FreeIPA Accounts
General Information
FreeIPA account management from a FreeIPA server.
Checklist
- Distro(s): Any
- Other: FreeIPA Server
IPA CLI
In addition to the web portal, there is a CLI for FreeIPA.
Prior to issuing commands, you will need to authenticate to kerberos as an “admin” user.
- SSH to an IPA server and switch to the root user.
- Determine if there is a valid kerberos authentication ticket (and sample output):
klist Ticket cache: KEYRING:persistent:0:0 Default principal: admin@EXAMPLE.COM Valid starting Expires Service principal 02/29/2016 11:54:25 03/01/2016 11:54:21 krbtgt/EXAMPLE.COM@EXAMPLE.COM
- If needed, initialize a kerberos authentication ticket as an “admin” user and enter the admin password when prompted
kinit admin
- By default, tickets are good for 24 hours. You can extend this by specifying a longer time
kinit -l 48h admin
- Perform ipa commands as listed below.
Show User Info
Show a known user's account info:
ipa user-show <username>
Show a user's failed login count, last successful, and last failed login across the IPA servers
ipa user-status <username>
Find Users
Find a user account via the cli.
ipa user-find <string>
- String can be: first name, last name, username, telephone number
- If there is no string, then the search returns every entry in FreeIPA, up to the search limit.
- With the command-line tools, only a single search string can be used for user and group searches. With the UI, multiple strings can be used.
- Searches are case insensitive.
- Search results are displayed alphabetically, with exact matches listed first, followed by partial matches.
- Wildcards cannot be used in searches. The search string must include at least one character that appears in one of the indexed search fields.
Unlock User Account
After a certain number of failed login attempts, user accounts are locked. (defined via password policy)
After a certain number of minutes, accounts are automatically unlocked. (defined via password policy)
To unlock an account manually:
ipa user-unlock <username>
Reset User Password
Options to reset a user's password:
- Scripted (randomly generated password with e-mail auto sent) « Preferred Method
- Web portal (then send the user the set password)
- CLI (then send the user the set password)
Scripted Method
This method will e-mail the user a randomly generated password with instructions for setting a new one.
- SSH to an IPA server and switch to the root user.
- Execute the password reset script
Alternative Command Line Methods
You will need to e-mail the user the generated or manually set password using these methods.
Prompt to set a user password
ipa user-mod <username> --password
Generate a random user password
ipa user-mod <username> --random
Disable User Account
To disable a user's account now:
ipa user-disable <username>
Schedule a time to disable the user account
- SSH to an IPA server and switch to the root user.
- Verify there is a kerberos ticket that is valid in the range you want to disable
- Schedule the disable job
at 5:00pm march 3 at>ipa user-disable <username> at>Ctrl+d job 1 at Thu Mar 3 17:00:00 2016
Enable User Account
To enable a user's account:
ipa user-enable <username>