Procedure

1. To log in to IdM

   • under the user name of the user who is currently logged in on the local system, use kinit without specifying a user name. For example, if you are logged in as example_user on the local system:

     [example_user@server ~]$ kinit
     Password for example_user@EXAMPLE.COM:
     [example_user@server ~]$

     If the user name of the local user does not match any user entry in IdM, the authentication attempt fails:

     [example_user@server ~]$ kinit
     kinit: Client 'example_user@EXAMPLE.COM' not found in Kerberos database while getting initial credentials

   • using a Kerberos principal that does not correspond to your local user name, pass the required user name to the kinit utility. For example, to log in as the admin user:

     [example_user@server ~]$ kinit admin
     Password for admin@EXAMPLE.COM:
     [example_user@server ~]$

2. Optionally, to verify that the login was successful, use the klist utility to display the cached TGT. In the following example, the cache contains a ticket for the example_user principal, which means that on this particular host, only example_user is currently allowed to access IdM services:

   $ klist
   Ticket cache: KEYRING:persistent:0:0
   Default principal: example_user@EXAMPLE.COM
   
   Valid starting     	Expires            	Service principal
   11/10/2019 08:35:45  	11/10/2019 18:35:45  	krbtgt/EXAMPLE.COM@EXAMPLE.COM

Procedure

1. To destroy your Kerberos ticket:

   [example_user@server ~]$ kdestroy

2. Optionally, to check that the Kerberos ticket has been destroyed:

   [example_user@server ~]$ klist
   klist: Credentials cache keyring 'persistent:0:0' not found

Procedure

1. Copy the /etc/krb5.conf file from the IdM server to the external system. For example:

   # scp /etc/krb5.conf root@externalsystem.example.com:/etc/krb5_ipa.conf

   Warning

   Do not overwrite the existing krb5.conf file on the external system.

2. On the external system, set the terminal session to use the copied IdM Kerberos configuration file:

   $ export KRB5_CONFIG=/etc/krb5_ipa.conf

   The KRB5_CONFIG variable exists only temporarily until you log out. To prevent this loss, export the variable with a different file name.

3. Copy the Kerberos configuration snippets from the /etc/krb5.conf.d/ directory to the external system.

Procedure

1. Open terminal and connect to the IdM server.

2. Enter ipa help topics to display a list of topics covered by help.

   $ ipa help topics

3. Select one of the topics and create a command according to the following pattern: ipa help [topic_name], instead of the topic_name string, add one of the topics you listed in the previous step.

   In the example, we use the following topic: user

   $ ipa help user

4. If the IPA help command is too long and you cannot see the whole text, use the following syntax:

   $ ipa help user | less

   You can then scroll down and read the whole help.

Procedure

1. Open terminal and connect to the IdM server.

2. Enter ipa help commands to display a list of commands covered by help.

   $ ipa help commands

3. Select one of the commands and create a help command according to the following pattern: ipa help <COMMAND>, instead of the <COMMAND> string, add one of the commands you listed in the previous step.

   $ ipa help user-add

Procedure

1. Open terminal and connect to the IdM server.

2. Enter the command for adding a new user:

   $ ipa user-add

   The command runs a script where you can add basic data necessary for creating a user account.

3. In the First name: field, enter the first name of the new user and press the Enter key.
4. In the Last name: field, enter the last name of the new user and press the Enter key.

5. In the User login [suggested user name]: enter the user name or just press the Enter key if the suggested user name works for you.

   User name must be unique for the whole IdM database. If an error occurs, that the user already exists, you need to start from the beginning with the ipa user-add command and try a different user name.

Procedure

1. Open terminal and connect to the IdM server.

2. Enter the command for adding a password:

   $ ipa user-mod euser --password

   The command runs a script where you can add the new password.

3. Enter the new password and press the Enter key.

Procedure

1. Type an IdM server URL into the browser address bar. The name will look similarly to the following example:

   https://server.example.com

   You just need to change server.example.com with a DNS name of your IdM server.

   This opens the IdM Web UI login screen in your browser.

   

   • If the server does not respond or the login screen does not open, check the DNS settings on the IdM server to which you are connecting.

   • If you use a self-signed certificate, the browser issues a warning. Check the certificate and accept the security exception to proceed with the login.

     To avoid security exceptions, install a certificate signed by a certificate authority.

2. On the Web UI login screen, enter the administrator account credentials you added during the IdM server installation.

   For details, see Installing an Identity Management server: With integrated DNS, with an integrated CA.

   You can enter your personal account credentials as well if they are already entered in the IdM server.

   

3. Click Log in.

Procedure

1. To log in to IdM

   • under the user name of the user who is currently logged in on the local system, use kinit without specifying a user name. For example, if you are logged in as example_user on the local system:

     [example_user@server ~]$ kinit
     Password for example_user@EXAMPLE.COM:
     [example_user@server ~]$

     If the user name of the local user does not match any user entry in IdM, the authentication attempt fails:

     [example_user@server ~]$ kinit
     kinit: Client 'example_user@EXAMPLE.COM' not found in Kerberos database while getting initial credentials

   • using a Kerberos principal that does not correspond to your local user name, pass the required user name to the kinit utility. For example, to log in as the admin user:

     [example_user@server ~]$ kinit admin
     Password for admin@EXAMPLE.COM:
     [example_user@server ~]$

2. Optionally, to verify that the login was successful, use the klist utility to display the cached TGT. In the following example, the cache contains a ticket for the example_user principal, which means that on this particular host, only example_user is currently allowed to access IdM services:

   $ klist
   Ticket cache: KEYRING:persistent:0:0
   Default principal: example_user@EXAMPLE.COM
   
   Valid starting     	Expires            	Service principal
   11/10/2019 08:35:45  	11/10/2019 18:35:45  	krbtgt/EXAMPLE.COM@EXAMPLE.COM

Procedure

1. Open the IdM Web UI login dialog in your web browser.

2. Click the link for browser configuration on the Web UI login screen.

   

3. Follow the steps on the configuration page.

   

Procedure

1. Copy the /etc/krb5.conf file from the IdM server to the external system. For example:

   # scp /etc/krb5.conf root@externalsystem.example.com:/etc/krb5_ipa.conf

   Warning

   Do not overwrite the existing krb5.conf file on the external system.

2. On the external system, set the terminal session to use the copied IdM Kerberos configuration file:

   $ export KRB5_CONFIG=/etc/krb5_ipa.conf

   The KRB5_CONFIG variable exists only temporarily until you log out. To prevent this loss, export the variable with a different file name.

3. Copy the Kerberos configuration snippets from the /etc/krb5.conf.d/ directory to the external system.
4. Configure the browser on the external system, as described in Section 6.3, “Configuring the browser for Kerberos authentication”.

Procedure

1. Log in to the IdM Web UI with your username and password.

2. Open the Identity → Users → Active users tab.

   

3. Click your username to open the user settings.
4. In the User authentication types, select Two factor authentication (password + OTP).
5. Click Save.

Procedure

1. Log in to the IdM Web UI with your user name and password.
2. To create the token in your mobile phone, open the Authentication → OTP Tokens tab.

