11.2. User Life Cycle
- Stage users are not allowed to authenticate. This is an initial state. Some of the user account properties required for active users might not yet be set.
- Active users are allowed to authenticate. All required user account properties must be set in this state.
- Preserved users are former active users. They are considered inactive and cannot authenticate to IdM. Preserved users retain most of the account properties they had as active users, but they are not part of any user groups.
Note
The list of users in the preserved state can provide a history of past user accounts.
Important
admin user. If you accidentally delete all administrator accounts, the Directory Manager must create a new administrator manually in the Directory Server.
User Life Cycle Management Operations
active or stage, but not as preserved.
- stage → active: When an account in the stage state is ready to be properly activated, the administrator moves it to the active state.
- active → preserved: After the user leaves the company, the administrator moves the account to the preserved state.
- preserved → active: A former user joins the company again. The administrator restores the user account by moving it from the preserved state back to the active state.
- preserved → stage: A former user is planning to join the company again. The administrator moves the account from the preserved state to the stage state to prepare the account for later reactivation.
preserved state, you can only delete them permanently.

Figure 11.1. User Life Cycle Operations
11.2.1. Adding Stage or Active Users
Adding Users in the Web UI
- Select the→ tab.
- Select the Active users or Stage users category, depending on whether you want to add a user in the active or stage state.
Figure 11.2. Selecting User Category
For more information about the active or stage user life cycle states, see Section 11.2, “User Life Cycle”.
- Click Add at the top of the users list.
Figure 11.3. Adding a User
- Fill in the Add User form. Note that if you do not set a user login manually, IdM generates the login automatically based on the specified first name and last name.
- Click. Alternatively, click to start adding another user or to start editing the new user entry. For information on editing user entries, see Section 11.3, “Editing Users”.
Adding Users from the Command Line
To add a new user in the active state, use the ipa user-add command. To add a new user in the stage state, use the ipa stageuser-add command.
Note
For more information about the active or stage user life cycle states, see Section 11.2, “User Life Cycle”.
ipa user-add and ipa stageuser-add prompt you for the minimum required user attributes and use default values for the other attributes. Alternatively, you can add options specifying various attributes directly to the commands.
$ ipa user-add
First name: first_name
Last name: last_name
User login [default_login]: custom_login
ipa user-add and ipa stageuser-add enables you to define custom values for many of the user attributes. This means that you can specify more information than in the interactive session. For example, to add a stage user:
$ ipa stageuser-add stage_user_login --first=first_name --last=last_name --email=email_address
ipa user-add and ipa stageuser-add, run the commands with the --help option added.
11.2.1.1. User Name Requirements
[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?
Note
user and User.
ipa config-mod --maxusername command. For example, to increase the maximum user name length to 64 characters:
$ ipa config-mod --maxusername=64
Maximum username length: 64
...
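A pre-flight check for logins before they are passed to ipa user-add or ipa stageuser-add, as an added Python example that is not part of the Red Hat guide. It applies the pattern above and a length limit; the function name `check_logins`, the 64-character limit (the page's example value) and the case-insensitive collision rule suggested by the `user`/`User` note are assumptions, and the sample logins are constructed.

```python
import re

# Pattern copied from this section. fullmatch() anchors it at both ends and,
# unlike a trailing "$" anchor, does not tolerate a final newline.
IDM_LOGIN_RE = re.compile(r"[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?")


def check_logins(candidates, existing=(), max_len=64):
    """Return {login: reason} for every candidate that should be rejected.

    max_len stands for the value set with `ipa config-mod --maxusername`
    (64 is the page's example value, used here as an assumed setting).
    """
    # Assumption: logins that differ only in letter case collide.
    taken = {name.lower() for name in existing}
    rejected = {}
    for login in candidates:
        if len(login) > max_len:
            rejected[login] = "longer than maxusername"
        elif not IDM_LOGIN_RE.fullmatch(login):
            rejected[login] = "does not match the user name pattern"
        elif login.lower() in taken:
            rejected[login] = "collides with an existing login (case-insensitive)"
        else:
            taken.add(login.lower())
    return rejected


# Constructed sample input, not taken from a real directory.
SAMPLE = ["jsmith", "User", "host01$", "pay$roll", "-ops", "j.doe\n", "a" * 65]

if __name__ == "__main__":
    for login, reason in check_logins(SAMPLE, existing=["user"]).items():
        print(f"{login!r}: {reason}")
```

The pattern allows `$` only as the last character and never allows a leading `-`, so a validated login cannot be mistaken for a command-line option.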
11.2.1.2. Defining a Custom UID or GID Number
11.2.2. Listing Users and Searching for Users
Listing Users in the Web UI
- Select the→ tab.
- Select the Active users, Stage users, or Preserved users category.
Figure 11.4. Listing Users
Displaying Information About a User in the Web UI

Figure 11.5. Displaying User Information
Listing Users from the Command Line
To list all active users, use the ipa user-find command. To list all stage users, use the ipa stageuser-find command. To list preserved users, run the ipa user-find --preserved=true command.
$ ipa user-find
---------------
23 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1453200000
  GID: 1453200000
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: user
  ...
ipa user-find and ipa stageuser-find, you can define the search criteria and filter the search results. For example, to display all active users with a specific title defined:
$ ipa user-find --title=user_title
---------------
2 users matched
---------------
  User login: user
  ...
  Job Title: Title
  ...

  User login: user2
  ...
  Job Title: Title
  ...
user:
$ ipa user-find user
---------------
3 users matched
---------------
  User login: user
  ...

  User login: user2
  ...

  User login: user3
  ...
ipa user-find and ipa stageuser-find, run the commands with the --help option added.
Displaying Information about a User from the Command Line
ipa user-show command:
$ ipa user-show user_login
  User login: user_login
  First name: first_name
  Last name: last_name
  ...
ipa stageuser-show command:
11.2.3. Activating, Preserving, Deleting, and Restoring Users
Managing User Life Cycle in the Web UI
- In the Stage users list, select the user to activate, and click .
Figure 11.6. Activating a User
- In the Active users or Stage users lists, select the user. Click .
Figure 11.7. Deleting a User
- If you selected an active user, select delete or preserve. If you selected a stage user, you can only delete the user. The default UI option is delete. For example, to preserve an active user:
Figure 11.8. Selecting the Delete Mode in the Web UI
To confirm, click the button.
- In the Preserved users list, select the user to restore, and click .
Figure 11.9. Restoring a User
Note
preserved state to the stage state.
Managing User Life Cycle from the Command Line
stage to active, use the ipa stageuser-activate command.
$ ipa stageuser-activate user_login
-------------------------
Stage user user_login activated
-------------------------
...
ipa user-del or ipa stageuser-del commands.
- To remove an active user permanently from the IdM database, run ipa user-del without any options.
$ ipa user-del user_login
--------------------
Deleted user "user3"
--------------------
- To preserve an active user account, run ipa user-del with the --preserve option.
$ ipa user-del --preserve user_login
--------------------
Deleted user "user_login"
--------------------
- To remove a stage user permanently from the IdM database, run ipa stageuser-del.
$ ipa stageuser-del user_login
--------------------------
Deleted stage user "user_login"
--------------------------
Note
--continue option to force the command to continue regardless of errors. A summary of the successful and failed operations is printed to the stdout standard output stream when the command completes.
$ ipa user-del --continue user1 user2 user3
--continue is not used, the command proceeds with deleting users until it encounters an error, after which it stops and exits.
preserved to active, use the ipa user-undel command.
$ ipa user-undel user_login
------------------------------
Undeleted user account "user_login"
------------------------------
preserved to stage, use the ipa user-stage command.
$ ipa user-stage user_login
------------------------------
Staged user account "user_login"
------------------------------
Note
--help option added.
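The state changes and commands from this section, written as an added Python example (not part of the Red Hat guide) that plans offboarding for a list of leavers without running anything. The `directory` mapping, the `deleted` pseudo-state, the function names and the sample logins are constructed for illustration.

```python
# Commands named in this section for each supported change of state.
# "deleted" is a pseudo-state used here for permanent removal.
MOVES = {
    ("stage", "active"): ["ipa", "stageuser-activate"],
    ("active", "preserved"): ["ipa", "user-del", "--preserve"],
    ("preserved", "active"): ["ipa", "user-undel"],
    ("preserved", "stage"): ["ipa", "user-stage"],
    ("active", "deleted"): ["ipa", "user-del"],
    ("stage", "deleted"): ["ipa", "stageuser-del"],
}


def command_for(login, src, dst):
    """Return the argv for moving login from src to dst, or raise ValueError."""
    if (src, dst) not in MOVES:
        raise ValueError(f"no supported move {src} -> {dst}")
    # An argv list: the login is never interpolated into a shell string.
    return MOVES[(src, dst)] + [login]


def plan_offboarding(leavers, directory):
    """Return (commands, notes) so that no leaver can authenticate.

    directory maps login -> "active" | "stage" | "preserved" (hypothetical
    inventory, for example built from the three user-find listings).
    """
    commands, notes = [], []
    for login in sorted(leavers):
        state = directory.get(login)
        if state == "active":
            # Preserve instead of delete: authentication stops and group
            # membership is dropped, but the entry remains as history.
            commands.append(command_for(login, "active", "preserved"))
        elif state == "stage":
            # Stage users cannot be preserved; deletion is the only exit.
            commands.append(command_for(login, "stage", "deleted"))
        elif state == "preserved":
            notes.append(f"{login}: already preserved")
        else:
            notes.append(f"{login}: not found in any life cycle state")
    return commands, notes


# Constructed sample data.
DIRECTORY = {"asmith": "active", "bjones": "stage", "cwu": "preserved", "dlee": "active"}
LEAVERS = {"asmith", "bjones", "cwu", "eroy"}
```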