ipa command. This command has several dozen subcommands, grouped by configuration areas, to give specific control over different areas of the IPA domain configuration. These subcommands are really plug-ins that are implemented and called through the ipa command.
ipa command is that it is pluggable. Custom behavior can be defined for the IPA domain through custom ipa subcommands.
| Description | Location |
|---|---|
| Tool directory | /usr/bin |
| Package | ipa-admintools |
ipa [global_options] commands [command_options]
ipa are loosely organized in groups, based on the configuration area that they relate to. These groups are called topics, and the ipa help information can be called for each topic group.
$ ipa help topicName
$ ipa help automount
| Topic | Description |
|---|---|
| automount | Adding and managing automount and NFS configuration. |
| cert | Managing certificate operations. |
| config | Managing the IPA server configuration. |
| delegation | Setting and controlling authorization delegated between groups. |
| dns | Creating and managing the DNS entries within the IPA DNS domain. |
| group | Creating groups of users. |
| hbac | Setting and testing host-based access controls. |
| host | Creating and managing client (host) entries within the IPA domain. |
| hostgroup | Creating and managing groups of hosts. |
| krbtpolicy | Managing the Kerberos ticket policy. |
| migration | Managing migration to IPA. |
| misc | Viewing current environment variables and plug-ins. |
| netgroup | Managing netgroups within the IPA domain. |
| passwd | Managing user passwords. |
| permission | Setting access control rules for users, groups, and roles within IPA to IPA resources. |
| privilege | Managing a group of permissions. |
| pwpolicy | Managing the IPA domain password policy. |
| role | Creating and managing user roles, as part of access control. |
| selfservice | Managing rights that users have to their own personal IPA entries. |
| service | Creating and managing system services that are managed as an IPA resource. |
| sudo | Creating and managing sudo rules and policies. |
| user | Creating and managing IPA user accounts. |
| Short Option | Long Option | Description |
|---|---|---|
| -h | --help | Prints the help for the command and exits. |
| -e key=value | | Sets a given environment variable (key) to the specified value before running the command. |
| -c file | | Loads the server configuration from a different file instead of default.conf. |
| -d | --debug | Uses debug logging when running the command. |
| -v | --verbose | Prints verbose messages to stdout when running the command. If two -v options are used, then the command returns the full XML-RPC request. |
| -a | --prompt-all | Prompts for every argument for the command, even optional ones. |
| -n | --no-prompt | Does not prompt for any argument, even required ones. |
| -f | --no-fallback | Uses only the server specified in the local default.conf and does not fall back to another server if that one is unavailable. |
| | --all | For find and show commands. Returns all of the attributes for the entry, not just the ones related to the command or configuration area. |
| | --raw | For find and show commands. Returns the raw, LDIF-formatted LDAP entry instead of the friendly-formatted versions. |
| | --addattr=attribute=value | For add and mod commands. Adds a new attribute with the given value. |
| | --setattr=attribute=value | For add and mod commands. Replaces the value of a given attribute with the new value. |
ipa use specified command-line arguments to set values. For example, adding a mail attribute to a user can be done with the --mail argument; enabling dynamic updates for a DNS zone can be done with the --allow-dynupdate option with zone commands; and a map key for an automount map is given in the --key option.
ipa allow the --setattr and --addattr options to define attributes and values explicitly.
--setattr=attribute=value
--setattr option sets one value for the given attribute; any existing values are overwritten, even for multi-valued attributes.
--addattr option adds a new value for an attribute; for a multi-valued attribute, it adds the new value while preserving any existing values.
--setattr option and --addattr can be used multiple times in the same command invocation. For example:
$ ipa user-mod jsmith --addattr=mail=johnnys@me.com --addattr=mail=jsmith@example.com --setattr=description="backup IT manager for the east coast branch"
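Because --setattr discards every existing value of a multi-valued attribute, a change script can check its arguments before calling ipa. The function below is an added example, not part of the IPA tools or the original documentation; the name check_setattr and the MULTI_VALUED list are assumptions (only mail is shown as multi-valued on this page), and it handles only the --setattr=attribute=value form shown above.

```shell
#!/bin/sh
# Added example: pre-flight check for planned `ipa` arguments.
# MULTI_VALUED is an assumed, site-maintained list of attributes that may
# hold several values; extend it to match the local schema.
MULTI_VALUED="${MULTI_VALUED:-mail}"

# check_setattr ARG...
# Prints each multi-valued attribute that a --setattr option would overwrite.
# Returns 1 if any were found, 0 otherwise. It never runs ipa itself.
check_setattr() {
    risky=""
    for arg in "$@"; do
        case "$arg" in
            --setattr=*=*)
                attr=${arg#--setattr=}   # drop the option name
                attr=${attr%%=*}         # keep the text before the first '='
                # LDAP attribute names are case-insensitive, so normalize.
                attr=$(printf '%s' "$attr" | tr '[:upper:]' '[:lower:]')
                for mv in $MULTI_VALUED; do
                    if [ "$attr" = "$mv" ]; then
                        risky="$risky $attr"
                    fi
                done
                ;;
        esac
    done
    if [ -n "$risky" ]; then
        # One attribute name per line (word splitting is intended here).
        printf '%s\n' $risky
        return 1
    fi
    return 0
}

# Constructed usage, based on the user-mod example above:
#   if check_setattr "$@"; then ipa "$@"; else echo "use --addattr" >&2; fi
```
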
| Return Code | Description |
|---|---|
| 0 | An error occurred. |
| 1 | The operation was successful. |
| 2 | A resource or object was not found. |
| Command | Description |
|---|---|
| dnsrecord-add | Creates a new DNS zone in the IPA server. |
| dnsrecord-del | Deletes a DNS zone from the DNS domain maintained by the IPA server. |
| dnsrecord-find | Searches for a DNS zone which matches the filter. |
| dnsrecord-mod | Edits the configuration of an existing DNS domain. |
| dnsrecord-show | Lists the details for any or all DNS zones, depending on the filter. |
| Command | Description |
|---|---|
| dnszone-add | Creates a new DNS zone in the IPA server. |
| dnszone-del | Deletes a DNS zone from the DNS domain maintained by the IPA server. |
| dnszone-find | Searches for a DNS zone which matches the filter. |
| dnszone-mod | Edits the configuration of an existing DNS domain. |
| dnszone-show | Lists the details for any or all DNS zones, depending on the filter. |
| dnszone-disable | Disables a DNS zone, which removes it from being used but does not delete the zone or its configuration. |
| dnszone-enable | Enables an existing DNS zone, which restores it to the IPA domain with its previous configuration intact. |