3. Click Add.

   

4. In the Add OTP token dialog box, leave everything unfilled and click Add.

   At this stage, the IdM server creates a token with default parameters at the server and opens a page with a QR code.

5. Copy the QR code into your mobile phone.
6. Click OK to close the QR code.

Procedure

1. In the Identity Management login screen, enter your user name or a user name of the IdM server administrator account.
2. Add the password for the user name entered above.
3. Generate a one time password on your device.
4. Enter the one time password right after the password (without space).

5. Click Log in.

   If the authentication fails, synchronize OTP tokens.

   If your CA uses a self-signed certificate, the browser issues a warning. Check the certificate and accept the security exception to proceed with the login.

   If the the IdM Web UI does not open, verify the DNS configuration of your Identity Management server.

Procedure

1. On the IdM Web UI login screen, click Sync OTP Token.

   

2. In the login screen, enter your username and the Identity Management password.
3. Generate one time password and enter it in the First OTP field.
4. Generate another one time password and enter it in the Second OTP field.

5. Optionally, enter the token ID.

   

6. Click Sync OTP Token.

Procedure

1. In the password expiration login screen, enter the user name.
2. Add the password for the user name entered above.

3. In the OTP field, generate a one time password, if you use the one time password authentication.

   If you do not have enabled the OTP authentication, leave the field empty.

4. Enter the new password twice for verification.

5. Click Reset Password.

   

Procedure

1. Open terminal and connect to the IdM server.

2. Add user login, user’s first name, last name and optionally, you can also add their email address.

   $ ipa user-add user_login --first=first_name --last=last_name --email=email_address

   IdM supports user names that can be described by the following regular expression:

   [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?

   Note

   User names ending with the trailing dollar sign ($) are supported to enable Samba 3.x machine support.

   If you add a user name containing uppercase characters, IdM automatically converts the name to lowercase when saving it. Therefore, IdM always requires to enter user names in lowercase when logging in. Additionally, it is not possible to add user names which differ only in letter casing, such as user and User.

   The default maximum length for user names is 32 characters. To change it, use the ipa config-mod --maxusername command. For example, to increase the maximum user name length to 64 characters:

   $ ipa config-mod --maxusername=64
    Maximum username length: 64
    ...

   The ipa user-add command includes a lot of parameters. To list them all, use the ipa help command:

   $ ipa help user-add

   For details about ipa help command, see What is the IPA help.

Procedure

1. Open terminal and connect to the IdM server.

2. Activate the user account with the following command:

   $ ipa stageuser-activate user_login
   -------------------------
   Stage user user_login activated
   -------------------------
   ...

Procedure

1. Open terminal and connect to the IdM server.

2. Preserve the user account with the following command:

   $ ipa user-del --preserve user_login
   --------------------
   Deleted user "user_login"
   --------------------

Procedure

1. Open terminal and connect to the IdM server.

2. Delete the user account with the following command:

   $ ipa user-del user_login
   --------------------
   Deleted user "user_login"
   --------------------

Procedure

1. Open terminal and connect to the IdM server.

2. Activate the user account with the following command:

   $ ipa user-undel user_login
   ------------------------------
   Undeleted user account "user_login"
   ------------------------------

   Alternatively, you can restore user accounts as staged:

   $ ipa user-stage user_login
   ------------------------------
   Staged user account "user_login"
   ------------------------------

Procedure

1. Log in to the IdM Web UI.

   For details, see Accessing the IdM Web UI in a web browser.

2. Go to Users → Stage Users tab.

   Alternatively, you can add the user account in the Users → Active users, however, you cannot add user groups to the account.

3. Click the + Add icon.
4. In the Add stage user dialog box, enter First name and Last name of the new user.

5. [Optional] In the User login field, add a login name.

   If you leave it empty, the IdM server creates the login name in the following pattern: The first letter of the first name and the surname. The whole login name can have up to 32 characters.

6. [Optional] In the GID drop down menu, select groups in which the user should be included.
7. [Optional] In the Password and Verify password fields,

8. Click on the Add button.

   

Procedure

1. Log in to the IdM Web UI.

   For details, see Accessing the IdM Web UI in a web browser.

2. Go to Users → Stage users tab.
3. Click the check-box of the user account you want to activate.

4. Click on the Activate button.

   

5. In the Confirmation dialog box, click on the OK button.

Procedure

1. Log in to the IdM Web UI.

   For details, see Accessing the IdM Web UI in a web browser.

2. Go to Users → Active users tab.
3. Click the check-box of the user accounts you want to disable.

4. Click on the Disable button.

   

5. In the Confirmation dialog box, click on the OK button.

Procedure

1. Log in to the IdM Web UI.
2. Go to Users → Active users tab.
3. Click the check-box of the user accounts you want to enable.

4. Click on the Enable button.

   

5. In the Confirmation dialog box, click on the OK button.

Procedure

1. Log in to the IdM Web UI.

   For details, see Accessing the IdM Web UI in a web browser.

2. Go to Users → Active users tab.
3. Click the check-box of the user accounts you want to preserve.

4. Click on the Delete button.

   

5. In the Remove users dialog box, switch the Delete mode radio button to preserve.

6. Click on the Delete button.

   

Procedure

1. Log in to the IdM Web UI.

   For details, see Accessing the IdM Web UI in a web browser.

2. Go to Users → Preserved users tab.
3. Click the check-box at the user accounts you want to restore.

4. Click on the Restore button.

   

5. In the Confirmation dialog box, click on the OK button.

Procedure

1. Log in to the IdM Web UI.

   For details, see Accessing the IdM Web UI in a web browser.

2. Go to Users → Active users tab.

   Alternatively, you can delete the user account in the Users → Stage users or Users → Preserved users.

3. Click the Delete icon.
4. In the Remove users dialog box, switch the Delete mode radio button to delete.
5. Click on the Delete button.

Procedure

1. Create an inventory file, for example inventory.file, and define ipaserver in it:

   [ipaserver]
   server.idm.example.com

2. Create an Ansible playbook file with the data of the user whose presence in IdM you want to ensure. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/user/add-user.yml file. For example, to create user named idm_user and add Password123 as the user password:

   ---
   - name: Playbook to handle users
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Create user idm_user
       ipauser:
         ipaadmin_password: MySecret123
         name: idm_user
         first: Alice
         last: Acme
         uid: 1000111
         gid: 10011
         phone: "+555123457"
         email: idm_user@acme.com
         passwordexpiration: "2023-01-19 23:59:59"
         password: "Password123"
         update_password: on_create

   You must use the following options to add a user:

   • name: the login name
   • first: the first name string
   • last: the last name string

   For the full list of available user options, see the /usr/share/doc/ansible-freeipa/README-user.md Markdown file.

   Note

   If you use the update_password: on_create option, Ansible only creates the user password when it creates the user. If the user is already created with a password, Ansible does not generate a new password.

