Chapter 13. Managing User and Host Groups
13.1. How User and Host Groups Work in IdM
13.1.1. What User and Host Groups Are
13.1.2. Supported Group Members
User groups can contain:
- IdM users
- other IdM user groups
- external users, which are users that exist outside IdM
Host groups can contain:
- IdM servers and clients
- other IdM host groups
13.1.3. Direct and Indirect Group Members
Group attributes in IdM apply to both direct and indirect members: when group B is a member of group A, the users in group B are indirect members of group A. In the figure below:
- User 1 and User 2 are direct members of group A.
- User 3, User 4, and User 5 are indirect members of group A.
Indirect membership is effective membership. If a nested group is a member of the admins group, every user in the nested group holds administrative privileges, so review nested groups as well as direct members when you audit a sensitive group.
Figure 13.1. Direct and Indirect Group Membership
Example 13.1. Viewing Direct and Indirect Group Members
- Create two groups, group_A and group_B. See Section 13.2, “Adding and Removing User or Host Groups”.
- Add:
  - one user, user_1, as a member of group_A
  - another user, user_2, as a member of group_B
  - group_B as a member of group_A
- Display the members of group_A:
  - In the web UI: open the Groups page. From the individual group types listed in the side bar on the left, select the user groups, and click the name of group_A. Switch between Direct Membership and Indirect Membership.
  - From the command line: use the ipa group-show command:
    $ ipa group-show group_A
    ...
      Member users: user_1
      Member groups: group_B
      Indirect Member users: user_2
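The direct and indirect membership that Example 13.1 displays can also be derived from the text that ipa group-show prints. The script below is an added example, not code from the IdM documentation or the IdM project: it parses concatenated ipa group-show output for several groups, rebuilds the nesting graph from the Member users and Member groups lines only, and walks it to list every effective member of a group together with the chain of nested groups through which an indirect member is included. The group and user names, the GID values and the output text are constructed for the example; the Indirect Member lines that IdM prints are deliberately ignored so the result is computed independently of them. This is the check you want before trusting the membership of a group such as admins.

```python
"""Resolve direct and indirect IdM group membership from ``ipa group-show`` text.

Added example, not part of the IdM documentation or project. It rebuilds the
group nesting graph from the direct memberships that ``ipa group-show``
prints and computes effective membership itself.
"""
import sys
from collections import deque
from typing import Dict, List, Set, Tuple

# group name -> (direct member users, direct member groups)
GroupMap = Dict[str, Tuple[Set[str], Set[str]]]

# Constructed sample of ``ipa group-show`` output for three groups, concatenated
# (not captured from a real server). group_A nests group_B, which nests group_C,
# so user_2 and user_3 are indirect members of group_A.
SAMPLE_OUTPUT = """\
  Group name: group_A
  GID: 830400001
  Member users: user_1
  Member groups: group_B
  Indirect Member users: user_2, user_3
  Indirect Member groups: group_C

  Group name: group_B
  Member users: user_2
  Member groups: group_C

  Group name: group_C
  Member users: user_3
"""


def _split_values(value: str) -> Set[str]:
    """Split the comma-separated value list the ipa CLI prints."""
    return {item.strip() for item in value.split(",") if item.strip()}


def parse_group_show(text: str) -> GroupMap:
    """Build a GroupMap from concatenated ``ipa group-show`` output.

    Only ``Member users`` and ``Member groups`` lines are used. The
    ``Indirect Member ...`` lines are IdM's own computation and are ignored.
    """
    groups: GroupMap = {}
    current = None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # blank line or text without a "key: value" shape
        key, value = key.strip(), value.strip()
        if key == "Group name":
            current = value
            groups.setdefault(current, (set(), set()))
        elif current is None:
            continue
        elif key == "Member users":
            groups[current][0].update(_split_values(value))
        elif key == "Member groups":
            groups[current][1].update(_split_values(value))
    return groups


def effective_members(groups: GroupMap, name: str) -> Dict[str, List[str]]:
    """Return {user: chain} for every effective member of ``name``.

    ``chain`` is the list of groups from ``name`` down to the group holding the
    user directly, so a direct member's chain is just [name]. Breadth-first
    order keeps the shortest chain when a user is reachable several ways.
    """
    chains: Dict[str, List[str]] = {}
    visited: Set[str] = set()
    queue = deque([(name, [name])])
    while queue:
        group, chain = queue.popleft()
        if group in visited:  # diamond or cycle in the nesting: already walked
            continue
        visited.add(group)
        users, subgroups = groups.get(group, (set(), set()))
        for user in users:
            chains.setdefault(user, chain)
        for sub in sorted(subgroups):
            queue.append((sub, chain + [sub]))
    return chains


def direct_and_indirect(groups: GroupMap, name: str) -> Tuple[Set[str], Set[str]]:
    """Split effective members into direct and indirect, as ipa group-show does."""
    direct = set(groups.get(name, (set(), set()))[0])
    indirect = set(effective_members(groups, name)) - direct
    return direct, indirect


def report(groups: GroupMap, name: str) -> List[str]:
    """One line per effective member of ``name`` showing how it is included."""
    lines = []
    for user, chain in sorted(effective_members(groups, name).items()):
        kind = "direct" if len(chain) == 1 else "indirect"
        lines.append(f"{user}: {kind} via {' -> '.join(chain)}")
    return lines


if __name__ == "__main__":
    # Pipe real output in, e.g.:
    #   for g in admins group_B group_C; do ipa group-show "$g"; done | python3 members.py admins
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    target = sys.argv[1] if len(sys.argv) > 1 else "group_A"
    print("\n".join(report(parse_group_show(text), target)))
```

The script only sees the groups whose output you feed it, so collect ipa group-show output for every nested group (ipa group-show prints them under Member groups and Indirect Member groups) before reading the report; a group that is referenced but not supplied contributes no members. Run against the constructed sample it reports user_1 as direct and user_2 and user_3 as indirect via group_B and group_B -> group_C.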
13.1.4. User Group Types in IdM
- POSIX groups (the default)
- POSIX groups support POSIX attributes for their members. Note that groups that interact with Active Directory cannot use POSIX attributes.
- Non-POSIX groups
- All group members of this type of group must belong to the IdM domain.
- External groups
- External groups allow adding group members that exist in an identity store outside of the IdM domain. The external store can be a local system, an Active Directory domain, or a directory service.
Example 13.2. Searching for Different Types of User Groups
- Run the ipa group-find command to display all user groups.
- Run the ipa group-find --posix command to display all POSIX groups.
- Run the ipa group-find --nonposix command to display all non-POSIX groups.
- Run the ipa group-find --external command to display all external groups.
13.1.5. User and Host Groups Created by Default
Table 13.1. User and Host Groups Created by Default
|Group Name|User or Host|Default Group Members|
| |User group|All IdM users|
|admins|User group|Users with administrative privileges, initially the default administrative user|
| |User group|Users allowed to edit other IdM users in the web UI, without all the rights of an administrative user|
| |User group|Users with privileges to manage Active Directory trusts|
|ipaservers|Host group|All IdM server hosts|
Adding a user to the admins group grants the user administrative privileges. Do not delete the admins group: admins is a pre-defined group required by IdM, and deleting it causes problems with certain commands.
IdM servers are automatically added to the ipaservers host group. All hosts in ipaservers have the ability to promote themselves to an IdM server, so treat membership of this host group as a privileged grant and add a host only when you intend to install an IdM server on it.
By default, IdM also creates a user private group for every new user:
- The user private group has the same name as the user for which it was created.
- The user is the only member of the user private group.
- The GID of the user private group matches the UID of the user.
Example 13.3. Viewing User Private Groups
Run the ipa group-find --private command to display all user private groups:
$ ipa group-find --private
----------------
2 groups matched
----------------
  Group name: user1
  Description: User private group for user1
  GID: 830400006

  Group name: user2
  Description: User private group for user2
  GID: 830400004
----------------------------
Number of entries returned 2
----------------------------