9.11. Managing User Groups
- ipausers, which contains all users.
- admins, which contains administrative users. The initial admin user belongs to this group.
- trust admins, which contains administrative users used to manage Active Directory trusts.
- editors, which is a special group for users working through the web UI. This group allows users to edit other users' entries, though without all of the rights of the admin user.
9.11.1. Types of Groups in IdM
- Internal groups (the default), where all members belong to the IdM domain.
- External groups, where some or all of the members exist in an identity store outside of the IdM domain. This can be a local system, an Active Directory domain, or a directory service.
POSIX groups carry the posixgroup object class.
9.11.2. Group Object Classes
Table 9.4. Default Identity Management Group Object Classes
Description | Object Classes
---|---
IdM object classes |
Group object classes | groupofnames
9.11.2.1. Creating User Groups
9.11.2.1.1. With the Web UI
- Open the Identity tab, and select the User Groups subtab.
- Click the Add link at the top of the groups list.
- Enter all of the information for the group.
- A unique name. This is the identifier used for the group in the IdM domain, and it cannot be changed after it is created. The name cannot contain spaces, but other separators like an underscore (_) are allowed.
- A text description of the group.
- Whether the group is a POSIX group, which adds Linux-specific information to the entry. By default, all groups are POSIX groups unless they are explicitly configured not to be. Non-POSIX groups can be created for interoperability with Windows or Samba.
- Optionally, the GID number for the group. All POSIX groups require a GID number, but IdM assigns one automatically. Setting a GID number manually is unnecessary and risks collisions: if a GID number is given manually, IdM will not override the specified GID number, even if it is not unique.
- Click the button to go immediately to the member selection page.
- Select the members, as described in Section 9.11.2.2.1, “With the Web UI (Group Page)”.
9.11.2.1.2. With the Command Line
New groups are created with the group-add command. (This adds only the group; members are added separately.)
[bjensen@server ~]$ ipa group-add groupName --desc="description" [--nonposix]
Apart from the description, the one option is --nonposix. (By default, all groups are created as POSIX groups.) To enable interoperability with Windows users and groups and programs like Samba, it is possible to create non-POSIX groups by using the --nonposix option. This option tells the script not to add the posixGroup object class to the entry.
[bjensen@server ~]$ ipa group-add examplegroup --desc="for examples" --nonposix
----------------------
Added group "examplegroup"
----------------------
  Group name: examplegroup
  Description: for examples
  GID: 855800010
[bjensen@server ~]$ ipa group-add
Group name: engineering
Description: for engineers
-------------------------
Added group "engineering"
-------------------------
  Group name: engineering
  Description: for engineers
  GID: 387115842
Important
IdM does not check that the gidNumber is unique. It will allow duplicate IDs; this is expected (though discouraged) behavior for POSIX entries.
Use ipa group-find --all to view the full group entry.
9.11.2.2. Adding Group Members
9.11.2.2.1. With the Web UI (Group Page)
- Open the Identity tab, and select the User Groups subtab.
- Click the name of the group to which to add members.
- Click the Add link at the top of the task area.
- Click the checkbox by the names of the users to add, and click the right arrows button to move the names to the selection box.
- Click the button.
9.11.2.2.2. With the Web UI (User's Page)
- Open the Identity tab, and select the Users subtab.
- Click the name of the user to edit.
- Open the User Groups tab on the user entry page.
- Click the Add link at the top of the task area.
- Click the checkbox by the names of the groups for the user to join, and click the right arrows button to move the groups to the selection box.
- Click the button.
9.11.2.2.3. With the Command Line
Group members are added with the group-add-member command. This command can add both users as group members and other groups as group members. The group-add-member command requires only the group name and a comma-separated list of users to add:
[bjensen@server ~]$ ipa group-add-member groupName [--users=list] [--groups=list]
For example, to add users to the engineering group:
[bjensen@server ~]$ ipa group-add-member engineering --users=jsmith,bjensen,mreynolds
  Group name: engineering
  Description: for engineers
  GID: 387115842
  Member users: jsmith,bjensen,mreynolds
-------------------------
Number of members added 3
-------------------------
[bjensen@server ~]$ ipa group-add-member engineering --groups=dev,qe1,dev2
  Group name: engineering
  Description: for engineers
  GID: 387115842
  Member groups: dev,qe1,dev2
-------------------------
Number of members added 3
-------------------------
[bjensen@server ~]$ ipa group-show examplegroup
  Group name: examplegroup
  Description: for examples
  GID: 93200002
  Member users: jsmith,bjensen,mreynolds
  Member groups: californiausers
  Indirect Member users: sbeckett,acalavicci
Group members are removed with the group-remove-member command.
[bjensen@server ~]$ ipa group-remove-member engineering --users=jsmith
  Group name: engineering
  Description: for engineers
  GID: 855800009
  Member users: bjensen,mreynolds
---------------------------
Number of members removed 1
---------------------------
9.11.2.2.4. Viewing Direct and Indirect Members of a Group
- Direct members, which are added explicitly to the group
- Indirect members, which are members of the group because they are members of another user group which is a member of the group

Figure 9.4. Indirect and Direct Members
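As an added example (not part of this guide or of the IdM project), the following Python helpers parse the "Key: value" output layout that ipa group-find --all and group-show print, as shown above, from a constructed sample; they report any GID that more than one group carries (the duplicate gidNumber case the Important note in Section 9.11.2.1.2 describes) and expand nested member groups to list a group's effective users, that is, its direct plus indirect members. The sample output, the group names in it and the helper names are assumptions; on a real server the text would come from running the command.

```python
# Constructed sample in the layout `ipa group-find --all` prints; the shared GID and the dev -> qe1 nesting are deliberate.
SAMPLE_OUTPUT = """\
  Group name: engineering
  GID: 387115842
  Member users: bjensen,mreynolds
  Member groups: dev

  Group name: dev
  GID: 387115843
  Member users: jsmith
  Member groups: qe1

  Group name: qe1
  GID: 387115842
  Member users: acalavicci

  Group name: examplegroup
"""

def parse_groups(text):
    """Return {group name: {field: value}} from ipa group-find / group-show output."""
    groups, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not line.startswith(" "):   # blank line or dashed banner
            current = None
        elif key.strip() == "Group name":
            current = groups.setdefault(value.strip(), {})
        elif current is not None:
            current[key.strip()] = value.strip()
    return groups

def duplicate_gids(groups):
    """GIDs carried by more than one group; IdM does not enforce gidNumber uniqueness."""
    by_gid = {}
    for name, fields in groups.items():
        if "GID" in fields:                        # non-POSIX groups carry no GID
            by_gid.setdefault(fields["GID"], []).append(name)
    return {gid: sorted(names) for gid, names in by_gid.items() if len(names) > 1}

def effective_users(groups, name, seen=None):
    """Direct plus indirect user members, expanding nested member groups."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:        # cycle or unknown group: stop
        return set()
    seen.add(name)
    users = set(filter(None, groups[name].get("Member users", "").split(",")))
    for sub in filter(None, groups[name].get("Member groups", "").split(",")):
        users |= effective_users(groups, sub, seen)
    return users
```

Two groups sharing a GID are indistinguishable to the kernel for file permission checks, so duplicate_gids is worth running after any manual GID assignment.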
9.11.2.3. Deleting User Groups
9.11.2.3.1. With the Web UI
- Open the Identity tab, and select the User Groups subtab.
- Select the checkbox by the name of the group to delete.
- Click the Delete link at the top of the task area.
- When prompted, confirm the delete action.
9.11.2.3.2. With the Command Line
Use the group-del command to delete the specified group. For example:
[bjensen@server ~]$ ipa group-del examplegroup
9.11.3. Searching for Users and Groups
9.11.3.1. Setting Search Limits
9.11.3.1.1. Types of Search Limits and Where They Apply
- The search limit configuration for the IdM server. This is a setting for the IdM server itself, which is applied to all requests sent to the server from all IdM clients, the IdM CLI tools, and the IdM web UI for normal page display. By default, this limit is 100 entries.
- The time limit configuration for the IdM server. Much like the search size limit, the time limit sets a maximum amount of time that the IdM server itself waits for searches to run. Once it reaches that limit, the server stops the search and returns whatever entries were found in that time. By default, this limit is two seconds.
- The page size limit. Although not strictly a search limit, the page size limit does limit how many entries are returned per page. The server returns the set of entries, up to the search limit, and then sorts and displays 20 entries per page. Paging makes the results more understandable and more viewable. This is hard-coded to 20 for all searches.
- The LDAP search limit (--pkey option). All searches performed in the UI, and CLI searches which use the --pkey option, override the search limit set in the IdM server configuration and use the search limit set in the underlying LDAP directory. By default, this limit is 2000 entries. It can be changed by editing the 389 Directory Server configuration.
9.11.3.1.2. Setting IdM Search Limits
9.11.3.1.2.1. With the Web UI
- Open the IPA Server tab.
- Select the Configuration subtab.
- Scroll to the Search Options area.
- Change the search limit settings.
- Search size limit, the maximum number of records to return in a search.
- Search time limit, the maximum amount of time, in seconds, to spend on a search before the server returns results.
Note
Setting the time limit or size limit value to -1 means that there are no limits on searches.
- When the changes are complete, click the Update link at the top of the Configuration page.
9.11.3.1.2.2. With the Command Line
Search limits are set with the config-mod command.
[bjensen@server ~]$ ipa config-mod --searchtimelimit=5 --searchrecordslimit=500
  Max. username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain for new users: example.com
  Search time limit: 5
  Search size limit: 50
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=EXAMPLE.COM
  Password Expiration Notification (days): 4
9.11.3.1.3. Overriding the Search Defaults
The search limits can be overridden for any *-find command run through the command line. The --sizelimit and --timelimit options set alternative size and time limits, respectively, for that specific command run. The limits can be higher or lower, depending on the kinds of results you need.
[jsmith@ipaserver ~]$ ipa user-find smith --timelimit=120
9.11.3.2. Setting Search Attributes
9.11.3.2.1. Default Attributes Checked by Searches
Table 9.5. Default Search Attributes
User Search Attributes |
---|---
First name | Last name
Login ID | Job title
Organizational unit | Phone number
Group Search Attributes |
Name | Description
9.11.3.2.2. Changing User Search Attributes
9.11.3.2.2.1. From the Web UI
- Open the IPA Server tab.
- Select the Configuration subtab.
- Scroll to the User Options area.
- Add any additional search attributes, in a comma-separated list, in the User search fields field.
- When the changes are complete, click the Update link at the top of the Configuration page.
9.11.3.2.2.2. From the Command Line
Use the config-mod command with the --usersearch option to set the attributes for user searches.
[bjensen@server ~]$ ipa config-mod --usersearch=uid,givenname,sn,telephonenumber,ou,title
9.11.3.2.3. Changing Group Search Attributes
9.11.3.2.3.1. From the Web UI
- Open the IPA Server tab.
- Select the Configuration subtab.
- Scroll to the Group Options area.
- Add any additional search attributes, in a comma-separated list, in the Group search fields field.
- When the changes are complete, click the Update link at the top of the Configuration page.
9.11.3.2.3.2. From the Command Line
Use the config-mod command with the --groupsearch option to set the attributes for group searches.
[bjensen@server ~]$ ipa config-mod --groupsearch=cn,description
9.11.3.2.4. Limits on Attributes Returned in Search Results
9.11.3.3. Searching for Groups Based on Type
The --private option limits the search results to only private groups.
[root@server ~]# ipa group-find --private
---------------
1 group matched
---------------
  Group name: jsmith
  Description: User private group for jsmith
  GID: 1084600001
----------------------------
Number of entries returned 1
----------------------------
To list the groups that the user jsmith belongs to:
[root@server ~]# ipa group-find --user=jsmith
---------------
1 group matched
---------------
  Group name: ipausers
  Description: Default group for all users
  Member users: jsmith
----------------------------
Number of entries returned 1
----------------------------
To list the groups that jsmith does not belong to:
[root@server ~]# ipa group-find --no-user=jsmith
----------------
3 groups matched
----------------
  Group name: admins
  Description: Account administrators group
  GID: 1084600000
  Member users: admin

  Group name: editors
  Description: Limited admins who can edit other users
  GID: 1084600002

  Group name: trust admins
  Description: Trusts administrators group
  Member users: admin
----------------------------
Number of entries returned 3
----------------------------
Table 9.6. Common Group Search Options
Option | Criteria Description |
---|---|
--private | Displays only private groups. |
--gid | Displays only the group which matches the complete, specified GID. |
--group-name | Displays only groups with that name or part of their name. |
--users, --no-users | Displays only groups which have the given users as members (or which do not include the given user). |
--in-hbacrules, --not-in-hbacrules | Displays only groups which belong to a given host-based access control rule (or which do not belong to the rule, for the --not-in option). There are similar options to display (or not) groups which belong to a specified sudo rule and role. |
--in-groups, --not-in-groups | Displays only groups which belong to another, specified group (or which do not belong to the group, for the --not-in option). There are similar options to display (or not) groups which belong to a specified netgroup. |