Identity Management Guide
1. Introduction to Identity Management
Expand section "1. Introduction to Identity Management" Collapse section "1. Introduction to Identity Management"
1. 1.1. IdM v. LDAP: A More Focused Type of Service
  Expand section "1.1. IdM v. LDAP: A More Focused Type of Service" Collapse section "1.1. IdM v. LDAP: A More Focused Type of Service"
  1. 1.1.1. A Working Definition for Identity Management
  2. 1.1.2. Contrasting Identity Management with a Standard LDAP Directory
2. 1.2. Bringing Linux Services Together
  Expand section "1.2. Bringing Linux Services Together" Collapse section "1.2. Bringing Linux Services Together"
3. 1.3. Relationships Between Servers and Clients
  Expand section "1.3. Relationships Between Servers and Clients" Collapse section "1.3. Relationships Between Servers and Clients"
  1. 1.3.1. About IdM Servers and Replicas
  2. 1.3.2. About IdM Clients
I. Installing Identity Management; Servers and Services
Expand section "I. Installing Identity Management; Servers and Services" Collapse section "I. Installing Identity Management; Servers and Services"
1. 2. Prerequisites for Installation
  Expand section "2. Prerequisites for Installation" Collapse section "2. Prerequisites for Installation"
  1. 2.1. Supported Server Platforms
  2. 2.2. Hardware Recommendations
  3. 2.3. Software Requirements
  4. 2.4. System Prerequisites
    
    Expand section "2.4. System Prerequisites" Collapse section "2.4. System Prerequisites"
    
    2.4.1. DNS Records
    
    2.4.2. Hostname and IP Address Requirements
    
    2.4.3. Directory Server
    
    2.4.4. System Files
    
    2.4.5. System Ports
    
    2.4.6. NTP
    
    2.4.7. NSCD
    
    2.4.8. Networking
2. 3. Installing an IdM Server
  Expand section "3. Installing an IdM Server" Collapse section "3. Installing an IdM Server"
  1. 3.1. Installing the IdM Server Packages
  2. 3.2. About ipa-server-install
  3. 3.3. Example: Running the Script Interactively and Silently
    
    Expand section "3.3. Example: Running the Script Interactively and Silently" Collapse section "3.3. Example: Running the Script Interactively and Silently"
    
    3.3.1. Basic Interactive Installation
    
    3.3.2. Silent (Non-Interactive) Installation
  4. 3.4. Examples: Installing with Different CA Configurations
    
    Expand section "3.4. Examples: Installing with Different CA Configurations" Collapse section "3.4. Examples: Installing with Different CA Configurations"
    
    3.4.1. Installing with an Internal Root CA
    
    3.4.2. Installing Using an External CA
    
    3.4.3. Installing without a CA
  5. 3.5. Example: Configuring DNS Services within the IdM Domain
    
    Expand section "3.5. Example: Configuring DNS Services within the IdM Domain" Collapse section "3.5. Example: Configuring DNS Services within the IdM Domain"
    
    3.5.1. DNS Notes
    
    3.5.2. Installing with an Integrated DNS
3. 4. Setting up IdM Replicas
  Expand section "4. Setting up IdM Replicas" Collapse section "4. Setting up IdM Replicas"
  1. 4.1. Planning the Server/Replica Topologies
  2. 4.2. Prerequisites for Installing a Replica Server
  3. 4.3. Installing the Replica Packages
  4. 4.4. Creating the Replica
  5. 4.5. Alternate Options for Creating a Replica
    
    Expand section "4.5. Alternate Options for Creating a Replica" Collapse section "4.5. Alternate Options for Creating a Replica"
    
    4.5.1. Different DNS Settings
    
    4.5.2. Different CA Settings
    
    4.5.3. Different Services
4. 5. Setting up Systems as IdM Clients
  Expand section "5. Setting up Systems as IdM Clients" Collapse section "5. Setting up Systems as IdM Clients"
  1. 5.1. What Happens in Client Setup
  2. 5.2. System Ports
  3. 5.3. Configuring a Linux System as an IdM Client
    
    Expand section "5.3. Configuring a Linux System as an IdM Client" Collapse section "5.3. Configuring a Linux System as an IdM Client"
    
    5.3.1. Installing the Client (Full Example)
    
    5.3.2. Examples of Other Client Installation Options
  4. 5.4. Manually Configuring a Linux Client
    
    Expand section "5.4. Manually Configuring a Linux Client" Collapse section "5.4. Manually Configuring a Linux Client"
    
    5.4.1. Setting up an IdM Client (Full Procedure)
    
    5.4.2. Other Examples of Adding a Host Entry
    
    Expand section "5.4.2. Other Examples of Adding a Host Entry" Collapse section "5.4.2. Other Examples of Adding a Host Entry"
    
    5.4.2.1. Adding Host Entries from the Web UI
    
    5.4.2.2. Adding Host Entries from the Command Line
  5. 5.5. Setting up a Linux Client Through Kickstart
  6. 5.6. Performing a Two-Administrator Enrollment
  7. 5.7. Manually Unconfiguring Client Machines
5. 6. Upgrading Identity Management
  Expand section "6. Upgrading Identity Management" Collapse section "6. Upgrading Identity Management"
6. 7. Uninstalling IdM Servers and Replicas
8. The Basics of Managing the IdM Server and Services
Expand section "8. The Basics of Managing the IdM Server and Services" Collapse section "8. The Basics of Managing the IdM Server and Services"
1. 8.1. Starting and Stopping the IdM Domain
2. 8.2. About the IdM Client Tools
  Expand section "8.2. About the IdM Client Tools" Collapse section "8.2. About the IdM Client Tools"
  1. 8.2.1. The Structure of the ipa Command
    
    Expand section "8.2.1. The Structure of the ipa Command" Collapse section "8.2.1. The Structure of the ipa Command"
    
    8.2.1.1. Adding, Editing, and Deleting Entries with ipa
    
    8.2.1.2. Finding and Displaying Entries with ipa
    
    8.2.1.3. Adding Members to Groups and Containers with ipa
  2. 8.2.2. Positional Elements in ipa Commands
  3. 8.2.3. Managing Entry Attributes with --setattr, --addattr, and --delattr
  4. 8.2.4. Using Special Characters with IdM Tools
  5. 8.2.5. Logging into the IdM Domain Before Running
3. 8.3. Logging into IdM
  Expand section "8.3. Logging into IdM" Collapse section "8.3. Logging into IdM"
4. 8.4. Using the IdM Web UI
  Expand section "8.4. Using the IdM Web UI" Collapse section "8.4. Using the IdM Web UI"
  1. 8.4.1. About the Web UI
  2. 8.4.2. Opening the IdM Web UI
  3. 8.4.3. Configuring the Browser
    
    Expand section "8.4.3. Configuring the Browser" Collapse section "8.4.3. Configuring the Browser"
    
