Procedure

1. To log in to IdM

   • under the user name of the user who is currently logged in on the local system, use kinit without specifying a user name. For example, if you are logged in as example_user on the local system:

     [example_user@server ~]$ kinit
     Password for example_user@EXAMPLE.COM:
     [example_user@server ~]$

     If the user name of the local user does not match any user entry in IdM, the authentication attempt fails:

     [example_user@server ~]$ kinit
     kinit: Client 'example_user@EXAMPLE.COM' not found in Kerberos database while getting initial credentials

   • using a Kerberos principal that does not correspond to your local user name, pass the required user name to the kinit utility. For example, to log in as the admin user:

     [example_user@server ~]$ kinit admin
     Password for admin@EXAMPLE.COM:
     [example_user@server ~]$

2. Optionally, to verify that the login was successful, use the klist utility to display the cached TGT. In the following example, the cache contains a ticket for the example_user principal, which means that on this particular host, only example_user is currently allowed to access IdM services:

   $ klist
   Ticket cache: KEYRING:persistent:0:0
   Default principal: example_user@EXAMPLE.COM
   
   Valid starting     	Expires            	Service principal
   11/10/2019 08:35:45  	11/10/2019 18:35:45  	krbtgt/EXAMPLE.COM@EXAMPLE.COM

Procedure

1. To destroy your Kerberos ticket:

   [example_user@server ~]$ kdestroy

2. Optionally, to check that the Kerberos ticket has been destroyed:

   [example_user@server ~]$ klist
   klist: Credentials cache keyring 'persistent:0:0' not found

Procedure

1. Copy the /etc/krb5.conf file from the IdM server to the external system. For example:

   # scp /etc/krb5.conf root@externalsystem.example.com:/etc/krb5_ipa.conf

   Warning

   Do not overwrite the existing krb5.conf file on the external system.

2. On the external system, set the terminal session to use the copied IdM Kerberos configuration file:

   $ export KRB5_CONFIG=/etc/krb5_ipa.conf

   The KRB5_CONFIG variable exists only temporarily until you log out. To prevent this loss, export the variable with a different file name.

3. Copy the Kerberos configuration snippets from the /etc/krb5.conf.d/ directory to the external system.

Procedure

1. Open terminal and connect to the IdM server.

2. Enter ipa help topics to display a list of topics covered by help.

   $ ipa help topics

3. Select one of the topics and create a command according to the following pattern: ipa help [topic_name], instead of the topic_name string, add one of the topics you listed in the previous step.

   In the example, we use the following topic: user

   $ ipa help user

4. If the IPA help command is too long and you cannot see the whole text, use the following syntax:

   $ ipa help user | less

   You can then scroll down and read the whole help.

Procedure

1. Open terminal and connect to the IdM server.

2. Enter ipa help commands to display a list of commands covered by help.

   $ ipa help commands

3. Select one of the commands and create a help command according to the following pattern: ipa help <COMMAND>, instead of the <COMMAND> string, add one of the commands you listed in the previous step.

   $ ipa help user-add

Procedure

1. Open terminal and connect to the IdM server.

2. Enter the command for adding a new user:

   $ ipa user-add

   The command runs a script where you can add basic data necessary for creating a user account.

3. In the First name: field, enter the first name of the new user and press the Enter key.
4. In the Last name: field, enter the last name of the new user and press the Enter key.

5. In the User login [suggested user name]: enter the user name or just press the Enter key if the suggested user name works for you.

   User name must be unique for the whole IdM database. If an error occurs, that the user already exists, you need to start from the beginning with the ipa user-add command and try a different user name.

Procedure

1. Open terminal and connect to the IdM server.

2. Enter the command for adding a password:

   $ ipa user-mod euser --password

   The command runs a script where you can add the new password.

3. Enter the new password and press the Enter key.

Procedure

1. Type an IdM server URL into the browser address bar. The name will look similarly to the following example:

   https://server.example.com

   You just need to change server.example.com with a DNS name of your IdM server.

   This opens the IdM Web UI login screen in your browser.

   

   • If the server does not respond or the login screen does not open, check the DNS settings on the IdM server to which you are connecting.

   • If you use a self-signed certificate, the browser issues a warning. Check the certificate and accept the security exception to proceed with the login.

     To avoid security exceptions, install a certificate signed by a certificate authority.

2. On the Web UI login screen, enter the administrator account credentials you added during the IdM server installation.

   For details, see Installing an Identity Management server: With integrated DNS, with an integrated CA.

   You can enter your personal account credentials as well if they are already entered in the IdM server.

   

3. Click Log in.

Procedure

1. To log in to IdM

   • under the user name of the user who is currently logged in on the local system, use kinit without specifying a user name. For example, if you are logged in as example_user on the local system:

     [example_user@server ~]$ kinit
     Password for example_user@EXAMPLE.COM:
     [example_user@server ~]$

     If the user name of the local user does not match any user entry in IdM, the authentication attempt fails:

     [example_user@server ~]$ kinit
     kinit: Client 'example_user@EXAMPLE.COM' not found in Kerberos database while getting initial credentials

   • using a Kerberos principal that does not correspond to your local user name, pass the required user name to the kinit utility. For example, to log in as the admin user:

     [example_user@server ~]$ kinit admin
     Password for admin@EXAMPLE.COM:
     [example_user@server ~]$

2. Optionally, to verify that the login was successful, use the klist utility to display the cached TGT. In the following example, the cache contains a ticket for the example_user principal, which means that on this particular host, only example_user is currently allowed to access IdM services:

   $ klist
   Ticket cache: KEYRING:persistent:0:0
   Default principal: example_user@EXAMPLE.COM
   
   Valid starting     	Expires            	Service principal
   11/10/2019 08:35:45  	11/10/2019 18:35:45  	krbtgt/EXAMPLE.COM@EXAMPLE.COM

Procedure

1. Open the IdM Web UI login dialog in your web browser.

2. Click the link for browser configuration on the Web UI login screen.

   

3. Follow the steps on the configuration page.

   

Procedure

1. Copy the /etc/krb5.conf file from the IdM server to the external system. For example:

   # scp /etc/krb5.conf root@externalsystem.example.com:/etc/krb5_ipa.conf

   Warning

   Do not overwrite the existing krb5.conf file on the external system.

2. On the external system, set the terminal session to use the copied IdM Kerberos configuration file:

   $ export KRB5_CONFIG=/etc/krb5_ipa.conf

   The KRB5_CONFIG variable exists only temporarily until you log out. To prevent this loss, export the variable with a different file name.

3. Copy the Kerberos configuration snippets from the /etc/krb5.conf.d/ directory to the external system.
4. Configure the browser on the external system, as described in Section 6.3, “Configuring the browser for Kerberos authentication”.

Procedure

1. Log in to the IdM Web UI with your username and password.

2. Open the Identity → Users → Active users tab.

   

3. Click your username to open the user settings.
4. In the User authentication types, select Two factor authentication (password + OTP).
5. Click Save.

Procedure

1. Log in to the IdM Web UI with your user name and password.
2. To create the token in your mobile phone, open the Authentication → OTP Tokens tab.

3. Click Add.

   

4. In the Add OTP token dialog box, leave everything unfilled and click Add.

   At this stage, the IdM server creates a token with default parameters at the server and opens a page with a QR code.

5. Copy the QR code into your mobile phone.
6. Click OK to close the QR code.

Procedure

1. In the Identity Management login screen, enter your user name or a user name of the IdM server administrator account.
2. Add the password for the user name entered above.
3. Generate a one time password on your device.
4. Enter the one time password right after the password (without space).

5. Click Log in.

   If the authentication fails, synchronize OTP tokens.

   If your CA uses a self-signed certificate, the browser issues a warning. Check the certificate and accept the security exception to proceed with the login.

   If the the IdM Web UI does not open, verify the DNS configuration of your Identity Management server.

Procedure

1. On the IdM Web UI login screen, click Sync OTP Token.

   

2. In the login screen, enter your username and the Identity Management password.
3. Generate one time password and enter it in the First OTP field.
4. Generate another one time password and enter it in the Second OTP field.

5. Optionally, enter the token ID.

   

6. Click Sync OTP Token.

Procedure

1. In the password expiration login screen, enter the user name.
2. Add the password for the user name entered above.

3. In the OTP field, generate a one time password, if you use the one time password authentication.

   If you do not have enabled the OTP authentication, leave the field empty.

