In this article we will cover in depth the management of user accounts and groups in a FreeIPA server. Once you have FreeIPA server installed and Kerberos server initialized, the next step is identity management, which ideally begins with user and groups creation on the server. FreeIPA is a powerful policy and identity management platform for Linux powered environments. It uses the Kerberos protocol to support single sign-on.
In our previous articles we covered in detail how installation can be done, available in the links below:
- Install and Configure FreeIPA Server on Rocky Linux 8
- How To Install FreeIPA Server on CentOS 7
- Install and Configure FreeIPA Server on CentOS 8 / RHEL 8
Follow the guide that applies to your base operating system. As a prerequisite, kinit must be able to obtain a ticket for your principal; this is required to proceed with this guide.
kinit [principal]
My principal is admin, hence the command to execute is:
$ kinit admin
Password for admin@EXAMPLE.COM:
List cached Kerberos tickets
$ klist
Ticket cache: KCM:0
Default principal: admin@EXAMPLE.COM
Valid starting Expires Service principal
08/09/2021 16:04:58 08/10/2021 16:01:32 krbtgt/EXAMPLE.COM@EXAMPLE.COM
The default ticket lifetime is 24 hours. I recommend keeping this default rather than increasing it: a shorter lifetime limits how long a stolen or leaked ticket cache remains usable. Just a security precaution.
Groups Management in FreeIPA Server
We will cover the following group operations:
- Creation of user groups
- Removal of user groups
In FreeIPA, a user group is a set of users with common password policies, privileges, and other characteristics. A user group can include:
- FreeIPA users
- Other user groups
- External users, i.e. users that exist outside the FreeIPA domain
Supported group types are:
- POSIX groups – This is the default type; it supports Linux POSIX attributes for group members. Groups that interact with Active Directory cannot use POSIX attributes (e.g. uidNumber and gidNumber).
- Non-POSIX groups – These do not support POSIX attributes. For example, they do not have GID.
- External groups – Used to add group members that exist in an identity store outside the FreeIPA domain, such as a local system, an Active Directory domain or another directory service. These groups do not support POSIX attributes.
The following groups are created by default when the FreeIPA server is installed and configured:
- admins – Consists of all users with administrative privileges, including the default admin user
- ipausers – Consists of all FreeIPA users
- trust admins – Users with privileges to manage Active Directory trusts
When a user is added to a user group, the user gains the privileges and policies associated with the group.
Adding a user group using CLI
To add a user group using the FreeIPA CLI, use the command:
ipa group-add group_name
For example, to create sysadmins:
$ ipa group-add sysadmins
-----------------------
Added group "sysadmins"
-----------------------
Group name: sysadmins
GID: 320800003
By default, the command above creates a POSIX user group. To create a different group type, pass the type as an option:
# Create an external group
$ ipa group-add --external groupname
# Create a non-POSIX group
$ ipa group-add --nonposix groupname
Using Custom Group ID
To specify a custom Group ID (GID), use the --gid=custom_GID option:
# Example
$ ipa group-add --gid=custom_GID groupname
You will have to be careful to avoid ID conflicts: check with ipa group-find --gid=custom_GID that the value is not already taken before creating the group.
Searching for user groups
Display all user groups:
$ ipa group-find
----------------
6 groups matched
----------------
Group name: admins
Description: Account administrators group
GID: 320800000
Group name: devops
GID: 320800004
Group name: editors
Description: Limited admins who can edit other users
GID: 320800002
Group name: ipausers
Description: Default group for all users
Group name: sysadmins
GID: 320800003
Group name: trust admins
Description: Trusts administrators group
----------------------------
Number of entries returned 6
----------------------------
Display all non-POSIX groups:
$ ipa group-find --nonposix
----------------
2 groups matched
----------------
Group name: ipausers
Description: Default group for all users
Group name: trust admins
Description: Trusts administrators group
----------------------------
Number of entries returned 2
----------------------------
Display all POSIX groups:
$ ipa group-find --posix
----------------
4 groups matched
----------------
Group name: admins
Description: Account administrators group
GID: 320800000
Group name: devops
GID: 320800004
Group name: editors
Description: Limited admins who can edit other users
GID: 320800002
Group name: sysadmins
GID: 320800003
----------------------------
Number of entries returned 4
----------------------------
Display all external groups:
$ ipa group-find --external
----------------
0 groups matched
----------------
----------------------------
Number of entries returned 0
----------------------------
You can also limit the search results to groups that contain a particular user:
$ ipa group-find --user=user_name
The inverse is true when searching for groups that do not contain a particular user:
$ ipa group-find --no-user=user_name
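The search outputs above, and the advice to avoid GID conflicts when using --gid, both become easier to act on if the "Key: value" records that ipa prints are parsed rather than read by eye. The following is an added example, not code from the article or from the FreeIPA project: it parses the record layout shown above (the same layout that group-show and user-add print), reports whether a candidate GID is already taken, and reproduces the --posix / --nonposix split by checking which groups carry a GID. The sample text is the article's own group-find output, embedded as a constant; ipa_output() fetches live output and needs a valid Kerberos ticket.

```python
"""Parse the "Key: value" records that ipa commands print (group-find, group-show,
user-add) and check a candidate GID for conflicts before `ipa group-add --gid=...`.

Added example, not code from the original article or from the FreeIPA project.
Assumes the record layout shown in the article: one attribute per line, a new
record starting at each "Group name:" line, dashed banner lines around the list.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample: the `ipa group-find` output reproduced in the article.
SAMPLE_GROUP_FIND = """\
----------------
6 groups matched
----------------
  Group name: admins
  Description: Account administrators group
  GID: 320800000

  Group name: devops
  GID: 320800004

  Group name: editors
  Description: Limited admins who can edit other users
  GID: 320800002

  Group name: ipausers
  Description: Default group for all users

  Group name: sysadmins
  GID: 320800003

  Group name: trust admins
  Description: Trusts administrators group
----------------------------
Number of entries returned 6
----------------------------
"""

# Attributes that ipa prints as a comma-separated list of values.
MULTI_VALUED = {
    "Member users", "Member groups", "Member of groups", "Indirect Member users",
    "Membership managed by users", "Membership managed by groups",
}
_KV = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")

Record = Dict[str, List[str]]


def parse_records(text: str, record_key: str = "Group name") -> List[Record]:
    """Split ipa output into records, one per record_key line; every value is a list."""
    records: List[Record] = []
    current: Optional[Record] = None
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue  # dashed banners, blank lines, "6 groups matched", "Number of entries ..."
        key, value = m.group(1), m.group(2)
        if key == record_key:
            current = {}
            records.append(current)
        if current is None:
            continue  # attribute printed before the first record; ignore it
        values = [v.strip() for v in value.split(",")] if key in MULTI_VALUED else [value]
        current[key] = [v for v in values if v]
    return records


def check_gid_free(group_find_output: str, gid: int) -> Optional[str]:
    """Return the name of the group already using `gid`, or None if it is free."""
    for rec in parse_records(group_find_output):
        if "GID" in rec and int(rec["GID"][0]) == gid:
            return rec["Group name"][0]
    return None


def split_posix(group_find_output: str) -> Tuple[List[str], List[str]]:
    """Mirror `ipa group-find --posix` / `--nonposix`: a POSIX group is one with a GID."""
    posix: List[str] = []
    nonposix: List[str] = []
    for rec in parse_records(group_find_output):
        (posix if "GID" in rec else nonposix).append(rec["Group name"][0])
    return posix, nonposix


def ipa_output(*args: str) -> str:
    """Run an ipa command (requires a valid Kerberos ticket) and return its stdout."""
    return subprocess.run(["ipa", *args], check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline demo on the constructed sample; use ipa_output("group-find") against a live server.
    wanted = 320800003
    owner = check_gid_free(SAMPLE_GROUP_FIND, wanted)
    print(f"GID {wanted}: {'already used by ' + owner if owner else 'free'}")
    print("POSIX / non-POSIX:", split_posix(SAMPLE_GROUP_FIND))
```

Run against a live server, `check_gid_free(ipa_output("group-find"), 320800003)` returns "sysadmins" for the state shown in this article, which is exactly the conflict the --gid warning is about; only a None result means the GID is safe to hand out.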
Deleting user groups using FreeIPA CLI
To delete a user group use the command:
ipa group-del groupname
Adding a user group as member of a user group
Add a member to a user group by using:
ipa group-add-member
For example, to add group_2 as a member of group_1:
ipa group-add-member group_1 --groups=group_2
User Management in FreeIPA using CLI
We will cover the following user management operations on FreeIPA:
- Adding new user accounts to the FreeIPA database using the command line
- Modifying a user account in FreeIPA
- Deleting a user account
Add new user account
You need to have administrator privileges to add user accounts to the FreeIPA server. The command syntax is:
$ ipa user-add
These are the commonly used ipa user-add command options:
- --first=STR – User’s first name
- --last=STR – User’s last name
- --cn=STR – User account full name
- --homedir=STR – Home directory
- --shell=STR – Login shell
- --email=STR – Email address
- --password – Prompt to set the user password
- --mobile=STR – Mobile telephone number
Run without options, the command prompts interactively for the basic data needed to create the account:
$ ipa user-add
First name: Josphat
Last name: Mutai
User login [jmutai]:
-------------------
Added user "jmutai"
-------------------
As can be seen from the command output, no password is set when the user account is created this way.
To set a password at creation time, add the --password option, which prompts for it:
$ ipa user-add --first=Example --last=User --password loginname
Example (the user jmutai already exists from the previous step, so delete it first and re-create it with a password):
$ ipa user-del jmutai
---------------------
Deleted user "jmutai"
---------------------
$ ipa user-add --first=Josphat --last=Mutai --password jmutai
Password:
Enter Password again to verify:
-------------------
Added user "jmutai"
-------------------
User login: jmutai
First name: Josphat
Last name: Mutai
Full name: Josphat Mutai
Display name: Josphat Mutai
Initials: JM
Home directory: /home/jmutai
GECOS: Josphat Mutai
Login shell: /bin/bash
Principal name: jmutai@EXAMPLE.COM
Principal alias: jmutai@EXAMPLE.COM
User password expiration: 20210809205924Z
Email address: jmutai@example.com
UID: 320800006
GID: 320800006
Password: True
Member of groups: ipausers
Kerberos keys available: True
Note the User password expiration value: a password set by an administrator is marked expired immediately, so the user is forced to choose a new one at first login. You can then list all users with the following command:
$ ipa user-find
Modify existing user account
To modify the attributes of an existing user, use the command syntax:
$ ipa [global-options] user-mod LOGIN
To list all available user-mod command options run the command below:
ipa help user-mod
For example, to reset the password of the user jmutai:
$ ipa user-mod --password jmutai
Password:
Enter Password again to verify:
----------------------
Modified user "jmutai"
----------------------
User login: jmutai
First name: Josphat
Last name: Mutai
Home directory: /home/jmutai
Login shell: /bin/bash
Adding a member to a user group
Add a member to a user group by using the command syntax:
ipa [global-options] group-add-member GROUP-NAME [options]
Common options:
- --users=STR – Users to add to the group
- --groups=STR – Groups to add to the named group
- --services=STR – Services to add to the group
- --external=STR – Members of a trusted domain in DOM\name or name@domain form
Examples of adding a user or a group to a group follow.
Add user as member of a group
Add the user jmutai as a member of sysadmins:
$ ipa group-add-member sysadmins --users=jmutai
Group name: sysadmins
GID: 320800003
Member users: jmutai
-------------------------
Number of members added 1
-------------------------
$ ipa group-show sysadmins
Group name: sysadmins
GID: 320800003
Member users: jmutai
Add a user as a member manager to a user group
For example, to add the user jmutai as a member manager of devops:
$ ipa group-add-member-manager devops --users=jmutai
Group name: devops
GID: 320800004
Membership managed by users: jmutai
-------------------------
Number of members added 1
-------------------------
User jmutai can now manage members of devops.
Or add the group sysadmins as a member manager of devops:
$ ipa group-add-member-manager devops --groups=sysadmins
Group name: devops
GID: 320800004
Membership managed by groups: sysadmins
Membership managed by users: jmutai
-------------------------
Number of members added 1
-------------------------
$ ipa group-show devops
Group name: devops
GID: 320800004
Membership managed by groups: sysadmins
Membership managed by users: jmutai
Group sysadmins will then be able to manage members of devops.
Adding a group as a member of another group
Add group_b as a member of group_a:
$ ipa group-add-member group_a --groups=group_b
Removing a member from a user group
First confirm that the group includes the member you want to remove:
ipa group-show group_name
Remove a member from a user group with the ipa group-remove-member command, specifying the members to remove with these options:
- --users – removes a FreeIPA user
- --external – removes a user that exists outside the FreeIPA domain, in the format DOMAIN\user_name or user_name@domain
- --groups – removes a user group
For example, to remove jmutai from a group called sysadmins:
$ ipa group-remove-member sysadmins --users=jmutai
Group name: sysadmins
GID: 320800003
---------------------------
Number of members removed 1
---------------------------
Remove user1, user2, and group1 from a group called group_name:
ipa group-remove-member group_name --users=user1 --users=user2 --groups=group1
Removing users or groups as member managers from a user group
Command syntax:
ipa group-remove-member-manager GROUP-NAME [options]
Options:
- --users=STR – users to remove
- --groups=STR – groups to remove
For example, to remove the user user1 as a member manager of group1:
$ ipa group-remove-member-manager group1 --users=user1
Remove the group sysadmins as a member manager of devops:
$ ipa group-remove-member-manager devops --groups=sysadmins
Group name: devops
GID: 320800004
Membership managed by users: jmutai
---------------------------
Number of members removed 1
---------------------------
After removal, members of sysadmins no longer gain the ability to manage devops members through that group. Note that jmutai still appears under "Membership managed by users", because he was also added as a member manager directly; remove that entry too if the intent is to revoke his access entirely.
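Because member managers can be users or groups, and groups can be nested, the set of people who can actually change a group's membership is not obvious from one group-show. The following is an added example, not code from the article or from the FreeIPA project: it models the devops / sysadmins state from the sections above (plus a constructed nested group, oncall, to show nesting) and resolves the effective member managers of a group before and after the group-remove-member-manager command. The Group dataclass and sample_directory() are assumptions for the example; in practice the fields would be filled from the "Member users", "Member groups", "Membership managed by users" and "Membership managed by groups" lines of ipa group-show.

```python
"""Resolve who can effectively manage membership of a FreeIPA user group.

Added example, not from the article or the FreeIPA project. The directory data is
constructed; in real use it would be populated from `ipa group-show` output.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Group:
    member_users: Set[str] = field(default_factory=set)     # "Member users"
    member_groups: Set[str] = field(default_factory=set)    # "Member groups"
    manager_users: Set[str] = field(default_factory=set)    # "Membership managed by users"
    manager_groups: Set[str] = field(default_factory=set)   # "Membership managed by groups"


Directory = Dict[str, Group]


def expand_users(directory: Directory, group: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """All users in `group`, following nested member groups; `seen` guards against cycles."""
    seen = set() if seen is None else seen
    if group in seen or group not in directory:
        return set()
    seen.add(group)
    users = set(directory[group].member_users)
    for nested in directory[group].member_groups:
        users |= expand_users(directory, nested, seen)
    return users


def effective_managers(directory: Directory, group: str) -> Set[str]:
    """Users who can add or remove members of `group`: the direct member managers
    plus every (possibly nested) member of each manager group."""
    g = directory[group]
    managers = set(g.manager_users)
    for manager_group in g.manager_groups:
        managers |= expand_users(directory, manager_group)
    return managers


def remove_manager_group(directory: Directory, group: str, manager_group: str) -> None:
    """Model `ipa group-remove-member-manager GROUP --groups=MANAGER_GROUP`."""
    directory[group].manager_groups.discard(manager_group)


def sample_directory() -> Directory:
    # Constructed: the article's devops/sysadmins state plus a nested 'oncall' group.
    return {
        "devops": Group(manager_users={"jmutai"}, manager_groups={"sysadmins"}),
        "sysadmins": Group(member_users={"jmutai"}, member_groups={"oncall"}),
        "oncall": Group(member_users={"bob"}),
    }


def demo_before_and_after() -> Tuple[Set[str], Set[str]]:
    """Effective managers of devops before and after removing sysadmins as a manager group."""
    directory = sample_directory()
    before = effective_managers(directory, "devops")
    remove_manager_group(directory, "devops", "sysadmins")
    return before, effective_managers(directory, "devops")


if __name__ == "__main__":
    before, after = demo_before_and_after()
    print("can manage devops before:", sorted(before))   # jmutai and bob (via sysadmins -> oncall)
    print("can manage devops after: ", sorted(after))    # only jmutai, still a direct manager
```

The result shows the two things worth checking during a review: bob, who is only a member of a group nested inside sysadmins, could manage devops membership without ever appearing in the devops group-show output, and jmutai keeps that ability after the group is removed because his direct manager entry is untouched. Members of the built-in admins group can manage any group regardless of these entries, so an audit should list that group alongside the resolved managers.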
We believe FreeIPA is a powerful tool for efficient administration of your Linux infrastructure. In this regard, we’ll be sharing more articles on the general usage and management of FreeIPA. There are many topics to be covered, so stay updated by bookmarking our website.
Also check related articles from below links:
- Secure FreeIPA Server With Let’s Encrypt SSL Certificate
- Configure Jenkins FreeIPA LDAP Authentication
- Configure GitLab FreeIPA LDAP Authentication