Differences
This shows you the differences between two versions of the page.
linux_wiki:freeipa_accounts [2016/03/18 23:11] billdozor [FreeIPA Accounts] |
linux_wiki:freeipa_accounts [2019/05/25 23:50] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== FreeIPA Accounts ====== | ||
- | |||
- | **General Information** | ||
- | |||
- | FreeIPA account management from a FreeIPA server. | ||
- | |||
- | **Checklist** | ||
- | * Distro(s): CentOS 7 | ||
- | * Other: FreeIPA Server | ||
- | |||
- | ---- | ||
- | |||
- | ====== IPA CLI ====== | ||
- | |||
- | In addition to the web portal, there is a CLI for FreeIPA.\\ | ||
- | Prior to issuing commands, you will need to authenticate to kerberos as an " | ||
- | |||
- | - SSH to an IPA server and switch to the root user. | ||
- | - Determine if there is a valid kerberos authentication ticket (and sample output):< | ||
- | |||
- | Ticket cache: KEYRING: | ||
- | Default principal: admin@EXAMPLE.COM | ||
- | |||
- | Valid starting | ||
- | 02/29/2016 11: | ||
- | - If needed, initialize a kerberos authentication ticket as an " | ||
- | - By default, tickets are good for 24 hours. You can extend this by specifying a longer time< | ||
- | - Perform ipa commands as listed below. | ||
- | |||
- | ---- | ||
- | |||
- | ====== Show User Info ====== | ||
- | |||
- | Show a known user's account info:< | ||
- | |||
- | \\ | ||
- | Show a user's failed login count, last successful, and last failed login across the IPA servers< | ||
- | |||
- | ---- | ||
- | |||
- | ====== Find Users ====== | ||
- | |||
- | Find a user account via the cli.< | ||
- | |||
- | * **String can be**: first name, last name, username, telephone number | ||
- | * If there is no string, then the search returns every entry in FreeIPA, up to the search limit. | ||
- | * With the command-line tools, only a single search string can be used for user and group searches. With the UI, multiple strings can be used. | ||
- | * Searches are case insensitive. | ||
- | * Search results are displayed alphabetically, | ||
- | * Wildcards cannot be used in searches. The search string must include at least one character that appears in one of the indexed search fields. | ||
- | |||
- | ---- | ||
- | |||
- | ====== Unlock User Account ====== | ||
- | |||
- | After a certain number of failed login attempts, user accounts are locked. (defined via password policy)\\ | ||
- | After a certain number of minutes, accounts are automatically unlocked. (defined via password policy) | ||
- | |||
- | To unlock an account manually: | ||
- | <code bash> | ||
- | ipa user-unlock < | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Reset User Password ====== | ||
- | |||
- | Options to reset a user's password: | ||
- | * Scripted (randomly generated password with e-mail auto sent) **<< Preferred Method** | ||
- | * Web portal (then send the user the set password) | ||
- | * CLI (then send the user the set password) | ||
- | |||
- | \\ | ||
- | ===== Scripted Method ===== | ||
- | |||
- | This method will e-mail the user a randomly generated password with instructions for setting a new one. | ||
- | - SSH to an IPA server and switch to the root user. | ||
- | - Execute the [[linux_wiki: | ||
- | |||
- | \\ | ||
- | ===== Alternative Command Line Methods ===== | ||
- | |||
- | You will need to e-mail the user the generated or manually set password using these methods. | ||
- | |||
- | Prompt to set a user password | ||
- | <code bash> | ||
- | ipa user-mod < | ||
- | </ | ||
- | |||
- | \\ | ||
- | Generate a random user password | ||
- | <code bash> | ||
- | ipa user-mod < | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Disable User Account ====== | ||
- | |||
- | To disable a user's account now: | ||
- | <code bash> | ||
- | ipa user-disable < | ||
- | </ | ||
- | |||
- | \\ | ||
- | Schedule a time to disable the user account | ||
- | - SSH to an IPA server and switch to the root user. | ||
- | - [[freeipa_accounts# | ||
- | - Schedule the disable job<code bash>at 5:00pm march 3 | ||
- | at>ipa user-disable < | ||
- | at> | ||
- | job 1 at Thu Mar 3 17:00:00 2016</ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Enable User Account ====== | ||
- | |||
- | To enable a user's account: | ||
- | <code bash> | ||
- | ipa user-enable < | ||
- | </ | ||
- | |||
- | ---- | ||
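Review bot: Every line in this hunk is a removal and the 2019/05/25 revision adds nothing in its place, so the unlock, password-reset, disable and enable procedures disappear with no pointer to where they now live. If the page was moved or renamed, leave a one-line redirect to the new location so inbound links such as the "[[freeipa_accounts#" reference in the scheduled-disable steps still resolve. If the content is being carried over elsewhere, the scheduled-disable section ("at 5:00pm march 3") needs a caveat there: the page says tickets are good for 24 hours by default, so an at job queued further ahead than the ticket lifetime may run without valid Kerberos credentials, and the steps should state how the job authenticates when it fires and how to confirm the account was actually disabled.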