4. Enter the new password twice for verification.

5. Click Reset Password.

   

1. The getent command triggers the getpwnam call from the libc library.
2. The libc library references the /etc/nsswitch.conf configuration file to check which service is responsible for providing user information, and discovers the entry sss for the SSSD service.
3. The libc library opens the nss_sss module.
4. The nss_sss module checks the memory-mapped cache for the user information. If the data is present in the cache, the nss_sss module returns it.
5. If the user information is not in the memory-mapped cache, the request is passed to the SSSD sssd_nss responder process.
6. The SSSD service checks its cache. If the data is present in the cache and valid, the sssd_nss responder reads the data from the cache and returns it to the application.
7. If the data is not present in the cache or it is expired, the sssd_nss responder queries the appropriate back-end process and waits for a reply. The SSSD service uses the IPA backend in an IdM environment, enabled by the setting id_provider=ipa in the sssd.conf configuration file.
8. The sssd_be back-end process connects to the IdM server and requests the information from the IdM LDAP Directory Server.
9. The SSSD back-end on the IdM server responds to the SSSD back-end process on the IdM client.
10. The SSSD back-end on the client stores the resulting data in the SSSD cache and alerts the responder process that the cache has been updated.
11. The sssd_nss front-end responder process retrieves the information from the SSSD cache.
12. The sssd_nss responder sends the user information to the nss_sss responder, completing the request.
13. The libc library returns the user information to the application that requested it.

1. The IdM client looks to its local SSSD cache for AD user information.
2. If the IdM client does not have the user information, or the information is stale, the SSSD service on the client contacts the extdom_extop plugin on the IdM server to perform an LDAP extended operation and requests the information.
3. The SSSD service on the IdM server looks for the AD user information in its local cache.
4. If the IdM server does not have the user information in its SSSD cache, or its information is stale, it performs an LDAP search to request the user information from an AD Domain Controller.
5. The SSSD service on the IdM server receives the AD user information from the AD domain controller and stores it in its cache.
6. The extdom_extop plugin receives the information from the SSSD service on the IdM server, which completes the LDAP extended operation.
7. The SSSD service on the IdM client receives the AD user information from the LDAP extended operation.
8. The IdM client stores the AD user information in its SSSD cache and returns the information to the application that requested it.

1. The authentication attempt with the ssh command triggers the libpam library.

2. The libpam library references the PAM file in the /etc/pam.d/ directory that corresponds to the service requesting the authentication attempt. In this example involving authenticating via the SSH service on the local host, the libpam library checks the /etc/pam.d/system-auth configuration file and discovers the pam_sss.so entry for the SSSD PAM:

   auth    sufficient    pam_sss.so

3. To determine which authentication methods are available, the libpam library opens the pam_sss module and sends an SSS_PAM_PREAUTH request to the sssd_pam PAM responder of the SSSD service.
4. If smart card authentication is configured, the SSSD service spawns a temporary p11_child process to check for a smart card and retrieve certificates from it.
5. If smart card authentication is configured for the user, the sssd_pam responder attempts to match the certificate from the smart card with the user. The sssd_pam responder also performs a search for the groups that the user belongs to, since group membership might affect access control.
6. The sssd_pam responder sends an SSS_PAM_PREAUTH request to the sssd_be back-end responder to see which authentication methods the server supports, such as passwords or 2-factor authentication. In an IdM environment, where the SSSD service uses the IPA responder, the default authentication method is Kerberos. For this example, the user authenticates with a simple Kerberos password.
7. The sssd_be responder spawns a temporary krb5_child process.
8. The krb5_child process contacts the KDC on the IdM server and checks for available authentication methods.

9. The KDC responds to the request:

   1. The krb5_child process evaluates the reply and sends the results back to the sssd_be backend process.
   2. The sssd_be backend process receives the result.
   3. The sssd_pam responder receives the result.
   4. The pam_sss module receives the result.
10. If password authentication is configured for the user, the pam_sss module prompts the user for their password. If smart card authentication is configured, the pam_sss module prompts the user for their smart card PIN.

11. The module sends an SSS_PAM_AUTHENTICATE request with the user name and password, which travels to:

    1. The sssd_pam responder.
    2. The sssd_be back-end process.
12. The sssd_be process spawns a temporary krb5_child process to contact the KDC.
13. The krb5_child process attempts to retrieve a Kerberos Ticket Granting Ticket (TGT) from the KDC with the user name and password the user provided.
14. The krb5_child process receives the result of the authentication attempt.

15. The krb5_child process:

    1. Stores the TGT in a credential cache.
    2. Returns the authentication result to the sssd_be back-end process.

16. The authentication result travels from the sssd_be process to:

    1. The sssd_pam responder.
    2. The pam_sss module.
17. The pam_sss module sets an environment variable with the location of the user’s TGT so other applications can reference it.

Procedure

1. Verify that the SSSD service and its processes are running.

   [root@client ~]# pstree -a | grep sssd
     |-sssd -i --logger=files
     |   |-sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
     |   |-sssd_be --domain example.com --uid 0 --gid 0 --logger=files
     |   |-sssd_ifp --uid 0 --gid 0 --logger=files
     |   |-sssd_nss --uid 0 --gid 0 --logger=files
     |   |-sssd_pac --uid 0 --gid 0 --logger=files
     |   |-sssd_pam --uid 0 --gid 0 --logger=files
     |   |-sssd_ssh --uid 0 --gid 0 --logger=files
     |   `-sssd_sudo --uid 0 --gid 0 --logger=files
     |-sssd_kcm --uid 0 --gid 0 --logger=files

2. Verify that the client can contact the user database server via the IP address.

   [user@client ~]$ ping <IP_address_of_the_database_server>

   If this step fails, check that your network and firewall settings allow direct communication between IdM clients and servers. See Using and configuring firewalld.

3. Verify that the client can discover and contact the IdM LDAP server (for IdM users) or AD domain controller (for AD users) via the fully qualified host name.

   [user@client ~]$ dig -t SRV _ldap._tcp.example.com @<name_server>
   [user@client ~]$ ping <fully_qualified_host_name_of_the_server>

   If this step fails, check your Dynamic Name Service (DNS) settings, including the /etc/resolv.conf file. See Configuring the order of DNS servers.

   Note

   By default, the SSSD service attempts to automatically discover LDAP servers and AD DCs through DNS service (SRV) records. Alternatively, you can restrict the SSSD service to use specific servers by setting the following options in the sssd.conf configuration file:

   • ipa_server = <fully_qualified_host_name_of_the_server>
   • ad_server = <fully_qualified_host_name_of_the_server>
   • ldap_uri = <fully_qualified_host_name_of_the_server>

   If you use these options, verify you can contact the servers listed in them.

4. Verify that the client can authenticate to the LDAP server and retrieve user information with ldapsearch commands.

   1. If your LDAP server is an IdM server, like server.example.com, retrieve a Kerberos ticket for the host and perform the database search authenticating with the host Kerberos principal:

      [user@client ~]$ kinit -t 'host/client.example.com@EXAMPLE.COM'
      [user@client ~]$ ldapsearch -LLL -Y GSSAPI -h server.example.com -b “dc=example,dc=com” uid=<user_name>

   2. If your LDAP server is an Active Directory (AD) Domain Controller (DC), like server.ad.example.com, retrieve a Kerberos ticket for the host and perform the database search authenticating with the host Kerberos principal:

      [user@client ~]$ kinit -t 'CLIENT$@AD.EXAMPLE.COM'
      [user@client ~]$ ldapsearch -LLL -Y GSSAPI -h server.ad.example.com -b “dc=example,dc=com” sAMAccountname=<user_name>

   3. If your LDAP server is a plain LDAP server, and you have set the ldap_default_bind_dn and ldap_default_authtok options in the sssd.conf file, authenticate as the same ldap_default_bind_dn account:

      [user@client ~]$ ldapsearch -xLLL -D "cn=ldap_default_bind_dn_value" -W -h ldapserver.example.com -b “dc=example,dc=com” uid=<user_name>

   If this step fails, verify that your database settings allow your host to search the LDAP server.

5. Since the SSSD service uses Kerberos encryption, verify you can obtain a Kerberos ticket as the user that is unable to log in.

   1. If your LDAP server is an IdM server:

      [user@client ~]$ kinit <user_name>

   2. If LDAP server database is an AD server:

      [user@client ~]$ kinit <user_name@AD.EXAMPLE.COM>

   If this step fails, verify that your Kerberos server is operating properly, all servers have their times synchronized, and that the user account is not locked.

