13.6. Defining Automatic Group Membership for Users and Hosts
13.6.1. How Automatic Group Membership Works in IdM
13.6.1.1. What Automatic Group Membership Is
Using automatic group membership, you can assign users and hosts to groups automatically based on their attributes. For example, you can:
- Divide employees' user entries into groups based on the employees' manager, location, or any other attribute.
- Divide hosts based on their class, location, or any other attribute.
- Add all users or all hosts to a single global group.
13.6.1.2. Benefits of Automatic Group Membership
- Reduced overhead of managing group membership manually
- With automatic group membership, the administrator no longer assigns users and hosts to groups manually.
- Improved consistency in user and host management
- With automatic group membership, users and hosts are assigned to groups based on strictly defined and automatically evaluated criteria.
- Easier management of group-based settings
- Various settings are defined for groups and then applied to individual group members, for example sudo rules, automount, or access control. When using automatic group membership, users and hosts are automatically added to specified groups, which makes managing group-based settings easier.
13.6.1.3. Automember Rules
When configuring automatic group membership, the administrator defines automember rules. An automember rule applies to a specific user or host group. It includes conditions that the user or host must meet to be included or excluded from the group:
- Inclusive conditions
- When a user or host entry meets an inclusive condition, it will be included in the group.
- Exclusive conditions
- When a user or host entry meets an exclusive condition, it will not be included in the group.
The conditions are specified as regular expressions in the Perl-compatible regular expressions (PCRE) format. For more information on PCRE, see the pcresyntax(3) man page. A pattern is matched against each value of the selected attribute and, like any PCRE pattern, it is not anchored unless you anchor it: a pattern such as prod also matches an fqdn of preprod.example.com. Anchor patterns with ^ and $ when you intend to match a whole value, because an over-broad inclusive condition silently grants the matched entries whatever sudo, HBAC, or other settings are attached to the group.
IdM evaluates exclusive conditions before inclusive conditions. In case of a conflict, exclusive conditions take precedence over inclusive conditions.
13.6.2. Adding an Automember Rule
To add an automember rule using:
- The IdM web UI, see the section called “Web UI: Add an Automember Rule”
- The command line, see the section called “Command Line: Add an Automember Rule”
After you add an automember rule:
- All entries created in the future will become members of the specified group. If an entry meets conditions specified in multiple automember rules, it will be added to all the corresponding groups.
- Existing entries will not become members of the specified group. See Section 13.6.3, “Applying Automember Rules to Existing Users and Hosts” for more information.
Web UI: Add an Automember Rule
- Select Identity → Automember → User group rules or Host group rules.
- Click Add.
- In the Automember rule field, select the group to which the rule will apply. Click Add and Edit.
- Define one or more inclusive and exclusive conditions. See Section 13.6.1.3, “Automember Rules” for details.
- In the Inclusive or Exclusive sections, click Add.
- In the Attribute field, select the required attribute.
- In the Expression field, define the regular expression.
- Click Add.
For example, the following condition targets all users with any value (.*) in their user login attribute (uid).
Figure 13.5. Adding Automember Rule Conditions
Command Line: Add an Automember Rule
- Use the ipa automember-add command to add an automember rule. When prompted, specify:
  - Automember rule, which matches the target group name.
  - Grouping Type, which specifies whether the rule targets a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.
For example, to add an automember rule for a user group named user_group:
$ ipa automember-add
Automember Rule: user_group
Grouping Type: group
--------------------------------
Added automember rule "user_group"
--------------------------------
  Automember Rule: user_group
- Define one or more inclusive and exclusive conditions. See Section 13.6.1.3, “Automember Rules” for details.
- To add a condition, use the ipa automember-add-condition command. When prompted, specify:
  - Automember rule, which matches the target group name.
  - Attribute Key, which specifies the entry attribute to which the filter will apply. For example, manager for users.
  - Grouping Type, which specifies whether the rule targets a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.
  - Inclusive regex and Exclusive regex, which specify one or more conditions as regular expressions. If you only want to specify one condition, press Enter when prompted for the other.
For example, the following condition targets all users with any value (.*) in their user login attribute (uid):
$ ipa automember-add-condition
Automember Rule: user_group
Attribute Key: uid
Grouping Type: group
[Inclusive Regex]: .*
[Exclusive Regex]:
----------------------------------
Added condition(s) to "user_group"
----------------------------------
  Automember Rule: user_group
  Inclusive Regex: uid=.*
----------------------------
Number of conditions added 1
----------------------------
- To remove a condition, use the ipa automember-remove-condition command.
Example 13.5. Command Line: Creating an Automember Rule to Add All Entries to a Single Group
By creating an inclusive condition for an attribute that all user or host entries contain, such as cn or fqdn, you can ensure that all users or hosts created in the future will be added to a single group.
- Create the group, such as a host group named all_hosts. See Section 13.2, “Adding and Removing User or Host Groups”.
- Add an automember rule for the new host group. For example:
$ ipa automember-add
Automember Rule: all_hosts
Grouping Type: hostgroup
-------------------------------------
Added automember rule "all_hosts"
-------------------------------------
  Automember Rule: all_hosts
- Add an inclusive condition that targets all hosts. In the following example, the inclusive condition targets hosts that have any value (.*) in the fqdn attribute:
$ ipa automember-add-condition
Automember Rule: all_hosts
Attribute Key: fqdn
Grouping Type: hostgroup
[Inclusive Regex]: .*
[Exclusive Regex]:
---------------------------------
Added condition(s) to "all_hosts"
---------------------------------
  Automember Rule: all_hosts
  Inclusive Regex: fqdn=.*
----------------------------
Number of conditions added 1
----------------------------
All hosts added in the future will automatically become members of the all_hosts host group.
Example 13.6. Command Line: Creating an Automember Rule for Synchronized AD Users
Windows users synchronized from Active Directory (AD) share the ntUser object class. By creating an automember condition that targets all users with ntUser in their objectclass attribute, you can ensure that all synchronized AD users created in the future will be included in a common group for AD users.
- Create a user group for the AD users, such as ad_users. See Section 13.2, “Adding and Removing User or Host Groups”.
- Add an automember rule for the new user group. For example:
$ ipa automember-add
Automember Rule: ad_users
Grouping Type: group
-------------------------------------
Added automember rule "ad_users"
-------------------------------------
  Automember Rule: ad_users
- Add an inclusive condition to filter the AD users. In the following example, the inclusive condition targets all users that have the ntUser value in the objectclass attribute:
$ ipa automember-add-condition
Automember Rule: ad_users
Attribute Key: objectclass
Grouping Type: group
[Inclusive Regex]: ntUser
[Exclusive Regex]:
-------------------------------------
Added condition(s) to "ad_users"
-------------------------------------
  Automember Rule: ad_users
  Inclusive Regex: objectclass=ntUser
----------------------------
Number of conditions added 1
----------------------------
All AD users added in the future will automatically become members of the ad_users user group.
13.6.3. Applying Automember Rules to Existing Users and Hosts
Automember rules apply automatically to user and host entries created after the rules were added. They are not applied retrospectively to entries that existed before the rules were added.
To apply automember rules to entries that existed before you added the rules, manually rebuild automatic membership. Rebuilding automatic membership re-evaluates all existing automember rules and applies them either to all entries or to specific entries.
Web UI: Rebuild Automatic Membership for Existing Entries
To rebuild automatic membership for all users or all hosts:
- Select Identity → Users or Hosts.
- Click Actions → Rebuild auto membership.
Figure 13.6. Rebuilding Automatic Membership for All Users or Hosts
To rebuild automatic membership for a single user or host only:
- Select Identity → Users or Hosts, and click on the required user login or host name.
- Click Actions → Rebuild auto membership.
Figure 13.7. Rebuilding Automatic Membership for a Single User or Host
Command Line: Rebuild Automatic Membership for Existing Entries
To rebuild automatic membership for all users, use the ipa automember-rebuild --type=group command:
$ ipa automember-rebuild --type=group
--------------------------------------------------------
Automember rebuild task finished. Processed (9) entries.
--------------------------------------------------------
To rebuild automatic membership for all hosts, use the ipa automember-rebuild --type=hostgroup command.
To rebuild automatic membership for a specified user or users, use the ipa automember-rebuild --users=user command. Repeat the option for each user:
$ ipa automember-rebuild --users=user1 --users=user2
--------------------------------------------------------
Automember rebuild task finished. Processed (2) entries.
--------------------------------------------------------
To rebuild automatic membership for a specified host or hosts, use the ipa automember-rebuild --hosts=example.com command.
13.6.4. Configuring a Default Automember Group
When a default automember group is configured, user or host entries that do not match any automember rule are automatically added to the default group.
- Use the ipa automember-default-group-set command to configure a default automember group. When prompted, specify:
  - Default (fallback) Group, which specifies the target group name.
  - Grouping Type, which specifies whether the target is a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.
For example:
$ ipa automember-default-group-set
Default (fallback) Group: default_user_group
Grouping Type: group
---------------------------------------------------
Set default (fallback) group for automember "default_user_group"
---------------------------------------------------
  Default (fallback) Group: cn=default_user_group,cn=groups,cn=accounts,dc=example,dc=com
- To verify that the group is set correctly, use the ipa automember-default-group-show command. The command displays the current default automember group. For example:
$ ipa automember-default-group-show
Grouping Type: group
  Default (fallback) Group: cn=default_user_group,cn=groups,cn=accounts,dc=example,dc=com
To remove the current default automember group, use the ipa automember-default-group-remove command.
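To make the rule semantics of Section 13.6.1.3, the rebuild behaviour of Section 13.6.3 and the fallback group of Section 13.6.4 concrete, the following Python script is an illustrative model added for this page. It is not the 389-ds automember plugin that IdM actually runs, and the user and host entries, group names and patterns in it are constructed. It assumes that a condition's regular expression is searched, unanchored, against every value of the named attribute (Python's re module stands in for PCRE), that a matching exclusive condition blocks membership regardless of inclusive matches, and that an entry matching no rule is placed in the default group. It also shows the anchoring caveat: the pattern fqdn=prod also captures preprod-db1.example.com and would hand that host whatever sudo or HBAC rules are attached to the production host group, whereas fqdn=^prod- does not.

```python
import re
from dataclasses import dataclass, field

# Constructed sample entries (attribute -> list of values) standing in for
# IdM user and host entries; not real directory data.
USERS = {
    "alice": {"uid": ["alice"],
              "manager": ["uid=bob,cn=users,cn=accounts,dc=example,dc=com"],
              "objectclass": ["person", "posixaccount"]},
    "jdoe": {"uid": ["jdoe"],
             "objectclass": ["person", "posixaccount", "ntUser"]},
    "svc-scan": {"uid": ["svc-scan"],
                 "manager": ["uid=bob,cn=users,cn=accounts,dc=example,dc=com"],
                 "objectclass": ["person", "posixaccount"]},
}
HOSTS = {
    "prod-web1.example.com": {"fqdn": ["prod-web1.example.com"]},
    "preprod-db1.example.com": {"fqdn": ["preprod-db1.example.com"]},
    "build.example.com": {"fqdn": ["build.example.com"]},
}


@dataclass
class Rule:
    """One automember rule: the target group and its conditions, written in
    the "attribute=regex" form that IdM prints back (e.g. "uid=.*")."""
    group: str
    inclusive: list = field(default_factory=list)
    exclusive: list = field(default_factory=list)

    @staticmethod
    def _match(entry, condition):
        key, _, regex = condition.partition("=")
        # Assumed semantics: unanchored search over every value of the
        # (possibly multi-valued) attribute; Python re stands in for PCRE.
        return any(re.search(regex, value) for value in entry.get(key, []))

    def includes(self, entry):
        # Exclusive conditions are evaluated first and win on conflict.
        if any(self._match(entry, c) for c in self.exclusive):
            return False
        return any(self._match(entry, c) for c in self.inclusive)


def groups_for(entry, rules, default_group=None):
    """Every group whose rule matches the entry; the fallback group if none does."""
    groups = [rule.group for rule in rules if rule.includes(entry)]
    if not groups and default_group:
        groups = [default_group]
    return groups


def rebuild(entries, rules, default_group=None, only=None):
    """Re-evaluate the rules over existing entries, like 'ipa automember-rebuild':
    over all entries, or only the names listed in `only`."""
    names = list(entries) if only is None else list(only)
    return {name: groups_for(entries[name], rules, default_group) for name in names}


# Rules modelled on Example 13.6 plus a constructed manager-based rule.
USER_RULES = [
    Rule("bob_reports", inclusive=["manager=uid=bob,"], exclusive=["uid=^svc-"]),
    Rule("ad_users", inclusive=["objectclass=^ntUser$"]),
]
# Over-broad pattern: "prod" also matches the preprod host.
BROAD_PROD = Rule("prod_hosts", inclusive=["fqdn=prod"])
# Anchored pattern: only names that start with "prod-".
TIGHT_PROD = Rule("prod_hosts", inclusive=["fqdn=^prod-"])
ALL_HOSTS = Rule("all_hosts", inclusive=["fqdn=.*"])   # as in Example 13.5

if __name__ == "__main__":
    print("users:", rebuild(USERS, USER_RULES, "default_user_group"))
    print("hosts (broad):", rebuild(HOSTS, [BROAD_PROD, ALL_HOSTS]))
    print("hosts (anchored):", rebuild(HOSTS, [TIGHT_PROD, ALL_HOSTS]))
```

Running the script shows svc-scan landing in default_user_group because the exclusive condition on uid overrides the inclusive manager match, and preprod-db1.example.com appearing in prod_hosts only under the unanchored pattern. Before you run ipa automember-rebuild against a production directory, dry-run new patterns against the entries that matter in the same way, then verify the result with ipa group-show or ipa hostgroup-show.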