    8.4.3.1. Configuring Firefox
    
    8.4.3.2. Configuring Chrome
  4. 8.4.4. Using a Browser on Another System
  5. 8.4.5. Logging in with Simple Username/Password Credentials
  6. 8.4.6. Using the UI with Proxy Servers
5. 8.5. Configuring an IdM Server to Run in a TLS 1.2 Environment
9. Identity: Managing Users and User Groups
Expand section "9. Identity: Managing Users and User Groups" Collapse section "9. Identity: Managing Users and User Groups"
1. 9.1. Setting up User Home Directories
  Expand section "9.1. Setting up User Home Directories" Collapse section "9.1. Setting up User Home Directories"
2. 9.2. Managing User Entries
  Expand section "9.2. Managing User Entries" Collapse section "9.2. Managing User Entries"
  1. 9.2.1. About Username Formats
  2. 9.2.2. Adding Users
    
    Expand section "9.2.2. Adding Users" Collapse section "9.2.2. Adding Users"
    
    9.2.2.1. From the Web UI
    
    9.2.2.2. From the Command Line
  3. 9.2.3. Editing Users
    
    Expand section "9.2.3. Editing Users" Collapse section "9.2.3. Editing Users"
    
    9.2.3.1. From the Web UI
    
    9.2.3.2. From the Command Line
  4. 9.2.4. Deleting Users
    
    Expand section "9.2.4. Deleting Users" Collapse section "9.2.4. Deleting Users"
    
    9.2.4.1. With the Web UI
    
    9.2.4.2. From the Command Line
3. 9.3. Managing Public SSH Keys for Users
  Expand section "9.3. Managing Public SSH Keys for Users" Collapse section "9.3. Managing Public SSH Keys for Users"
4. 9.4. Changing Passwords
  Expand section "9.4. Changing Passwords" Collapse section "9.4. Changing Passwords"
  1. 9.4.1. From the Web UI
  2. 9.4.2. From the Command Line
5. 9.5. Enabling and Disabling User Accounts
  Expand section "9.5. Enabling and Disabling User Accounts" Collapse section "9.5. Enabling and Disabling User Accounts"
  1. 9.5.1. From the Web UI
  2. 9.5.2. From the Command Line
6. 9.6. Unlocking User Accounts After Password Failures
7. 9.7. Smart Cards
  Expand section "9.7. Smart Cards" Collapse section "9.7. Smart Cards"
  1. 9.7.1. Smart Card and Smart Card Reader Support in Identity Management
  2. 9.7.2. Exporting a Certificate From a Smart Card
  3. 9.7.3. Storing Smart Card Certificates for IdM Users
  4. 9.7.4. Smart Card Authentication on Identity Management Clients
    
    Expand section "9.7.4. Smart Card Authentication on Identity Management Clients" Collapse section "9.7.4. Smart Card Authentication on Identity Management Clients"
    
    9.7.4.1. Configuring Smart Card Authentication on an IdM Client
    
    9.7.4.2. SSH Log in Using a Smart Card
8. 9.8. Managing User Private Groups
  Expand section "9.8. Managing User Private Groups" Collapse section "9.8. Managing User Private Groups"
9. 9.9. Managing Unique UID and GID Number Assignments
  Expand section "9.9. Managing Unique UID and GID Number Assignments" Collapse section "9.9. Managing Unique UID and GID Number Assignments"
10. 9.10. Managing User and Group Schema
  Expand section "9.10. Managing User and Group Schema" Collapse section "9.10. Managing User and Group Schema"
  1. 9.10.1. About Changing the Default User and Group Schema
  2. 9.10.2. Applying Custom Object Classes to New User Entries
    
    Expand section "9.10.2. Applying Custom Object Classes to New User Entries" Collapse section "9.10.2. Applying Custom Object Classes to New User Entries"
    
    9.10.2.1. From the Web UI
    
    9.10.2.2. From the Command Line
  3. 9.10.3. Applying Custom Object Classes to New Group Entries
    
    Expand section "9.10.3. Applying Custom Object Classes to New Group Entries" Collapse section "9.10.3. Applying Custom Object Classes to New Group Entries"
    
    9.10.3.1. From the Web UI
    
    9.10.3.2. From the Command Line
  4. 9.10.4. Specifying Default User and Group Attributes
    
    Expand section "9.10.4. Specifying Default User and Group Attributes" Collapse section "9.10.4. Specifying Default User and Group Attributes"
    
    9.10.4.1. Viewing Attributes from the Web UI
    
    9.10.4.2. Viewing Attributes from the Command Line
11. 9.11. Managing User Groups
  Expand section "9.11. Managing User Groups" Collapse section "9.11. Managing User Groups"
  1. 9.11.1. Types of Groups in IdM
  2. 9.11.2. Group Object Classes
    
    Expand section "9.11.2. Group Object Classes" Collapse section "9.11.2. Group Object Classes"
    
    9.11.2.1. Creating User Groups
    
    Expand section "9.11.2.1. Creating User Groups" Collapse section "9.11.2.1. Creating User Groups"
    
    9.11.2.1.1. With the Web UI
    
    9.11.2.1.2. With the Command Line
    
    9.11.2.2. Adding Group Members
    
    Expand section "9.11.2.2. Adding Group Members" Collapse section "9.11.2.2. Adding Group Members"
    
    9.11.2.2.1. With the Web UI (Group Page)
    
    9.11.2.2.2. With the Web UI (User's Page)
    
    9.11.2.2.3. With the Command Line
    
    9.11.2.2.4. Viewing Direct and Indirect Members of a Group
    
    9.11.2.3. Deleting User Groups
    
    Expand section "9.11.2.3. Deleting User Groups" Collapse section "9.11.2.3. Deleting User Groups"
    
    9.11.2.3.1. With the Web UI
    
    9.11.2.3.2. With the Command Line
  3. 9.11.3. Searching for Users and Groups
    
    Expand section "9.11.3. Searching for Users and Groups" Collapse section "9.11.3. Searching for Users and Groups"
    
    9.11.3.1. Setting Search Limits
    
    Expand section "9.11.3.1. Setting Search Limits" Collapse section "9.11.3.1. Setting Search Limits"
    
    9.11.3.1.1. Types of Search Limits and Where They Apply
    
    9.11.3.1.2. Setting IdM Search Limits
    
    Expand section "9.11.3.1.2. Setting IdM Search Limits" Collapse section "9.11.3.1.2. Setting IdM Search Limits"
    
    9.11.3.1.2.1. With the Web UI
    
    9.11.3.1.2.2. With the Command Line
    
    9.11.3.1.3. Overriding the Search Defaults
    
    9.11.3.2. Setting Search Attributes
    
    Expand section "9.11.3.2. Setting Search Attributes" Collapse section "9.11.3.2. Setting Search Attributes"
    
    9.11.3.2.1. Default Attributes Checked by Searches
    
    9.11.3.2.2. Changing User Search Attributes
    
    Expand section "9.11.3.2.2. Changing User Search Attributes" Collapse section "9.11.3.2.2. Changing User Search Attributes"
    
    9.11.3.2.2.1. From the Web UI
    
    9.11.3.2.2.2. From the Command Line
    
    9.11.3.2.3. Changing Group Search Attributes
    
    Expand section "9.11.3.2.3. Changing Group Search Attributes" Collapse section "9.11.3.2.3. Changing Group Search Attributes"
    