3. Run the playbook:

   $ ansible-playbook -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/add-IdM-user.yml

Procedure

1. Create an inventory file, for example inventory.file, and define ipaserver in it:

   [ipaserver]
   server.idm.example.com

2. Create an Ansible playbook file with the data of the users whose presence you want to ensure in IdM. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/user/ensure-users-present.yml file. For example, to create users idm_user_1, idm_user_2, and idm_user_3, and add Password123 as the password of idm_user_1:

   ---
   - name: Playbook to handle users
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Create user idm_users
       ipauser:
         ipaadmin_password: MySecret123
         users:
         - name: idm_user_1
           first: Alice
           last: Acme
           uid: 10001
           gid: 10011
           phone: "+555123457"
           email: idm_user@acme.com
           passwordexpiration: "2023-01-19 23:59:59"
           password: "Password123"
         - name: idm_user_2
           first: Bob
           last: Acme
           uid: 100011
           gid: 10011
         - name: idm_user_3
           first: Eve
           last: Acme
           uid: 1000111
           gid: 10011

   Note

   If you do not specify the update_password: on_create option, Ansible re-sets the user password every time the playbook is run: if the user has changed the password since the last time the playbook was run, Ansible re-sets password.

3. Run the playbook:

   $ ansible-playbook -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/add-users.yml

Procedure

1. Create an inventory file, for example inventory.file, and define ipaserver in it:

   [ipaserver]
   server.idm.example.com

2. Create an Ansible playbook file with the necessary tasks. Reference the JSON file with the data of the users whose presence you want to ensure. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/ensure-users-present-ymlfile.yml file:

   ---
   - name: Ensure users' presence
     hosts: ipaserver
     become: true
   
     tasks:
     - name: Include users.json
       include_vars:
         file: users.json
   
     - name: Users present
       ipauser:
         ipaadmin_password: Secret123
         users: "{{ users }}"

3. Create the users.json file, and add the IdM users into it. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/user/users.json file. For example, to create users idm_user_1, idm_user_2, and idm_user_3, and add Password123 as the password of idm_user_1:

   {
     "users": [
      {
       "name": "idm_user_1",
       "first": "Alice",
       "last": "Acme",
       "password": "Password123"
      },
      {
       "name": "idm_user_2",
       "first": "Bob",
       "last": "Acme"
      },
      {
       "name": "idm_user_3",
       "first": "Eve",
       "last": "Acme"
      }
     ]
   }

4. Run the Ansible playbook specifying the playbook file and the inventory file:

   $ ansible-playbook -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-users-present-jsonfile.yml

Procedure

1. Create an inventory file, for example inventory.file, and define ipaserver in it:

   [ipaserver]
   server.idm.example.com

2. Create an Ansible playbook file with the users whose absence from IdM you want to ensure. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/user/ensure-users-present.yml file. For example, to delete users idm_user_1, idm_user_2, and idm_user_3:

   ---
   - name: Playbook to handle users
     hosts: ipaserver
     become: true
     gather_facts: false
   
     tasks:
     - name: Delete users idm_user_1, idm_user_2, idm_user_3
       ipauser:
         ipaadmin_password: MySecret123
         users:
         - name: idm_user_1
         - name: idm_user_2
         - name: idm_user_3
         state: absent

3. Run the Ansible playbook specifying the playbook file and the inventory file:

   $ ansible-playbook -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/delete-users.yml

1. Log into ipaserver as administrator:

   $ ssh administrator@server.idm.example.com
   Password:
   [admin@server /]$

2. Request information about idm_user_1:

   $ ipa user-show idm_user_1
   ipa: ERROR: idm_user_1: user not found

   The user named idm_user_1 does not exist in IdM.

Procedure

1. Optional. Use the ipa group-show command to confirm that the group includes the member you want to remove.

2. Remove a member from a user group by using the ipa group-remove-member command.

   Specify members to remove using these options:

   • --users removes an IdM user
   • --external removes a user that exists outside the IdM domain, in the format of DOMAIN\user_name or user_name@domain
   • --groups removes an IdM user group

   For example, to remove user1, user2, and group1 from a group called group_name:

   $ ipa group-remove-member group_name --users=user1 --users=user2 --groups=group1

Procedure

1. Click Identity → Groups, and select User Groups in the left sidebar.
2. Click Add to start adding the group.

3. Fill out the information about the group. For more information about user group types, see The different group types in IdM.

   You can specify a custom GID for the group. If you do this, be careful to avoid ID conflicts. If you do not specify a custom GID, IdM automatically assigns a GID from the available ID range.

   
4. Click Add to confirm.

Procedure

1. Click Identity → Groups and select User Groups.
2. Select the group to delete.
3. Click Delete.
4. Click Delete to confirm.

Procedure

1. Click Identity → Groups and select User Groups in the left sidebar.
2. Click the name of the group.

3. Select the type of group member you want to add: Users, User Groups, or External.

   
4. Click Add.
5. Select the check box next to one or more members you want to add.

6. Click the rightward arrow to move the selected members to the group.

   
7. Click Add to confirm.

Procedure

1. Select Identity → Groups.
2. Select User Groups in the left sidebar.
3. Click the name of the group you want to view.

4. Switch between Direct Membership and Indirect Membership.

   

Procedure

1. Click Identity → Groups and select User Groups in the left sidebar.
2. Click the name of the group.

3. Select the type of group member you want to remove: Users, User Groups, or External.

   
4. Select the check box next to the member you want to remove.
5. Click Delete.
6. Click Delete to confirm.

Procedure

1. Enter the ipa automember-add command to add an automember rule.

2. When prompted, specify:

   • Automember rule. This is the target group name.
   • Grouping Type. This specifies whether the rule targets a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.

   For example, to add an automember rule for a user group named user_group:

   $ ipa automember-add
   Automember Rule: user_group
   Grouping Type: group
   --------------------------------
   Added automember rule "user_group"
   --------------------------------
       Automember Rule: user_group

Procedure

1. Define one or more inclusive or exclusive conditions using the ipa automember-add-condition command.

2. When prompted, specify:

   • Automember rule. This is the target rule name. See Automember rules for details.
   • Attribute Key. This specifies the entry attribute to which the filter will apply. For example, uid for users.
   • Grouping Type. This specifies whether the rule targets a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.
   • Inclusive regex and Exclusive regex. These specify one or more conditions as regular expressions. If you only want to specify one condition, press Enter when prompted for the other.

   For example, the following condition targets all users with any value (.*) in their user login attribute (uid).

   $ ipa automember-add-condition
   Automember Rule: user_group
   Attribute Key: uid
   Grouping Type: group
   [Inclusive Regex]: .*
   [Exclusive Regex]:
   ----------------------------------
   Added condition(s) to "user_group"
   ----------------------------------
     Automember Rule: user_group
     Inclusive Regex: uid=.*
   ----------------------------
   Number of conditions added 1
   ----------------------------

   As another example, you can use an automembership rule to target all Windows users synchronized from Active Directory (AD). To achieve this, create a condition that that targets all users with ntUser in their objectClass attribute, which is shared by all AD users:

   $ ipa automember-add-condition
   Automember Rule: ad_users
   Attribute Key: objectclass
   Grouping Type: group
   [Inclusive Regex]: ntUser
   [Exclusive Regex]:
   -------------------------------------
   Added condition(s) to "ad_users"
   -------------------------------------
     Automember Rule: ad_users
     Inclusive Regex: objectclass=ntUser
   ----------------------------
   Number of conditions added 1
   ----------------------------

Procedure

1. Enter the ipa automember-find command.

2. When prompted, specify the Grouping type:

   • To target a user group, enter group.

