Add details on using a principal for the admin

When Ipsilon is being installed with IPA, one is most likely going
to use Kerberos to login to Ipsilon as the administrator.  We should
call this out, as the default of 'admin' for the Ipsilon admin user
will conflict with the IPA 'admin' user.  You will be unable to
create a local 'admin' user at this point, requiring you to modify
the sqlite database directly to change the admin user to a full
principal.

I also corrected a typo and wrapped a line that was > 79 chars.

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>

diff --git a/README b/README
index ae0c46f..dc4dae8 100644 (file)
--- a/README
+++ b/README
@@ -14,7 +14,8 @@ completely agnostic of what authentication infrastructure is being used.
 Applications can currently use the SAML2[2] protocol to talk to the Ipsilon
 identity provider, an application that uses SAML is called a Service Provider.
 
-Ipsilon uses the LASSO[3] libraries an Python bindings to implement SAML support.
+Ipsilon uses the LASSO[3] libraries and Python bindings to implement SAML
+support.
 
 Ipsilon Server Installation
 ===========================
@@ -67,7 +68,12 @@ The install script expects to find the keytab in /etc/httpd/conf/http.keytab
 NOTE: If you are installing Ipsilon in a FreeIPA[4] environment you can use the
 --ipa switch to simplify the deployment. Using the --ipa switch will allow the
 use of your IPA Kerberos administrative credentials to automatically provision
-a keytab for the HTTP service if one is not available yet.
+a keytab for the HTTP service if one is not available yet.  You will likely
+want to use the --admin-user option to specify the full principal of the user
+who will administer Ipsilon.  For example to use the FreeIPA admin user for
+the EXAMPLE.COM realm, you would use:
+
+ $ ipsilon-server-install --ipa --admin-user admin@EXAMPLE.COM
 
 Once the script has successfully completed the installation, restart the Apache
 HTTPD server to activate it.