    9.11.3.2.3.1. From the Web UI
    
    9.11.3.2.3.2. From the Command Line
    
    9.11.3.2.4. Limits on Attributes Returned in Search Results
    
    9.11.3.3. Searching for Groups Based on Type
10. Identity: Managing Hosts
Expand section "10. Identity: Managing Hosts" Collapse section "10. Identity: Managing Hosts"
1. 10.1. About Hosts, Services, and Machine Identity and Authentication
2. 10.2. About Host Entry Configuration Properties
3. 10.3. Disabling and Re-enabling Host Entries
  Expand section "10.3. Disabling and Re-enabling Host Entries" Collapse section "10.3. Disabling and Re-enabling Host Entries"
  1. 10.3.1. Disabling Host Entries
  2. 10.3.2. Re-enabling Hosts
4. 10.4. Managing Public SSH Keys for Hosts
  Expand section "10.4. Managing Public SSH Keys for Hosts" Collapse section "10.4. Managing Public SSH Keys for Hosts"
5. 10.5. Setting Ethers Information for a Host
6. 10.6. Renaming Machines and Reconfiguring IdM Client Configuration
7. 10.7. Managing Host Groups
  Expand section "10.7. Managing Host Groups" Collapse section "10.7. Managing Host Groups"
  1. 10.7.1. Creating Host Groups
    
    Expand section "10.7.1. Creating Host Groups" Collapse section "10.7.1. Creating Host Groups"
    
    10.7.1.1. Creating Host Groups from the Web UI
    
    10.7.1.2. Creating Host Groups from the Command Line
  2. 10.7.2. Adding Host Group Members
    
    Expand section "10.7.2. Adding Host Group Members" Collapse section "10.7.2. Adding Host Group Members"
    
    10.7.2.1. Showing and Changing Group Members
    
    10.7.2.2. Adding Host Group Members from the Web UI
    
    10.7.2.3. Adding Host Group Members from the Command Line
11. Identity: Managing Services
Expand section "11. Identity: Managing Services" Collapse section "11. Identity: Managing Services"
1. 11.1. Adding and Editing Service Entries and Keytabs
  Expand section "11.1. Adding and Editing Service Entries and Keytabs" Collapse section "11.1. Adding and Editing Service Entries and Keytabs"
  1. 11.1.1. Adding Services and Keytabs from the Web UI
  2. 11.1.2. Adding Services and Keytabs from the Command Line
2. 11.2. Adding Services and Certificates for Services
  Expand section "11.2. Adding Services and Certificates for Services" Collapse section "11.2. Adding Services and Certificates for Services"
  1. 11.2.1. Adding Services and Certificates from the Web UI
  2. 11.2.2. Adding Services and Certificates from the Command Line
3. 11.3. Storing Certificates in NSS Databases
4. 11.4. Configuring Clustered Services
5. 11.5. Using the Same Service Principal for Multiple Services
6. 11.6. Disabling and Re-enabling Service Entries
  Expand section "11.6. Disabling and Re-enabling Service Entries" Collapse section "11.6. Disabling and Re-enabling Service Entries"
  1. 11.6.1. Disabling Service Entries
  2. 11.6.2. Re-enabling and Services
12. Identity: Delegating Access to Hosts and Services
Expand section "12. Identity: Delegating Access to Hosts and Services" Collapse section "12. Identity: Delegating Access to Hosts and Services"
13. Identity: Integrating with NIS Domains and Netgroups
Expand section "13. Identity: Integrating with NIS Domains and Netgroups" Collapse section "13. Identity: Integrating with NIS Domains and Netgroups"
1. 13.1. About NIS and Identity Management
2. 13.2. Setting the NIS Port for Identity Management
3. 13.3. Creating Netgroups
  Expand section "13.3. Creating Netgroups" Collapse section "13.3. Creating Netgroups"
  1. 13.3.1. Adding Netgroups
    
    Expand section "13.3.1. Adding Netgroups" Collapse section "13.3.1. Adding Netgroups"
    
    13.3.1.1. With the Web UI
    
    13.3.1.2. With the Command Line
  2. 13.3.2. Adding Netgroup Members
    
    Expand section "13.3.2. Adding Netgroup Members" Collapse section "13.3.2. Adding Netgroup Members"
    
    13.3.2.1. With the Web UI
    
    13.3.2.2. With the Command Line
4. 13.4. Exposing Automount Maps to NIS Clients
5. 13.5. Migrating from NIS to IdM
  Expand section "13.5. Migrating from NIS to IdM" Collapse section "13.5. Migrating from NIS to IdM"
  1. 13.5.1. Preparing Netgroup Entries in IdM
  2. 13.5.2. Enabling the NIS Listener in Identity Management
  3. 13.5.3. Exporting and Importing the Existing NIS Data
    
    Expand section "13.5.3. Exporting and Importing the Existing NIS Data" Collapse section "13.5.3. Exporting and Importing the Existing NIS Data"
    
    13.5.3.1. Importing User Entries
    
    13.5.3.2. Importing Group Entries
    
    13.5.3.3. Importing Host Entries
    
    13.5.3.4. Importing Netgroup Entries
    
    13.5.3.5. Importing Automount Maps
  4. 13.5.4. Setting Weak Password Encryption for NIS User Authentication to IdM
14. Identity: Integrating with Active Directory Through Cross-forest Trust (Technology Preview)
15. Identity: Integrating with Microsoft Active Directory Through Synchronization
Expand section "15. Identity: Integrating with Microsoft Active Directory Through Synchronization" Collapse section "15. Identity: Integrating with Microsoft Active Directory Through Synchronization"
1. 15.1. Supported Windows Platforms
2. 15.2. About Active Directory and Identity Management
3. 15.3. About Synchronized Attributes
  Expand section "15.3. About Synchronized Attributes" Collapse section "15.3. About Synchronized Attributes"
  1. 15.3.1. User Schema Differences between Identity Management and Active Directory
    
    Expand section "15.3.1. User Schema Differences between Identity Management and Active Directory" Collapse section "15.3.1. User Schema Differences between Identity Management and Active Directory"
    