   • To target a host group, enter hostgroup.

     For example:

   $ ipa automember-find
   Grouping Type: group
   ---------------
   1 rules matched
   ---------------
     Automember Rule: user_group
     Inclusive Regex: uid=.*
   ----------------------------
   Number of entries returned 1
   ----------------------------

Procedure

1. Enter the ipa automember-del command.

2. When prompted, specify:

   • Automember rule. This is the rule you want to delete.
   • Grouping rule. This specifies whether the rule you want to delete is for a user group or a host group. Enter group or hostgroup.

Procedure

1. Enter the ipa automember-remove-condition command.

2. When prompted, specify:

   • Automember rule. This is the name of the rule from which you want to remove a condition.
   • Attribute Key. This is the target entry attribute. For example, uid for users.
   • Grouping Type. This specifies whether the condition you want to delete is for a user group or a host group. Enter group or hostgroup.

   • Inclusive regex and Exclusive regex. These specify the conditions you want to remove. If you only want to specify one condition, press Enter when prompted for the other.

     For example:

   $ ipa automember-remove-condition
   Automember Rule: user_group
   Attribute Key: uid
   Grouping Type: group
   [Inclusive Regex]: .*
   [Exclusive Regex]:
   -----------------------------------
   Removed condition(s) from "user_group"
   -----------------------------------
     Automember Rule: user_group
   ------------------------------
   Number of conditions removed 1
   ------------------------------

Procedure

1. Enter the ipa automember-default-group-set command to configure a default automember group.

2. When prompted, specify:

   • Default (fallback) Group, which specifies the target group name.

   • Grouping Type, which specifies whether the target is a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.

     For example:

     $ ipa automember-default-group-set
     Default (fallback) Group: default_user_group
     Grouping Type: group
     ---------------------------------------------------
     Set default (fallback) group for automember "default_user_group"
     ---------------------------------------------------
       Default (fallback) Group: cn=default_user_group,cn=groups,cn=accounts,dc=example,dc=com

   Note

   To remove the current default automember group, enter the ipa automember-default-group-remove command.

Procedure

1. Click Identity → Automember, and select either User group rules or Host group rules.
2. Click Add.

3. In the Automember rule field, select the group to which the rule will apply. This is the target group name.

   
4. Click Add to confirm.
5. Optional: You can add conditions to the new rule using the procedure described in Adding a condition to an automember rule using IdM Web UI.

Procedure

1. Click Identity → Automember, and select either User group rules or Host group rules.
2. Click on the rule to which you want to add a condition.

3. In the Inclusive or Exclusive sections, click Add.

   
4. In the Attribute field, select the required attribute, for example uid.
5. In the Expression field, define a regular expression.

6. Click Add.

   For example, the following condition targets all users with any value (.*) in their user ID (uid) attribute.

   

Procedure

1. Click Identity → Automember, and select either User group rules or Host group rules to view the respective automember rules.

2. Optional: Click on a rule to see the conditions for that rule in the Inclusive or Exclusive sections.

   

Procedure

1. Click Identity → Automember, and select either User group rules or Host group rules to view the respective automember rules.
2. Select the check box next to the rule you want to remove.

3. Click Delete.

   
4. Click Delete to confirm.

Procedure

1. Click Identity → Automember, and select either User group rules or Host group rules to view the respective automember rules.
2. Click on a rule to see the conditions for that rule in the Inclusive or Exclusive sections.
3. Select the check box next to the conditions you want to remove.

4. Click Delete.

   
5. Click Delete to confirm.

Procedure

1. Click Identity → Automember, and select User group rules.

2. In the Default user group field, select the group you want to set as the default user group.

   

Procedure

1. Click Identity → Automember, and select Host group rules.

2. In the Default host group field, select the group you want to set as the default host group.

   

Procedure

1. Optional: Display existing self-service rules with the ipa selfservice-find command.
2. Optional: Display details for the self-service rule you want to modify with the ipa selfservice-show command.
3. Use the ipa selfservice-mod command to edit a self-service rule.

Procedure

1. Open the Role-Based Access Control sub-menu in the IPA Server tab and select Self Service Permissions.

2. Click Add at the top-right of the list of the self-service access rules:

   

3. The Add Self Service Permission window opens. Enter the name of the new self-service rule in the Self-service name field. Spaces are allowed:

   

4. Select the check boxes next to the attributes you want users to be able to edit.

5. Optional: If an attribute you would like to provide access to is not listed, you can add a listing for it:

   1. Click the Add button.
   2. Enter the attribute name in the Attribute text field of the following Add Custom Attribute window.
   3. Click the OK button to add the attribute
   4. Verify that the new attribute is selected
6. Click the Add button at the bottom of the form to save the new self-service rule.
   Alternatively, you can save and continue editing the self-service rule by clicking the Add and Edit button, or save and add further rules by clicking the Add and Add another button.

Procedure

1. Open the Role-Based Access Control sub-menu in the IPA Server tab and select Self Service Permissions.

2. Click on the name of the self-service rule you want to modify.

   

3. The edit page only allows you to edit the list of attributes to you want to add or remove to the self-service rule. Select or deselect the appropriate check boxes.
4. Click the Save button to save your changes to the self-service rule.

Procedure

1. Open the Role-Based Access Control sub-menu in the IPA Server tab and select Self Service Permissions.

2. Select the check box next to the rule you want to delete, then click on the Delete button on the right of the list.

   

3. A dialog opens, click on Delete to confirm.

Procedure

1. From the IPA Server menu, click Role-Based Access Control → Delegations.

2. Click Add.

   

3. In the Add delegation window, do the following:

   1. Name the new delegation rule.
   2. Set the permissions by selecting the check boxes that indicate whether users will have the right to view the given attributes (read) and add or change the given attributes (write).
   3. In the User group drop-down menu, select the group who is being granted permissions to view or edit the entries of users in the member group.
   4. In the Member user group drop-down menu, select the group whose entries can be edited by members of the delegation group.

   5. In the attributes box, select the check boxes by the attributes to which you want to grant permissions.

      
   6. Click the Add button to save the new delegation rule.

Procedure

1. From the IPA Server menu, click Role-Based Access Control → Delegations.

   

Procedure

1. From the IPA Server menu, click Role-Based Access Control → Delegations.

   
2. Click on the rule you want to modify.

3. Make the desired changes:

   • Change the name of the rule.
   • Change granted permissions by selecting the check boxes that indicate whether users will have the right to view the given attributes (read) and add or change the given attributes (write).
   • In the User group drop-down menu, select the group who is being granted permissions to view or edit the entries of users in the member group.
   • In the Member user group drop-down menu, select the group whose entries can be edited by members of the delegation group.

   • In the attributes box, select the check boxes by the attributes to which you want to grant permissions. To remove permissions to an attribute, uncheck the relevant check box.

