Identity Management Guide

Table of contents

1. Introduction to Identity Management
  1.1. IdM v. LDAP: A More Focused Type of Service
    1.1.1. A Working Definition for Identity Management
    1.1.2. Contrasting Identity Management with a Standard LDAP Directory
  1.2. Bringing Linux Services Together
    1.2.1. Authentication: Kerberos KDC
    1.2.2. Data Storage: 389 Directory Server
    1.2.3. Authentication: Dogtag Certificate System
    1.2.4. Server/Client Discovery: DNS
    1.2.5. Management: SSSD
    1.2.6. Management: NTP
  1.3. Relationships Between Servers and Clients
    1.3.1. About IdM Servers and Replicas
    1.3.2. About IdM Clients

I. Installing Identity Management; Servers and Services

2. Prerequisites for Installation
  2.1. Supported Server Platforms
  2.2. Hardware Recommendations
  2.3. Software Requirements
  2.4. System Prerequisites
    2.4.1. DNS Records
    2.4.2. Hostname and IP Address Requirements
    2.4.3. Directory Server
    2.4.4. System Files
    2.4.5. System Ports
    2.4.6. NTP
    2.4.7. NSCD
    2.4.8. Networking

3. Installing an IdM Server
  3.1. Installing the IdM Server Packages
  3.2. About ipa-server-install
  3.3. Example: Running the Script Interactively and Silently
    3.3.1. Basic Interactive Installation
    3.3.2. Silent (Non-Interactive) Installation
  3.4. Examples: Installing with Different CA Configurations
    3.4.1. Installing with an Internal Root CA
    3.4.2. Installing Using an External CA
    3.4.3. Installing without a CA
  3.5. Example: Configuring DNS Services within the IdM Domain
    3.5.1. DNS Notes
    3.5.2. Installing with an Integrated DNS

4. Setting up IdM Replicas
  4.1. Planning the Server/Replica Topologies
  4.2. Prerequisites for Installing a Replica Server
  4.3. Installing the Replica Packages
  4.4. Creating the Replica
  4.5. Alternate Options for Creating a Replica
    4.5.1. Different DNS Settings
    4.5.2. Different CA Settings
    4.5.3. Different Services

5. Setting up Systems as IdM Clients
  5.1. What Happens in Client Setup
  5.2. System Ports
  5.3. Configuring a Linux System as an IdM Client
    5.3.1. Installing the Client (Full Example)
    5.3.2. Examples of Other Client Installation Options
  5.4. Manually Configuring a Linux Client
    5.4.1. Setting up an IdM Client (Full Procedure)
    5.4.2. Other Examples of Adding a Host Entry
      5.4.2.1. Adding Host Entries from the Web UI
      5.4.2.2. Adding Host Entries from the Command Line
  5.5. Setting up a Linux Client Through Kickstart
  5.6. Performing a Two-Administrator Enrollment
  5.7. Manually Unconfiguring Client Machines

6. Upgrading Identity Management
  6.1. Upgrade Notes
  6.2. Upgrading Packages
  6.3. Removing Browser Configuration for Ticket Delegation (For Upgrading from 6.2)
  6.4. Testing Before Upgrading the IdM Server (Recommended)

7. Uninstalling IdM Servers and Replicas

8. The Basics of Managing the IdM Server and Services
  8.1. Starting and Stopping the IdM Domain
  8.2. About the IdM Client Tools
    8.2.1. The Structure of the ipa Command
      8.2.1.1. Adding, Editing, and Deleting Entries with ipa
      8.2.1.2. Finding and Displaying Entries with ipa
      8.2.1.3. Adding Members to Groups and Containers with ipa
    8.2.2. Positional Elements in ipa Commands
    8.2.3. Managing Entry Attributes with --setattr, --addattr, and --delattr
    8.2.4. Using Special Characters with IdM Tools
    8.2.5. Logging into the IdM Domain Before Running
  8.3. Logging into IdM
    8.3.1. Logging into IdM
    8.3.2. Logging in When an IdM User Is Different Than the System User
    8.3.3. Checking the Current Logged in User
    8.3.4. Caching User Kerberos Tickets
  8.4. Using the IdM Web UI
    8.4.1. About the Web UI
    8.4.2. Opening the IdM Web UI
    8.4.3. Configuring the Browser
      8.4.3.1. Configuring Firefox
      8.4.3.2. Configuring Chrome
    8.4.4. Using a Browser on Another System
    8.4.5. Logging in with Simple Username/Password Credentials
    8.4.6. Using the UI with Proxy Servers
  8.5. Configuring an IdM Server to Run in a TLS 1.2 Environment

