linux_wiki:freeipa_accounts

Differences

This shows you the differences between two versions of the page.

linux_wiki:freeipa_accounts [2016/03/21 22:12]
billdozor [FreeIPA Accounts]
linux_wiki:freeipa_accounts [2019/05/25 23:50]
Line 1: Line 1:
-====== FreeIPA Accounts ====== 
- 
-**General Information** 
- 
-FreeIPA account management from a FreeIPA server.  
- 
-**Checklist** 
-  * Distro(s): Any 
-  * Other: [[http://www.unixmen.com/configure-freeipa-server-centos-7/|FreeIPA Server]] 
- 
----- 
- 
-====== IPA CLI ====== 
- 
-In addition to the web portal, there is a CLI for FreeIPA.\\ 
-Prior to issuing commands, you will need to authenticate to kerberos as an "admin" user. 
- 
-  - SSH to an IPA server and switch to the root user. 
-  - Determine if there is a valid kerberos authentication ticket (and sample output):<code bash>klist 
- 
-Ticket cache: KEYRING:persistent:0:0 
-Default principal: admin@EXAMPLE.COM 
- 
-Valid starting       Expires              Service principal 
-02/29/2016 11:54:25  03/01/2016 11:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM</code> 
-  - If needed, initialize a kerberos authentication ticket as an "admin" user and enter the admin password when prompted<code bash>kinit admin</code> 
-    - By default, tickets are good for 24 hours. You can extend this by specifying a longer time<code bash>kinit -l 48h admin</code> 
-  - Perform ipa commands as listed below. 
- 
----- 
- 
-====== Show User Info ====== 
- 
-Show a known user's account info:<code bash>ipa user-show <username></code> 
- 
-\\ 
-Show a user's failed login count, last successful, and last failed login across the IPA servers<code bash>ipa user-status <username></code> 
- 
----- 
- 
-====== Find Users ====== 
- 
-Find a user account via the cli.<code bash>ipa user-find <string></code> 
- 
-  * **String can be**: first name, last name, username, telephone number 
-  * If there is no string, then the search returns every entry in FreeIPA, up to the search limit. 
-  * With the command-line tools, only a single search string can be used for user and group searches. With the UI, multiple strings can be used. 
-  * Searches are case insensitive. 
-  * Search results are displayed alphabetically, with exact matches listed first, followed by partial matches. 
-  * Wildcards cannot be used in searches. The search string must include at least one character that appears in one of the indexed search fields.  
- 
----- 
- 
-====== Unlock User Account ====== 
- 
-After a certain number of failed login attempts, user accounts are locked. (defined via password policy)\\ 
-After a certain number of minutes, accounts are automatically unlocked. (defined via password policy) 
- 
-To unlock an account manually: 
-<code bash> 
-ipa user-unlock <username> 
-</code> 
- 
----- 
- 
-====== Reset User Password ====== 
- 
-Options to reset a user's password: 
-  * Scripted (randomly generated password with e-mail auto sent) **<< Preferred Method** 
-  * Web portal (then send the user the set password) 
-  * CLI (then send the user the set password) 
- 
-\\ 
-===== Scripted Method ===== 
- 
-This method will e-mail the user a randomly generated password with instructions for setting a new one. 
-  - SSH to an IPA server and switch to the root user. 
-  - Execute the [[linux_wiki:freeipa_password_reset|password reset script]] 
- 
-\\ 
-===== Alternative Command Line Methods ===== 
- 
-You will need to e-mail the user the generated or manually set password using these methods. 
- 
-Prompt to set a user password 
-<code bash> 
-ipa user-mod <username> --password 
-</code> 
- 
-\\ 
-Generate a random user password 
-<code bash> 
-ipa user-mod <username> --random 
-</code> 
- 
----- 
- 
-====== Disable User Account ====== 
- 
-To disable a user's account now: 
-<code bash> 
-ipa user-disable <username> 
-</code> 
- 
-\\ 
-Schedule a time to disable the user account 
-  - SSH to an IPA server and switch to the root user. 
-  - [[freeipa_accounts#ipa_cli|Verify there is a kerberos ticket]] that is valid in the range you want to disable 
-  - Schedule the disable job<code bash>at 5:00pm march 3 
-at>ipa user-disable <username> 
-at>Ctrl+d 
-job 1 at Thu Mar  3 17:00:00 2016</code> 
- 
----- 
- 
-====== Enable User Account ====== 
- 
-To enable a user's account: 
-<code bash> 
-ipa user-enable <username> 
-</code> 
- 
----- 
  
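Review bot: the hunk deletes every line of the page, from the "FreeIPA Accounts" heading through "Enable User Account", and adds nothing in its place, while the newer revision is recorded only as "(external edit)" with no summary. If the content moved, leave a one-line stub linking to the new location; if it is being retired, say so in the edit summary so the unlock, password-reset and disable procedures are not silently lost. Should the text be restored, the scheduled-disable step is worth revisiting: the `at` job runs `ipa user-disable <username>` later from the root session, so it only works if an admin ticket is still valid when the job fires, which pushes operators toward the long-lived `kinit -l 48h admin` ticket left in root's cache.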
  • linux_wiki/freeipa_accounts.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)