
Directory Services

Red Hat Enterprise Virtualization Manager can use either Active Directory or IPA Server for user authentication. This appendix documents the basic requirements a directory server of either type must meet before it is added to the environment.
Information on adding directory services domains to, or removing them from, the Red Hat Enterprise Virtualization Manager configuration once they exist is available in Section C.1, “Domain Management Tool”.

B.1. IPA Server

IPA is an integrated security information management solution which combines Red Hat Enterprise Linux, Red Hat Directory Server, MIT Kerberos, and NTP. It provides web browser and command-line interfaces, and its numerous administration tools allow an administrator to quickly install, set up, and administer one or more servers for centralized authentication and identity management.
The latest version of IPA extends its DNS integration and adds a Certificate System server, an enhanced administrative framework, support for host identities, netgroups, automount by location, and other features.
Installation
IPA focuses on making centralized identity and policy easy to manage in Linux and Unix environments, and includes compatibility with Windows environments. If you need assistance installing or configuring IPA, see the Red Hat Enterprise Linux — Enterprise Identity Management Guide.

B.1.1. Adding New Users

Because this section is devoted to getting you started with IPA quickly and easily, it includes only a limited number of examples. Adding a new user is used here as an introduction to administering your IPA system. The methods and general approach, however, apply to nearly all IPA objects (users, groups, hosts, and so on) on which you perform an operation such as add, show, find, or delete. The general syntax follows the same pattern: ipa <object>-<operation>, for example ipa user-add, ipa user-show, ipa user-find, and ipa user-del.
Use the ipa user-add command to create IPA users. Numerous options are available to customize the way users are created; use the ipa help user command to see the help for all user-related operations. Password management can be performed as a separate operation or as part of the initial user creation. This, and other aspects of creating IPA users, are discussed below.
Interactive Mode
In interactive mode, the user is created first and the password is set in a separate step so that the user can authenticate and log in. Use the ipa user-add command to create an IPA user. You can run this command with or without additional parameters; if you omit any required parameter, the command prompts you for it.
The following example demonstrates adding a new user to IPA. In this example, the ipa user-add command was executed without any additional parameters; all required information was entered in interactive mode.
# ipa user-add
  First name: Ryan
  Last name: Andrews
  User login [randrews]:
  ---------------------
  Added user "randrews"
  ---------------------
  User login: randrews
  First name: Ryan
  Last name: Andrews
  Full name: Ryan Andrews
  Display name: Ryan Andrews
  Initials: RA
  Home directory: /home/randrews
  GECOS field: randrews
  Login shell: /bin/sh
  Kerberos principal: randrews@IPADOCS.ORG
  UID: 1316000004
Type ipa passwd <user login> to set a password for the user. This is a temporary, one-time password (OTP): IPA marks it expired, and the user is required to change it the first time they log in. This is intentional, so that an administrator can reset a user's password without being able to use that knowledge afterwards, because the user must replace the password at first login.
Unattended Mode
As an integrated (or unattended) operation, you can pass the --password option to the ipa user-add command. This makes the command prompt for an initial password, which is set with the same first-login change requirement as above. As an alternative for scripted use, feed the password to the command on standard input. Note that a literal password on the command line, as in the echo example below, is recorded in the shell history; in scripts, read the password from a file or a variable instead of typing it:
# echo "secret123" | ipa user-add asmart --first=Alex --last=Smart --password
  --------------------
  Added user "asmart"
  --------------------
  User login: asmart
  First name: Alex
  Last name: Smart
  Full name: Alex Smart
  Display name: Alex Smart
  Initials: AS
  Home directory: /home/asmart
  GECOS field: asmart
  Login shell: /bin/sh
  Kerberos principal: asmart@IPADOCS.ORG
  UID: 1315400003
Performing Initial Login
You can now authenticate using the newly created user and the temporary password. Type kinit <user login> to obtain a Kerberos ticket from IPA. kinit prompts for the password and then, because the initial password is expired, immediately requires you to choose a new one.
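The unattended procedure above (ipa user-add with --password reading the initial password from standard input, followed by the user's own kinit and forced password change) is easy to get wrong in scripts by echoing a fixed secret on the command line. The following script is an added example, not code from the Red Hat or IPA documentation: it creates a batch of users, generates a random one-time password for each, passes it on stdin so it never appears in shell history or a process listing, and refuses to touch an account that already exists. The first:last[:login] list format and the IPA_CMD override (which lets you substitute a stub for a dry run without a server) are assumptions of this script, not IPA features. The kinit step is still performed by the user with the password the script prints for the administrator to hand over.

```shell
#!/bin/sh
# Added example (not from the RHEV/IPA documentation): create several IPA
# users unattended, giving each a random initial password that is passed
# to `ipa user-add --password` on stdin instead of being typed on the
# command line. The user list format (first:last[:login]) and the IPA_CMD
# override are assumptions of this script, not IPA features.

# Command used to talk to IPA; point it at a stub to dry-run without a server.
IPA_CMD="${IPA_CMD:-ipa}"

# Login that ipa user-add proposes by default: first initial + last name, lower case.
default_login() {
    printf '%s%s' "$(printf '%s' "$1" | cut -c1)" "$2" | tr 'A-Z' 'a-z'
}

# 16 hex characters from /dev/urandom used as the one-time initial password.
gen_password() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# add_user FIRST LAST [LOGIN]
# Refuses to touch an existing account, creates the user with a generated
# initial password (which IPA marks expired, so the user must change it at
# first login), and prints "login<TAB>password" for the administrator to
# hand to the user. Returns 0 on success, 2 if the login already exists,
# 1 if ipa user-add failed.
add_user() {
    first=$1; last=$2
    login=${3:-$(default_login "$first" "$last")}
    if "$IPA_CMD" user-show "$login" >/dev/null 2>&1 </dev/null; then
        printf 'skip: %s already exists\n' "$login" >&2
        return 2
    fi
    pw=$(gen_password)
    # --password makes ipa user-add read the initial password from stdin.
    # printf is a shell builtin, so the secret never appears in argv or history.
    if printf '%s\n' "$pw" | "$IPA_CMD" user-add "$login" \
            --first="$first" --last="$last" --password >/dev/null; then
        printf '%s\t%s\n' "$login" "$pw"
    else
        printf 'error: could not add %s\n' "$login" >&2
        return 1
    fi
}

# add_users_from_list < file   (one "first:last[:login]" per line)
# Returns non-zero if any user could not be created.
add_users_from_list() {
    fail=0
    while IFS=: read -r first last login; do
        [ -n "$first" ] && [ -n "$last" ] || continue
        add_user "$first" "$last" "$login" || fail=$((fail + 1))
    done
    [ "$fail" -eq 0 ]
}

# Constructed sample input for a demonstration run: ./add_users.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf 'Ryan:Andrews\nAlex:Smart\nMaria:Lopez:mlopez2\n' | add_users_from_list
fi
```

Run it as an administrator who already holds a Kerberos ticket (kinit admin), then deliver each printed login and password out of band; the user's first kinit with that password forces the change, exactly as in the interactive procedure. Deliberately, the script never logs the generated passwords anywhere except its own standard output.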
You can browse the IPA man pages and help system to explore other IPA commands. Please take some time to become familiar with the ways other IPA objects can be created and modified.