11.2. User Life Cycle

Identity Management supports three user account states: stage, active, and preserved.
  • Stage users are not allowed to authenticate. This is an initial state. Some of the user account properties required for active users might not yet be set.
  • Active users are allowed to authenticate. All required user account properties must be set in this state.
  • Preserved users are former active users. They are considered inactive and cannot authenticate to IdM. Preserved users retain most of the account properties they had as active users, but they are not part of any user groups.

    Note

    The list of users in the preserved state can provide a history of past user accounts.
User entries can also be permanently deleted from the IdM database. Deleting a user entry permanently removes the entry itself and all its information from IdM, including group memberships and passwords. Any external configuration for the user, such as the system account and home directory, is not deleted, but is no longer accessible through IdM.

Important

Deleted user accounts cannot be restored. When you delete a user account, all the information associated with the account is lost permanently.
A new administrator user can only be created by another administrator, such as the default admin user. If you accidentally delete all administrator accounts, the Directory Manager must create a new administrator manually in the Directory Server.

Warning

Do not delete the admin user. As admin is a pre-defined user required by IdM, this operation causes problems with certain commands. If you want to define and use an alternative admin user, rather disable the pre-defined admin user with ipa user-disable admin after you granted admin permissions to at least one different user.

User Life Cycle Management Operations

To manage user provisioning, the administrator can move user accounts from one state to another. New user accounts can be added as either active or stage, but not as preserved.
IdM supports the following operations for user life cycle management:
stage → active
When an account in the stage state is ready to be properly activated, the administrator moves it to the active state.
active → preserved
After the user leaves the company, the administrator moves the account to the preserved state.
preserved → active
A former user joins the company again. The administrator restores the user account by moving it from the preserved state back to the active state.
preserved → stage
A former user is planning to join the company again. The administrator moves the account from the preserved state to the stage state to prepare the account for later reactivation.
You can also permanently delete active, stage, and preserved users from IdM. Note that you cannot move stage users to the preserved state, you can only delete them permanently.
User Life Cycle Operations

Figure 11.1. User Life Cycle Operations

11.2.1. Adding Stage or Active Users

Adding Users in the Web UI

  1. Select the IdentityUsers tab.
  2. Select the Active users or Stage users category, depending on whether you want to add a user in the active or stage state.
    Selecting User Category

    Figure 11.2. Selecting User Category

    For more information about the active or stage user life cycle states, see Section 11.2, “User Life Cycle”.
  3. Click Add at the top of the users list.
    Adding a User

    Figure 11.3. Adding a User

  4. Fill in the Add User form.
    Note that if you do not set a user login manually, IdM generates the login automatically based on the specified first name and last name.
  5. Click Add.
    Alternatively, click Add and Add Another to start adding another user or Add and Edit to start editing the new user entry. For information on editing user entries, see Section 11.3, “Editing Users”.

Adding Users from the Command Line

To add a new user in the active state, use the ipa user-add command. To add a new user in the stage state, use the ipa stageuser-add command.

Note

For more information about the active or stage user life cycle states, see Section 11.2, “User Life Cycle”.
When run without any options, ipa user-add and ipa stageuser-add prompt you for the minimum required user attributes and use default values for the other attributes. Alternatively, you can add options specifying various attributes directly to the commands.
In the interactive session, after you run the command without any options, IdM proposes an automatically generated user login based on the provided first name and last name and displays it in brackets ([ ]). To accept the default login, confirm by pressing Enter. To specify a custom login, do not confirm the default and specify the custom login instead. 
$ ipa user-add
First name: first_name
Last name: last_name
User login [default_login]: custom_login
Adding options to ipa user-add and ipa stageuser-add enables you to define custom values for many of the user attributes. This means that you can specify more information than in the interactive session. For example, to add a stage user: 
$ ipa stageuser-add stage_user_login --first=first_name --last=last_name --email=email_address
For a complete list of options accepted by ipa user-add and ipa stageuser-add, run the commands with the --help option added.

11.2.1.1. User Name Requirements

IdM supports user names that can be described by the following regular expression: 
[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?

Note

User names ending with the trailing dollar sign ($) are supported to enable Samba 3.x machine support.
If you add a user whose user name contains uppercase characters, IdM automatically converts the name to lowercase when saving it. Therefore, IdM always requires users to enter their user names all lowercase when logging in. Additionally, it is not possible to add users whose user names only differ in letter casing, such as user and User.
The default maximum length for user names is 32 characters. To change it, use the ipa config-mod --maxusername command. For example, to increase the maximum user name length to 64 characters: 
$ ipa config-mod --maxusername=64
  Maximum username length: 64
  ...