    15.3.1.1. Values for cn Attributes
    
    15.3.1.2. Values for street and streetAddress
    
    15.3.1.3. Constraints on the initials Attribute
    
    15.3.1.4. Requiring the surname (sn) Attribute
  2. 15.3.2. Active Directory Entries and RFC 2307 Attributes
4. 15.4. Setting up Active Directory for Synchronization
  Expand section "15.4. Setting up Active Directory for Synchronization" Collapse section "15.4. Setting up Active Directory for Synchronization"
  1. 15.4.1. Creating an Active Directory User for Sync
  2. 15.4.2. Setting up an Active Directory Certificate Authority
5. 15.5. Managing Synchronization Agreements
  Expand section "15.5. Managing Synchronization Agreements" Collapse section "15.5. Managing Synchronization Agreements"
6. 15.6. Managing Password Synchronization
  Expand section "15.6. Managing Password Synchronization" Collapse section "15.6. Managing Password Synchronization"
16. Identity: ID Views and Migrating Existing Environments to Trust
Expand section "16. Identity: ID Views and Migrating Existing Environments to Trust" Collapse section "16. Identity: ID Views and Migrating Existing Environments to Trust"
17. Identity: Managing DNS
Expand section "17. Identity: Managing DNS" Collapse section "17. Identity: Managing DNS"
1. 17.1. About DNS in IdM
2. 17.2. Using IdM and DNS Service Discovery with an Existing DNS Configuration
3. 17.3. DNS Notes
4. 17.4. Adding or Updating DNS Services After Installation
5. 17.5. Setting up the rndc Service
6. 17.6. Managing DNS Zone Entries
  Expand section "17.6. Managing DNS Zone Entries" Collapse section "17.6. Managing DNS Zone Entries"
  1. 17.6.1. Adding Forward DNS Zones
    
    Expand section "17.6.1. Adding Forward DNS Zones" Collapse section "17.6.1. Adding Forward DNS Zones"
    
    17.6.1.1. From the Web UI
    
    17.6.1.2. From the Command Line
  2. 17.6.2. Adding Additional Configuration for DNS Zones
    
    Expand section "17.6.2. Adding Additional Configuration for DNS Zones" Collapse section "17.6.2. Adding Additional Configuration for DNS Zones"
    
    17.6.2.1. DNS Zone Configuration Attributes
    
    17.6.2.2. Editing the Zone Configuration in the Web UI
    
    17.6.2.3. Editing the Zone Configuration in the Command Line
  3. 17.6.3. Adding Reverse DNS Zones
  4. 17.6.4. Enabling and Disabling Zones
    
    Expand section "17.6.4. Enabling and Disabling Zones" Collapse section "17.6.4. Enabling and Disabling Zones"
    
    17.6.4.1. Disabling Zones in the Web UI
    
    17.6.4.2. Disabling Zones in the Command Line
  5. 17.6.5. Enabling Dynamic DNS Updates
    
    Expand section "17.6.5. Enabling Dynamic DNS Updates" Collapse section "17.6.5. Enabling Dynamic DNS Updates"
    
    17.6.5.1. Enabling Dynamic DNS Updates in the Web UI
    
    17.6.5.2. Enabling Dynamic DNS Updates in the Command Line
  6. 17.6.6. Configuring Forwarders and Forward Policy
    
    Expand section "17.6.6. Configuring Forwarders and Forward Policy" Collapse section "17.6.6. Configuring Forwarders and Forward Policy"
    
    17.6.6.1. Configuring Forwarders in the UI
    
    17.6.6.2. Configuring Forwarders in the Command Line
  7. 17.6.7. Enabling Zone Transfers
    
    Expand section "17.6.7. Enabling Zone Transfers" Collapse section "17.6.7. Enabling Zone Transfers"
    
    17.6.7.1. Enabling Zone Transfers in the UI
    
    17.6.7.2. Enabling Zone Transfers in the Command Line
  8. 17.6.8. Defining DNS Queries
  9. 17.6.9. Synchronizing Forward and Reverse Zone Entries
    
    Expand section "17.6.9. Synchronizing Forward and Reverse Zone Entries" Collapse section "17.6.9. Synchronizing Forward and Reverse Zone Entries"
    
    17.6.9.1. Configuring Zone Entry Sync in the UI
    
    17.6.9.2. Configuring Zone Entry Sync in the Command Line
  10. 17.6.10. Setting DNS Access Policies
    
    Expand section "17.6.10. Setting DNS Access Policies" Collapse section "17.6.10. Setting DNS Access Policies"
    
    17.6.10.1. Setting DNS Access Policies in the UI
    
    17.6.10.2. Setting DNS Access Policies in the Command Line
7. 17.7. Managing DNS Record Entries
  Expand section "17.7. Managing DNS Record Entries" Collapse section "17.7. Managing DNS Record Entries"
  1. 17.7.1. Adding Records to DNS Zones
    
    Expand section "17.7.1. Adding Records to DNS Zones" Collapse section "17.7.1. Adding Records to DNS Zones"
    
    17.7.1.1. Adding DNS Resource Records from the Web UI
    
    17.7.1.2. Adding DNS Resource Records from the Command Line
    
    Expand section "17.7.1.2. Adding DNS Resource Records from the Command Line" Collapse section "17.7.1.2. Adding DNS Resource Records from the Command Line"
    
    17.7.1.2.1. About the Commands to Add DNS Records
    
    17.7.1.2.2. Examples of Adding DNS Resource Records
  2. 17.7.2. Deleting Records from DNS Zones
    
    Expand section "17.7.2. Deleting Records from DNS Zones" Collapse section "17.7.2. Deleting Records from DNS Zones"
    
    17.7.2.1. Deleting Records with the Web UI
    
    17.7.2.2. Deleting Records with the Command Line
8. 17.8. Configuring the bind-dyndb-ldap Plug-in
  Expand section "17.8. Configuring the bind-dyndb-ldap Plug-in" Collapse section "17.8. Configuring the bind-dyndb-ldap Plug-in"
  1. 17.8.1. Changing the DNS Cache Setting
  2. 17.8.2. Disabling Persistent Searches
9. 17.9. Changing Recursive Queries Against Forwarders
10. 17.10. Resolving Hostnames in the IdM Domain
18. Policy: Using Automount
Expand section "18. Policy: Using Automount" Collapse section "18. Policy: Using Automount"
1. 18.1. About Automount and IdM
2. 18.2. Configuring Automount
  Expand section "18.2. Configuring Automount" Collapse section "18.2. Configuring Automount"
3. 18.3. Setting up a Kerberized NFS Server
  Expand section "18.3. Setting up a Kerberized NFS Server" Collapse section "18.3. Setting up a Kerberized NFS Server"
  1. 18.3.1. Setting up a Kerberized NFS Server
  2. 18.3.2. Setting up a Kerberized NFS Client
4. 18.4. Configuring Locations
  Expand section "18.4. Configuring Locations" Collapse section "18.4. Configuring Locations"
  1. 18.4.1. Configuring Locations through the Web UI
  2. 18.4.2. Configuring Locations through the Command Line
5. 18.5. Configuring Maps
  Expand section "18.5. Configuring Maps" Collapse section "18.5. Configuring Maps"
  1. 18.5.1. Configuring Direct Maps
    
    Expand section "18.5.1. Configuring Direct Maps" Collapse section "18.5.1. Configuring Direct Maps"
    
    18.5.1.1. Configuring Direct Maps from the Web UI
    
    18.5.1.2. Configuring Direct Maps from the Command Line
  2. 18.5.2. Configuring Indirect Maps
    
    Expand section "18.5.2. Configuring Indirect Maps" Collapse section "18.5.2. Configuring Indirect Maps"
    
