-show server.freeipa.org
  Host name: server.freeipa.org
  Principal name: host/server.freeipa.org@FREEIPA.ORG
  Keytab: True
  Managed by: server.freeipa.org

Uninstallation

FreeIPA provides a way to uninstall the configured services and it does its best to return the system to its previous state. To run the uninstaller execute:

# ipa-server-install --uninstall -U

Verify uninstallation

Un-installation is intended for developers. It is a best-as-we-can restoration of files primarily to prepare the server to be re-installed.

To verify that the server is in a state where it can be re-installed re-run ipa-server-install:

# ipa-server-install

If something failed in the un-installation you would get an error message that the server is already installed/configured.

Expected Results

All the test steps should end with the specified results.