FreeIPA Accounts

General Information

FreeIPA account management from a FreeIPA server.



In addition to the web portal, there is a CLI for FreeIPA.
Prior to issuing commands, you will need to authenticate to kerberos as an “admin” user.

  1. SSH to an IPA server and switch to the root user.
  2. Determine if there is a valid kerberos authentication ticket (and sample output):
    Ticket cache: KEYRING:persistent:0:0
    Default principal: admin@EXAMPLE.COM
    Valid starting       Expires              Service principal
    02/29/2016 11:54:25  03/01/2016 11:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
  3. If needed, initialize a kerberos authentication ticket as an “admin” user and enter the admin password when prompted
    kinit admin
    1. By default, tickets are good for 24 hours. You can extend this by specifying a longer time
      kinit -l 48h admin
  4. Perform ipa commands as listed below.

Show User Info

Show a known user's account info:

ipa user-show <username>

Show a user's failed login count, last successful, and last failed login across the IPA servers

ipa user-status <username>

Find Users

Find a user account via the cli.

ipa user-find <string>
  • String can be: first name, last name, username, telephone number
  • If there is no string, then the search returns every entry in FreeIPA, up to the search limit.
  • With the command-line tools, only a single search string can be used for user and group searches. With the UI, multiple strings can be used.
  • Searches are case insensitive.
  • Search results are displayed alphabetically, with exact matches listed first, followed by partial matches.
  • Wildcards cannot be used in searches. The search string must include at least one character that appears in one of the indexed search fields.

Unlock User Account

After a certain number of failed login attempts, user accounts are locked. (defined via password policy)
After a certain number of minutes, accounts are automatically unlocked. (defined via password policy)

To unlock an account manually:

ipa user-unlock <username>

Reset User Password

Options to reset a user's password:

  • Scripted (randomly generated password with e-mail auto sent) « Preferred Method
  • Web portal (then send the user the set password)
  • CLI (then send the user the set password)

This method will e-mail the user a randomly generated password with instructions for setting a new one.

  1. SSH to an IPA server and switch to the root user.

You will need to e-mail the user the generated or manually set password using these methods.

Prompt to set a user password

ipa user-mod <username> --password

Generate a random user password

ipa user-mod <username> --random

Disable User Account

To disable a user's account now:

ipa user-disable <username>

Schedule a time to disable the user account

  1. SSH to an IPA server and switch to the root user.
  2. Verify there is a kerberos ticket that is valid in the range you want to disable
  3. Schedule the disable job
    at 5:00pm march 3
    at>ipa user-disable <username>
    job 1 at Thu Mar  3 17:00:00 2016

Enable User Account

To enable a user's account:

ipa user-enable <username>

  • linux_wiki/freeipa_accounts.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)