Table of Contents

Configuring and managing Identity Management
Providing feedback on Red Hat documentation
1. Logging in to Identity Management from the command line
  1.1. Using kinit to log in to IdM manually
  1.2. Destroying a user’s active Kerberos ticket
  1.3. Configuring an external system for Kerberos authentication
2. Viewing, starting and stopping the Identity Management services
  2.1. Viewing the status of IdM services
  2.2. Starting and stopping the entire Identity Management server: the ipactl utility
  2.3. Starting and stopping an individual Identity Management service: the systemctl utility
3. Introduction to the IdM command-line utilities
  3.1. What is the IPA command line interface
  3.2. What is the IPA help
  3.3. Using IPA help topics
  3.4. Using IPA help commands
  3.5. Structure of IPA commands
  3.6. Using an IPA command to add a user account to IdM
  3.7. Using an IPA command to modify a user account in IdM
  3.8. How to supply a list of values to the IdM utilities
  3.9. How to use special characters with the IdM utilities
4. Searching Identity Management entries from the command line
  4.1. Overview of listing IdM entries
  4.2. Showing details for a particular entry
  4.3. Adjusting the search size and time limit
    4.3.1. Adjusting the search size and time limit in the command line
    4.3.2. Adjusting the search size and time limit in the Web UI
5. Accessing the IdM Web UI in a web browser
  5.1. What is the IdM Web UI
  5.2. Web browsers supported for accessing the Web UI
  5.3. Accessing the Web UI
6. Logging in to IdM in the Web UI: Using a Kerberos ticket
  6.1. Kerberos authentication in Identity Management
  6.2. Using kinit to log in to IdM manually
  6.3. Configuring the browser for Kerberos authentication
  6.4. Logging in to the web UI using a Kerberos ticket
  6.5. Configuring an external system for Kerberos authentication
  6.6. Web UI login for Active Directory users
7. Logging in to the Identity Management Web UI using one time passwords
  7.1. Prerequisites
  7.2. One time password (OTP) authentication in Identity Management
  7.3. Enabling the one time password in the Web UI
  7.4. Adding OTP tokens in the Web UI
  7.5. Logging into the Web UI with a one time password
  7.6. Synchronizing OTP tokens using the Web UI
  7.7. Changing expired passwords
8. Managing user accounts using the IdM Web UI
  8.1. User life cycle
  8.2. Adding users in the Web UI
  8.3. Activating stage users in the IdM Web UI
  8.4. Disabling user accounts in the Web UI
  8.5. Enabling user accounts in the Web UI
  8.6. Preserving active users in the IdM Web UI
  8.7. Restoring users in the IdM Web UI
  8.8. Deleting users in the IdM Web UI
9. Managing user accounts using the command line
  9.1. User life cycle
  9.2. Adding users using the command line
  9.3. Activating users using the command line
  9.4. Preserving users using the command line
  9.5. Deleting users using the command line
  9.6. Restoring users using the command line
10. Managing user groups in IdM CLI
  10.1. User groups and group types in IdM
  10.2. Direct and indirect group members
  10.3. Adding, searching for, and deleting user groups in IdM CLI
  10.4. Adding a member to a user group using IdM CLI
  10.5. Viewing group members using IdM CLI
  10.6. Removing a member from a user group using IdM CLI
11. Managing Hosts in IdM CLI
  11.1. Hosts in IdM
  11.2. Host enrollment
    11.2.1. User privileges required for host enrollment
    11.2.2. Enrollment and authentication of IdM hosts and users: comparison
    11.2.3. Alternative authentication options for IdM hosts
  11.3. Host Operations
  11.4. Host entry in IdM LDAP
    11.4.1. Host entry configuration properties
  11.5. Adding IdM host entries from IdM CLI
  11.6. Deleting host entries from IdM CLI
  11.7. Re-enrolling an Identity Management client
    11.7.1. Client re-enrollment in IdM
    11.7.2. Re-enrolling a client by using user credentials: Interactive re-enrollment
    11.7.3. Re-enrolling a client by using the client keytab: Non-interactive re-enrollment