6. Verify you can retrieve user information on the command line.

   [user@client ~]$ getent passwd <user_name>
   [user@client ~]$ id <user_name>

   If this step fails, verify that the SSSD service on the client can receive information from the user database. .. Review errors in the /var/log/messages log file. .. Enable detailed logging in the SSSD service, collect debugging logs, and review the logs for indications to the source of the issue. .. (Optional) Open a Red Hat Technical Support case and provide the troubleshooting information you have gathered.

7. Use the sssctl utility to verify the user is allowed to log in.

   [user@client ~]$ sssctl user-checks -a auth -s ssh <user_name>

   If this step fails, verify your authorization settings, such as your PAM configuration, IdM HBAC rules, and IdM RBAC rules. .. Review authorization errors in the /var/log/secure and /var/log/messages log files. .. Enable detailed logging in the SSSD service, collect debugging logs, and review the logs for indications to the source of the issue. .. (Optional) Open a Red Hat Technical Support case and provide the troubleshooting information you have gathered.

Procedure

1. Open the /etc/sssd/sssd.conf file in a text editor.

2. Add the debug_level option to every section of the file, and set the debug level to the verbosity of your choice.

   [domain/example.com]
   debug_level = 6
   id_provider = ipa
   ...
   
   [sssd]
   debug_level = 6
   services = nss, pam, ifp, ssh, sudo
   domains = example.com
   
   [nss]
   debug_level = 6
   
   [pam]
   debug_level = 6
   
   [sudo]
   debug_level = 6
   
   [ssh]
   debug_level = 6
   
   [pac]
   debug_level = 6
   
   [ifp]
   debug_level = 6

3. Save and close the sssd.conf file.

4. Restart the SSSD service to load the new configuration settings.

   [root@server ~]# systemctl restart sssd

Procedure

1. Enable detailed SSSD debug logging on the IdM server.

   [root@server ~]# sssctl debug-level 6

2. Invalidate objects in the SSSD cache for the user that is experiencing authentication issues, so you do not bypass the LDAP server and retrieve information SSSD has already cached.

   [root@server ~]# sssctl cache-expire -u idmuser

3. Minimize the troubleshooting dataset by removing older SSSD logs.

   [root@server ~]# sssctl logs-remove

4. Attempt to switch to the user experiencing authentication problems, while gathering timestamps before and after the attempt. These timestamps further narrow the scope of the dataset.

   [root@server sssd]# date; su idmuser; date
   Mon Mar 29 15:33:48 EDT 2021
   su: user idmuser does not exist
   Mon Mar 29 15:33:49 EDT 2021

5. (Optional) Lower the debug level if you do not wish to continue gathering detailed SSSD logs.

   [root@server ~]# sssctl debug-level 2

6. Review SSSD logs for information about the failed request. For example, reviewing the /var/log/sssd/sssd_example.com.log file shows that the SSSD service did not find the user in the cn=accounts,dc=example,dc=com LDAP subtree. This might indicate that the user does not exist, or exists in another location.

   (Mon Mar 29 15:33:48 2021) [sssd[be[example.com]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=idmuser@example.com]
   ...
   (Mon Mar 29 15:33:48 2021) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=idmuser)(objectclass=posixAccount)(uid=)(&(uidNumber=)(!(uidNumber=0))))][cn=accounts,dc=example,dc=com].
   (Mon Mar 29 15:33:48 2021) [sssd[be[example.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
   (Mon Mar 29 15:33:48 2021) [sssd[be[example.com]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
   (Mon Mar 29 15:33:48 2021) [sssd[be[example.com]]] [sysdb_search_by_name] (0x0400): No such entry
   (Mon Mar 29 15:33:48 2021) [sssd[be[example.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
   (Mon Mar 29 15:33:48 2021) [sssd[be[example.com]]] [sysdb_search_by_name] (0x0400): No such entry
   (Mon Mar 29 15:33:49 2021) [sssd[be[example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request

7. If you are unable to determine the cause of the authentication issue:

   1. Collect the SSSD logs you recently generated.

      [root@server ~]# sssctl logs-fetch sssd-logs-Mar29.tar

   2. Open a Red Hat Technical Support case and provide:

      1. The SSSD logs: sssd-logs-Mar29.tar

      2. The console output, including the time stamps and user name, of the request that corresponds to the logs:

         [root@server sssd]# date; id idmuser; date
         Mon Mar 29 15:33:48 EDT 2021
         id: ‘idmuser’: no such user
         Mon Mar 29 15:33:49 EDT 2021

Procedure

1. On the client: Open the /etc/sssd/sssd.conf file in a textn editor.

2. On the client: Add the ipa_server option to the [domain] section of the file and set it to an IdM server. This avoids the IdM client autodiscovering other IdM servers, thus limiting this test to just one client and one server.

   [domain/example.com]
   ipa_server = server.example.com
   ...

3. On the client: Save and close the sssd.conf file.

4. On the client: Restart the SSSD service to load the configuration changes.

   [root@client ~]# systemctl restart sssd

5. On the server and client: Enable detailed SSSD debug logging.

   [root@server ~]# sssctl debug-level 6

   [root@client ~]# sssctl debug-level 6

6. On the server and client: Invalidate objects in the SSSD cache for the user experiencing authentication issues, so you do not bypass the LDAP database and retrieve information SSSD has already cached.

   [root@server ~]# sssctl cache-expire -u idmuser

   [root@client ~]# sssctl cache-expire -u idmuser

7. On the server and client: Minimize the troubleshooting dataset by removing older SSSD logs.

   [root@server ~]# sssctl logs-remove

   [root@server ~]# sssctl logs-remove

8. On the client: Attempt to switch to the user experiencing authentication problems while gathering timestamps before and after the attempt. These timestamps further narrow the scope of the dataset.

   [root@client sssd]# date; su idmuser; date
   Mon Mar 29 16:20:13 EDT 2021
   su: user idmuser does not exist
   Mon Mar 29 16:20:14 EDT 2021

9. (Optional) On the server and client: Lower the debug level if you do not wish to continue gathering detailed SSSD logs.

   [root@server ~]# sssctl debug-level 0

   [root@client ~]# sssctl debug-level 0

10. On the server and client: Review SSSD logs for information about the failed request.

    1. Review the request from the client in the client logs.
    2. Review the request from the client in the server logs.
    3. Review the result of the request in the server logs.
    4. Review the outcome of the client receiving the results of the request from the server.

11. If you are unable to determine the cause of the authentication issue:

    1. Collect the SSSD logs you recently generated on the IdM server and IdM client. Label them according to their hostname or role.

       [root@server ~]# sssctl logs-fetch sssd-logs-server-Mar29.tar

       [root@client ~]# sssctl logs-fetch sssd-logs-client-Mar29.tar

    2. Open a Red Hat Technical Support case and provide:

       1. The SSSD debug logs:

          1. sssd-logs-server-Mar29.tar from the server
          2. sssd-logs-client-Mar29.tar from the client

       2. The console output, including the time stamps and user name, of the request that corresponds to the logs:

          [root@client sssd]# date; su idmuser; date
          Mon Mar 29 16:20:13 EDT 2021
          su: user idmuser does not exist
          Mon Mar 29 16:20:14 EDT 2021

Procedure

1. Create an inventory file, for example inventory.file, and define the IdM server from which you want to retrieve the IdM configuration in the [ipaserver] section. For example, to instruct Ansible to retrieve the data from server.idm.example.com, enter:

   [ipaserver]
   server.idm.example.com

2. Open the /usr/share/doc/ansible-freeipa/playbooks/config/retrieve-config.yml Ansible playbook file for editing:

   ---
   - name: Playbook to handle global IdM configuration
     hosts: ipaserver
     become: no
     gather_facts: no
   
     tasks:
     - name: Query IPA global configuration
       ipaconfig:
         ipaadmin_password: Secret123
       register: serverconfig
   
     - debug:
         msg: "{{ serverconfig }}"

3. Adapt the file by changing the following:

   • The password of IdM administrator.
   • Other values, if necessary.
4. Save the file.