9. Identity: Managing Users and User Groups
  9.1. Setting up User Home Directories
    9.1.1. About Home Directories
    9.1.2. Enabling the PAM Home Directory Module
    9.1.3. Manually Mounting Home Directories
  9.2. Managing User Entries
    9.2.1. About Username Formats
    9.2.2. Adding Users
      9.2.2.1. From the Web UI
      9.2.2.2. From the Command Line
    9.2.3. Editing Users
      9.2.3.1. From the Web UI
      9.2.3.2. From the Command Line
    9.2.4. Deleting Users
      9.2.4.1. With the Web UI
      9.2.4.2. From the Command Line
  9.3. Managing Public SSH Keys for Users
    9.3.1. About the SSH Key Format
    9.3.2. Uploading User SSH Keys Through the Web UI
    9.3.3. Uploading User SSH Keys Through the Command Line
    9.3.4. Deleting User Keys
  9.4. Changing Passwords
    9.4.1. From the Web UI
    9.4.2. From the Command Line
  9.5. Enabling and Disabling User Accounts
    9.5.1. From the Web UI
    9.5.2. From the Command Line
  9.6. Unlocking User Accounts After Password Failures
  9.7. Smart Cards
    9.7.1. Smart Card and Smart Card Reader Support in Identity Management
    9.7.2. Exporting a Certificate From a Smart Card
    9.7.3. Storing Smart Card Certificates for IdM Users
    9.7.4. Smart Card Authentication on Identity Management Clients
      9.7.4.1. Configuring Smart Card Authentication on an IdM Client
      9.7.4.2. SSH Log in Using a Smart Card
  9.8. Managing User Private Groups
    9.8.1. Listing User Private Groups
    9.8.2. Disabling Private Groups for a Specific User
    9.8.3. Disabling Private Groups Globally
  9.9. Managing Unique UID and GID Number Assignments
    9.9.1. About ID Number Ranges
    9.9.2. About ID Range Assignments During Installation
    9.9.3. A Note on Conflicting ID Ranges
    9.9.4. Adding New Ranges
    9.9.5. Repairing Changed UID and GID Numbers
  9.10. Managing User and Group Schema
    9.10.1. About Changing the Default User and Group Schema
    9.10.2. Applying Custom Object Classes to New User Entries
      9.10.2.1. From the Web UI
      9.10.2.2. From the Command Line
    9.10.3. Applying Custom Object Classes to New Group Entries
      9.10.3.1. From the Web UI
      9.10.3.2. From the Command Line
    9.10.4. Specifying Default User and Group Attributes
      9.10.4.1. Viewing Attributes from the Web UI
      9.10.4.2. Viewing Attributes from the Command Line
  9.11. Managing User Groups
    9.11.1. Types of Groups in IdM
    9.11.2. Group Object Classes
      9.11.2.1. Creating User Groups
        9.11.2.1.1. With the Web UI
        9.11.2.1.2. With the Command Line
      9.11.2.2. Adding Group Members
        9.11.2.2.1. With the Web UI (Group Page)
        9.11.2.2.2. With the Web UI (User's Page)
        9.11.2.2.3. With the Command Line
        9.11.2.2.4. Viewing Direct and Indirect Members of a Group
      9.11.2.3. Deleting User Groups
        9.11.2.3.1. With the Web UI
        9.11.2.3.2. With the Command Line
    9.11.3. Searching for Users and Groups
      9.11.3.1. Setting Search Limits
        9.11.3.1.1. Types of Search Limits and Where They Apply
        9.11.3.1.2. Setting IdM Search Limits
          9.11.3.1.2.1. With the Web UI
          9.11.3.1.2.2. With the Command Line
        9.11.3.1.3. Overriding the Search Defaults
      9.11.3.2. Setting Search Attributes
        9.11.3.2.1. Default Attributes Checked by Searches
        9.11.3.2.2. Changing User Search Attributes
          9.11.3.2.2.1. From the Web UI
          9.11.3.2.2.2. From the Command Line
        9.11.3.2.3. Changing Group Search Attributes
          9.11.3.2.3.1. From the Web UI
          9.11.3.2.3.2. From the Command Line
        9.11.3.2.4. Limits on Attributes Returned in Search Results
      9.11.3.3. Searching for Groups Based on Type