    11.7.4. Testing an Identity Management client after installation
  11.8. Renaming Identity Management client systems
    11.8.1. Prerequisites
    11.8.2. Uninstalling an Identity Management client
    11.8.3. Renaming the host system
    11.8.4. Re-installing an Identity Management client
    11.8.5. Re-adding services, re-generating certificates, and re-adding host groups
  11.9. Disabling and Re-enabling Host Entries
    11.9.1. Disabling Hosts
    11.9.2. Re-enabling Hosts
12. Adding host entries from IdM Web UI
  12.1. Hosts in IdM
  12.2. Host enrollment
    12.2.1. User privileges required for host enrollment
    12.2.2. Enrollment and authentication of IdM hosts and users: comparison
    12.2.3. Alternative authentication options for IdM hosts
  12.3. Host entry in IdM LDAP
    12.3.1. Host entry configuration properties
  12.4. Adding Host Entries from the Web UI
13. Public key certificates in Identity Management
  13.1. Certificate authorities in IdM
  13.2. Comparison of certificates and Kerberos
  13.3. The pros and cons of using certificates to authenticate users in IdM
14. Converting certificate formats to work with IdM
  14.1. Certificate formats and encodings in IdM
  14.2. Converting an external certificate to load into an IdM user account
    14.2.1. Converting an external certificate in the IdM CLI and loading it into an IdM user account
    14.2.2. Converting an external certificate in the IdM web UI for loading into an IdM user account
  14.3. Preparing to load a certificate into the browser
    14.3.1. Exporting a certificate and private key from an NSS database into a PKCS #12 file
    14.3.2. Combining certificate and private key PEM files into a PKCS #12 file
  14.4. Certificate-related commands and formats in IdM
15. Configuring Identity Management for smart card authentication
  15.1. Configuring the IdM server for smart card authentication
  15.2. Configuring the IdM client for smart card authentication
  15.3. Adding a certificate to a user entry in IdM
    15.3.1. Adding a certificate to a user entry in the IdM Web UI
    15.3.2. Adding a certificate to a user entry in the IdM CLI
  15.4. Configuring the browser for smart card authentication
  15.5. Logging in to IdM with smart cards
16. Configuring authentication with a certificate stored on the desktop of an IdM client
  16.1. Configuring the Identity Management Server for Certificate Authentication in the Web UI
  16.2. Requesting a new user certificate and exporting it to the client
  16.3. Making sure the certificate and user are linked together
  16.4. Configuring a browser to enable certificate authentication
  16.5. Authenticating to the Identity Management Web UI with a Certificate as an Identity Management User
  16.6. Configuring an IdM client to enable authenticating to the CLI using a certificate
17. Configuring certificate mapping rules in Identity Management
  17.1. Certificate mapping rules for configuring authentication on smart cards
    17.1.1. Certificate mapping rules for trusts with Active Directory domains
    17.1.2. Components of an identity mapping rule in IdM
    17.1.3. Obtaining the issuer from a certificate for use in a matching rule
  17.2. Configuring certificate mapping for users stored in IdM
    17.2.1. Adding a certificate mapping rule in IdM
    17.2.2. Adding certificate mapping data to a user entry in IdM
  17.3. Configuring certificate mapping for users whose AD user entry contains the whole certificate
    17.3.1. Adding a certificate mapping rule for users whose AD entry contains whole certificates
  17.4. Configuring certificate mapping if AD is configured to map user certificates to user accounts
    17.4.1. Adding a certificate mapping rule if the trusted AD domain is configured to map user certificates
    17.4.2. Checking certificate mapping data on the AD side
  17.5. Configuring certificate mapping if AD user entry contains no certificate or mapping data
    17.5.1. Adding a certificate mapping rule if the AD user entry contains no certificate or mapping data