5. Run the Ansible playbook specifying the playbook file and the inventory file:

   $ ansible-playbook -v -i path_to_inventory_directory/inventory.file /usr/share/doc/ansible-freeipa/playbooks/config/retrieve-config.yml
   [...]
   TASK [debug]
   ok: [server.idm.example.com] => {
       "msg": {
           "ansible_facts": {
               "discovered_interpreter_
           },
           "changed": false,
           "config": {
               "ca_renewal_master_server": "server.idm.example.com",
               "configstring": [
                   "AllowNThash",
                   "KDC:Disable Last Success"
               ],
               "defaultgroup": "ipausers",
               "defaultshell": "/bin/bash",
               "emaildomain": "idm.example.com",
               "enable_migration": false,
               "groupsearch": [
                   "cn",
                   "description"
               ],
               "homedirectory": "/home",
               "maxhostname": "64",
               "maxusername": "64",
               "pac_type": [
                   "MS-PAC",
                   "nfs:NONE"
               ],
               "pwdexpnotify": "4",
               "searchrecordslimit": "100",
               "searchtimelimit": "2",
               "selinuxusermapdefault": "unconfined_u:s0-s0:c0.c1023",
               "selinuxusermaporder": [
                   "guest_u:s0$xguest_u:s0$user_
               ],
               "usersearch": [
                   "uid",
                   "givenname",
                   "sn",
                   "telephonenumber",
                   "ou",
                   "title"
               ]
           },
           "failed": false
       }
   }

Procedure

1. Optional: Identify the current IdM CA renewal server:

   $ ipa config-show | grep 'CA renewal'
     IPA CA renewal master: server.idm.example.com

2. Create an inventory file, for example inventory.file, and define ipaserver in it:

   [ipaserver]
   server.idm.example.com

3. Open the /usr/share/doc/ansible-freeipa/playbooks/config/set-ca-renewal-master-server.yml Ansible playbook file for editing:

   ---
   - name: Playbook to handle global DNS configuration
     hosts: ipaserver
     become: no
     gather_facts: no
   
     tasks:
     - name: set ca_renewal_master_server
       ipaconfig:
         ipaadmin_password: SomeADMINpassword
         ca_renewal_master_server: carenewal.idm.example.com

4. Adapt the file by changing:

   • The password of IdM administrator set by the ipaadmin_password variable.
   • The name of the CA renewal server set by the ca_renewal_master_server variable.
5. Save the file.

6. Run the Ansible playbook. Specify the playbook file and the inventory file:

   $ ansible-playbook -v -i path_to_inventory_directory/inventory.file /usr/share/doc/ansible-freeipa/playbooks/config/set-ca-renewal-master-server.yml

1. Log into ipaserver as IdM administrator:

   $ ssh admin@server.idm.example.com
   Password:
   [admin@server /]$

2. Request the identity of the IdM CA renewal server:

   $ ipa config-show | grep ‘CA renewal’
   IPA CA renewal master:  carenewal.idm.example.com

   The output shows the carenewal.idm.example.com server is the new CA renewal server.

Procedure

1. Optional: Use the retrieve-config.yml Ansible playbook to identify the current shell for IdM users. See Retrieving IdM configuration using an Ansible playbook for details.

2. Create an inventory file, for example inventory.file, and define ipaserver in it:

   [ipaserver]
   server.idm.example.com

3. Open the /usr/share/doc/ansible-freeipa/playbooks/config/ensure-config-options-are-set.yml Ansible playbook file for editing:

   ---
   - name: Playbook to ensure some config options are set
     hosts: ipaserver
     become: true
   
     tasks:
     # Set defaultlogin and maxusername
     - ipaconfig:
         ipaadmin_password: Secret123
         defaultshell: /bin/bash
         maxusername: 64

4. Adapt the file by changing the following:

   • The password of IdM administrator set by the ipaadmin_password variable.
   • The default shell of the IdM users set by the defaultshell variable into /bin/sh.
5. Save the file.

6. Run the Ansible playbook. Specify the playbook file and the inventory file:

   $ ansible-playbook -v -i path_to_inventory_directory/inventory.file /usr/share/doc/ansible-freeipa/playbooks/config/ensure-config-options-are-set.yml

1. Log into ipaserver as IdM administrator:

   $ ssh admin@server.idm.example.com
   Password:
   [admin@server /]$

2. Display the current shell:

   [admin@server /]$ echo "$SHELL"
   /bin/sh

   The logged-in user is using the sh shell.

Procedure

1. Open terminal and connect to the IdM server.

2. Add user login, user’s first name, last name and optionally, you can also add their email address.

   $ ipa user-add user_login --first=first_name --last=last_name --email=email_address

   IdM supports user names that can be described by the following regular expression:

   [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?

   Note

   User names ending with the trailing dollar sign ($) are supported to enable Samba 3.x machine support.

   If you add a user name containing uppercase characters, IdM automatically converts the name to lowercase when saving it. Therefore, IdM always requires to enter user names in lowercase when logging in. Additionally, it is not possible to add user names which differ only in letter casing, such as user and User.

   The default maximum length for user names is 32 characters. To change it, use the ipa config-mod --maxusername command. For example, to increase the maximum user name length to 64 characters:

   $ ipa config-mod --maxusername=64
    Maximum username length: 64
    ...

   The ipa user-add command includes a lot of parameters. To list them all, use the ipa help command:

   $ ipa help user-add

   For details about ipa help command, see What is the IPA help.

Procedure

1. Open terminal and connect to the IdM server.

2. Activate the user account with the following command:

   $ ipa stageuser-activate user_login
   -------------------------
   Stage user user_login activated
   -------------------------
   ...

Procedure

1. Open terminal and connect to the IdM server.

2. Preserve the user account with the following command:

   $ ipa user-del --preserve user_login
   --------------------
   Deleted user "user_login"
   --------------------

Procedure

1. Open terminal and connect to the IdM server.

2. Delete the user account with the following command:

   $ ipa user-del user_login
   --------------------
   Deleted user "user_login"
   --------------------

Procedure

1. Open terminal and connect to the IdM server.

2. Activate the user account with the following command:

   $ ipa user-undel user_login
   ------------------------------
   Undeleted user account "user_login"
   ------------------------------

   Alternatively, you can restore user accounts as staged:

   $ ipa user-stage user_login
   ------------------------------
   Staged user account "user_login"
   ------------------------------

Procedure

1. Log in to the IdM Web UI.

   For details, see Accessing the IdM Web UI in a web browser.

2. Go to Users → Stage Users tab.

   Alternatively, you can add the user account in the Users → Active users, however, you cannot add user groups to the account.

3. Click the + Add icon.
4. In the Add stage user dialog box, enter First name and Last name of the new user.

5. [Optional] In the User login field, add a login name.

   If you leave it empty, the IdM server creates the login name in the following pattern: The first letter of the first name and the surname. The whole login name can have up to 32 characters.

6. [Optional] In the GID drop down menu, select groups in which the user should be included.
7. [Optional] In the Password and Verify password fields,

8. Click on the Add button.

   

Procedure

1. Log in to the IdM Web UI.

   For details, see Accessing the IdM Web UI in a web browser.

2. Go to Users → Stage users tab.
3. Click the check-box of the user account you want to activate.

4. Click on the Activate button.

   

5. In the Confirmation dialog box, click on the OK button.

Procedure

1. Log in to the IdM Web UI.

   For details, see Accessing the IdM Web UI in a web browser.

2. Go to Users → Active users tab.
3. Click the check-box of the user accounts you want to disable.

4. Click on the Disable button.

   

5. In the Confirmation dialog box, click on the OK button.

Procedure

1. Log in to the IdM Web UI.
2. Go to Users → Active users tab.
3. Click the check-box of the user accounts you want to enable.

4. Click on the Enable button.

   

5. In the Confirmation dialog box, click on the OK button.

Procedure

1. Log in to the IdM Web UI.

   For details, see Accessing the IdM Web UI in a web browser.

2. Go to Users → Active users tab.
3. Click the check-box of the user accounts you want to preserve.

4. Click on the Delete button.

   

5. In the Remove users dialog box, switch the Delete mode radio button to preserve.

6. Click on the Delete button.

   

Procedure

1. Log in to the IdM Web UI.

   For details, see Accessing the IdM Web UI in a web browser.

2. Go to Users → Preserved users tab.
3. Click the check-box at the user accounts you want to restore.

4. Click on the Restore button.

   

5. In the Confirmation dialog box, click on the OK button.

Procedure

1. Log in to the IdM Web UI.

   For details, see Accessing the IdM Web UI in a web browser.

2. Go to Users → Active users tab.

   Alternatively, you can delete the user account in the Users → Stage users or Users → Preserved users.