10. Identity: Managing Hosts
  10.1. About Hosts, Services, and Machine Identity and Authentication
  10.2. About Host Entry Configuration Properties
  10.3. Disabling and Re-enabling Host Entries
    10.3.1. Disabling Host Entries
    10.3.2. Re-enabling Hosts
  10.4. Managing Public SSH Keys for Hosts
    10.4.1. About the SSH Key Format
    10.4.2. About ipa-client-install and OpenSSH
    10.4.3. Uploading Host SSH Keys Through the Web UI
    10.4.4. Adding Host Keys from the Command Line
    10.4.5. Removing Host Keys
  10.5. Setting Ethers Information for a Host
  10.6. Renaming Machines and Reconfiguring IdM Client Configuration
  10.7. Managing Host Groups
    10.7.1. Creating Host Groups
      10.7.1.1. Creating Host Groups from the Web UI
      10.7.1.2. Creating Host Groups from the Command Line
    10.7.2. Adding Host Group Members
      10.7.2.1. Showing and Changing Group Members
      10.7.2.2. Adding Host Group Members from the Web UI
      10.7.2.3. Adding Host Group Members from the Command Line

11. Identity: Managing Services
  11.1. Adding and Editing Service Entries and Keytabs
    11.1.1. Adding Services and Keytabs from the Web UI
    11.1.2. Adding Services and Keytabs from the Command Line
  11.2. Adding Services and Certificates for Services
    11.2.1. Adding Services and Certificates from the Web UI
    11.2.2. Adding Services and Certificates from the Command Line
  11.3. Storing Certificates in NSS Databases
  11.4. Configuring Clustered Services
  11.5. Using the Same Service Principal for Multiple Services
  11.6. Disabling and Re-enabling Service Entries
    11.6.1. Disabling Service Entries
    11.6.2. Re-enabling Services

12. Identity: Delegating Access to Hosts and Services
  12.1. Delegating Service Management
  12.2. Delegating Host Management
  12.3. Delegating Host or Service Management in the Web UI
  12.4. Accessing Delegated Services

13. Identity: Integrating with NIS Domains and Netgroups
  13.1. About NIS and Identity Management
  13.2. Setting the NIS Port for Identity Management
  13.3. Creating Netgroups
    13.3.1. Adding Netgroups
      13.3.1.1. With the Web UI
      13.3.1.2. With the Command Line
    13.3.2. Adding Netgroup Members
      13.3.2.1. With the Web UI
      13.3.2.2. With the Command Line
  13.4. Exposing Automount Maps to NIS Clients
  13.5. Migrating from NIS to IdM
    13.5.1. Preparing Netgroup Entries in IdM
    13.5.2. Enabling the NIS Listener in Identity Management
    13.5.3. Exporting and Importing the Existing NIS Data
      13.5.3.1. Importing User Entries
      13.5.3.2. Importing Group Entries
      13.5.3.3. Importing Host Entries
      13.5.3.4. Importing Netgroup Entries
      13.5.3.5. Importing Automount Maps
    13.5.4. Setting Weak Password Encryption for NIS User Authentication to IdM

