General Information
FreeIPA account management from a FreeIPA server.
Checklist
In addition to the web portal, there is a CLI for FreeIPA.
Prior to issuing commands, you will need to authenticate to Kerberos as an “admin” user.
klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
02/29/2016 11:54:25  03/01/2016 11:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
kinit admin
kinit -l 48h admin
Show a known user's account info:
ipa user-show <username>
Show a user's failed login count, last successful, and last failed login across the IPA servers
ipa user-status <username>
Find a user account via the CLI:
ipa user-find <string>
After a certain number of failed login attempts, user accounts are locked (defined via password policy).
After a certain number of minutes, accounts are automatically unlocked (defined via password policy).
To unlock an account manually:
ipa user-unlock <username>
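
The per-server failed login counts reported by ipa user-status can be compared with the password policy's failure limit to see which servers have an account at the lockout threshold before running ipa user-unlock. This is an added example, not part of the original page: the function names, the threshold of 6 and the sample output (constructed, modelled on the command's "Server:" / "Failed logins:" layout) are assumptions.

```shell
#!/bin/sh
# Added example: list the IPA servers on which an account has reached the
# failed-login threshold, reading `ipa user-status` output on stdin.
# Assumption: fields are labelled "Server:" and "Failed logins:".
# Reaching the threshold does not prove the account is still locked:
# the policy may already have unlocked it automatically after the
# configured number of minutes.

# locked_servers MAX_FAILURES  -> prints one server name per line
locked_servers() {
    awk -v max="$1" '
        /^[[:space:]]*Server:/        { server = $2 }
        /^[[:space:]]*Failed logins:/ {
            # Counters are kept per server, so each one is checked alone.
            if ($3 + 0 >= max + 0) print server
        }
    '
}

# Constructed sample output, not captured from a real deployment.
sample_status() {
    cat <<'EOF'
-----------------------
Account disabled: False
-----------------------
  Server: ipa1.example.com
  Failed logins: 6
  Last successful authentication: 20160229165421Z
  Last failed authentication: 20160301120102Z
  Time now: 2016-03-01T12:05:00Z

  Server: ipa2.example.com
  Failed logins: 1
  Last successful authentication: 20160229165421Z
  Last failed authentication: 20160229101500Z
  Time now: 2016-03-01T12:05:00Z
----------------------------
Number of entries returned 2
----------------------------
EOF
}

# Stand-alone demo with an assumed limit of 6 failures.
sample_status | locked_servers 6
```

Against a live server the same function is fed from the real command: ipa user-status <username> | locked_servers <limit from the password policy>.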
Options to reset a user's password:
This method will e-mail the user a randomly generated password with instructions for setting a new one.
With the methods below, you will need to e-mail the user the generated or manually set password yourself.
Prompt to set a user password
ipa user-mod <username> --password
Generate a random user password
ipa user-mod <username> --random
To disable a user's account now:
ipa user-disable <username>
Schedule a time to disable the user account
at 5:00pm march 3
at> ipa user-disable <username>
at> Ctrl+d
job 1 at Thu Mar 3 17:00:00 2016
To enable a user's account:
ipa user-enable <username>