3. Click the Delete icon.
4. In the Remove users dialog box, switch the Delete mode radio button to delete.
5. Click on the Delete button.

Procedure

1. Create an inventory file, for example inventory.file, and define ipaserver in it:

   [ipaserver]
   server.idm.example.com

2. Create an Ansible playbook file with the data of the user whose presence in IdM you want to ensure. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/user/add-user.yml file. For example, to create user named idm_user and add Password123 as the user password:

   ---
   - name: Playbook to handle users
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Create user idm_user
       ipauser:
         ipaadmin_password: MySecret123
         name: idm_user
         first: Alice
         last: Acme
         uid: 1000111
         gid: 10011
         phone: "+555123457"
         email: idm_user@acme.com
         passwordexpiration: "2023-01-19 23:59:59"
         password: "Password123"
         update_password: on_create

   You must use the following options to add a user:

   • name: the login name
   • first: the first name string
   • last: the last name string

   For the full list of available user options, see the /usr/share/doc/ansible-freeipa/README-user.md Markdown file.

   Note

   If you use the update_password: on_create option, Ansible only creates the user password when it creates the user. If the user is already created with a password, Ansible does not generate a new password.

3. Run the playbook:

   $ ansible-playbook -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/add-IdM-user.yml

Procedure

1. Create an inventory file, for example inventory.file, and define ipaserver in it:

   [ipaserver]
   server.idm.example.com

2. Create an Ansible playbook file with the data of the users whose presence you want to ensure in IdM. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/user/ensure-users-present.yml file. For example, to create users idm_user_1, idm_user_2, and idm_user_3, and add Password123 as the password of idm_user_1:

   ---
   - name: Playbook to handle users
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Create user idm_users
       ipauser:
         ipaadmin_password: MySecret123
         users:
         - name: idm_user_1
           first: Alice
           last: Acme
           uid: 10001
           gid: 10011
           phone: "+555123457"
           email: idm_user@acme.com
           passwordexpiration: "2023-01-19 23:59:59"
           password: "Password123"
         - name: idm_user_2
           first: Bob
           last: Acme
           uid: 100011
           gid: 10011
         - name: idm_user_3
           first: Eve
           last: Acme
           uid: 1000111
           gid: 10011

   Note

   If you do not specify the update_password: on_create option, Ansible re-sets the user password every time the playbook is run: if the user has changed the password since the last time the playbook was run, Ansible re-sets password.

3. Run the playbook:

   $ ansible-playbook -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/add-users.yml

Procedure

1. Create an inventory file, for example inventory.file, and define ipaserver in it:

   [ipaserver]
   server.idm.example.com

2. Create an Ansible playbook file with the necessary tasks. Reference the JSON file with the data of the users whose presence you want to ensure. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/ensure-users-present-ymlfile.yml file:

   ---
   - name: Ensure users' presence
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Include users.json
       include_vars:
         file: users.json
   
     - name: Users present
       ipauser:
         ipaadmin_password: MySecret123
         users: "{{ users }}"

3. Create the users.json file, and add the IdM users into it. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/user/users.json file. For example, to create users idm_user_1, idm_user_2, and idm_user_3, and add Password123 as the password of idm_user_1:

   {
     "users": [
      {
       "name": "idm_user_1",
       "first": "Alice",
       "last": "Acme",
       "password": "Password123"
      },
      {
       "name": "idm_user_2",
       "first": "Bob",
       "last": "Acme"
      },
      {
       "name": "idm_user_3",
       "first": "Eve",
       "last": "Acme"
      }
     ]
   }

4. Run the Ansible playbook specifying the playbook file and the inventory file:

   $ ansible-playbook -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-users-present-jsonfile.yml

Procedure

1. Create an inventory file, for example inventory.file, and define ipaserver in it:

   [ipaserver]
   server.idm.example.com

2. Create an Ansible playbook file with the users whose absence from IdM you want to ensure. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/user/ensure-users-present.yml file. For example, to delete users idm_user_1, idm_user_2, and idm_user_3:

   ---
   - name: Playbook to handle users
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Delete users idm_user_1, idm_user_2, idm_user_3
       ipauser:
         ipaadmin_password: MySecret123
         users:
         - name: idm_user_1
         - name: idm_user_2
         - name: idm_user_3
         state: absent

3. Run the Ansible playbook specifying the playbook file and the inventory file:

   $ ansible-playbook -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/delete-users.yml

1. Log into ipaserver as administrator:

   $ ssh administrator@server.idm.example.com
   Password:
   [admin@server /]$

2. Request information about idm_user_1:

   $ ipa user-show idm_user_1
   ipa: ERROR: idm_user_1: user not found

   The user named idm_user_1 does not exist in IdM.

Procedure

1. Optional. Use the ipa group-show command to confirm that the group includes the member you want to remove.

2. Remove a member from a user group by using the ipa group-remove-member command.

   Specify members to remove using these options:

   • --users removes an IdM user
   • --external removes a user that exists outside the IdM domain, in the format of DOMAIN\user_name or user_name@domain
   • --groups removes an IdM user group

   For example, to remove user1, user2, and group1 from a group called group_name:

   $ ipa group-remove-member group_name --users=user1 --users=user2 --groups=group1

Procedure

1. Click Identity → Groups, and select User Groups in the left sidebar.
2. Click Add to start adding the group.

3. Fill out the information about the group. For more information about user group types, see The different group types in IdM.

   You can specify a custom GID for the group. If you do this, be careful to avoid ID conflicts. If you do not specify a custom GID, IdM automatically assigns a GID from the available ID range.

   
4. Click Add to confirm.

Procedure

1. Click Identity → Groups and select User Groups.
2. Select the group to delete.
3. Click Delete.
4. Click Delete to confirm.

Procedure

1. Click Identity → Groups and select User Groups in the left sidebar.
2. Click the name of the group.

3. Select the type of group member you want to add: Users, User Groups, or External.

   
4. Click Add.
5. Select the check box next to one or more members you want to add.

6. Click the rightward arrow to move the selected members to the group.

   
7. Click Add to confirm.

Procedure

1. Click Identity → Groups and select User Groups in the left sidebar.
2. Click the name of the group.

3. Select the type of group member manager you want to add: Users or User Groups.

   
4. Click Add.
5. Select the check box next to one or more members you want to add.

6. Click the rightward arrow to move the selected members to the group.

   
7. Click Add to confirm.

Procedure

1. Select Identity → Groups.
2. Select User Groups in the left sidebar.
3. Click the name of the group you want to view.

4. Switch between Direct Membership and Indirect Membership.

   

Procedure

1. Click Identity → Groups and select User Groups in the left sidebar.
2. Click the name of the group.

3. Select the type of group member you want to remove: Users, User Groups, or External.

   
4. Select the check box next to the member you want to remove.
5. Click Delete.
6. Click Delete to confirm.

Procedure

1. Click Identity → Groups and select User Groups in the left sidebar.
2. Click the name of the group.

3. Select the type of member manager you want to remove: Users or User Groups.

   
4. Select the check box next to the member manager you want to remove.
5. Click Delete.
6. Click Delete to confirm.

Procedure

1. Create an inventory file, for example inventory.file, and define ipaserver in it:

   [ipaserver]
   server.idm.example.com

2. Create an Ansible playbook file with the necessary user and group information:

   ---
   - name: Playbook to handle groups
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Create group ops with gid 1234
       ipagroup:
         ipaadmin_password: MySecret123
         name: ops
         gidnumber: 1234
   
     - name: Create group sysops
       ipagroup:
         ipaadmin_password: MySecret123
         name: sysops
         user:
         - idm_user
   
     - name: Create group appops
       ipagroup:
         ipaadmin_password: MySecret123
         name: appops
   
     - name: Add group members sysops and appops to group ops
       ipagroup:
         ipaadmin_password: MySecret123
         name: ops
         group:
         - sysops
         - appops

3. Run the playbook:

   $ ansible-playbook -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/add-group-members.yml

1. Log into ipaserver as administrator:

   $ ssh admin@server.idm.example.com
   Password:
   [admin@server /]$

2. Display information about ops:

   ipaserver]$ ipa group-show ops
     Group name: ops
     GID: 1234
     Member groups: sysops, appops
     Indirect Member users: idm_user

   The appops and sysops groups - the latter including the idm_user user - exist in IdM.