14. Identity: Integrating with Active Directory Through Cross-forest Trust (Technology Preview)

15. Identity: Integrating with Microsoft Active Directory Through Synchronization
  15.1. Supported Windows Platforms
  15.2. About Active Directory and Identity Management
  15.3. About Synchronized Attributes
    15.3.1. User Schema Differences between Identity Management and Active Directory
      15.3.1.1. Values for cn Attributes
      15.3.1.2. Values for street and streetAddress
      15.3.1.3. Constraints on the initials Attribute
      15.3.1.4. Requiring the surname (sn) Attribute
    15.3.2. Active Directory Entries and RFC 2307 Attributes
  15.4. Setting up Active Directory for Synchronization
    15.4.1. Creating an Active Directory User for Sync
    15.4.2. Setting up an Active Directory Certificate Authority
  15.5. Managing Synchronization Agreements
    15.5.1. Trusting the Active Directory and IdM CA Certificates
    15.5.2. Creating Synchronization Agreements
    15.5.3. Changing the Behavior for Syncing User Account Attributes
    15.5.4. Changing the Synchronized Windows Subtree
    15.5.5. Configuring Uni-Directional Sync
    15.5.6. Deleting Synchronization Agreements
    15.5.7. Winsync Agreement Failures
  15.6. Managing Password Synchronization
    15.6.1. Setting up the Windows Server for Password Synchronization
    15.6.2. Setting up Password Synchronization
    15.6.3. Allowing Users to Change Other Users' Passwords Cleanly

16. Identity: ID Views and Migrating Existing Environments to Trust
  16.1. User Overrides and Group Overrides
  16.2. Managing ID Views on the Server Side
  16.3. ID Views on the Client Side
  16.4. Migrating from the Synchronization-Based to the Trust-Based Solution

17. Identity: Managing DNS
  17.1. About DNS in IdM
  17.2. Using IdM and DNS Service Discovery with an Existing DNS Configuration
  17.3. DNS Notes
  17.4. Adding or Updating DNS Services After Installation
  17.5. Setting up the rndc Service
  17.6. Managing DNS Zone Entries
    17.6.1. Adding Forward DNS Zones
      17.6.1.1. From the Web UI
      17.6.1.2. From the Command Line
    17.6.2. Adding Additional Configuration for DNS Zones
      17.6.2.1. DNS Zone Configuration Attributes
      17.6.2.2. Editing the Zone Configuration in the Web UI
      17.6.2.3. Editing the Zone Configuration in the Command Line
    17.6.3. Adding Reverse DNS Zones
    17.6.4. Enabling and Disabling Zones
      17.6.4.1. Disabling Zones in the Web UI
      17.6.4.2. Disabling Zones in the Command Line
    17.6.5. Enabling Dynamic DNS Updates
      17.6.5.1. Enabling Dynamic DNS Updates in the Web UI
      17.6.5.2. Enabling Dynamic DNS Updates in the Command Line
    17.6.6. Configuring Forwarders and Forward Policy
      17.6.6.1. Configuring Forwarders in the UI
      17.6.6.2. Configuring Forwarders in the Command Line
    17.6.7. Enabling Zone Transfers
      17.6.7.1. Enabling Zone Transfers in the UI
      17.6.7.2. Enabling Zone Transfers in the Command Line
    17.6.8. Defining DNS Queries
    17.6.9. Synchronizing Forward and Reverse Zone Entries
      17.6.9.1. Configuring Zone Entry Sync in the UI
      17.6.9.2. Configuring Zone Entry Sync in the Command Line
    17.6.10. Setting DNS Access Policies
      17.6.10.1. Setting DNS Access Policies in the UI
      17.6.10.2. Setting DNS Access Policies in the Command Line
  17.7. Managing DNS Record Entries
    17.7.1. Adding Records to DNS Zones
      17.7.1.1. Adding DNS Resource Records from the Web UI
      17.7.1.2. Adding DNS Resource Records from the Command Line
        17.7.1.2.1. About the Commands to Add DNS Records
        17.7.1.2.2. Examples of Adding DNS Resource Records
    17.7.2. Deleting Records from DNS Zones
      17.7.2.1. Deleting Records with the Web UI
      17.7.2.2. Deleting Records with the Command Line
  17.8. Configuring the bind-dyndb-ldap Plug-in
    17.8.1. Changing the DNS Cache Setting
    17.8.2. Disabling Persistent Searches
  17.9. Changing Recursive Queries Against Forwarders
  17.10. Resolving Hostnames in the IdM Domain

