FreeIPA Accounts

General Information

FreeIPA account management from a FreeIPA server.

Checklist


IPA CLI

In addition to the web portal, there is a CLI for FreeIPA.
Prior to issuing commands, you will need to authenticate to Kerberos as an “admin” user.

  1. SSH to an IPA server and switch to the root user.
  2. Determine whether there is a valid Kerberos ticket (sample output follows):
    klist
     
    Ticket cache: KEYRING:persistent:0:0
    Default principal: admin@EXAMPLE.COM
     
    Valid starting       Expires              Service principal
    02/29/2016 11:54:25  03/01/2016 11:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
  3. If needed, initialize a Kerberos ticket as an “admin” user; enter the admin password when prompted:
    kinit admin
    1. By default, tickets are good for 24 hours. You can extend this by specifying a longer lifetime:
      kinit -l 48h admin
  4. Perform ipa commands as listed below.

Show User Info

Show a known user's account info:

ipa user-show <username>


Show a user's failed login count, last successful login, and last failed login across the IPA servers:

ipa user-status <username>

Find Users

Find user accounts matching a string via the CLI:

ipa user-find <string>

Unlock User Account

After a certain number of failed login attempts (defined via the password policy), user accounts are locked.
After a certain number of minutes (also defined via the password policy), accounts are automatically unlocked.

To unlock an account manually:

ipa user-unlock <username>

Reset User Password

Options to reset a user's password:


Scripted Method

This method will e-mail the user a randomly generated password with instructions for setting a new one.

  1. SSH to an IPA server and switch to the root user.


Alternative Command Line Methods

With these methods you will need to e-mail the user the generated or manually set password yourself.

Prompt to set a user password

ipa user-mod <username> --password


Generate a random user password

ipa user-mod <username> --random
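The following script is an added example, not part of the original page or of FreeIPA's own tooling. It ties the "Scripted Method" above to the `--random` command: it runs the reset, picks the generated password and the user's address out of the CLI output, and mails the notice. It assumes the ipa CLI prints the new password on a "Random password:" line in its usual "label: value" layout (the output below is constructed to match that), and that a working mail(1) command exists on the IPA server.

```shell
#!/bin/sh
# Added example, not from the original page: reset a user's password to a random
# value and mail it to them. Assumes `ipa user-mod --random` prints the password
# on a "Random password:" line (constructed sample below) and that mail(1) is
# configured on the IPA server.

# Constructed output of `ipa user-mod jdoe --random`, in the CLI's label: value layout.
SAMPLE_USERMOD='-------------------
Modified user "jdoe"
-------------------
  User login: jdoe
  First name: Jane
  Last name: Doe
  Email address: jdoe@example.com
  Random password: Xk3pq-7Lm2a-Qw
  Account disabled: False'

# Print the value of the labelled field $2 from ipa output $1 (first match only).
ipa_field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p" | head -n 1
}

# Compose the notice sent to the user. FreeIPA marks an admin-set password as
# already expired, so the user is prompted to choose a new one at first login.
compose_notice() {   # $1 = login, $2 = temporary password
    printf 'Hello %s,\n\nYour account password was reset. Temporary password: %s\n' "$1" "$2"
    printf 'It has already expired, so you will be asked to choose a new password when you first log in.\n'
}

# Run on an IPA server with an admin ticket: reset, parse the output, mail the user.
reset_and_mail() {   # $1 = login
    out=$(ipa user-mod "$1" --random) || return 1
    pw=$(ipa_field "$out" "Random password")
    to=$(ipa_field "$out" "Email address")
    if [ -z "$pw" ] || [ -z "$to" ]; then
        echo "could not find password or e-mail address in ipa output" >&2
        return 1
    fi
    compose_notice "$1" "$pw" | mail -s "Your account password has been reset" "$to"
}

# Demonstration on the constructed output (no ipa or mail command is run here).
echo "parsed address: $(ipa_field "$SAMPLE_USERMOD" "Email address")"
```

Usage on an IPA server: `reset_and_mail jdoe`. The parse step is what makes the script safe to automate: if the CLI output ever changes shape, the function refuses to send an empty message rather than mailing a blank password.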

Disable User Account

To disable a user's account now:

ipa user-disable <username>


Schedule a time to disable the user account

  1. SSH to an IPA server and switch to the root user.
  2. Verify there is a Kerberos ticket that will still be valid at the time the disable job is scheduled to run.
  3. Schedule the disable job
    at 5:00pm march 3
    at>ipa user-disable <username>
    at>Ctrl+d
    job 1 at Thu Mar  3 17:00:00 2016
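The script below is an added example, not from the original page, covering both the ticket check in the IPA CLI section and the scheduling step above. It reads the krbtgt expiry out of `klist` output, converts it and the at(1) time spec to epoch seconds, and submits the `ipa user-disable` job only if the admin ticket outlives the scheduled time (the at job runs later as the same root user and relies on that ticket still being valid then). It assumes GNU date(1) for parsing and that klist prints its ticket table in the "MM/DD/YYYY HH:MM:SS" layout shown in step 2 of the IPA CLI section; the klist text in the script is constructed to match that layout.

```shell
#!/bin/sh
# Added example, not from the original page: check that the admin krbtgt will
# still be valid when a scheduled `at` job runs, before submitting the job.
# Assumptions: GNU date(1) is available, and klist prints the ticket table in the
# "MM/DD/YYYY HH:MM:SS" layout shown in step 2 of the IPA CLI section.

# Constructed klist output, matching the layout in step 2 of the IPA CLI section.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
02/29/2016 11:54:25  03/01/2016 11:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Print the expiry ("MM/DD/YYYY HH:MM:SS") of the krbtgt for realm $2 found in
# klist output $1; prints nothing if there is no such ticket.
krbtgt_expiry() {
    printf '%s\n' "$1" | awk -v svc="krbtgt/$2@$2" '$NF == svc { print $3, $4; exit }'
}

# Convert a "MM/DD/YYYY HH:MM:SS" stamp (local time, like klist) to epoch seconds.
to_epoch() {
    date -d "$1" +%s
}

# Succeed only if the krbtgt in klist output $1 (realm $2) is still valid at
# epoch second $3; a missing ticket counts as invalid.
ticket_valid_at() {
    exp=$(krbtgt_expiry "$1" "$2")
    [ -n "$exp" ] || return 1
    [ "$(to_epoch "$exp")" -gt "$3" ]
}

# Submit "ipa user-disable $1" to run at the at(1) time spec $2 (e.g. "5:00pm march 3"),
# but only if the current admin ticket outlives that time. The at job runs later as
# the same (root) user, so it depends on this ticket still being valid then.
schedule_disable() {
    now_klist=$(klist 2>/dev/null) || { echo "no Kerberos ticket; run: kinit admin" >&2; return 1; }
    realm=$(printf '%s\n' "$now_klist" | awk '/^Default principal:/ { sub(/.*@/, ""); print $0; exit }')
    when=$(date -d "$2" +%s) || return 1
    if ! ticket_valid_at "$now_klist" "$realm" "$when"; then
        echo "krbtgt expires before '$2'; renew first with: kinit -l 48h admin" >&2
        return 1
    fi
    # The time spec is intentionally unquoted so at(1) sees it word by word, as on the page.
    printf 'ipa user-disable %s\n' "$1" | at $2
}

# Demonstration on the constructed output: does the sample ticket cover 5pm on 2 March?
if ticket_valid_at "$SAMPLE_KLIST" EXAMPLE.COM "$(to_epoch "03/02/2016 17:00:00")"; then
    echo "ticket covers the scheduled time"
else
    echo "ticket expires first; renew with: kinit -l 48h admin"
fi
```

Usage on an IPA server: `schedule_disable <username> 5:00pm march 3`. With the sample ticket (expiring 1 March at 11:54) the demonstration reports that the ticket expires first, which is exactly the case where the job would run and fail silently hours after you logged out.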

Enable User Account

To enable a user's account:

ipa user-enable <username>