Procedure

1. Create an inventory file, for example inventory.file, and define ipaserver in it:

   [ipaserver]
   server.idm.example.com

2. Create an Ansible playbook file with the necessary user and group member management information:

   ---
   - name: Playbook to handle membership management
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Ensure user test is present for group_a
       ipagroup:
         ipaadmin_password: MySecret123
         name: group_a
         membermanager_user: test
   
     - name: Ensure group_admins is present for group_a
       ipagroup:
         ipaadmin_password: MySecret123
         name: group_a
         membermanager_group: group_admins

3. Run the playbook:

   $ ansible-playbook -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/add-member-managers-user-groups.yml

1. Log into ipaserver as administrator:

   $ ssh admin@server.idm.example.com
   Password:
   [admin@server /]$

2. Display information about managergroup1:

   ipaserver]$ ipa group-show group_a
     Group name: group_a
     GID: 1133400009
     Membership managed by groups: group_admins
     Membership managed by users: test

Procedure

1. Create an inventory file, for example inventory.file, and define ipaserver in it:

   [ipaserver]
   server.idm.example.com

2. Create an Ansible playbook file with the necessary user and group member management information:

   ---
   - name: Playbook to handle membership management
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Ensure member manager user and group members are absent for group_a
       ipagroup:
         ipaadmin_password: MySecret123
         name: group_a
         membermanager_user: test
         membermanager_group: group_admins
         action: member
         state: absent

3. Run the playbook:

   $ ansible-playbook -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-member-managers-are-absent.yml

1. Log into ipaserver as administrator:

   $ ssh admin@server.idm.example.com
   Password:
   [admin@server /]$

2. Display information about group_a:

   ipaserver]$ ipa group-show group_a
     Group name: group_a
     GID: 1133400009

Procedure

1. Enter the ipa automember-add command to add an automember rule.

2. When prompted, specify:

   • Automember rule. This is the target group name.
   • Grouping Type. This specifies whether the rule targets a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.

   For example, to add an automember rule for a user group named user_group:

   $ ipa automember-add
   Automember Rule: user_group
   Grouping Type: group
   --------------------------------
   Added automember rule "user_group"
   --------------------------------
       Automember Rule: user_group

Procedure

1. Define one or more inclusive or exclusive conditions using the ipa automember-add-condition command.

2. When prompted, specify:

   • Automember rule. This is the target rule name. See Automember rules for details.
   • Attribute Key. This specifies the entry attribute to which the filter will apply. For example, uid for users.
   • Grouping Type. This specifies whether the rule targets a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.
   • Inclusive regex and Exclusive regex. These specify one or more conditions as regular expressions. If you only want to specify one condition, press Enter when prompted for the other.

   For example, the following condition targets all users with any value (.*) in their user login attribute (uid).

   $ ipa automember-add-condition
   Automember Rule: user_group
   Attribute Key: uid
   Grouping Type: group
   [Inclusive Regex]: .*
   [Exclusive Regex]:
   ----------------------------------
   Added condition(s) to "user_group"
   ----------------------------------
     Automember Rule: user_group
     Inclusive Regex: uid=.*
   ----------------------------
   Number of conditions added 1
   ----------------------------

   As another example, you can use an automembership rule to target all Windows users synchronized from Active Directory (AD). To achieve this, create a condition that that targets all users with ntUser in their objectClass attribute, which is shared by all AD users:

   $ ipa automember-add-condition
   Automember Rule: ad_users
   Attribute Key: objectclass
   Grouping Type: group
   [Inclusive Regex]: ntUser
   [Exclusive Regex]:
   -------------------------------------
   Added condition(s) to "ad_users"
   -------------------------------------
     Automember Rule: ad_users
     Inclusive Regex: objectclass=ntUser
   ----------------------------
   Number of conditions added 1
   ----------------------------

Procedure

1. Enter the ipa automember-find command.

2. When prompted, specify the Grouping type:

   • To target a user group, enter group.

   • To target a host group, enter hostgroup.

     For example:

   $ ipa automember-find
   Grouping Type: group
   ---------------
   1 rules matched
   ---------------
     Automember Rule: user_group
     Inclusive Regex: uid=.*
   ----------------------------
   Number of entries returned 1
   ----------------------------

Procedure

1. Enter the ipa automember-del command.

2. When prompted, specify:

   • Automember rule. This is the rule you want to delete.
   • Grouping rule. This specifies whether the rule you want to delete is for a user group or a host group. Enter group or hostgroup.

Procedure

1. Enter the ipa automember-remove-condition command.

2. When prompted, specify:

   • Automember rule. This is the name of the rule from which you want to remove a condition.
   • Attribute Key. This is the target entry attribute. For example, uid for users.
   • Grouping Type. This specifies whether the condition you want to delete is for a user group or a host group. Enter group or hostgroup.

   • Inclusive regex and Exclusive regex. These specify the conditions you want to remove. If you only want to specify one condition, press Enter when prompted for the other.

     For example:

   $ ipa automember-remove-condition
   Automember Rule: user_group
   Attribute Key: uid
   Grouping Type: group
   [Inclusive Regex]: .*
   [Exclusive Regex]:
   -----------------------------------
   Removed condition(s) from "user_group"
   -----------------------------------
     Automember Rule: user_group
   ------------------------------
   Number of conditions removed 1
   ------------------------------

Procedure

1. Enter the ipa automember-default-group-set command to configure a default automember group.

2. When prompted, specify:

   • Default (fallback) Group, which specifies the target group name.

   • Grouping Type, which specifies whether the target is a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.

     For example:

     $ ipa automember-default-group-set
     Default (fallback) Group: default_user_group
     Grouping Type: group
     ---------------------------------------------------
     Set default (fallback) group for automember "default_user_group"
     ---------------------------------------------------
       Default (fallback) Group: cn=default_user_group,cn=groups,cn=accounts,dc=example,dc=com

   Note

   To remove the current default automember group, enter the ipa automember-default-group-remove command.

Procedure

1. Click Identity → Automember, and select either User group rules or Host group rules.
2. Click Add.

3. In the Automember rule field, select the group to which the rule will apply. This is the target group name.

   
4. Click Add to confirm.
5. Optional: You can add conditions to the new rule using the procedure described in Adding a condition to an automember rule using IdM Web UI.

Procedure

1. Click Identity → Automember, and select either User group rules or Host group rules.
2. Click on the rule to which you want to add a condition.

3. In the Inclusive or Exclusive sections, click Add.

   
4. In the Attribute field, select the required attribute, for example uid.
5. In the Expression field, define a regular expression.

6. Click Add.

   For example, the following condition targets all users with any value (.*) in their user ID (uid) attribute.

   

Procedure

1. Click Identity → Automember, and select either User group rules or Host group rules to view the respective automember rules.

2. Optional: Click on a rule to see the conditions for that rule in the Inclusive or Exclusive sections.

   

Procedure

1. Click Identity → Automember, and select either User group rules or Host group rules to view the respective automember rules.
2. Select the check box next to the rule you want to remove.

3. Click Delete.

   
4. Click Delete to confirm.

Procedure

1. Click Identity → Automember, and select either User group rules or Host group rules to view the respective automember rules.
2. Click on a rule to see the conditions for that rule in the Inclusive or Exclusive sections.
3. Select the check box next to the conditions you want to remove.

4. Click Delete.

   
5. Click Delete to confirm.

Procedure

1. Click Identity → Automember, and select User group rules.

2. In the Default user group field, select the group you want to set as the default user group.

   

Procedure

1. Click Identity → Automember, and select Host group rules.

2. In the Default host group field, select the group you want to set as the default host group.

   

Procedure

1. Optional: Display existing self-service rules with the ipa selfservice-find command.
2. Optional: Display details for the self-service rule you want to modify with the ipa selfservice-show command.
3. Use the ipa selfservice-mod command to edit a self-service rule.

Procedure

1. Open the Role-Based Access Control sub-menu in the IPA Server tab and select Self Service Permissions.

2. Click Add at the top-right of the list of the self-service access rules:

   

3. The Add Self Service Permission window opens. Enter the name of the new self-service rule in the Self-service name field. Spaces are allowed:

   

4. Select the check boxes next to the attributes you want users to be able to edit.

5. Optional: If an attribute you would like to provide access to is not listed, you can add a listing for it:

   1. Click the Add button.
   2. Enter the attribute name in the Attribute text field of the following Add Custom Attribute window.
   3. Click the OK button to add the attribute
   4. Verify that the new attribute is selected
6. Click the Add button at the bottom of the form to save the new self-service rule.
   Alternatively, you can save and continue editing the self-service rule by clicking the Add and Edit button, or save and add further rules by clicking the Add and Add another button.