18. Policy: Using Automount
  18.1. About Automount and IdM
  18.2. Configuring Automount
    18.2.1. Configuring NFS Automatically
    18.2.2. Configuring autofs Manually to Use SSSD and Identity Management
    18.2.3. Configuring Automount on Solaris
  18.3. Setting up a Kerberized NFS Server
    18.3.1. Setting up a Kerberized NFS Server
    18.3.2. Setting up a Kerberized NFS Client
  18.4. Configuring Locations
    18.4.1. Configuring Locations through the Web UI
    18.4.2. Configuring Locations through the Command Line
  18.5. Configuring Maps
    18.5.1. Configuring Direct Maps
      18.5.1.1. Configuring Direct Maps from the Web UI
      18.5.1.2. Configuring Direct Maps from the Command Line
    18.5.2. Configuring Indirect Maps
      18.5.2.1. Configuring Indirect Maps from the Web UI
      18.5.2.2. Configuring Indirect Maps from the Command Line
    18.5.3. Importing Automount Maps

19. Policy: Defining Password Policies
  19.1. About Password Policies and Policy Attributes
  19.2. Viewing Password Policies
    19.2.1. Viewing the Global Password Policy
      19.2.1.1. With the Web UI
      19.2.1.2. With the Command Line
    19.2.2. Viewing Group-Level Password Policies
      19.2.2.1. With the Web UI
      19.2.2.2. With the Command Line
    19.2.3. Viewing the Password Policy in Effect for a User
  19.3. Creating and Editing Password Policies
    19.3.1. Creating Password Policies in the Web UI
    19.3.2. Creating Password Policies with the Command Line
    19.3.3. Editing Password Policies with the Command Line
  19.4. Managing Password Expiration Limits
  19.5. Changing the Priority of Group Password Policies
  19.6. Setting Account Lockout Policies
    19.6.1. In the UI
    19.6.2. In the CLI
  19.7. Enabling a Password Change Dialog

20. Policy: Managing the Kerberos Domain
  20.1. About Kerberos
    20.1.1. About Principal Names
    20.1.2. About Protecting Keytabs
  20.2. Setting Kerberos Ticket Policies
    20.2.1. Setting Global Ticket Policies
      20.2.1.1. From the Web UI
      20.2.1.2. From the Command Line
    20.2.2. Setting User-Level Ticket Policies
  20.3. Refreshing Kerberos Tickets
  20.4. Caching Kerberos Passwords
  20.5. Removing Keytabs

21. Policy: Using sudo
  21.1. About sudo and IPA
    21.1.1. General sudo Configuration in Identity Management
    21.1.2. sudo and Netgroups
    21.1.3. Supported sudo Clients
  21.2. Setting up sudo Commands and Command Groups
    21.2.1. Adding sudo Commands
      21.2.1.1. Adding sudo Commands with the Web UI
      21.2.1.2. Adding sudo Commands with the Command Line
    21.2.2. Adding sudo Command Groups
      21.2.2.1. Adding sudo Command Groups with the Web UI
      21.2.2.2. Adding sudo Command Groups with the Command Line
  21.3. Defining sudo Rules
    21.3.1. About External Users
    21.3.2. About sudo Options Format
    21.3.3. Defining sudo Rules in the Web UI
    21.3.4. Defining sudo Rules in the Command Line
    21.3.5. Suspending and Removing sudo Rules
  21.4. Configuring Hosts to Use IdM sudo Policies
    21.4.1. Applying the sudo Policies to Hosts Using SSSD
    21.4.2. Applying the sudo Policies to Hosts Using LDAP

22. Policy: Configuring Host-Based Access Control
  22.1. About Host-Based Access Control
  22.2. Creating Host-Based Access Control Entries for Services and Service Groups
    22.2.1. Adding HBAC Services
      22.2.1.1. Adding HBAC Services in the Web UI
      22.2.1.2. Adding Services in the Command Line
    22.2.2. Adding Service Groups
      22.2.2.1. Adding Service Groups in the Web UI
      22.2.2.2. Adding Service Groups in the Command Line
  22.3. Defining Host-Based Access Control Rules
    22.3.1. Setting Host-Based Access Control Rules in the Web UI
    22.3.2. Setting Host-Based Access Control Rules in the Command Line
  22.4. Testing Host-Based Access Control Rules
    22.4.1. The Limits of Host-Based Access Control Configuration
    22.4.2. Test Scenarios for Host-Based Access Control (CLI-Based)
    22.4.3. Testing Host-Based Access Control Rules in the UI