    18.5.2.1. Configuring Indirect Maps from the Web UI
    
    18.5.2.2. Configuring Indirect Maps from the Command Line
  3. 18.5.3. Importing Automount Maps
19. Policy: Defining Password Policies
Expand section "19. Policy: Defining Password Policies" Collapse section "19. Policy: Defining Password Policies"
1. 19.1. About Password Policies and Policy Attributes
2. 19.2. Viewing Password Policies
  Expand section "19.2. Viewing Password Policies" Collapse section "19.2. Viewing Password Policies"
  1. 19.2.1. Viewing the Global Password Policy
    
    Expand section "19.2.1. Viewing the Global Password Policy" Collapse section "19.2.1. Viewing the Global Password Policy"
    
    19.2.1.1. With the Web UI
    
    19.2.1.2. With the Command Line
  2. 19.2.2. Viewing Group-Level Password Policies
    
    Expand section "19.2.2. Viewing Group-Level Password Policies" Collapse section "19.2.2. Viewing Group-Level Password Policies"
    
    19.2.2.1. With the Web UI
    
    19.2.2.2. With the Command Line
  3. 19.2.3. Viewing the Password Policy in Effect for a User
3. 19.3. Creating and Editing Password Policies
  Expand section "19.3. Creating and Editing Password Policies" Collapse section "19.3. Creating and Editing Password Policies"
4. 19.4. Managing Password Expiration Limits
5. 19.5. Changing the Priority of Group Password Policies
6. 19.6. Setting Account Lockout Policies
  Expand section "19.6. Setting Account Lockout Policies" Collapse section "19.6. Setting Account Lockout Policies"
  1. 19.6.1. In the UI
  2. 19.6.2. In the CLI
7. 19.7. Enabling a Password Change Dialog
20. Policy: Managing the Kerberos Domain
Expand section "20. Policy: Managing the Kerberos Domain" Collapse section "20. Policy: Managing the Kerberos Domain"
1. 20.1. About Kerberos
  Expand section "20.1. About Kerberos" Collapse section "20.1. About Kerberos"
  1. 20.1.1. About Principal Names
  2. 20.1.2. About Protecting Keytabs
2. 20.2. Setting Kerberos Ticket Policies
  Expand section "20.2. Setting Kerberos Ticket Policies" Collapse section "20.2. Setting Kerberos Ticket Policies"
  1. 20.2.1. Setting Global Ticket Policies
    
    Expand section "20.2.1. Setting Global Ticket Policies" Collapse section "20.2.1. Setting Global Ticket Policies"
    
    20.2.1.1. From the Web UI
    
    20.2.1.2. From the Command Line
  2. 20.2.2. Setting User-Level Ticket Policies
3. 20.3. Refreshing Kerberos Tickets
4. 20.4. Caching Kerberos Passwords
5. 20.5. Removing Keytabs
21. Policy: Using sudo
Expand section "21. Policy: Using sudo" Collapse section "21. Policy: Using sudo"
1. 21.1. About sudo and IPA
  Expand section "21.1. About sudo and IPA" Collapse section "21.1. About sudo and IPA"
2. 21.2. Setting up sudo Commands and Command Groups
  Expand section "21.2. Setting up sudo Commands and Command Groups" Collapse section "21.2. Setting up sudo Commands and Command Groups"
  1. 21.2.1. Adding sudo Commands
    
    Expand section "21.2.1. Adding sudo Commands" Collapse section "21.2.1. Adding sudo Commands"
    
    21.2.1.1. Adding sudo Commands with the Web UI
    
    21.2.1.2. Adding sudo Commands with the Command Line
  2. 21.2.2. Adding sudo Command Groups
    
    Expand section "21.2.2. Adding sudo Command Groups" Collapse section "21.2.2. Adding sudo Command Groups"
    
    21.2.2.1. Adding sudo Command Groups with the Web UI
    
    21.2.2.2. Adding sudo Command Groups with the Command Line
3. 21.3. Defining sudo Rules
  Expand section "21.3. Defining sudo Rules" Collapse section "21.3. Defining sudo Rules"
4. 21.4. Configuring Hosts to Use IdM sudo Policies
  Expand section "21.4. Configuring Hosts to Use IdM sudo Policies" Collapse section "21.4. Configuring Hosts to Use IdM sudo Policies"
  1. 21.4.1. Applying the sudo Policies to Hosts Using SSSD
  2. 21.4.2. Applying the sudo Policies to Hosts Using LDAP
22. Policy: Configuring Host-Based Access Control
Expand section "22. Policy: Configuring Host-Based Access Control" Collapse section "22. Policy: Configuring Host-Based Access Control"
1. 22.1. About Host-Based Access Control
2. 22.2. Creating Host-Based Access Control Entries for Services and Service Groups
  Expand section "22.2. Creating Host-Based Access Control Entries for Services and Service Groups" Collapse section "22.2. Creating Host-Based Access Control Entries for Services and Service Groups"
  1. 22.2.1. Adding HBAC Services
    
    Expand section "22.2.1. Adding HBAC Services" Collapse section "22.2.1. Adding HBAC Services"
    
    22.2.1.1. Adding HBAC Services in the Web UI
    
    22.2.1.2. Adding Services in the Command Line
  2. 22.2.2. Adding Service Groups
    
    Expand section "22.2.2. Adding Service Groups" Collapse section "22.2.2. Adding Service Groups"
    