Procedure

1. Open the Role-Based Access Control sub-menu in the IPA Server tab and select Self Service Permissions.

2. Click on the name of the self-service rule you want to modify.

   

3. The edit page only allows you to edit the list of attributes to you want to add or remove to the self-service rule. Select or deselect the appropriate check boxes.
4. Click the Save button to save your changes to the self-service rule.

Procedure

1. Open the Role-Based Access Control sub-menu in the IPA Server tab and select Self Service Permissions.

2. Select the check box next to the rule you want to delete, then click on the Delete button on the right of the list.

   

3. A dialog opens, click on Delete to confirm.

Procedure

1. Navigate to the ~/MyPlaybooks/ directory:

   $ cd ~/MyPlaybooks/

2. Make a copy of the selfservice-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/selfservice/ directory:

   $ cp /usr/share/doc/ansible-freeipa/playbooks/selfservice/selfservice-present.yml selfservice-present-copy.yml

3. Open the selfservice-present-copy.yml Ansible playbook file for editing.

4. Adapt the file by setting the following variables in the ipaselfservice task section:

   • Set the ipaadmin_password variable to the password of the IdM administrator.
   • Set the name variable to the name of the new self-service rule.
   • Set the permission variable to a comma-separated list of permissions to grant: read and write.
   • Set the attribute variable to a list of attributes that users can manage themselves: givenname, displayname, title, and initials.

   This is the modified Ansible playbook file for the current example:

   ---
   - name: Self-service present
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Ensure self-service rule "Users can manage their own name details" is present
       ipaselfservice:
         ipaadmin_password: Secret123
         name: "Users can manage their own name details"
         permission: read, write
         attribute:
         - givenname
         - displayname
         - title
         - initials

5. Save the file.

6. Run the Ansible playbook specifying the playbook file and the inventory file:

   $ ansible-playbook -v -i inventory selfservice-present-copy.yml

Procedure

1. Navigate to the ~/MyPlaybooks/ directory:

   $ cd ~/MyPlaybooks/

2. Make a copy of the selfservice-absent.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/selfservice/ directory:

   $ cp /usr/share/doc/ansible-freeipa/playbooks/selfservice/selfservice-absent.yml selfservice-absent-copy.yml

3. Open the selfservice-absent-copy.yml Ansible playbook file for editing.

4. Adapt the file by setting the following variables in the ipaselfservice task section:

   • Set the ipaadmin_password variable to the password of the IdM administrator.
   • Set the name variable to the name of the self-service rule.
   • Set the state variable to absent.

   This is the modified Ansible playbook file for the current example:

   ---
   - name: Self-service absent
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Ensure self-service rule "Users can manage their own name details" is absent
       ipaselfservice:
         ipaadmin_password: Secret123
         name: "Users can manage their own name details"
         state: absent

5. Save the file.

6. Run the Ansible playbook specifying the playbook file and the inventory file:

   $ ansible-playbook -v -i inventory selfservice-absent-copy.yml

Procedure

1. Navigate to the ~/MyPlaybooks/ directory:

   $ cd ~/MyPlaybooks/

2. Make a copy of the selfservice-member-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/selfservice/ directory:

   $ cp /usr/share/doc/ansible-freeipa/playbooks/selfservice/selfservice-member-present.yml selfservice-member-present-copy.yml

3. Open the selfservice-member-present-copy.yml Ansible playbook file for editing.

4. Adapt the file by setting the following variables in the ipaselfservice task section:

   • Set the ipaadmin_password variable to the password of the IdM administrator.
   • Set the name variable to the name of the self-service rule to modify.
   • Set the attribute variable to surname.
   • Set the action variable to member.

   This is the modified Ansible playbook file for the current example:

   ---
   - name: Self-service member present
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Ensure selfservice "Users can manage their own name details" member attribute surname is present
       ipaselfservice:
         ipaadmin_password: Secret123
         name: "Users can manage their own name details"
         attribute:
         - surname
         action: member

5. Save the file.

6. Run the Ansible playbook specifying the playbook file and the inventory file:

   $ ansible-playbook -v -i inventory selfservice-member-present-copy.yml

Procedure

1. Navigate to the ~/MyPlaybooks/ directory:

   $ cd ~/MyPlaybooks/

2. Make a copy of the selfservice-member-absent.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/selfservice/ directory:

   $ cp /usr/share/doc/ansible-freeipa/playbooks/selfservice/selfservice-member-absent.yml selfservice-member-absent-copy.yml

3. Open the selfservice-member-absent-copy.yml Ansible playbook file for editing.

4. Adapt the file by setting the following variables in the ipaselfservice task section:

   • Set the ipaadmin_password variable to the password of the IdM administrator.
   • Set the name variable to the name of the self-service rule you want to modify.
   • Set the attribute variable to givenname and surname.
   • Set the action variable to member.
   • Set the state variable to absent.

   This is the modified Ansible playbook file for the current example:

   ---
   - name: Self-service member absent
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Ensure selfservice "Users can manage their own name details" member attributes givenname and surname are absent
       ipaselfservice:
         ipaadmin_password: Secret123
         name: "Users can manage their own name details"
         attribute:
         - givenname
         - surname
         action: member
         state: absent

5. Save the file.

6. Run the Ansible playbook specifying the playbook file and the inventory file:

   $ ansible-playbook -v -i inventory selfservice-member-absent-copy.yml

Procedure

1. From the IPA Server menu, click Role-Based Access Control → Delegations.

2. Click Add.

   

3. In the Add delegation window, do the following:

   1. Name the new delegation rule.
   2. Set the permissions by selecting the check boxes that indicate whether users will have the right to view the given attributes (read) and add or change the given attributes (write).
   3. In the User group drop-down menu, select the group who is being granted permissions to view or edit the entries of users in the member group.
   4. In the Member user group drop-down menu, select the group whose entries can be edited by members of the delegation group.

   5. In the attributes box, select the check boxes by the attributes to which you want to grant permissions.

      
   6. Click the Add button to save the new delegation rule.

Procedure

1. From the IPA Server menu, click Role-Based Access Control → Delegations.

   
2. Click on the rule you want to modify.

3. Make the desired changes:

   • Change the name of the rule.
   • Change granted permissions by selecting the check boxes that indicate whether users will have the right to view the given attributes (read) and add or change the given attributes (write).
   • In the User group drop-down menu, select the group who is being granted permissions to view or edit the entries of users in the member group.
   • In the Member user group drop-down menu, select the group whose entries can be edited by members of the delegation group.

   • In the attributes box, select the check boxes by the attributes to which you want to grant permissions. To remove permissions to an attribute, uncheck the relevant check box.

     
   • Click the Save button to save the changes.

Procedure

1. From the IPA Server menu, click Role-Based Access Control → Delegations.
2. Select the check box next to the rule you want to remove.

3. Click Delete.

   
4. Click Delete to confirm.

Procedure

1. Create a directory for your Ansible configuration and playbooks in your home directory:

   $ mkdir ~/MyPlaybooks/

2. Change into the ~/MyPlaybooks/ directory:

   $ cd ~/MyPlaybooks

3. Create the ~/MyPlaybooks/ansible.cfg file with the following content:

   [defaults]
   inventory = /home/<username>/MyPlaybooks/inventory
   
   [privilege_escalation]
   become=True

4. Create the ~/MyPlaybooks/inventory file with the following content:

   [eu]
   server.idm.example.com
   
   [us]
   replica.idm.example.com
   
   [ipaserver:children]
   eu
   us

   This configuration defines two host groups, eu and us, for hosts in these locations. Additionally, this configuration defines the ipaserver host group, which contains all hosts from the eu and us groups.

Procedure

1. Navigate to the ~/MyPlaybooks/ directory:

   $ cd ~/MyPlaybooks/

2. Make a copy of the delegation-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/delegation/ directory:

   $ cp /usr/share/doc/ansible-freeipa/playbooks/delegation/delegation-present.yml delegation-present-copy.yml

3. Open the delegation-present-copy.yml Ansible playbook file for editing.

4. Adapt the file by setting the following variables in the ipadelegation task section:

   • Set the ipaadmin_password variable to the password of the IdM administrator.
   • Set the name variable to the name of the new delegation rule.
   • Set the permission variable to a comma-separated list of permissions to grant: read and write.
   • Set the attribute variable to a list of attributes the delegated user group can manage: businesscategory, departmentnumber, employeenumber, and employeetype.
   • Set the group variable to the name of the group that is being given access to view or modify attributes.
   • Set the membergroup variable to the name of the group whose attributes can be viewed or modified.

