13.6. Defining Automatic Group Membership for Users and Hosts

13.6.1. How Automatic Group Membership Works in IdM

13.6.1.1. What Automatic Group Membership Is

Using automatic group membership, you can assign users and hosts to groups automatically based on their attributes. For example, you can:
  • Divide employees' user entries into groups based on the employees' manager, location, or any other attribute.
  • Divide hosts based on their class, location, or any other attribute.
  • Add all users or all hosts to a single global group.

13.6.1.2. Benefits of Automatic Group Membership

Reduced overhead of managing group membership manually
With automatic group membership, the administrator no longer assigns users and hosts to groups manually.
Improved consistency in user and host management
With automatic group membership, users and hosts are assigned to groups based on strictly defined and automatically evaluated criteria.
Easier management of group-based settings
Various settings are defined for groups and then applied to individual group members, for example sudo rules, automount, or access control. When using automatic group membership, users and hosts are automatically added to specified groups, which makes managing group-based settings easier.

13.6.1.3. Automember Rules

When configuring automatic group membership, the administrator defines automember rules. An automember rule applies to a specific user or host group. It includes conditions that the user or host must meet to be included or excluded from the group:
Inclusive conditions
When a user or host entry meets an inclusive condition, it will be included in the group.
Exclusive conditions
When a user or host entry meets an exclusive condition, it will not be included in the group.
The conditions are specified as regular expressions in the Perl-compatible regular expressions (PCRE) format. For more information on PCRE, see the pcresyntax(3) man page.
IdM evaluates exclusive conditions before inclusive conditions. In case of a conflict, exclusive conditions take precedence over inclusive conditions.

13.6.2. Adding an Automember Rule

To add an automember rule, use either the web UI or the command line, as described in the following procedures.
After you add an automember rule, keep in mind that it applies only to entries created after that point; to apply it to users and hosts that already exist, rebuild automatic membership as described in Section 13.6.3, “Applying Automember Rules to Existing Users and Hosts”.

Web UI: Add an Automember Rule

  1. Select Identity → Automember → User group rules or Host group rules.
  2. Click Add.
  3. In the Automember rule field, select the group to which the rule will apply. Click Add and Edit.
  4. Define one or more inclusive and exclusive conditions. See Section 13.6.1.3, “Automember Rules” for details.
    1. In the Inclusive or Exclusive sections, click Add.
    2. In the Attribute field, select the required attribute.
    3. In the Expression field, define the regular expression.
    4. Click Add.
    For example, the following condition targets all users with any value (.*) in their user login attribute (uid).

    Figure 13.5. Adding Automember Rule Conditions

Command Line: Add an Automember Rule

  1. Use the ipa automember-add command to add an automember rule. When prompted, specify:
    • Automember rule, which matches the target group name.
    • Grouping Type, which specifies whether the rule targets a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.
    For example, to add an automember rule for a user group named user_group:
    $ ipa automember-add
    Automember Rule: user_group
    Grouping Type: group
    --------------------------------
    Added automember rule "user_group"
    --------------------------------
      Automember Rule: user_group
  2. Define one or more inclusive and exclusive conditions. See Section 13.6.1.3, “Automember Rules” for details.
    1. To add a condition, use the ipa automember-add-condition command. When prompted, specify:
      • Automember rule, which matches the target group name.
      • Attribute Key, which specifies the entry attribute to which the filter will apply. For example, manager for users.
      • Grouping Type, which specifies whether the rule targets a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.
      • Inclusive regex and Exclusive regex, which specify one or more conditions as regular expressions. If you only want to specify one condition, press Enter when prompted for the other.
      For example, the following condition targets all users with any value (.*) in their user login attribute (uid).
      $ ipa automember-add-condition
      Automember Rule: user_group
      Attribute Key: uid
      Grouping Type: group
      [Inclusive Regex]: .*
      [Exclusive Regex]:
      ----------------------------------
      Added condition(s) to "user_group"
      ----------------------------------
        Automember Rule: user_group
        Inclusive Regex: uid=.*
      ----------------------------
      Number of conditions added 1
      ----------------------------
    2. To remove a condition, use the ipa automember-remove-condition command.

Example 13.5. Command Line: Creating an Automember Rule to Add All Entries to a Single Group

By creating an inclusive condition for an attribute that all user or host entries contain, such as cn or fqdn, you can ensure that all users or hosts created in the future will be added to a single group.
  1. Create the group, such as a host group named all_hosts. See Section 13.2, “Adding and Removing User or Host Groups”.
  2. Add an automember rule for the new host group. For example:
    $ ipa automember-add
    Automember Rule: all_hosts
    Grouping Type: hostgroup
    -------------------------------------
    Added automember rule "all_hosts"
    -------------------------------------
      Automember Rule: all_hosts
  3. Add an inclusive condition that targets all hosts. In the following example, the inclusive condition targets hosts that have any value (.*) in the fqdn attribute:
    $ ipa automember-add-condition
    Automember Rule: all_hosts
    Attribute Key: fqdn
    Grouping Type: hostgroup
    [Inclusive Regex]: .*
    [Exclusive Regex]:
    ---------------------------------
    Added condition(s) to "all_hosts"
    ---------------------------------
      Automember Rule: all_hosts
      Inclusive Regex: fqdn=.*
    ----------------------------
    Number of conditions added 1
    ----------------------------
All hosts added in the future will automatically become members of the all_hosts group.

Example 13.6. Command Line: Creating an Automember Rule for Synchronized AD Users

Windows users synchronized from Active Directory (AD) share the ntUser object class. By creating an automember condition that targets all users with ntUser in their objectclass attribute, you can ensure that all synchronized AD users created in the future will be included in a common group for AD users.
  1. Create a user group for the AD users, such as ad_users. See Section 13.2, “Adding and Removing User or Host Groups”.
  2. Add an automember rule for the new user group. For example:
    $ ipa automember-add
    Automember Rule: ad_users
    Grouping Type: group
    -------------------------------------
    Added automember rule "ad_users"
    -------------------------------------
      Automember Rule: ad_users
  3. Add an inclusive condition to filter the AD users. In the following example, the inclusive condition targets all users that have the ntUser value in the objectclass attribute:
    $ ipa automember-add-condition
    Automember Rule: ad_users
    Attribute Key: objectclass
    Grouping Type: group
    [Inclusive Regex]: ntUser
    [Exclusive Regex]:
    -------------------------------------
    Added condition(s) to "ad_users"
    -------------------------------------
      Automember Rule: ad_users
      Inclusive Regex: objectclass=ntUser
    ----------------------------
    Number of conditions added 1
    ----------------------------
All AD users added in the future will automatically become members of the ad_users user group.

13.6.3. Applying Automember Rules to Existing Users and Hosts

Automember rules apply automatically to user and host entries created after the rules were added. They are not applied retrospectively to entries that existed before the rules were added.
To apply automember rules to entries that existed before you added the rules, manually rebuild automatic membership. Rebuilding automatic membership re-evaluates all existing automember rules and applies them either to all entries or to specific entries.

Web UI: Rebuild Automatic Membership for Existing Entries

To rebuild automatic membership for all users or all hosts:
  1. Select Identity → Users or Hosts.
  2. Click Actions → Rebuild auto membership.

    Figure 13.6. Rebuilding Automatic Membership for All Users or Hosts

To rebuild automatic membership for a single user or host only:
  1. Select Identity → Users or Hosts, and click on the required user login or host name.
  2. Click Actions → Rebuild auto membership.

    Figure 13.7. Rebuilding Automatic Membership for a Single User or Host

Command Line: Rebuild Automatic Membership for Existing Entries

To rebuild automatic membership for all users, use the ipa automember-rebuild --type=group command:
$ ipa automember-rebuild --type=group
--------------------------------------------------------
Automember rebuild task finished. Processed (9) entries.
--------------------------------------------------------
To rebuild automatic membership for all hosts, use the ipa automember-rebuild --type=hostgroup command.
To rebuild automatic membership for a specified user or users, use the ipa automember-rebuild --users=user command:
$ ipa automember-rebuild --users=user1 --users=user2
--------------------------------------------------------
Automember rebuild task finished. Processed (2) entries.
--------------------------------------------------------
To rebuild automatic membership for a specified host or hosts, use the ipa automember-rebuild --hosts=example.com command.

13.6.4. Configuring a Default Automember Group

When a default automember group is configured, user or host entries that do not match any automember rule are automatically added to the default group.
  1. Use the ipa automember-default-group-set command to configure a default automember group. When prompted, specify:
    • Default (fallback) Group, which specifies the target group name.
    • Grouping Type, which specifies whether the target is a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.
    For example:
    $ ipa automember-default-group-set
    Default (fallback) Group: default_user_group
    Grouping Type: group
    ---------------------------------------------------
    Set default (fallback) group for automember "default_user_group"
    ---------------------------------------------------
      Default (fallback) Group: cn=default_user_group,cn=groups,cn=accounts,dc=example,dc=com
  2. To verify that the group is set correctly, use the ipa automember-default-group-show command. The command displays the current default automember group. For example:
    $ ipa automember-default-group-show
    Grouping Type: group
      Default (fallback) Group: cn=default_user_group,cn=groups,cn=accounts,dc=example,dc=com
To remove the current default automember group, use the ipa automember-default-group-remove command.
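The following simulation, added here and not part of IdM or the 389-ds automember plug-in, models the rule semantics described in Section 13.6.1.3 and the fallback group from Section 13.6.4 over a few constructed user entries: exclusive conditions are evaluated first and win any conflict, multi-valued attributes such as objectclass are matched value by value, and an entry that matches no rule lands in the default group. The rules, group names and entries are assumptions for illustration; Python's re module stands in for PCRE, which is equivalent for these simple patterns.

```python
import re

# Constructed sample entries (not real IdM data); objectclass is multi-valued.
USERS = [
    {"uid": "alice", "manager": "uid=carol,cn=users,cn=accounts,dc=example,dc=com",
     "objectclass": ["person", "posixaccount"]},
    {"uid": "bob", "manager": "uid=carol,cn=users,cn=accounts,dc=example,dc=com",
     "objectclass": ["person", "posixaccount"]},
    {"uid": "svc_backup", "manager": "uid=dave,cn=users,cn=accounts,dc=example,dc=com",
     "objectclass": ["person", "posixaccount"]},
    {"uid": "jdoe", "manager": "uid=dave,cn=users,cn=accounts,dc=example,dc=com",
     "objectclass": ["person", "ntUser"]},
]

# Hypothetical rules as (target group, attribute key, inclusive regexes, exclusive regexes),
# i.e. what `ipa automember-add-condition` would record for each group.
RULES = [
    ("carol_team", "manager", [r"^uid=carol,"], []),          # reports of one manager
    ("staff", "uid", [r".*"], [r"^svc_"]),                    # everyone except service accounts
    ("ad_users", "objectclass", [r"ntUser"], []),             # synchronized AD users (Example 13.6)
]


def attr_values(entry, key):
    """Return the attribute's values as a list; single-valued attributes are wrapped."""
    value = entry.get(key, [])
    return value if isinstance(value, list) else [value]


def rule_matches(entry, key, inclusive, exclusive):
    """True if the entry satisfies an inclusive regex and no exclusive regex on the key."""
    values = attr_values(entry, key)
    # Exclusive conditions are evaluated first and take precedence over inclusive ones.
    if any(re.search(rx, v) for rx in exclusive for v in values):
        return False
    return any(re.search(rx, v) for rx in inclusive for v in values)


def evaluate(entries, rules, default_group=None):
    """Map each entry's uid to the groups the rules assign it, falling back to default_group."""
    membership = {}
    for entry in entries:
        groups = [g for g, key, inc, exc in rules if rule_matches(entry, key, inc, exc)]
        if not groups and default_group:
            groups = [default_group]   # no rule matched: default (fallback) group applies
        membership[entry["uid"]] = groups
    return membership


if __name__ == "__main__":
    for uid, groups in evaluate(USERS, RULES, "default_user_group").items():
        print(f"{uid}: {', '.join(groups)}")
```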