     
   • Click the Save button to save the changes.

Procedure

1. From the IPA Server menu, click Role-Based Access Control → Delegations.
2. Select the check box next to the rule you want to remove.

3. Click Delete.

   
4. Click Delete to confirm.

Procedure

1. Create new permission entries with the ipa permission-add command.
   For example, to add a permission named dns admin:

   $ ipa permission-add "dns admin"

2. Specify the properties of the permission with the following options:
   

   • --bindtype specifies the bind rule type. This option accepts the all, anonymous, and permission arguments. The permission bindtype means that only the users who are granted this permission via a role can exercise it.
     For example:

     $ ipa permission-add "dns admin" --bindtype=all

     If you do not specify --bindtype, then permission is the default value.

     Note

     It is not possible to add permissions with a non-default bind rule type to privileges. You also cannot set a permission that is already present in a privilege to a non-default bind rule type.

   • --right lists the rights granted by the permission, it replaces the deprecated --permissions option. The available values are add, delete, read, search, compare, write, all.

     You can set multiple attributes by using multiple --right options or with a comma-separated list inside curly braces. For example:

     $ ipa permission-add "dns admin" --right=read --right=write

     $ ipa permission-add "dns admin" --right={read,write}

     Note

     add and delete are entry-level operations (for example deleting a user, adding a group, etc.) while read, search, compare and write are more attribute-level: you can write to userCertificate but not read userPassword.

   • --attrs gives the list of attributes over which the permission is granted.
     You can set multiple attributes by using multiple --attrs options or by listing the options in a comma-separated list inside curly braces. For example:

     $ ipa permission-add "dns admin" --attrs=description --attrs=automountKey

     $ ipa permission-add "dns admin" --attrs={description,automountKey}

     The attributes provided with --attrs must exist and be allowed attributes for the given object type, otherwise the command fails with schema syntax errors.

   • --type defines the entry object type to which the permission applies, such as user, host, or service. Each type has its own set of allowed attributes.
     For example:

     $ ipa permission-add "manage service" --right=all --type=service --attrs=krbprincipalkey --attrs=krbprincipalname --attrs=managedby

   • --subtree gives a subtree entry; the filter then targets every entry beneath this subtree entry. Provide an existing subtree entry; --subtree does not accept wildcards or non-existent domain names (DNs). Include a DN within the directory.
     Because IdM uses a simplified, flat directory tree structure, --subtree can be used to target some types of entries, like automount locations, which are containers or parent entries for other configuration. For example:

     $ ipa permission-add "manage automount locations" --subtree="ldap://ldap.example.com:389/cn=automount,dc=example,dc=com" --right=write --attrs=automountmapname --attrs=automountkey --attrs=automountInformation

     Note

     The --type and --subtree options are mutually exclusive: you can see the inclusion of filters for --type as a simplification of --subtree, intending to make life easier for an admin.

   • --filter uses an LDAP filter to identify which entries the permission applies to.
     IdM automatically checks the validity of the given filter. The filter can be any valid LDAP filter, for example:

     $ ipa permission-add "manage Windows groups" --filter="(!(objectclass=posixgroup))" --right=write --attrs=description

   • --memberof sets the target filter to members of the given group after checking that the group exists. For example, to let the users with this permission modify the login shell of members of the engineers group:

     $ ipa permission-add ManageShell --right="write" --type=user --attr=loginshell --memberof=engineers

   • --targetgroup sets target to the specified user group after checking that the group exists. For example, to let those with the permission write the member attribute in the engineers group (so they can add or remove members):

     $ ipa permission-add ManageMembers --right="write" --subtree=cn=groups,cn=accounts,dc=example,dc=test --attr=member --targetgroup=engineers

   • Optionally, you can specify a target domain name (DN):
     

     • --target specifies the DN to apply the permission to. Wildcards are accepted.
     • --targetto specifies the DN subtree where an entry can be moved to.
     • --targetfrom specifies the DN subtree from where an entry can be moved.

Procedure

1. Add privilege entries using the ipa privilege-add command
   For example, to add a privilege named managing filesystems with a description:

   $ ipa privilege-add "managing filesystems" --desc="for filesystems"

2. Assign the required permissions to the privilege group with the privilege-add-permission command
   For example, to add the permissions named managing automount and managing ftp services to the managing filesystems privilege:

   $ ipa privilege-add-permission "managing filesystems" --permissions="managing automount" --permissions="managing ftp services"

Procedure

1. Add new role entries using the ipa role-add command:

   $ ipa role-add --desc="User Administrator" useradmin
   ------------------------
   Added role "useradmin"
   ------------------------
   Role name: useradmin
   Description: User Administrator

2. Add the required privileges to the role using the ipa role-add-privilege command:

   $ ipa role-add-privilege --privileges="user administrators" useradmin
   Role name: useradmin
   Description: User Administrator
   Privileges: user administrators
   ----------------------------
   Number of privileges added 1
   ----------------------------

3. Add the required members to the role using the ipa role-add-member command. Allowed member types are: users, groups, hosts and hostgroups.
   For example, to add the group named useradmins to the previously created useradmin role:

   $ ipa role-add-member --groups=useradmins useradmin
   Role name: useradmin
   Description: User Administrator
   Member groups: useradmins
   Privileges: user administrators
   -------------------------
   Number of members added 1
   -------------------------

Procedure

1. To add a new permission, open the Role-Based Access Control sub-menu in the IPA Server tab and select Permissions:

   

2. The list of permissions opens: Click the Add button at the top of the list of the permissions:

   

3. The Add Permission form opens. Specify the name of the new permission and define its properties accordingly:

   

4. Select the appropriate Bind rule type:

   • permission is the default permission type, granting access through privileges and roles
   • all specifies that the permission applies to all authenticated users

   • anonymous specifies that the permission applies to all users, including unauthenticated users

     Note

     It is not possible to add permissions with a non-default bind rule type to privileges. You also cannot set a permission that is already present in a privilege to a non-default bind rule type.

5. Choose the rights to grant with this permisthsion in Granted rights.

6. Define the method to identify the target entries for the permission:

   • Type specifies an entry type, such as user, host, or service. If you choose a value for the Type setting, a list of all possible attributes which will be accessible through this ACI for that entry type appears under Effective Attributes. Defining Type sets Subtree and Target DN to one of the predefined values.
   • Subtree (required) specifies a subtree entry; every entry beneath this subtree entry is then targeted. Provide an existing subtree entry, as Subtree does not accept wildcards or non-existent domain names (DNs). For example: cn=automount,dc=example,dc=com
   • Extra target filter uses an LDAP filter to identify which entries the permission applies to. The filter can be any valid LDAP filter, for example: (!(objectclass=posixgroup))
     IdM automatically checks the validity of the given filter. If you enter an invalid filter, IdM warns you about this when you attempt to save the permission.
   • Target DN specifies the domain name (DN) and accepts wildcards. For example: uid=*,cn=users,cn=accounts,dc=com
   • Member of group sets the target filter to members of the given group. After you specify the filter settings and click Add, IdM validates the filter. If all the permission settings are correct, IdM will perform the search. If some of the permissions settings are incorrect, IdM will display a message informing you about which setting is set incorrectly.