    22.2.2.1. Adding Service Groups in the Web UI
    
    22.2.2.2. Adding Service Groups in the Command Line
3. 22.3. Defining Host-Based Access Control Rules
  Expand section "22.3. Defining Host-Based Access Control Rules" Collapse section "22.3. Defining Host-Based Access Control Rules"
  1. 22.3.1. Setting Host-Based Access Control Rules in the Web UI
  2. 22.3.2. Setting Host-Based Access Control Rules in the Command Line
4. 22.4. Testing Host-Based Access Control Rules
  Expand section "22.4. Testing Host-Based Access Control Rules" Collapse section "22.4. Testing Host-Based Access Control Rules"
23. Policy: Group Policy Object Access Control
Expand section "23. Policy: Group Policy Object Access Control" Collapse section "23. Policy: Group Policy Object Access Control"
1. 23.1. Configuring GPO-Based Access Control
24. Policy: Defining SELinux User Maps
Expand section "24. Policy: Defining SELinux User Maps" Collapse section "24. Policy: Defining SELinux User Maps"
1. 24.1. About Identity Management, SELinux, and Mapping Users
2. 24.2. Configuring SELinux User Map Order and Defaults
  Expand section "24.2. Configuring SELinux User Map Order and Defaults" Collapse section "24.2. Configuring SELinux User Map Order and Defaults"
  1. 24.2.1. In the Web UI
  2. 24.2.2. In the CLI
3. 24.3. Mapping SELinux Users and IdM Users
  Expand section "24.3. Mapping SELinux Users and IdM Users" Collapse section "24.3. Mapping SELinux Users and IdM Users"
  1. 24.3.1. In the Web UI
  2. 24.3.2. In the CLI
25. Policy: Defining Automatic Group Membership for Users and Hosts
Expand section "25. Policy: Defining Automatic Group Membership for Users and Hosts" Collapse section "25. Policy: Defining Automatic Group Membership for Users and Hosts"
1. 25.1. About Automembership
2. 25.2. Defining Automembership Rules (Basic Procedure)
  Expand section "25.2. Defining Automembership Rules (Basic Procedure)" Collapse section "25.2. Defining Automembership Rules (Basic Procedure)"
  1. 25.2.1. From the Web UI
  2. 25.2.2. From the CLI
3. 25.3. Examples of Using Automember Groups
  Expand section "25.3. Examples of Using Automember Groups" Collapse section "25.3. Examples of Using Automember Groups"
26. Policy: Restricting Domains for PAM services
27. Configuration: Defining Access Control for IdM Users
Expand section "27. Configuration: Defining Access Control for IdM Users" Collapse section "27. Configuration: Defining Access Control for IdM Users"
1. 27.1. About Access Controls for IdM Entries
  Expand section "27.1. About Access Controls for IdM Entries" Collapse section "27.1. About Access Controls for IdM Entries"
  1. 27.1.1. A Brief Look at Access Control Concepts
  2. 27.1.2. Access Control Methods in Identity Management
2. 27.2. Defining Self-Service Settings
  Expand section "27.2. Defining Self-Service Settings" Collapse section "27.2. Defining Self-Service Settings"
3. 27.3. Delegating Permissions over Users
  Expand section "27.3. Delegating Permissions over Users" Collapse section "27.3. Delegating Permissions over Users"
  1. 27.3.1. Delegating Access to User Groups in the Web UI
  2. 27.3.2. Delegating Access to User Groups in the Command Line
4. 27.4. Defining Role-Based Access Controls
  Expand section "27.4. Defining Role-Based Access Controls" Collapse section "27.4. Defining Role-Based Access Controls"
  1. 27.4.1. Creating Roles
    
    Expand section "27.4.1. Creating Roles" Collapse section "27.4.1. Creating Roles"
    
    27.4.1.1. Creating Roles in the Web UI
    
    27.4.1.2. Creating Roles in the Command Line
  2. 27.4.2. Creating New Permissions
    
    Expand section "27.4.2. Creating New Permissions" Collapse section "27.4.2. Creating New Permissions"
    
    27.4.2.1. Creating New Permissions from the Web UI
    
    27.4.2.2. Creating New Permissions from the Command Line
  3. 27.4.3. Creating New Privileges
    
    Expand section "27.4.3. Creating New Privileges" Collapse section "27.4.3. Creating New Privileges"
    
    27.4.3.1. Creating New Privileges from the Web UI
    
    27.4.3.2. Creating New Privileges from the Command Line
28. Configuration: Configuring IdM Servers and Replicas
Expand section "28. Configuration: Configuring IdM Servers and Replicas" Collapse section "28. Configuration: Configuring IdM Servers and Replicas"
1. 28.1. Identity Management Files and Logs
  Expand section "28.1. Identity Management Files and Logs" Collapse section "28.1. Identity Management Files and Logs"
  1. 28.1.1. A Reference of IdM Server Configuration Files and Directories
  2. 28.1.2. IdM Domain Services and Log Rotation
  3. 28.1.3. About default.conf and Context Configuration Files
  4. 28.1.4. Checking IdM Server Logs
    
    Expand section "28.1.4. Checking IdM Server Logs" Collapse section "28.1.4. Checking IdM Server Logs"
    
    28.1.4.1. Enabling Server Debug Logging
    
    28.1.4.2. Debugging Command-Line Operations
2. 28.2. Managing Certificates and Certificate Authorities
  Expand section "28.2. Managing Certificates and Certificate Authorities" Collapse section "28.2. Managing Certificates and Certificate Authorities"
  1. 28.2.1. Renewing CA Certificates Issued by External CAs
    
    Expand section "28.2.1. Renewing CA Certificates Issued by External CAs" Collapse section "28.2.1. Renewing CA Certificates Issued by External CAs"
    
    28.2.1.1. The Renewal Procedure
  2. 28.2.2. Renewing CA Certificates Issued by the IdM CA
    
    Expand section "28.2.2. Renewing CA Certificates Issued by the IdM CA" Collapse section "28.2.2. Renewing CA Certificates Issued by the IdM CA"
    
    28.2.2.1. The Renewal Procedure
  3. 28.2.3. Configuring Alternate Certificate Authorities
  4. 28.2.4. Changing Which Server Generates CRLs
  5. 28.2.5. Configuring OCSP Responders
    
    Expand section "28.2.5. Configuring OCSP Responders" Collapse section "28.2.5. Configuring OCSP Responders"
    
    28.2.5.1. Using an OSCP Responder with SELinux
    
    28.2.5.2. Changing the CRL Update Interval
    
    28.2.5.3. Changing the OCSP Responder Location
3. 28.3. Disabling Anonymous Binds
4. 28.4. Changing Domain DNS Configuration
  Expand section "28.4. Changing Domain DNS Configuration" Collapse section "28.4. Changing Domain DNS Configuration"
5. 28.5. Managing Replication Agreements Between IdM Servers
  Expand section "28.5. Managing Replication Agreements Between IdM Servers" Collapse section "28.5. Managing Replication Agreements Between IdM Servers"
  1. 28.5.1. Listing Replication Agreements
  2. 28.5.2. Creating and Removing Replication Agreements
  3. 28.5.3. Forcing Replication
  4. 28.5.4. Reinitializing IdM Servers
  5. 28.5.5. Resolving Replication Conflicts
    
    Expand section "28.5.5. Resolving Replication Conflicts" Collapse section "28.5.5. Resolving Replication Conflicts"
    
    28.5.5.1. Solving Naming Conflicts
    
    28.5.5.2. Solving Orphan Entry Conflicts
6. 28.6. Removing a Replica
7. 28.7. Renaming a Server or Replica Host System
29. Migrating from an LDAP Directory to IdM
Expand section "29. Migrating from an LDAP Directory to IdM" Collapse section "29. Migrating from an LDAP Directory to IdM"
1. 29.1. An Overview of LDAP to IdM Migration
  Expand section "29.1. An Overview of LDAP to IdM Migration" Collapse section "29.1. An Overview of LDAP to IdM Migration"
  1. 29.1.1. Planning the Client Configuration
    
    Expand section "29.1.1. Planning the Client Configuration" Collapse section "29.1.1. Planning the Client Configuration"
    
    29.1.1.1. Initial Client Configuration (Pre-Migration)
    
    29.1.1.2. Recommended Configuration for Red Hat Enterprise Linux Clients
    
    29.1.1.3. Alternative Supported Configuration
  2. 29.1.2. Planning Password Migration
    
    Expand section "29.1.2. Planning Password Migration" Collapse section "29.1.2. Planning Password Migration"
    
    29.1.2.1. Method 1: Using Temporary Passwords and Requiring a Change
    
    29.1.2.2. Method 2: Using the Migration Web Page
    
    29.1.2.3. Method 3: Using SSSD (Recommended)
    
    29.1.2.4. Migrating Cleartext LDAP Passwords
    
    29.1.2.5. Automatically Resetting Passwords That Do Not Meet Requirements
  3. 29.1.3. Migration Considerations and Requirements
    