    17.5.2. Adding a certificate to an AD user’s ID override if the user entry in AD contains no certificate or mapping data
  17.6. Combining several identity mapping rules into one
18. Using IdM CA renewal master
  18.1. Explanation of IdM CA renewal master
  18.2. Changing and resetting IdM CA renewal master
  18.3. Switching from an externally to self-signed CA in IdM
  18.4. Renewing the IdM CA renewal master with an externally-signed certificate
19. Renewing expired system certificates when IdM is offline
  19.1. Renewing expired system certificates on a CA Renewal Master
  19.2. Verifying other IdM servers in the IdM domain after renewal
20. Generating CRL on the IdM CA server
  20.1. Stopping CRL generation on IdM master server
  20.2. Starting CRL generation on IdM replica server
21. Obtaining an IdM certificate for a service using certmonger
  21.1. Certmonger overview
  21.2. Obtaining an IdM certificate for a service using certmonger
  21.3. Communication flow for certmonger requesting a service certificate
  21.4. Viewing the details of a certificate request tracked by certmonger
  21.5. Starting and stopping certificate tracking
  21.6. Renewing a certificate manually
  21.7. Making certmonger resume tracking of IdM certificates on a CA replica
22. Enabling AD users to administer IdM
  22.1. ID overrides for AD users
  22.2. Using ID overrides to enable AD users to administer IdM
  22.3. Managing IdM Command-Line Interface (CLI) as an AD user
23. Using canonicalized DNS host names in IdM
  23.1. Adding an alias to a host principal
  23.2. Enabling canonicalization of host names in service principals on clients
  23.3. Options for using host names with DNS host name canonicalization enabled
24. Collecting IdM Healthcheck information
  24.1. Healthcheck in IdM
  24.2. Log rotation
  24.3. Configuring log rotation using the IdM Healthcheck
25. Checking services using IdM Healthcheck
  25.1. Services Healthcheck test
  25.2. Screening services using Healthcheck
26. Verifying your IdM and AD trust configuration using IdM Healthcheck
  26.1. IdM and AD trust Healthcheck tests
  26.2. Screening the trust with the Healthcheck tool
27. Verifying certificates using IdM Healthcheck
  27.1. IdM certificates Healthcheck tests
  27.2. Screening certificates using the Healthcheck tool
28. Verifying system certificates using IdM Healthcheck
  28.1. System certificates Healthcheck tests
  28.2. Screening system certificates using Healthcheck
29. Checking disk space using IdM Healthcheck
  29.1. Disk space healthcheck test
  29.2. Screening disk space using the healthcheck tool
30. Verifying permissions of IdM configuration files using Healthcheck
  30.1. File permissions Healthcheck tests
  30.2. Screening configuration files using Healthcheck
31. Checking IdM replication using Healthcheck
  31.1. Replication healthcheck tests
  31.2. Screening replication using Healthcheck
32. Demoting or promoting hidden replicas
33. Setting up Samba on an IdM domain member
  33.1. Preparing the IdM domain for installing Samba on domain members
  33.2. Enabling the AES encryption type in Active Directory using a GPO
  33.3. Installing and configuring a Samba server on an IdM client
  33.4. Manually adding an ID mapping configuration if IdM trusts a new domain
  33.5. Additional resources
34. Identity Management security settings
  34.1. How Identity Management applies default security settings
  34.2. Anonymous LDAP binds in Identity Management
Legal Notice

Configuring and managing Identity Management
Red Hat Enterprise Linux 8
Configuring, managing and maintaining Identity Management in Red Hat Enterprise Linux 8
Red Hat Customer Content Services
Legal Notice

Abstract
This documentation collection provides instructions on how to effectively configure, manage and maintain Identity Management on Red Hat Enterprise Linux 8.

Providing feedback on Red Hat documentation

Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content.
We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.