7. Add attributes to the permission:

   • If you set Type, choose the Effective attributes from the list of available ACI attributes.

   • If you did not use Type, add the attributes manually by writing them into the Effective attributes field. Add a single attribute at a time; to add multiple attributes, click Add to add another input field.

     Important

     If you do not set any attributes for the permission, then the permissions includes all attributes by default.

8. Finish adding the permissions with the Add buttons at the bottom of the form:

   • Click the Add button to save the permission and go back to the list of permissions.
   • Alternatively, you can save the permission and continue adding additional permissions in the same form by clicking the Add and Add another button
   • The Add and Edit button enables you to save and continue editing the newly created permission.
9. Optional. You can also edit the properties of an existing permission by clicking its name from the list of permissions to display the Permission settings page.

10. Optional. If you need to remove an existing permission, click the Delete button once you ticked the check box next to its name in the list, to display The Remove permissions dialog.

    Note

    Operations on default managed permissions are restricted: the attributes you cannot modify are disabled in the IdM Web UI and you cannot delete the managed permissions completely.
    However, you can effectively disable a managed permission that has a bind type set to permission, by removing the managed permission from all privileges.

Procedure

1. To add a new privilege, open the Role-Based Access Control sub-menu in the IPA Server tab and select Privileges:

   

2. The list of privileges opens. Click the Add button at the top of the list of privileges:

   

3. The Add Privilege form opens. Enter the name and a description of the privilege:

   

4. Click the Add and Edit button in order to save the new privilege and continue to the privilege configuration page to add permissions.
5. Edit the properties of privileges by clicking on the privileges name in the privileges list. The privileges configuration page opens.

6. The Permissions tab displays a list of permissions included in the selected privilege. Click the Add button at the top of the list to add permissions to the privilege:

   

7. Tick the check box next to the name of each permission to add, and use the > button to move the permissions to the Prospective column:

   

8. Confirm by clicking the Add button.
9. Optional. If you need to remove permissions, click the Delete button after you ticked the check box next to the relevant permission: the Remove privileges from permissions dialog opens.
10. Optional. If you need to delete an existing privilege, click the Delete button after you ticked the check box next to its name in the list: the Remove privileges dialog opens.

Procedure

1. To add a new role, open the Role-Based Access Control sub-menu in the IPA Server tab and select Roles:

   

2. The list of roles opens. Click the Add button at the top of the list of the role-based access control instructions.

   

3. The Add Role form opens. Enter the role name and a description:

   

4. Click the Add and Edit button to save the new role and go to the role configuration page to add privileges and users.
5. Edit the properties of roles by clicking on the roles name in the role list. The roles configuration page opens.

6. Add members using the Users, Users Groups, Hosts, Host Groups or Services tabs, by clicking the Add button on top of the relevant list(s).

   

7. In the window that opens, select the members on the left and use the > button to move them to the Prospective column.

   

8. At the top of the Privileges tab, click Add.

   

9. Select the privileges on the left and use the > button to move them to the Prospective column.

   

10. Click the Add button to save.
11. Optional. If you need to remove privileges or members from a role, click the Delete button after you ticked the check box next to the name of the entity you want to remove. A dialog opens.
12. Optional. If you need to remove an existing role, click the Delete button after you ticked the check box next to its name in the list, to display the Remove roles dialog.

Procedure

1. Create a new ID view. For example, to create an ID view named example_for_host1:

   $ ipa idview-add example_for_host1
   ---------------------------
   Added ID View "example_for_host1"
   ---------------------------
     ID View Name: example_for_host1

2. Add a user override to the example_for_host1 ID view. To override the user login:

   • Enter the ipa idoverrideuser-add command
   • Add the name of the ID view
   • Add the user name, also called the anchor

   • Add the --login option:

     $ ipa idoverrideuser-add example_for_host1 idm_user --login=user_1234
     -----------------------------
     Added User ID override "idm_user"
     -----------------------------
       Anchor to override: idm_user
       User login: user_1234

     For a list of the available options, run ipa idoverrideuser-add --help.

     Note

     The ipa idoverrideuser-add --certificate command replaces all existing certificates for the account in the specified ID view. To append an additional certificate, use the ipa idoverrideuser-add-cert command instead:

     $ ipa idoverrideuser-add-cert example_for_host1 user --certificate="MIIEATCC..."

3. Optional: Using the ipa idoverrideuser-mod command, you can specify new attribute values for an existing user override.

4. Apply example_for_host1 to the host1.idm.example.com host:

   $ ipa idview-apply example_for_host1 --hosts=host1.idm.example.com
   -----------------------------
   Applied ID View "example_for_host1"
   -----------------------------
   hosts: host1.idm.example.com
   ---------------------------------------------
   Number of hosts the ID View was applied to: 1
   ---------------------------------------------

   Note

   The ipa idview-apply command also accepts the --hostgroups option. The option applies the ID view to hosts that belong to the specified host group, but does not associate the ID view with the host group itself. Instead, the --hostgroups option expands the members of the specified host group and applies the --hosts option individually to every one of them.

   This means that if a host is added to the host group in the future, the ID view does not apply to the new host.

5. To apply the new configuration to the host1.idm.example.com system immediately:

   1. SSH to the system as root:

      $ ssh root@host1
      Password:

   2. Clear the SSSD cache:

      root@host1 ~]# sss_cache -E

   3. Restart the SSSD daemon:

   root@host1 ~]# systemctl restart sssd

Procedure

1. As root, create the directory that you want idm_user to use on host1.idm.example.com as the user home directory:

   [root@host1 /]# mkdir /home/user_1234/

2. Change the ownership of the directory:

   [root@host1 /]# chown idm_user:idm_user /home/user_1234/

3. Display the ID view, including the hosts to which the ID view is currently applied. To display the ID view named example_for_host1:

   $ ipa idview-show example_for_host1 --all
     dn: cn=example_for_host1,cn=views,cn=accounts,dc=idm,dc=example,dc=com
     ID View Name: example_for_host1
     User object override: idm_user
     Hosts the view applies to: host1.idm.example.com
     objectclass: ipaIDView, top, nsContainer

   The output shows that the ID view currently applies to host1.idm.example.com.

4. Modify the user override of the example_for_host1 ID view. To override the user home directory:

   • Enter the ipa idoverrideuser-add command
   • Add the name of the ID view
   • Add the user name, also called the anchor

   • Add the --homedir option:

     $ ipa idoverrideuser-mod example_for_host1 idm_user --homedir=/home/user_1234
     -----------------------------
     Modified an User ID override "idm_user"
     -----------------------------
       Anchor to override: idm_user
       User login: user_1234
       Home directory: /home/user_1234/

   For a list of the available options, run ipa idoverrideuser-mod --help.