11.2.1.2. Defining a Custom UID or GID Number

If you add a new user entry without specifying a custom UID or GID number, IdM automatically assigns an ID number that is next available in the ID range. This means that users' ID numbers are always unique. For more information about ID ranges, see Chapter 14, Unique UID and GID Number Assignments.
When you specify a custom ID number, the server does not validate whether the custom ID number is unique. Due to this, multiple user entries might have the same ID number assigned. Red Hat recommends to prevent having multiple entries with the same ID number.

11.2.2. Listing Users and Searching for Users

Listing Users in the Web UI

  1. Select the IdentityUsers tab.
  2. Select the Active users, Stage users, or Preserved users category.
    Listing Users

    Figure 11.4. Listing Users

Displaying Information About a User in the Web UI

To display detailed information about a user, click the name of the user in the list of users:
Displaying User Information

Figure 11.5. Displaying User Information

Listing Users from the Command Line

To list all active users run the ipa user-find command. To list all stage users, use the ipa stageuser-find command. To list preserved users, run the ipa user-find --preserved=true command.
For example: 
$ ipa user-find
---------------
23 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1453200000
  GID: 1453200000
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: user
...
By adding options and arguments to ipa user-find and ipa stageuser-find, you can define the search criteria and filter the search results. For example, to display all active users with a specific title defined: 
$ ipa user-find --title=user_title
---------------
2 users matched
---------------
  User login: user
...
  Job Title: Title
...

  User login: user2
...
  Job Title: Title
...
Similarly, to display all stage users whose login contains user: 
$ ipa user-find user
---------------
3 users matched
---------------
User login: user
...

User login: user2
...

User login: user3
...
For a complete list of options accepted by ipa user-find and ipa stageuser-find, run the commands with the --help option added.

Displaying Information about a User from the Command Line

To display information about an active or preserved user, use the ipa user-show command: 
$ ipa user-show user_login
  User login: user_login
  First name: first_name
  Last name: last_name
...
To display information about a stage user, use the ipa stageuser-show command:

11.2.3. Activating, Preserving, Deleting, and Restoring Users

This section describes moving user accounts between different user life cycle states. For details on the life cycle states in IdM, see Section 11.2, “User Life Cycle”.

Managing User Life Cycle in the Web UI

To activate a stage user:
  • In the Stage users list, select the user to activate, and click Activate.
    Activating a User

    Figure 11.6. Activating a User

To preserve or delete a user:
  1. In the Active users or Stage users lists, select the user. Click Delete.
    Deleting a User

    Figure 11.7. Deleting a User

  2. If you selected an active user, select delete or preserve. If you selected a stage user, you can only delete the user. The default UI option is delete.
    For example, to preserve an active user:
    Selecting the Delete Mode in the Web UI

    Figure 11.8. Selecting the Delete Mode in the Web UI

    To confirm, click the Delete button.
To restore a preserved user:
  • In the Preserved users list, select the user to restore, and click Restore.
    Restoring a User

    Figure 11.9. Restoring a User

Note

Restoring a user does not restore all of the account's previous attributes. For example, the user's password is not restored and must be defined again.
Note that in the web UI, it is not possible to move a user from the preserved state to the stage state.

Managing User Life Cycle from the Command Line

To activate a user account by moving it from stage to active, use the ipa stageuser-activate command. 
$ ipa stageuser-activate user_login
-------------------------
Stage user user_login activated
-------------------------
...
To preserve or delete a user account, use the ipa user-del or ipa stageuser-del commands.
  • To remove an active user permanently from the IdM database, run ipa user-del without any options. 
    $ ipa user-del user_login
--------------------
Deleted user "user3"
--------------------
  • To preserve an active user account, run ipa user-del with the --preserve option. 
    $ ipa user-del --preserve user_login
--------------------
Deleted user "user_login"
--------------------
  • To remove a stage user permanently from the IdM database, run ipa stageuser-del. 
    $ ipa stageuser-del user_login
--------------------------
Deleted stage user "user_login"
--------------------------

Note

When deleting multiple users, use the --continue option to force the command to continue regardless of errors. A summary of the successful and failed operations is printed to the stdout standard output stream when the command completes. 
$ ipa user-del --continue user1 user2 user3
If --continue is not used, the command proceeds with deleting users until it encounters an error, after which it stops and exits.
To restore a preserved user account by moving it from preserved to active, use the ipa user-undel command. 
$ ipa user-undel user_login
------------------------------
Undeleted user account "user_login"
------------------------------
To restore a preserved user account by moving it from preserved to stage, use the ipa user-stage command. 
$ ipa user-stage user_login
------------------------------
Staged user account "user_login"
------------------------------

Note

Restoring a user account does not restore all of the account's previous attributes. For example, the user's password is not restored and must be defined again.
For more information about these commands and the options they accept, run them with the --help option added.