IPA is an integrated security information management solution which combines Red Hat Enterprise Linux, Red Hat Directory Server, MIT Kerberos, and NTP. It provides web browser and command-line interfaces, and its numerous administration tools allow an administrator to quickly install, set up, and administer one or more servers for centralized authentication and identity management.
The latest version of IPA extends the integration of DNS, includes a Certificate System Server, an enhanced administrative framework, support for host identities, netgroups, automount by location, and other features.
Because this section is devoted to getting you started with IPA quickly and easily, we have included only a limited number of examples. In this case, we have used the example of adding a new user to the system as an introduction to administering your IPA system. The methods and general approach, however, apply to nearly all IPA objects (users, groups, hosts, etc.) upon which you would perform some operation, such as add, show, find, or delete. The general syntax follows the same pattern: ipa object-operation (for example, ipa user-add).
Use the ipa user-add command to create IPA users. Numerous options are available to customize the way your IPA users are created. Use the ipa help user command to access the available help on operations regarding user creation. Password management can be performed as a separate operation or as part of the initial user creation process. This, and other aspects of creating IPA users, are discussed below.
In interactive mode, the user is created first and their password is set in a separate step so that they can authenticate and log in. Use the ipa user-add command to create an IPA user. You can run this command with or without additional parameters; if you omit any of the required parameters, the interface prompts you for the information.
The following example demonstrates adding a new user to IPA. In this example, the ipa user-add command was executed without any additional parameters; all required information was entered in interactive mode.
# ipa user-add
First name: Ryan
Last name: Andrews
User login [randrews]:
---------------------
Added user "randrews"
---------------------
User login: randrews
First name: Ryan
Last name: Andrews
Full name: Ryan Andrews
Display name: Ryan Andrews
Initials: RA
Home directory: /home/randrews
GECOS field: randrews
Login shell: /bin/sh
Kerberos principal: randrews@IPADOCS.ORG
UID: 1316000004
Type ipa passwd <user login> to create a password for the user. This is a temporary password, or one-time password (OTP), and the user is required to change it the first time they log in. This is intentional: an administrator can reset a user's password, but cannot later use that knowledge to log in as the user, because the user must change the password at first login.
As an integrated (or unattended) operation, you can pass the --password option to the ipa user-add command. This will force the command to prompt for an initial password. As an alternative, echo the password directly into the command:
# echo "secret123" | ipa user-add asmart --first=Alex --last=Smart --password
--------------------
Added user "asmart"
--------------------
User login: asmart
First name: Alex
Last name: Smart
Full name: Alex Smart
Display name: Alex Smart
Initials: AS
Home directory: /home/asmart
GECOS field: asmart
Login shell: /bin/sh
Kerberos principal: asmart@IPADOCS.ORG
UID: 1315400003
You can now authenticate as the newly created user with the temporary password. Type kinit <user login> to log in to IPA. This prompts you for the password and then immediately requests a password change.
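The following script is an added example and is not part of the IPA documentation or the IPA project. It wraps the unattended form of ipa user-add shown above into a small shell function, but generates the one-time password rather than typing it as a literal, and feeds it to ipa on standard input so the secret never appears in the command line, in shell history, or in process listings. It assumes an enrolled client where the administrator already holds a Kerberos ticket (kinit admin); ipa user-show is the standard IPA command for looking up a user. The IPA_CMD variable and the function names gen_temp_password, ipa_user_exists and ipa_create_user are this example's own (IPA_CMD exists only so the ipa binary can be swapped for a stub in a dry run).

```shell
#!/bin/sh
# Added example, not IPA project code: unattended user creation with a
# generated one-time password. Assumes an enrolled client and an admin ticket.
# IPA_CMD (an assumption of this example) lets a caller substitute the ipa
# binary, e.g. with a stub for a dry run.
: "${IPA_CMD:=ipa}"

# Generate a random temporary password from the kernel RNG.
# 18 random bytes give 24 base64 characters; '/', '+' and '=' are stripped so
# the value is safe to paste into shells and password prompts.
gen_temp_password() {
    head -c 18 /dev/urandom | base64 | tr -d '/+=\n'
}

# Return 0 if LOGIN already exists in IPA, non-zero otherwise.
# ipa user-show prints the entry on success and fails if it is absent.
ipa_user_exists() {
    "$IPA_CMD" user-show "$1" >/dev/null 2>&1
}

# ipa_create_user LOGIN FIRST LAST
# Creates the user with a generated OTP. Only the OTP goes to stdout, so the
# caller can hand it to the user out of band; all ipa output goes to stderr.
# The user is still forced to change the password at first login (kinit).
ipa_create_user() {
    login=$1; first=$2; last=$3
    if ipa_user_exists "$login"; then
        echo "user '$login' already exists, not touching it" >&2
        return 1
    fi
    otp=$(gen_temp_password)
    # --password makes ipa user-add read the initial password from stdin, as
    # in the echo example above; printf avoids echo's backslash handling.
    printf '%s\n' "$otp" | "$IPA_CMD" user-add "$login" \
        --first="$first" --last="$last" --password >&2 || return 1
    printf '%s\n' "$otp"
}

# Usage: ./create-user.sh LOGIN FIRST LAST
if [ $# -eq 3 ]; then
    ipa_create_user "$@"
fi
```

Because the OTP is emitted only on stdout, the script can be composed with whatever out-of-band channel you use to deliver it (for example, redirecting stdout into a file with restrictive permissions) without the password ever appearing in argv or in the IPA command's own output.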
You can browse the IPA man pages and help system to explore other IPA commands. Please take some time to become familiar with the ways other IPA objects can be created and modified.