There are two basic categories of command-line scripts that Identity Management has available.

The first is a selection of independent configuration scripts which are used to set up machines that operate within the domain. Most commonly, these are scripts to add machines to the domain (including ipa-server-install, ipa-client-install, and ipa-replica-install). Some scripts are also available to enable services within the IPA server. The domain server has a large number of different installation options and services — such as DNS, certificate services, and NIS management. All of these can be enabled at the time the server is set up, but none of those services are required. If a server is configured without a service like DNS, that service can be enabled later using a specific installation script, such as ipa-dns-install.

The real management functions of the domain are carried out with a single script: ipa. The ipa command is essentially a big plug-in container, and it supports dozens of plug-ins which it executes as subcommands. For example, adding a user is done using the user-add plug-in, which is run like a user-add subcommand:

ipa user-add options

Related subcommands are grouped together into plug-in modules. Commands for managing DNS entries like dnszone-add and dnsrecord-add all belong to the dns module or topic. All of the information for managing a specific area, with all of the supported commands and examples for each, are available by viewing the help for that topic:

ipa help topic

To get a list of all available help topics, run the help command without a topic name:

ipa help

For the most common attributes, the ipa use specified command-line arguments to set values. For example, adding a mail attribute to a user can be done with the --mail argument; enabling dynamic updates for a DNS zone can be done with the --allow-dynupdate option with zone commands; and a map key for an automount map is given in the --key option.

However, entries can also allow attributes that may not have command-line (or UI) options for setting them. Partially, this is because the underlying LDAP schema is very rich, particularly for user entries. Additionally, Identity Management allows limited schema extensions for users and groups, and those custom schema elements are not reflected in the UI or command-line tools.

Most ipa allow the --setattr and --addattr options to define attributes and values explicitly.

Both options have this format:

--setattr=attribute=value

The --setattr option sets one value for the given attribute; any existing values are overwritten, even for multi-valued attributes.

The --addattr option adds a new value for an attribute; for a multi-valued attribute, it adds the new value while preserving any existing values.

Both --setattr option and --addattr can be used multiple times in the same command invocation. For example:

$ ipa user-mod jsmith --addattr=mail=johnnys@me.com --addattr=mail=jsmith@example.com --setattr=description="backup IT manager for the east coast branch"

The IPA command-line tools are run as any other utilities in a shell. If there are special characters in the command — such as angle brackets (> and <), ampersands (&), asterisks (*), and pipes (|) — the characters must be escaped. Otherwise, the command fails because the shell cannot properly parse the unescaped characters.

The web UI has three major functional areas which correspond to each of the major functions of IPA: identity management, policy management, and domain configuration.

The main menu at the top of every page has three tabs which correspond to the functional areas listed in Table 4.1, “Configuration Areas Per Tab”. When a tab is selected, there is a submenu of the different configuration areas. Some configuration areas may have multiple possible entries; for example, role-based access controls define user roles/groups, the areas that access can be granted or denied (privileges), and then the permissions granted to those areas. Each separate configuration entry has its own task area beneath the primary configuration area.

All entries for a configuration area are listed together on the main page for that area. This page provides direct links to individual entry pages, as well as basic information (the attributes) about the entry. (This is usually just the description, but user entries show a lot more information.)

The page also has some tasks that can be performed on it. For a list page that shows entries, this can be creating or deleting an entry. For a list page for groups, the tasks are for establishing relationships between entities, either by adding (enrolling) or removing an entity from that group. Both individual entries and groups can be searched for through the list page.

Each entry page is a form which allows that entry to be edited. This is done by editing text fields or by selecting items from drop-down menus.

The web UI uses common elements on all pages.

The most basic is that all blue text is a link to an entry or to an action.

When a task like adding an entry or saving a change is possible, the task link it blue. When it is not possible (such as no items have been selected to be deleted) then the task is grayed out.

All list pages display direct links to entry pages. However, some entries are essentially nested. For example, in automount configuration, the primary entry is the location, and then keys, mount points, and maps are associated with that location as children entries. This hierarchy is reflected in breadcrumb navigation near the top of the page, so it is easy to identify where you are in the UI and how this entry relates to any other related entries.

Most entries have a variety of different configuration areas. A simple user entry has account activity settings, personal information, address information, organizational information, and other contact information. Related attributes are grouped together logically in the UI. These entry form areas can be collapsed or expanded using the arrows to control the amount of information displayed on the page.

When entries are created, they are added with only the required attributes. Additional attributes can be added manually. Some attributes have default values added to the entry and simply need to be edited; other attributes may not exist at all in the new entry and need to be added.

Any changes to any attribute can be undone. A single attribute change can be undone by clicking the dynamic undo button; all changes can be undone by clicking the Reset link at the top of the entry details page.

Members can be added to a group through the group configuration. There are tabs for all the member types which can belong to the group, and an administrator picks all of the marching entries and adds them as members.

However, it is also possible for an entity to be added to a group through its own configuration. Each entry has a list of tabs that displays group types that the entry can join. The list of all groups of that type are displayed, and the entity can be added to multiple groups at the same time.

Searches can be performed on attributes that are not displayed in the UI. This means that entries can be returned in a search that do not appear to match the given filter. This is especially common if the search information is very short, which increases the likelihood of a match.

For more information on setting and changing attributes which are searched, see Section 5.7.3, “Setting User Search Attributes” and Section 5.7.4, “Setting Group Search Attributes”.