====== FreeIPA Accounts ======

**General Information**

FreeIPA account management from a FreeIPA server.

**Checklist**

  * Distro(s): Any
  * Other: [[http://www.unixmen.com/configure-freeipa-server-centos-7/|FreeIPA Server]]

----

====== IPA CLI ======

In addition to the web portal, there is a CLI for FreeIPA.\\
Prior to issuing commands, you will need to authenticate to Kerberos as an "admin" user.

  - SSH to an IPA server and switch to the root user.
  - Determine if there is a valid Kerberos authentication ticket (command and sample output):<code bash>klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
02/29/2016 11:54:25  03/01/2016 11:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM</code>
  - If needed, initialize a Kerberos authentication ticket as an "admin" user and enter the admin password when prompted:<code bash>kinit admin</code>
  - By default, tickets are good for 24 hours. You can extend this by specifying a longer lifetime:<code bash>kinit -l 48h admin</code>
  - Perform ipa commands as listed below.

----

====== Show User Info ======

Show a known user's account info:<code bash>ipa user-show <username></code>
\\
Show a user's failed login count, last successful login, and last failed login across the IPA servers:<code bash>ipa user-status <username></code>

----

====== Find Users ======

Find a user account via the CLI:<code bash>ipa user-find <string></code>

  * **String can be**: first name, last name, username, telephone number
  * If there is no string, the search returns every entry in FreeIPA, up to the search limit.
  * With the command-line tools, only a single search string can be used for user and group searches. With the UI, multiple strings can be used.
  * Searches are case insensitive.
  * Search results are displayed alphabetically, with exact matches listed first, followed by partial matches.
  * Wildcards cannot be used in searches. The search string must include at least one character that appears in one of the indexed search fields.

----

====== Unlock User Account ======

After a certain number of failed login attempts (defined via the password policy), user accounts are locked.\\
After a certain number of minutes (also defined via the password policy), accounts are automatically unlocked.

To unlock an account manually:
<code bash>
ipa user-unlock <username>
</code>

----

====== Reset User Password ======

Options to reset a user's password:

  * Scripted (randomly generated password, e-mailed to the user automatically) **<< Preferred Method**
  * Web portal (then send the user the set password)
  * CLI (then send the user the set password)

\\
===== Scripted Method =====

This method will e-mail the user a randomly generated password with instructions for setting a new one.

  - SSH to an IPA server and switch to the root user.
  - Execute the [[linux_wiki:freeipa_user_password_reset|password reset script]]

\\
===== Alternative Command Line Methods =====

With these methods you will need to e-mail the user the generated or manually set password yourself.

Prompt to set a user password:
<code bash>
ipa user-mod <username> --password
</code>
\\
Generate a random user password:
<code bash>
ipa user-mod <username> --random
</code>

----

====== Disable User Account ======

To disable a user's account now:
<code bash>
ipa user-disable <username>
</code>
\\
To schedule a time to disable the user account:

  - SSH to an IPA server and switch to the root user.
  - [[freeipa_accounts#ipa_cli|Verify there is a Kerberos ticket]] that is still valid at the time you want the account disabled.
  - Schedule the disable job (session shown with sample output):<code bash>at 5:00pm march 3
at> ipa user-disable <username>
at> Ctrl+d
job 1 at Thu Mar 3 17:00:00 2016</code>

----

====== Enable User Account ======

To enable a user's account:
<code bash>
ipa user-enable <username>
</code>

----

linux_wiki/freeipa_accounts.txt · Last modified: 2019/05/25 23:50 (external edit)
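The scheduled-disable procedure only works if the admin ticket is still valid when the at job fires, which ties it back to the kinit -l step in the IPA CLI section. The script below is an added example, not part of this wiki page: it parses klist output to check the TGT expiry against the job time, requests a longer ticket with kinit -l only when needed, re-checks, and then queues the job. The klist date layout is assumed to match the sample above, and the ISO-style time argument, the safety margins and the script name are the example's own choices.

```python
import re
import subprocess
import sys
from datetime import datetime, timedelta

# klist date layout assumed to match this page's sample (MM/DD/YYYY HH:MM:SS).
KLIST_FMT = "%m/%d/%Y %H:%M:%S"
_STAMP = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"

# Constructed sample input, mirroring the klist output shown on this page.
SAMPLE_KLIST = """Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
02/29/2016 11:54:25  03/01/2016 11:54:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

def tgt_expiry(klist_output, realm):
    """Expiry of the krbtgt/REALM ticket as a datetime, or None if not cached."""
    pat = re.compile(rf"^({_STAMP})\s+({_STAMP})\s+krbtgt/{re.escape(realm)}@", re.M)
    m = pat.search(klist_output)
    return datetime.strptime(m.group(2), KLIST_FMT) if m else None

def ticket_covers(klist_output, realm, when_iso, margin_min=5):
    """True if the TGT is still valid margin_min minutes after the job time."""
    exp = tgt_expiry(klist_output, realm)
    when = datetime.fromisoformat(when_iso)
    return exp is not None and exp >= when + timedelta(minutes=margin_min)

def lifetime_arg(now_iso, when_iso, margin_h=1):
    """A kinit -l value (whole hours) that outlives the job by margin_h hours."""
    delta = (datetime.fromisoformat(when_iso) + timedelta(hours=margin_h)
             - datetime.fromisoformat(now_iso))
    return f"{int(delta.total_seconds() // 3600) + 1}h"

def klist():
    return subprocess.run(["klist"], capture_output=True, text=True).stdout

if __name__ == "__main__":  # usage: disable_at.py REALM USERNAME YYYY-MM-DDTHH:MM
    realm, user, when_iso = sys.argv[1:4]
    if not ticket_covers(klist(), realm, when_iso):
        now = datetime.now().isoformat(timespec="seconds")
        # The KDC caps -l at the realm's krbtpolicy maxlife, so verify afterwards.
        subprocess.run(["kinit", "-l", lifetime_arg(now, when_iso), "admin"], check=True)
        if not ticket_covers(klist(), realm, when_iso):
            sys.exit("TGT still expires before the job; raise krbtpolicy maxlife first")
    at_time = datetime.fromisoformat(when_iso).strftime("%H:%M %Y-%m-%d")
    subprocess.run(["at", at_time], input=f"ipa user-disable {user}\n", text=True, check=True)
```

The KDC silently shortens a requested lifetime to the realm's maximum ticket life (shown by ipa krbtpolicy-show), which is why the script trusts a second klist rather than the -l value it asked for.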