5. To apply the new configuration to the host1.idm.example.com system immediately:

   1. SSH to the system as root:

      $ ssh root@host1
      Password:

   2. Clear the SSSD cache:

      root@host1 ~]# sss_cache -E

   3. Restart the SSSD daemon:

   root@host1 ~]# systemctl restart sssd

Verification steps

1. SSH to host1 as idm_user:

   [root@r8server ~]# ssh idm_user@host1.idm.example.com
   Password:
   
   Last login: Sun Jun 21 22:34:25 2020 from 192.168.122.229
   [user_1234@host1 ~]$

2. Print the working directory:

   [user_1234@host1 ~]$ pwd
   /home/user_1234/

Procedure

1. As root, create the directory that you want idm_user to use on host1.idm.example.com as the user home directory:

   [root@host1 /]# mkdir /home/user_1234/

2. Change the ownership of the directory:

   [root@host1 /]# chown idm_user:idm_user /home/user_1234/

3. Create an ID view. For example, to create an ID view named example_for_host1:

   $ ipa idview-add example_for_host1
   ---------------------------
   Added ID View "example_for_host1"
   ---------------------------
     ID View Name: example_for_host1

4. Add a user override to the example_for_host1 ID view. To override the user home directory:

   • Enter the ipa idoverrideuser-add command
   • Add the name of the ID view
   • Add the user name, also called the anchor
   • Add the --homedir option:

   $ ipa idoverrideuser-add example_for_host1 idm_user --homedir=/home/user_1234
   -----------------------------
   Added User ID override "idm_user"
   -----------------------------
     Anchor to override: idm_user
     Home directory: /home/user_1234/

5. Apply example_for_host1 to the host1.idm.example.com host:

   $ ipa idview-apply example_for_host1 --hosts=host1.idm.example.com
   -----------------------------
   Applied ID View "example_for_host1"
   -----------------------------
   hosts: host1.idm.example.com
   ---------------------------------------------
   Number of hosts the ID View was applied to: 1
   ---------------------------------------------

   Note

   The ipa idview-apply command also accepts the --hostgroups option. The option applies the ID view to hosts that belong to the specified host group, but does not associate the ID view with the host group itself. Instead, the --hostgroups option expands the members of the specified host group and applies the --hosts option individually to every one of them.

   This means that if a host is added to the host group in the future, the ID view does not apply to the new host.

6. To apply the new configuration to the host1.idm.example.com system immediately:

   1. SSH to the system as root:

      $ ssh root@host1
      Password:

   2. Clear the SSSD cache:

      root@host1 ~]# sss_cache -E

   3. Restart the SSSD daemon:

   root@host1 ~]# systemctl restart sssd

Verification steps

1. SSH to host1 as idm_user:

   [root@r8server ~]# ssh idm_user@host1.idm.example.com
   Password:
   Activate the web console with: systemctl enable --now cockpit.socket
   
   Last login: Sun Jun 21 22:34:25 2020 from 192.168.122.229
   [idm_user@host1 /]$

2. Print the working directory:

   [idm_user@host1 /]$ pwd
   /home/user_1234/

1. How to create a host group and add hosts to it.
2. How to apply an ID view to the host group.
3. How to add a new host to the host group and apply the ID view to the new host.

Procedure

1. Create a host group and add hosts to it:

   1. Create a host group. For example, to create a host group named baltimore:

      [root@master ~]# ipa hostgroup-add --desc="Baltimore hosts" baltimore
      ---------------------------
      Added hostgroup "baltimore"
      ---------------------------
      Host-group: baltimore
      Description: Baltimore hosts

   2. Add hosts to the host group. For example, to add the host102 and host103 to the baltimore host group:

      [root@master ~]# ipa hostgroup-add-member --hosts={host102,host103} baltimore
      Host-group: baltimore
      Description: Baltimore hosts
      Member hosts: host102.idm.example.com, host103.idm.example.com
      -------------------------
      Number of members added 2
      -------------------------

2. Apply an ID view to the hosts in the host group. For example, to apply the example_for_host1 ID view to the baltimore host group:

   [root@master ~]# ipa idview-apply --hostgroups=baltimore
   ID View Name: example_for_host1
   -----------------------------------------
   Applied ID View "example_for_host1"
   -----------------------------------------
     hosts: host102.idm.example.com, host103.idm.example.com
   ---------------------------------------------
   Number of hosts the ID View was applied to: 2
   ---------------------------------------------

3. Add a new host to the host group and apply the ID view to the new host:

   1. Add a new host to the host group. For example, to add the somehost.idm.example.com host to the baltimore host group:

      [root@master ~]# ipa hostgroup-add-member --hosts=somehost.idm.example.com baltimore
        Host-group: baltimore
        Description: Baltimore hosts
        Member hosts:  host102.idm.example.com, host103.idm.example.com,somehost.idm.example.com
      -------------------------
      Number of members added 1
      -------------------------

   2. Optionally, display the ID view information. For example, to display the details about the example_for_host1 ID view:

      [root@master ~]# ipa idview-show example_for_host1 --all
        dn: cn=example_for_host1,cn=views,cn=accounts,dc=idm,dc=example,dc=com
        ID View Name: example_for_host1
      [...]
        Hosts the view applies to: host102.idm.example.com, host103.idm.example.com
        objectclass: ipaIDView, top, nsContainer

      The output shows that the ID view is not applied to somehost.idm.example.com, the newly-added host in the baltimore host group.

   3. Apply the ID view to the new host. For example, to apply the example_for_host1 ID view to somehost.idm.example.com:

      [root@master ~]# ipa idview-apply --host=somehost.idm.example.com
      ID View Name: example_for_host1
      -----------------------------------------
      Applied ID View "example_for_host1"
      -----------------------------------------
        hosts: somehost.idm.example.com
      ---------------------------------------------
      Number of hosts the ID View was applied to: 1
      ---------------------------------------------

Procedure

1. Log in as IdM administrator:

   $ kinit admin

2. Create a user named provisionator with the privileges to add stage users.

   1. Add the provisionator user account:

   $ ipa user-add provisionator --first=provisioning --last=account --password

   1. Grant the provisionator user the required privileges.

      1. Create a custom role, System Provisioning, to manage adding stage users:

         $ ipa role-add --desc "Responsible for provisioning stage users" "System Provisioning"

      2. Add the Stage User Provisioning privilege to the role. This privilege provides the ability to add stage users:

         $ ipa role-add-privilege "System Provisioning" --privileges="Stage User Provisioning"

      3. Add the provisionator user to the role:

         $ ipa role-add-member --users=provisionator "System Provisioning"

      4. Verify that the provisionator exists in IdM:

      $ ipa user-find provisionator --all --raw
      --------------
      1 user matched
      --------------
        dn: uid=provisionator,cn=users,cn=accounts,dc=idm,dc=example,dc=com
        uid: provisionator
        [...]

3. Create a user, activator, with the privileges to manage user accounts.

   1. Add the activator user account:

      $ ipa user-add activator --first=activation --last=account --password

   2. Grant the activator user the required privileges by adding the user to the default User Administrator role:

      $ ipa role-add-member --users=activator "User Administrator"

4. Create a user group for application accounts:

   $ ipa group-add application-accounts

5. Update the password policy for the group. The following policy prevents password expiration and lockout for the account but compensates the potential risks by requiring complex passwords:

   $ ipa pwpolicy-add application-accounts --maxlife=10000 --minlife=0 --history=0 --minclasses=4 --minlength=8 --priority=1 --maxfail=0 --failinterval=1 --lockouttime=0

6. (Optional) Verify that the password policy exists in IdM:

   $ ipa pwpolicy-show application-accounts
     Group: application-accounts
     Max lifetime (days): 10000
     Min lifetime (hours): 0
     History size: 0
   [...]