   This is the modified Ansible playbook file for the current example:

   ---
   - name: Playbook to manage a delegation rule
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Ensure delegation "basic manager attributes" is present
       ipadelegation:
         ipaadmin_password: Secret123
         name: "basic manager attributes"
         permission: read, write
         attribute:
         - businesscategory
         - departmentnumber
         - employeenumber
         - employeetype
         group: managers
         membergroup: employees

5. Save the file.

6. Run the Ansible playbook specifying the playbook file and the inventory file:

   $ ansible-playbook -v -i ~/MyPlaybooks/inventory delegation-present-copy.yml

Procedure

1. Navigate to the ~/MyPlaybooks/ directory:

   $ cd ~/MyPlaybooks>/

2. Make a copy of the delegation-absent.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/delegation/ directory:

   $ cp /usr/share/doc/ansible-freeipa/playbooks/delegation/delegation-present.yml delegation-absent-copy.yml

3. Open the delegation-absent-copy.yml Ansible playbook file for editing.

4. Adapt the file by setting the following variables in the ipadelegation task section:

   • Set the ipaadmin_password variable to the password of the IdM administrator.
   • Set the name variable to the name of the delegation rule.
   • Set the state variable to absent.

   This is the modified Ansible playbook file for the current example:

   ---
   - name: Delegation absent
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Ensure delegation "basic manager attributes" is absent
       ipadelegation:
         ipaadmin_password: Secret123
         name: "basic manager attributes"
         state: absent

5. Save the file.

6. Run the Ansible playbook specifying the playbook file and the inventory file:

   $ ansible-playbook -v -i ~/MyPlaybooks/inventory delegation-absent-copy.yml

Procedure

1. Navigate to the ~/MyPlaybooks/ directory:

   $ cd ~/MyPlaybooks/

2. Make a copy of the delegation-member-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/delegation/ directory:

   $ cp /usr/share/doc/ansible-freeipa/playbooks/delegation/delegation-member-present.yml delegation-member-present-copy.yml

3. Open the delegation-member-present-copy.yml Ansible playbook file for editing.

4. Adapt the file by setting the following variables in the ipadelegation task section:

   • Set the ipaadmin_password variable to the password of the IdM administrator.
   • Set the name variable to the name of the delegation rule to modify.
   • Set the attribute variable to departmentnumber.
   • Set the action variable to member.

   This is the modified Ansible playbook file for the current example:

   ---
   - name: Delegation member present
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Ensure delegation "basic manager attributes" member attribute departmentnumber is present
       ipadelegation:
         ipaadmin_password: Secret123
         name: "basic manager attributes"
         attribute:
         - departmentnumber
         action: member

5. Save the file.

6. Run the Ansible playbook specifying the playbook file and the inventory file:

   $ ansible-playbook -v -i ~/MyPlaybooks/inventory delegation-member-present-copy.yml

Procedure

1. Navigate to the ~/MyPlaybooks/ directory:

   $ cd ~/MyPlaybooks/

2. Make a copy of the delegation-member-absent.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/delegation/ directory:

   $ cp /usr/share/doc/ansible-freeipa/playbooks/delegation/delegation-member-absent.yml delegation-member-absent-copy.yml

3. Open the delegation-member-absent-copy.yml Ansible playbook file for editing.

4. Adapt the file by setting the following variables in the ipadelegation task section:

   • Set the ipaadmin_password variable to the password of the IdM administrator.
   • Set the name variable to the name of the delegation rule to modify.
   • Set the attribute variable to employeenumber and employeetype.
   • Set the action variable to member.
   • Set the state variable to absent.

   This is the modified Ansible playbook file for the current example:

   ---
   - name: Delegation member absent
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Ensure delegation "basic manager attributes" member attributes employeenumber and employeetype are absent
       ipadelegation:
         ipaadmin_password: Secret123
         name: "basic manager attributes"
         attribute:
         - employeenumber
         - employeetype
         action: member
         state: absent

5. Save the file.

6. Run the Ansible playbook specifying the playbook file and the inventory file:

   $ ansible-playbook -v -i ~/MyPlaybooks/inventory delegation-member-absent-copy.yml

Procedure

1. Create new permission entries with the ipa permission-add command.
   For example, to add a permission named dns admin:

   $ ipa permission-add "dns admin"

2. Specify the properties of the permission with the following options:
   

   • --bindtype specifies the bind rule type. This option accepts the all, anonymous, and permission arguments. The permission bindtype means that only the users who are granted this permission via a role can exercise it.
     For example:

     $ ipa permission-add "dns admin" --bindtype=all

     If you do not specify --bindtype, then permission is the default value.

     Note

     It is not possible to add permissions with a non-default bind rule type to privileges. You also cannot set a permission that is already present in a privilege to a non-default bind rule type.

   • --right lists the rights granted by the permission, it replaces the deprecated --permissions option. The available values are add, delete, read, search, compare, write, all.

     You can set multiple attributes by using multiple --right options or with a comma-separated list inside curly braces. For example:

     $ ipa permission-add "dns admin" --right=read --right=write

     $ ipa permission-add "dns admin" --right={read,write}

     Note

     add and delete are entry-level operations (for example deleting a user, adding a group, etc.) while read, search, compare and write are more attribute-level: you can write to userCertificate but not read userPassword.

   • --attrs gives the list of attributes over which the permission is granted.
     You can set multiple attributes by using multiple --attrs options or by listing the options in a comma-separated list inside curly braces. For example:

     $ ipa permission-add "dns admin" --attrs=description --attrs=automountKey

     $ ipa permission-add "dns admin" --attrs={description,automountKey}

     The attributes provided with --attrs must exist and be allowed attributes for the given object type, otherwise the command fails with schema syntax errors.

   • --type defines the entry object type to which the permission applies, such as user, host, or service. Each type has its own set of allowed attributes.
     For example:

     $ ipa permission-add "manage service" --right=all --type=service --attrs=krbprincipalkey --attrs=krbprincipalname --attrs=managedby

   • --subtree gives a subtree entry; the filter then targets every entry beneath this subtree entry. Provide an existing subtree entry; --subtree does not accept wildcards or non-existent domain names (DNs). Include a DN within the directory.
     Because IdM uses a simplified, flat directory tree structure, --subtree can be used to target some types of entries, like automount locations, which are containers or parent entries for other configuration. For example:

     $ ipa permission-add "manage automount locations" --subtree="ldap://ldap.example.com:389/cn=automount,dc=example,dc=com" --right=write --attrs=automountmapname --attrs=automountkey --attrs=automountInformation

     Note

     The --type and --subtree options are mutually exclusive: you can see the inclusion of filters for --type as a simplification of --subtree, intending to make life easier for an admin.

   • --filter uses an LDAP filter to identify which entries the permission applies to.
     IdM automatically checks the validity of the given filter. The filter can be any valid LDAP filter, for example:

     $ ipa permission-add "manage Windows groups" --filter="(!(objectclass=posixgroup))" --right=write --attrs=description

   • --memberof sets the target filter to members of the given group after checking that the group exists. For example, to let the users with this permission modify the login shell of members of the engineers group:

     $ ipa permission-add ManageShell --right="write" --type=user --attr=loginshell --memberof=engineers

   • --targetgroup sets target to the specified user group after checking that the group exists. For example, to let those with the permission write the member attribute in the engineers group (so they can add or remove members):

     $ ipa permission-add ManageMembers --right="write" --subtree=cn=groups,cn=accounts,dc=example,dc=test --attr=member --targetgroup=engineers

   • Optionally, you can specify a target domain name (DN):
     

     • --target specifies the DN to apply the permission to. Wildcards are accepted.
     • --targetto specifies the DN subtree where an entry can be moved to.
     • --targetfrom specifies the DN subtree from where an entry can be moved.

Procedure

1. Add privilege entries using the ipa privilege-add command
   For example, to add a privilege named managing filesystems with a description:

   $ ipa privilege-add "managing filesystems" --desc="for filesystems"

2. Assign the required permissions to the privilege group with the privilege-add-permission command
   For example, to add the permissions named managing automount and managing ftp services to the managing filesystems privilege:

   $ ipa privilege-add-permission "managing filesystems" --permissions="managing automount" --permissions="managing ftp services"