Chapter 2. Viewing, starting and stopping the Identity Management services
Identity Management (IdM) servers are Red Hat Enterprise Linux systems that work as domain controllers (DCs). A number of different services are running on IdM servers, most notably the Directory Server, Certificate Authority (CA), DNS, and Kerberos.
2.1. Viewing the status of IdM services
To view the status of the IdM services that are configured on your IdM server:
ipactl statusDirectory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING httpd Service: RUNNING ntpd Service: RUNNING pki-tomcatd Service: RUNNING smb Service: RUNNING winbind Service: RUNNING ipa-otpd Service: RUNNING ipa-dnskeysyncd Service: RUNNING ipa: INFO: The ipactl command was successful
In the output above:
The Kerberos service is divided into two parts,
krb5kdcservice is the Kerberos version 5 Authentication service and Key Distribution Center (KDC) deamon. The
kadminservice is the Kerberos V5 database administration program.
namedservice refers to the Internet domain name service (DNS).
pkiis the Command-Line Interface for accessing Certificate System services. The
pki-tomcatdprogram handles Identity Management operations related to certificates.
The output of the
ipactl status command on your server depends on your IdM configuration. For example, if an IdM deployment does not include a DNS server, the
named service is not present in the list.
You cannot use the IdM web UI to view the status of all the IdM services running on a particular IdM server. Kerberized services running on different servers can be viewed in the
Services tab of the IdM web UI.
You can start or stop the entire server, or an individual service only.
To start, stop, or restart the entire IdM server, see:
To start, stop, or restart an individual IdM service, see:
To display the version of IdM software, see:
2.2. Starting and stopping the entire Identity Management server: the
ipactl utility to stop, start, or restart the entire IdM server along with all the installed services. Using the
ipactl utility ensures all services are stopped, started, or restarted in the appropriate order. You do not need to have a valid Kerberos ticket to run the
To start the entire IdM server:
# ipactl start
To stop the entire IdM server:
# ipactl stop
To restart the entire IdM server:
# ipactl restart
To show the status of all the services that make up IdM:
# ipactl status
You cannot use the IdM web UI to perform the
2.3. Starting and stopping an individual Identity Management service: the
Changing IdM configuration files manually is generally not recommended. However, certain situations require that an administrator performs a manual configuration of specific services. In such situations, use the
systemctl utility to stop, start, or restart an individual IdM service.
For example, use
systemctl after customizing the Directory Server behavior, without modifying the other IdM services:
systemctl restart dirsrv@REALM-NAME.service
Also, when initially deploying an IdM trust with Active Directory, modify the
/etc/sssd/sssd.conf file, adding:
- specific parameters to tune the timeout configuration options in an environment where remote servers have a high latency
- specific parameters to tune the Active Directory site affinity
- overrides for certain configuration options that are not provided by the global IdM settings
To apply the changes you have made in the
systemctl restart sssd.service
systemctl restart sssd.service is required because the System Security Services Daemon (SSSD) does not automatically re-read or re-apply its configuration.
Note that for changes that affect IdM identity ranges, a complete server reboot is recommended.
To restart multiple IdM domain services, always use
ipactl. Because of dependencies between the services installed with the IdM server, the order in which they are started and stopped is critical. The
ipactl utility ensures that the services are started and stopped in the appropriate order.
To start a particular IdM service:
# systemctl start name.service
To stop a particular IdM service:
# systemctl stop name.service
To restart a particular IdM service:
# systemctl restart name.service
To view the status of a particular IdM service:
# systemctl status name.service
You cannot use the IdM web UI to start or stop the individual services running on IdM servers. You can only use the web UI to modify the settings of a Kerberized service by navigating to
Services and selecting the service.
2.4. Methods for displaying IdM software version
You can display the IdM version number with:
- the IdM WebUI
- Displaying version through the WebUI
In the IdM WebUI, the software version can be displayed by choosing
Aboutfrom the username menu at the top-right.
- Displaying version with
From the command line, use the
[root@server ~]# ipa --version VERSION: 4.8.0, API_VERSION: 2.233
- Displaying version with
If IdM services are not operating properly, you can use the
rpmutility to determine the version number of the
ipa-serverpackage that is currently installed.
[root@server ~]# rpm -q ipa-server ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64