23. Policy: Group Policy Object Access Control
  23.1. Configuring GPO-Based Access Control

24. Policy: Defining SELinux User Maps
  24.1. About Identity Management, SELinux, and Mapping Users
  24.2. Configuring SELinux User Map Order and Defaults
    24.2.1. In the Web UI
    24.2.2. In the CLI
  24.3. Mapping SELinux Users and IdM Users
    24.3.1. In the Web UI
    24.3.2. In the CLI

25. Policy: Defining Automatic Group Membership for Users and Hosts
  25.1. About Automembership
  25.2. Defining Automembership Rules (Basic Procedure)
    25.2.1. From the Web UI
    25.2.2. From the CLI
  25.3. Examples of Using Automember Groups
    25.3.1. Setting an All Users/Hosts Rule
    25.3.2. Defining Default Automembership Groups
    25.3.3. Using Automembership Groups with Windows Users

26. Policy: Restricting Domains for PAM Services

27. Configuration: Defining Access Control for IdM Users
  27.1. About Access Controls for IdM Entries
    27.1.1. A Brief Look at Access Control Concepts
    27.1.2. Access Control Methods in Identity Management
  27.2. Defining Self-Service Settings
    27.2.1. Creating Self-Service Rules from the Web UI
    27.2.2. Creating Self-Service Rules from the Command Line
    27.2.3. Editing Self-Service Rules
  27.3. Delegating Permissions over Users
    27.3.1. Delegating Access to User Groups in the Web UI
    27.3.2. Delegating Access to User Groups in the Command Line
  27.4. Defining Role-Based Access Controls
    27.4.1. Creating Roles
      27.4.1.1. Creating Roles in the Web UI
      27.4.1.2. Creating Roles in the Command Line
    27.4.2. Creating New Permissions
      27.4.2.1. Creating New Permissions from the Web UI
      27.4.2.2. Creating New Permissions from the Command Line
    27.4.3. Creating New Privileges
      27.4.3.1. Creating New Privileges from the Web UI
      27.4.3.2. Creating New Privileges from the Command Line