7. Add the provisioning and activation accounts to the group for application accounts:

   $ ipa group-add-member application-accounts --users={provisionator,activator}

8. Change the passwords for the user accounts:

   $ kpasswd provisionator
   $ kpasswd activator

   Changing the passwords is necessary because new IdM users passwords expire immediately.

Procedure

1. Generate a keytab file for the activation account:

   # ipa-getkeytab -s server.idm.example.com -p "activator" -k /etc/krb5.ipa-activation.keytab

   If you want to enable the activation process on more than one IdM server, generate the keytab file on one server only. Then copy the keytab file to the other servers.

2. Create a script, /usr/local/sbin/ipa-activate-all, with the following contents to activate all users:

   #!/bin/bash
   
   kinit -k -i activator
   
   ipa stageuser-find --all --raw | grep "  uid:" | cut -d ":" -f 2 | while read uid; do ipa stageuser-activate ${uid}; done

3. Edit the permissions and ownership of the ipa-activate-all script to make it executable:

   # chmod 755 /usr/local/sbin/ipa-activate-all
   # chown root:root /usr/local/sbin/ipa-activate-all

4. Create a systemd unit file, /etc/systemd/system/ipa-activate-all.service, with the following contents:

   [Unit]
   Description=Scan IdM every minute for any stage users that must be activated
   
   [Service]
   Environment=KRB5_CLIENT_KTNAME=/etc/krb5.ipa-activation.keytab
   Environment=KRB5CCNAME=FILE:/tmp/krb5cc_ipa-activate-all
   ExecStart=/usr/local/sbin/ipa-activate-all

5. Create a systemd timer, /etc/systemd/system/ipa-activate-all.timer, with the following contents:

   [Unit]
   Description=Scan IdM every minute for any stage users that must be activated
   
   [Timer]
   OnBootSec=15min
   OnUnitActiveSec=1min
   
   [Install]
   WantedBy=multi-user.target

6. Reload the new configuration:

   # systemctl daemon-reload

7. Enable ipa-activate-all.timer:

   # systemctl enable ipa-activate-all.timer

8. Start ipa-activate-all.timer:

   # systemctl start ipa-activate-all.timer

9. (Optional) Verify that the ipa-activate-all.timer daemon is running:

   # systemctl status ipa-activate-all.timer
   ● ipa-activate-all.timer - Scan IdM every minute for any stage users that must be activated
      Loaded: loaded (/etc/systemd/system/ipa-activate-all.timer; enabled; vendor preset: disabled)
      Active: active (waiting) since Wed 2020-06-10 16:34:55 CEST; 15s ago
     Trigger: Wed 2020-06-10 16:35:55 CEST; 44s left
   
   Jun 10 16:34:55 server.idm.example.com systemd[1]: Started Scan IdM every minute for any stage users that must be activated.

Procedure

1. On the external server, create an LDIF file that contains information about the new user:

   dn: uid=stageidmuser,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
   changetype: add
   objectClass: top
   objectClass: inetorgperson
   uid: stageidmuser
   sn: surname
   givenName: first_name
   cn: full_name

2. Transfer the LDIF file from the external server to the IdM server:

   $ scp add-stageidmuser.ldif provisionator@server.idm.example.com:/provisionator/
   Password:
   add-stageidmuser.ldif                                                                                          100%  364   217.6KB/s   00:00

3. Use the SSH protocol to connect to the IdM server as provisionator:

   $ ssh provisionator@server.idm.example.com
   Password:
   [provisionator@server ~]$

4. On the IdM server, obtain the Kerberos ticket-granting ticket (TGT) for the provisionator account:

   [provisionator@server ~]$ kinit provisionator

5. Enter the ldapadd command with the -f option and the name of the LDIF file. Specify the name of the IdM server and the port number:

   ~]$ ldapadd -h server.idm.example.com -p 389 -f  add-stageidmuser.ldif
   SASL/GSSAPI authentication started
   SASL username: provisionator@IDM.EXAMPLE.COM
   SASL SSF: 256
   SASL data security layer installed.
   adding the entry "uid=stageidmuser,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com"

Procedure

1. Use the SSH protocol to connect to the IdM server using your IdM identity and credentials:

   $ ssh provisionator@server.idm.example.com
   Password:
   [provisionator@server ~]$

2. Obtain the TGT of the provisionator account, an IdM user with a role to add new stage users:

   $ kinit provisionator

3. Enter the ldapmodify command and specify Generic Security Services API (GSSAPI) as the Simple Authentication and Security Layer (SASL) mechanism to use for authentication. Specify the name of the IdM server and the port:

   # ldapmodify -h server.idm.example.com -p 389 -Y GSSAPI
   SASL/GSSAPI authentication started
   SASL username: provisionator@IDM.EXAMPLE.COM
   SASL SSF: 56
   SASL data security layer installed.

4. Enter the dn of the user you are adding:

   dn: uid=stageuser,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com

5. Enter add as the type of change you are performing:

   changetype: add

6. Specify the LDAP object class categories required to allow the correct processing of the user life cycle:

   objectClass: top
   objectClass: inetorgperson

   You can specify additional object classes.

7. Enter the uid of the user:

   uid: stageuser

8. Enter the cn of the user:

   cn: Babs Jensen

9. Enter the last name of the user:

   sn: Jensen

10. Press Enter again to confirm that this is the end of the entry:

    [Enter]
    
    adding new entry "uid=stageuser,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com"

11. Exit the connection using Ctrl + C.

Procedure

1. Log in as an IdM user with a role to preserve users:

   $ kinit admin

2. Enter the ldapmodify command and specify the Generic Security Services API (GSSAPI) as the Simple Authentication and Security Layer (SASL) mechanism to be used for authentication:

   # ldapmodify -Y GSSAPI
   SASL/GSSAPI authentication started
   SASL username: admin@IDM.EXAMPLE.COM
   SASL SSF: 256
   SASL data security layer installed.

3. Enter the dn of the user you want to preserve:

   dn: uid=user1,cn=users,cn=accounts,dc=idm,dc=example,dc=com

4. Enter modrdn as the type of change you want to perform:

   changetype: modrdn

5. Specify the newrdn for the user:

   newrdn: uid=user1

6. Indicate that you want to preserve the user:

   deleteoldrdn: 0

7. Specify the new superior DN:

   newsuperior: cn=deleted users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com

   Preserving a user moves the entry to a new location in the directory information tree (DIT). For this reason, you must specify the DN of the new parent entry as the new superior DN.

8. Press Enter again to confirm that this is the end of the entry:

   [Enter]
   
   modifying rdn of entry "uid=user1,cn=users,cn=accounts,dc=idm,dc=example,dc=com"

9. Exit the connection using Ctrl + C.