    Expand section "29.1.3. Migration Considerations and Requirements" Collapse section "29.1.3. Migration Considerations and Requirements"
    
    29.1.3.1. LDAP Servers Supported for Migration
    
    29.1.3.2. Migration Environment Requirements
    
    29.1.3.3. Migration Tools
    
    29.1.3.4. Migration Sequence
2. 29.2. Examples for Using migrate-ds
  Expand section "29.2. Examples for Using migrate-ds" Collapse section "29.2. Examples for Using migrate-ds"
3. 29.3. Scenario 1: Using SSSD as Part of Migration
4. 29.4. Scenario 2: Migrating an LDAP Server Directly to Identity Management
A. Troubleshooting Identity Management
Expand section "A. Troubleshooting Identity Management" Collapse section "A. Troubleshooting Identity Management"
1. A.1. Installation Issues
  Expand section "A.1. Installation Issues" Collapse section "A.1. Installation Issues"
  1. A.1.1. Server Installation
    
    Expand section "A.1.1. Server Installation" Collapse section "A.1.1. Server Installation"
    
    A.1.1.1. GSS Failures When Running IPA Commands
    
    A.1.1.2. named Daemon Fails to Start
  2. A.1.2. Replica Installation
    
    Expand section "A.1.2. Replica Installation" Collapse section "A.1.2. Replica Installation"
    
    A.1.2.1. Certificate System setup failed.
    
    A.1.2.2. There are SASL, GSS-API, and Kerberos errors in the 389 Directory Server logs when the replica starts.
    
    A.1.2.3. The DNS forward record does not match the reverse address
  3. A.1.3. Client Installations
    
    Expand section "A.1.3. Client Installations" Collapse section "A.1.3. Client Installations"
    
    A.1.3.1. The client can't resolve reverse hostnames when using an external DNS.
    
    A.1.3.2. The client is not added to the DNS zone.
  4. A.1.4. Uninstalling an IdM Client
2. A.2. UI Connection Problems
3. A.3. IdM Server Problems
  Expand section "A.3. IdM Server Problems" Collapse section "A.3. IdM Server Problems"
  1. A.3.1. There are SASL, GSS-API, and Kerberos errors in the 389 Directory Server logs when the replica starts.
4. A.4. Host Problems
  Expand section "A.4. Host Problems" Collapse section "A.4. Host Problems"
  1. A.4.1. Certificate Not Found/Serial Number Not Found Errors
  2. A.4.2. Debugging Client Connection Problems
5. A.5. Kerberos Errors
  Expand section "A.5. Kerberos Errors" Collapse section "A.5. Kerberos Errors"
  1. A.5.1. Problems making connections with SSH when using GSS-API
  2. A.5.2. There are problems connecting to an NFS server after changing a keytab
6. A.6. SELinux Login Problems
B. Working with certmonger
Expand section "B. Working with certmonger" Collapse section "B. Working with certmonger"
Index
C. Revision History
Legal Notice

Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

9.10. Managing User and Group Schema

When a user entry is created, it is automatically assigned certain LDAP object classes which, in turn, make available certain attributes. LDAP attributes are the way that information is stored in the directory. (This is discussed in detail in the Directory Server Deployment Guide and the Directory Server Schema Reference.)

Table 9.1. Default Identity Management User Object Classes

Description

Object Classes

IdM object classes

ipaobject

ipasshuser

Person object classes

person

organizationalperson

inetorgperson

inetuser

posixaccount

Kerberos object classes

krbprincipalaux

krbticketpolicyaux

Managed entries (template) object classes

mepOriginEntry

A number of attributes are available to user entries. Some are set manually and some are set based on defaults if a specific value is not set. There is also an option to add any attributes available in the object classes in Table 9.1, “Default Identity Management User Object Classes”, even if there is not a UI or command-line argument for that attribute. Additionally, the values generated or used by the default attributes can be configured, as in Section 9.10.4, “Specifying Default User and Group Attributes”.

Table 9.2. Default Identity Management User Attributes

UI Field	Command-Line Option	Required, Optional, or Default^[a]
User login	username	Required
First name	--first	Required
Last name	--last	Required
Full name	--cn	Optional
Display name	--displayname	Optional
Initials	--initials	Default
Home directory	--homedir	Default
GECOS field	--gecos	Default
Shell	--shell	Default
Kerberos principal	--principal	Default
Email address	--email	Optional
Password	--password ^[b]	Optional
User ID number^[c]	--uid	Default
Group ID number^[c]	--gidnumber	Default
Street address	--street	Optional
City	--city	Optional
State/Province	--state	Optional
Zip code	--postalcode	Optional
Telephone number	--phone	Optional
Mobile telephone number	--mobile	Optional
Pager number	--pager	Optional
Fax number	--fax	Optional
Organizational unit	--orgunit	Optional
Job title	--title	Optional
Manager	--manager	Optional
Car license	--carlicense	Optional
	--noprivate	Optional
SSH Keys	--sshpubkey	Optional
Additional attributes	--addattr	Optional
^[a] Required attributes must be set for every entry. Optional attributes may be set, while default attributes are automatically added with a pre-defined value unless a specific value is given. ^[b] The script prompts for the new password, rather than accepting a value with the argument. ^[c] When a user is created without specifying a UID number, then the user account is automatically assigned an ID number that is next available in the server or replica range. (Number ranges are described more in Section 9.9, “Managing Unique UID and GID Number Assignments”.) This means that a user always has a unique number for its UID number and, if configured, for its private group. If a number is manually assigned to a user entry, the server does not validate that the `uidNumber` is unique. It will allow duplicate IDs; this is expected (though discouraged) behavior for POSIX entries. If two entries are assigned the same ID number, only the first entry is returned in a search for that ID number. However, both entries will be returned in searches for other attributes or with `ipa user-find --all`.

9.10.1. About Changing the Default User and Group Schema

It is possible to add or change the object classes and attributes used for user and group entries (Section 9.10, “Managing User and Group Schema”).

The IdM configuration provides some validation when object classes are changed:

All of the object classes and their specified attributes must be known to the LDAP server.
All default attributes that are configured for the entry must be supported by the configured object classes.

There are limits to the IdM schema validation, however. Most important, the IdM server does not check that the defined user or group object classes contain all of the required object classes for IdM entries. For example, all IdM entries require the ipaobject object class. However, when the user or group schema is changed, the server does not check to make sure that this object class is included; if the object class is accidentally deleted, then future entry add operations will fail.

Also, all object class changes are atomic, not incremental. The entire list of default object classes has to be defined every time there is a change. For example, a company may create a custom object class to store employee information like birthdays and employment start dates. The administrator cannot simply add the custom object class to the list; he must set the entire list of current default object classes plus the new object class. The existing default object classes must always be included when the configuration is updated. Otherwise, the current settings will be overwritten, which causes serious performance problems.

