====== FreeIPA Accounts ======
**General Information**
FreeIPA account management from a FreeIPA server.
**Checklist**
* Distro(s): Any
* Other: [[http://www.unixmen.com/configure-freeipa-server-centos-7/|FreeIPA Server]]
----
====== IPA CLI ======
In addition to the web portal, there is a CLI for FreeIPA.\\
Before issuing ipa commands you need a Kerberos ticket for a principal with the necessary privileges, normally the built-in "admin" user (or a user granted an equivalent role).
- SSH to an IPA server and switch to the root user.
- Check whether there is a valid Kerberos ticket. "klist -s" exits 0 silently if the cache holds an unexpired ticket; plain klist prints it (sample output):<code bash>
klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
02/29/2016 11:54:25  03/01/2016 11:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
</code>
- If needed, obtain a ticket as the "admin" user and enter the admin password when prompted:<code bash>
kinit admin
</code>
- By default, tickets are valid for 24 hours. You can request a longer lifetime with -l, but the KDC silently caps the request at the maximum in the realm ticket policy (ipa krbtpolicy-show; 1 day unless it has been changed), so confirm with klist that you actually got what you asked for:<code bash>
kinit -l 48h admin
klist
</code>
- Perform the ipa commands as listed below. When finished, kdestroy removes the ticket from root's cache.
----
====== Show User Info ======
Show a known user's account info:<code bash>
ipa user-show <username>
</code>
\\
Show a user's failed login count and the last successful and last failed login. These counters are kept per server and are not replicated, so the command queries every IPA server and prints one block for each; a user can be locked out on one server but not another:<code bash>
ipa user-status <username>
</code>
----
====== Find Users ======
Find user accounts via the CLI:<code bash>
ipa user-find [string]
</code>
* **The string is matched against**: username, first name, last name, telephone number
* If there is no string, the search returns every entry in FreeIPA up to the search limit (100 records by default; raise it for one command with --sizelimit=N, 0 meaning unlimited, or globally with ipa config-mod --searchrecordslimit).
* With the command-line tools only a single free-text search string can be given for user and group searches; the attribute options of user-find (see ipa user-find --help) narrow the result further. The web UI accepts multiple strings.
* Searches are case insensitive.
* Search results are displayed alphabetically, with exact matches listed first, followed by partial matches.
* Wildcards cannot be used in searches. The search string must include at least one character that appears in one of the indexed search fields.
----
====== Unlock User Account ======
After a configured number of failed login attempts ("Max failures" in the password policy), a user account is locked.\\
It is unlocked automatically once the policy's "Lockout duration" has elapsed; the failure counter itself is reset after the "Failure reset interval". Check the policy that applies to the user and the current lockout state on each server first:<code bash>
ipa pwpolicy-show --user=<username>
ipa user-status <username>
</code>
To unlock an account manually before the lockout duration has elapsed:<code bash>
ipa user-unlock <username>
</code>
----
====== Reset User Password ======
Options to reset a user's password:
* Scripted (randomly generated password with e-mail auto sent) **<< Preferred Method**
* Web portal (then send the user the set password)
* CLI (then send the user the set password)
\\
===== Scripted Method =====
This method will e-mail the user a randomly generated password with instructions for setting a new one.
- SSH to an IPA server and switch to the root user.
- Execute the [[linux_wiki:freeipa_user_password_reset|password reset script]]
\\
===== Alternative Command Line Methods =====
With these methods you must send the generated or manually set password to the user yourself. Either way, the new password is expired immediately because an administrator set it, so the user is forced to choose their own password at next login (kpasswd on a Linux host, or the web portal).
Prompt to set a user password (entered twice, not echoed):<code bash>
ipa user-mod <username> --password
</code>
\\
Generate a random user password (printed in the command output as "Random password"):<code bash>
ipa user-mod <username> --random
</code>
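The script below is an added example for this page, not the wiki's own reset script linked above. It shows the "scripted method" end to end: reset with ipa user-mod --random, pull the generated password and the user's address out of the command output, and mail the user a notice that already tells them the password must be changed at first use. It assumes the default "Random password:" and "Email address:" labels of the ipa CLI output and a working local MTA for mail(1); the sample output embedded in it is constructed so the parsing can be run offline.

```shell
#!/usr/bin/env bash
# Added example for this page (not the wiki's own reset script): reset a user's
# password to a random value with `ipa user-mod --random` and e-mail it to the
# address stored in IPA. Assumes the default "Random password:" and
# "Email address:" labels of the ipa CLI output and a local MTA for mail(1).
set -eu

# Constructed sample of `ipa user-mod jdoe --random` output, so the parsing
# below can be exercised offline (the real command is only run by
# reset_user_password, which needs an admin ticket on an IPA server).
SAMPLE_USER_MOD='---------------------
Modified user "jdoe"
---------------------
  User login: jdoe
  First name: Jane
  Last name: Doe
  Home directory: /home/jdoe
  Login shell: /bin/bash
  Email address: jdoe@example.com, jane.doe@example.com
  UID: 1234
  GID: 1234
  Random password: ZxK6-pQ2m_7vR
  Account disabled: False
  Password: True'

# Read ipa output on stdin; print the generated password (first match only).
random_password_from_output() {
  awk '/^ *Random password:/ { sub(/^ *Random password: */, ""); print; exit }'
}

# Read ipa output on stdin; print the first e-mail address listed for the user.
first_email() {
  awk '/^ *Email address:/ { sub(/^ *Email address: */, ""); sub(/,.*/, ""); print; exit }'
}

# reset_notice LOGIN PASSWORD -> message body. The password is already expired
# (IPA expires any password an administrator sets), so the user must change
# it the first time it is used.
reset_notice() {
  cat <<EOF
Hello,

The password for your account "$1" has been reset by an administrator.

Temporary password: $2

This password has already expired: the first time you use it (kpasswd on a
Linux host, or the web portal) you will be required to choose a new one.
If you did not request this reset, contact the helpdesk immediately.
EOF
}

# reset_user_password LOGIN: run the reset on this IPA server and mail the
# result. Requires an admin Kerberos ticket (see the IPA CLI section).
reset_user_password() {
  login=$1
  out=$(ipa user-mod "$login" --random)          # output includes the new password
  pw=$(printf '%s\n' "$out" | random_password_from_output)
  to=$(printf '%s\n' "$out" | first_email)
  [ -n "$pw" ] || { echo "no random password in ipa output" >&2; return 1; }
  [ -n "$to" ] || { echo "user $login has no e-mail address in IPA" >&2; return 1; }
  reset_notice "$login" "$pw" | mail -s "Password reset for $login" "$to"
  echo "reset $login; temporary password mailed to $to"   # never echo the password
}

# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_USER_MOD" | random_password_from_output   # ZxK6-pQ2m_7vR
printf '%s\n' "$SAMPLE_USER_MOD" | first_email                   # jdoe@example.com
```

On a real server you would call reset_user_password jdoe after kinit; the script deliberately prints only the recipient, not the password, so the shell history and terminal log do not end up holding it.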
----
====== Disable User Account ======
To disable a user's account now:<code bash>
ipa user-disable <username>
</code>
Disabling blocks new Kerberos and LDAP authentications, but it does not end sessions the user already has open; terminate those separately if the case warrants it.
\\
Schedule a time to disable the user account
- SSH to an IPA server and switch to the root user.
- [[freeipa_accounts#ipa_cli|Verify there is a kerberos ticket]] that will still be valid when the job runs. The at job runs as root with the same default credential cache (KEYRING:persistent:0:0 above), so if the ticket has expired by then the scheduled command fails; for jobs more than 24 hours out get a longer ticket first with kinit -l (subject to the policy maximum).
- Schedule the disable job (at reads the commands from stdin; Ctrl+d ends the input):<code bash>
at 5:00pm march 3
at> ipa user-disable <username>
at> <Ctrl+d>
job 1 at Thu Mar  3 17:00:00 2016
</code>
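The helper below is an added example for this page, not the wiki's own tooling. It ties together the ticket check from the IPA CLI section and the scheduled disable above: it parses the krbtgt "Expires" column out of klist output, decides whether the ticket still covers the time the at job will run, and only then queues ipa user-disable with at -t. It assumes the MM/DD/YYYY klist date format shown on this page (klist follows the locale); the klist output embedded in it is a constructed sample so the check can be run offline.

```shell
#!/usr/bin/env bash
# Added example for this page (not from the wiki): make sure the admin ticket
# in root's cache still covers the moment a scheduled `ipa user-disable` will
# run, since the at job uses the same credential cache and fails if the
# ticket has expired by then.
set -eu

# Constructed sample of `klist` output in the MM/DD/YYYY format shown on
# this page; used for the offline demo so klist itself is not needed.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
02/29/2016 11:54:25  03/01/2016 11:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Read klist output on stdin; print the krbtgt expiry as "YYYY-MM-DD HH:MM:SS"
# so it compares correctly as a plain string. Assumes the date format above
# (klist follows the locale, so check yours before relying on this).
krbtgt_expiry() {
  awk '$NF ~ /^krbtgt\// {
         split($3, d, "/")                    # $3 = expiry date, $4 = expiry time
         printf "%s-%s-%s %s\n", d[3], d[1], d[2], $4
         exit
       }'
}

# ticket_covers KLIST_TEXT "YYYY-MM-DD HH:MM:SS"
# Exit 0 if the TGT expires after the given time, 1 otherwise (including when
# there is no krbtgt line at all, i.e. no ticket).
ticket_covers() {
  expiry=$(printf '%s\n' "$1" | krbtgt_expiry)
  [ -n "$expiry" ] || return 1
  awk -v when="$2" -v lim="$expiry" 'BEGIN { exit !(when < lim) }'
}

# schedule_disable LOGIN "YYYY-MM-DD HH:MM:SS": queue `ipa user-disable` with
# at(1) only if the live ticket covers that time; otherwise say what to do.
# Calls klist and at, so it is not part of the offline demo.
schedule_disable() {
  user=$1; when=$2
  live=$(klist 2>/dev/null) || { echo "no ticket cache; run: kinit admin" >&2; return 1; }
  if ! ticket_covers "$live" "$when"; then
    echo "ticket expires before $when; get a longer one first, e.g. kinit -l 48h admin" >&2
    echo "(the KDC caps -l at the realm maximum: ipa krbtpolicy-show)" >&2
    return 1
  fi
  stamp=$(printf '%s' "$when" | tr -d ' :-' | cut -c1-12)   # -> YYYYMMDDhhmm for at -t
  printf 'ipa user-disable %s\n' "$user" | at -t "$stamp"
}

# Offline demo on the constructed sample (the TGT above ends 2016-03-01 11:54:21):
if ticket_covers "$SAMPLE_KLIST" "2016-03-01 09:00:00"; then
  echo "ticket covers a job at 2016-03-01 09:00"
fi
if ! ticket_covers "$SAMPLE_KLIST" "2016-03-03 17:00:00"; then
  echo "ticket expires before a job at 2016-03-03 17:00: run kinit -l first"
fi
```

On a server, schedule_disable jdoe "2016-03-03 17:00:00" queues the same job as the interactive at session above, but refuses to queue it when the ticket would be gone before 5pm on the 3rd, which is exactly the case with the 24-hour ticket from the sample.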
----
====== Enable User Account ======
To enable a user's account:<code bash>
ipa user-enable <username>
</code>
----