28. Configuration: Configuring IdM Servers and Replicas
  28.1. Identity Management Files and Logs
    28.1.1. A Reference of IdM Server Configuration Files and Directories
    28.1.2. IdM Domain Services and Log Rotation
    28.1.3. About default.conf and Context Configuration Files
    28.1.4. Checking IdM Server Logs
      28.1.4.1. Enabling Server Debug Logging
      28.1.4.2. Debugging Command-Line Operations
  28.2. Managing Certificates and Certificate Authorities
    28.2.1. Renewing CA Certificates Issued by External CAs
      28.2.1.1. The Renewal Procedure
    28.2.2. Renewing CA Certificates Issued by the IdM CA
      28.2.2.1. The Renewal Procedure
    28.2.3. Configuring Alternate Certificate Authorities
    28.2.4. Changing Which Server Generates CRLs
    28.2.5. Configuring OCSP Responders
      28.2.5.1. Using an OCSP Responder with SELinux
      28.2.5.2. Changing the CRL Update Interval
      28.2.5.3. Changing the OCSP Responder Location
  28.3. Disabling Anonymous Binds
  28.4. Changing Domain DNS Configuration
    28.4.1. Setting DNS Entries for Multi-Homed Servers
    28.4.2. Setting up Additional Name Servers
    28.4.3. Changing Load Balancing for IdM Servers and Replicas
  28.5. Managing Replication Agreements Between IdM Servers
    28.5.1. Listing Replication Agreements
    28.5.2. Creating and Removing Replication Agreements
    28.5.3. Forcing Replication
    28.5.4. Reinitializing IdM Servers
    28.5.5. Resolving Replication Conflicts
      28.5.5.1.
Solving Naming Conflicts 28.5.5.2. Solving Orphan Entry Conflicts 28.6. Removing a Replica 28.7. Renaming a Server or Replica Host System 29. Migrating from an LDAP Directory to IdM Expand section "29. Migrating from an LDAP Directory to IdM" Collapse section "29. Migrating from an LDAP Directory to IdM" 29.1. An Overview of LDAP to IdM Migration Expand section "29.1. An Overview of LDAP to IdM Migration" Collapse section "29.1. An Overview of LDAP to IdM Migration" 29.1.1. Planning the Client Configuration Expand section "29.1.1. Planning the Client Configuration" Collapse section "29.1.1. Planning the Client Configuration" 29.1.1.1. Initial Client Configuration (Pre-Migration) 29.1.1.2. Recommended Configuration for Red Hat Enterprise Linux Clients 29.1.1.3. Alternative Supported Configuration 29.1.2. Planning Password Migration Expand section "29.1.2. Planning Password Migration" Collapse section "29.1.2. Planning Password Migration" 29.1.2.1. Method 1: Using Temporary Passwords and Requiring a Change 29.1.2.2. Method 2: Using the Migration Web Page 29.1.2.3. Method 3: Using SSSD (Recommended) 29.1.2.4. Migrating Cleartext LDAP Passwords 29.1.2.5. Automatically Resetting Passwords That Do Not Meet Requirements 29.1.3. Migration Considerations and Requirements Expand section "29.1.3. Migration Considerations and Requirements" Collapse section "29.1.3. Migration Considerations and Requirements" 29.1.3.1. LDAP Servers Supported for Migration 29.1.3.2. Migration Environment Requirements 29.1.3.3. Migration Tools 29.1.3.4. Migration Sequence 29.2. Examples for Using migrate-ds Expand section "29.2. Examples for Using migrate-ds" Collapse section "29.2. Examples for Using migrate-ds" 29.2.1. Migrating Specific Subtrees 29.2.2. Specifically Including or Excluding Entries 29.2.3. Excluding Entry Attributes 29.2.4. Setting the Schema to Use 29.3. Scenario 1: Using SSSD as Part of Migration 29.4. Scenario 2: Migrating an LDAP Server Directly to Identity Management A. 
Troubleshooting Identity Management Expand section "A. Troubleshooting Identity Management" Collapse section "A. Troubleshooting Identity Management" A.1. Installation Issues Expand section "A.1. Installation Issues" Collapse section "A.1. Installation Issues" A.1.1. Server Installation Expand section "A.1.1. Server Installation" Collapse section "A.1.1. Server Installation" A.1.1.1. GSS Failures When Running IPA Commands A.1.1.2. named Daemon Fails to Start A.1.2. Replica Installation Expand section "A.1.2. Replica Installation" Collapse section "A.1.2. Replica Installation" A.1.2.1. Certificate System setup failed. A.1.2.2. There are SASL, GSS-API, and Kerberos errors in the 389 Directory Server logs when the replica starts. A.1.2.3. The DNS forward record does not match the reverse address A.1.3. Client Installations Expand section "A.1.3. Client Installations" Collapse section "A.1.3. Client Installations" A.1.3.1. The client can't resolve reverse hostnames when using an external DNS. A.1.3.2. The client is not added to the DNS zone. A.1.4. Uninstalling an IdM Client A.2. UI Connection Problems A.3. IdM Server Problems Expand section "A.3. IdM Server Problems" Collapse section "A.3. IdM Server Problems" A.3.1. There are SASL, GSS-API, and Kerberos errors in the 389 Directory Server logs when the replica starts. A.4. Host Problems Expand section "A.4. Host Problems" Collapse section "A.4. Host Problems" A.4.1. Certificate Not Found/Serial Number Not Found Errors A.4.2. Debugging Client Connection Problems A.5. Kerberos Errors Expand section "A.5. Kerberos Errors" Collapse section "A.5. Kerberos Errors" A.5.1. Problems making connections with SSH when using GSS-API A.5.2. There are problems connecting to an NFS server after changing a keytab A.6. SELinux Login Problems B. Working with certmonger Expand section "B. Working with certmonger" Collapse section "B. Working with certmonger" B.1. Requesting a Certificate with certmonger B.2. 
Storing Certificates in NSS Databases B.3. Tracking Certificates with certmonger Index C. Revision History Legal Notice Settings Close Language: 日本語 English Language: 日本語 English Format: Multi-page Single-page PDF Format: Multi-page Single-page PDF Language and Page Formatting Options Language: 日本語 English Language: 日本語 English Format: Multi-page Single-page PDF Format: Multi-page Single-page PDF Red Hat Training A Red Hat training course is available for Red Hat Enterprise Linux Part I. Installing Identity Management; Servers and Services Previous Next