9.10.2. Applying Custom Object Classes to New User Entries

User and group accounts are created with a pre-defined set of LDAP object classes applied to the entry. Any attributes which belong to the object class can be added to the user entry.

While the standard and IdM-specific LDAP object classes will cover most deployment scenarios, administrators may have custom object classes with custom attributes which should be applied to user entries.

9.10.2.1. From the Web UI

Add all of the custom schema elements to the 389 Directory Server instance used by Identity Management. Adding schema elements is described in the schema chapter of the Directory Server Administrator's Guide.
Open the IPA Server tab.
Select the Configuration subtab.
Scroll to the User Options area.
At the bottom of the users area, click the Add link to add a new field for another object class.
Important
Always include the existing default object classes when the configuration is updated. Otherwise, the current settings will be overwritten. If any object classes required by Identity Management are not included, then subsequent attempts to add an entry will fail with object class violations.
When the changes are complete, click the Update link at the top of the Configuration page.

9.10.2.2. From the Command Line

Add all of the custom schema elements to the 389 Directory Server instance used by Identity Management. Adding schema elements is described in the schema chapter of the Directory Server Administrator's Guide.
Add the new object class to the list of object classes added to entries. The option for user object classes is --userobjectclasses.
Important
Always include the existing default object classes when the configuration is updated. Otherwise, the current settings will be overwritten. If any object classes required by Identity Management are not included, then subsequent attempts to add an entry will fail with object class violations.
For example:
```
[bjensen@server ~]$ ipa config-mod --userobjectclasses=top,person,organizationalperson,inetorgperson,inetuser,posixaccount, krbprincipalaux,krbticketpolicyaux,ipaobject,ipasshuser,employeeinfo
```

9.10.3. Applying Custom Object Classes to New Group Entries

As with user entries, administrators may have custom object classes with custom attributes which should be applied to group entries. These can be added automatically by adding the object classes to the IdM server configuration.

9.10.3.1. From the Web UI

Add all of the custom schema elements to the 389 Directory Server instance used by Identity Management. Adding schema elements is described in the schema chapter of the Directory Server Administrator's Guide.
Open the IPA Server tab.
Select the Configuration subtab.
Scroll to the Group Options area.
Click the Add link to add a new field for another object class.
Important
Always include the existing default object classes when the configuration is updated. Otherwise, the current settings will be overwritten. If any object classes required by Identity Management are not included, then subsequent attempts to add an entry will fail with object class violations.
When the changes are complete, click the Update link at the top of the Configuration page.

9.10.3.2. From the Command Line

Add all of the custom schema elements to the 389 Directory Server instance used by Identity Management. Adding schema elements is described in the schema chapter of the Directory Server Administrator's Guide.
Add the new object class to the list of object classes added to entries. The option for group object classes is --groupobjectclasses.
Important
Always include the existing default object classes when the configuration is updated. Otherwise, the current settings will be overwritten. If any object classes required by Identity Management are not included, then subsequent attempts to add an entry will fail with object class violations.
For example:
```
[bjensen@server ~]$ ipa config-mod --groupobjectclasses=top,groupofnames,nestedgroup,ipausergroup,ipaobject,ipasshuser,employeegroup
```

9.10.4. Specifying Default User and Group Attributes

Identity Management uses a template when it creates new entries.

For users, the template is very specific. Identity Management uses default values for several core attributes for IdM user accounts. These defaults can define actual values for user account attributes (such as the home directory location) or it can define the format of attribute values, such as the username length. These settings also define the object classes assigned to users.

For groups, the template only defines the assigned object classes.

These default definitions are all contained in a single configuration entry for the IdM server, cn=ipaconfig,cn=etc,dc=example,dc=com.

The configuration can be changed using the ipa config-mod command.

Table 9.3. Default User Parameters

Field	Command-Line Option	Descriptions
Maximum username length	--maxusername	Sets the maximum number of characters for usernames. The default value is eight.
Root for home directories	--homedirectory	Sets the default directory to use for user home directories. The default value is `/home`.
Default shell	--defaultshell	Sets the default shell to use for users. The default value is `/bin/sh`.
Default user group	--defaultgroup	Sets the default group to which all newly created accounts are added. The default value is `ipausers`, which is automatically created during the IdM server installation process.
Default e-mail domain	--emaildomain	Sets the email domain to use to create email addresses based on the new accounts. The default is the IdM server domain.
Search time limit	--searchtimelimit	Sets the maximum amount of time, in seconds, to spend on a search before the server returns results.
Search size limit	--searchrecordslimit	Sets the maximum number of records to return in a search.
User search fields	--usersearch	Sets the fields in a user entry that can be used as a search string. Any attribute listed has an index kept for that attribute, so setting too many attributes could affect server performance.
Group search fields	--groupsearch	Sets the fields in a group entry that can be used as a search string.
Certificate subject base		Sets the base DN to use when creating subject DNs for client certificates. This is configured when the server is set up.
Default user object classes	--userobjectclasses	Sets a list of object classes that are used to create IdM user accounts.
Default group object classes	--groupobjectclasses	Sets a list of object classes that are used to create IdM group accounts.
Password expiration notification	--pwdexpnotify	Sets how long, in days, before a password expires for the server to send a notification.
Password plug-in features		Sets the format of passwords that are allowed for users.

9.10.4.1. Viewing Attributes from the Web UI

Open the IPA Server tab.
Select the Configuration subtab.
The complete configuration entry is shown in three sections, one for all search limits, one for user templates, and one for group templates.

9.10.4.2. Viewing Attributes from the Command Line

The config-show command shows the current configuration which applies to all new user accounts. By default, only the most common attributes are displayed; use the --all option to show the complete configuration.

[bjensen@server ~]$ kinit admin
[bjensen@server ~]$ ipa config-show --all
dn: cn=ipaConfig,cn=etc,dc=example,dc=com 
Maximum username length: 32 
Home directory base: /home 
Default shell: /bin/sh 
Default users group: ipausers 
Default e-mail domain: example.com 
Search time limit: 2 
Search size limit: 100 
User search fields: uid,givenname,sn,telephonenumber,ou,title 
Group search fields: cn,description 
Enable migration mode: FALSE 
Certificate Subject base: O=EXAMPLE.COM 
Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject 
Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser 
Password Expiration Notification (days): 4 
Password plugin features: AllowNThash 
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023 
Default SELinux user: unconfined_u:s0-s0:c0.c1023 
Default PAC types: MS-PAC, nfs:NONE 
cn: ipaConfig 
objectclass: nsContainer, top, ipaGuiConfig, ipaConfigObject

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Red Hat Training

9.10. Managing User and Group Schema

9.10.1. About Changing the Default User and Group Schema

9.10.2. Applying Custom Object Classes to New User Entries

9.10.2.1. From the Web UI

9.10.2.2. From the Command Line

9.10.3. Applying Custom Object Classes to New Group Entries

9.10.3.1. From the Web UI

9.10.3.2. From the Command Line

9.10.4. Specifying Default User and Group Attributes

9.10.4.1. Viewing Attributes from the Web UI

9.10.4.2. Viewing Attributes from the Command Line