Chapter 5. Identity: Managing Users and User Groups
Users in Identity Management are able to access services and servers within the domain through Kerberos authentication. This chapter covers general management tasks for users, groups, password policies, and other configuration for users.
5.1. Setting up User Home Directories
A home directory is required for any IPA user. Without a home directory in the expected location, a user may be unable to log into the domain. While systems administrators can manage home directories outside of IPA, it is also possible to use a PAM module to create home directories automatically on both IPA servers and clients.
5.1.1. About Home Directories
IPA, as part of managing users, can manage user home directories. However, IPA has certain defined parameters for any managed home directories:
The default prefix for users' home directories is /home.
IPA does not automatically create home directories when users log in. Automatically creating home directories requires either the pam_oddjob_mkhomedir module or the pam_mkhomedir module. This module can be configured as part of client installation or after installation, as described in Section 5.1.2, “Enabling the PAM Home Directory Module”.
The home directory process for IPA first attempts to use the pam_oddjob_mkhomedir module because this requires fewer user privileges and access to create the home directories, as well as integrating smoothly with SELinux. If this module is not available, then the process falls back to the pam_mkhomedir module.
It is possible to use an NFS file server that provides /home, makes it available to all machines in the domain, and is then automounted on the IPA server.
There are potential issues when using NFS: security issues related to granting root access to the NFS user, performance issues with loading the entire /home tree, and network performance issues when using remote servers for home directories. There are some general guidelines for using NFS with Identity Management:
Use automount to mount only the user's home directory and only when the user logs in, rather than loading the entire /home tree.
Use a remote user who has limited permissions to create home directories and mount the share on the IPA server as that user. Since the IPA server runs as an httpd process, it is possible to use sudo or a similar program to grant limited access to the IPA server to create home directories on the NFS server.
Use a mechanism, such as the pam_oddjob_mkhomedir module, to create the home directory as that user.
If a suitable directory and mechanism are not available to create home directories, users may not be able to log in.
5.1.2. Enabling the PAM Home Directory Module
For a home directory to be created automatically when a user logs in, IPA can use either the pam_oddjob_mkhomedir module or the pam_mkhomedir module. Because it requires fewer permissions and works well with SELinux, IPA preferentially uses the pam_oddjob_mkhomedir module. If that module is not installed, then it falls back to the pam_mkhomedir module.
IPA does not require the pam_oddjob_mkhomedir module or pam_mkhomedir module. This is because the *_mkhomedir module may try to create home directories even when the shared storage is not available. If the module is unable to create the home directory, then users can be blocked from logging into the IPA domain.
The system administrator must activate this module on each client or server as needed.
There are two ways to enable the pam_oddjob_mkhomedir (or pam_mkhomedir) module:
The --mkhomedir option can be used with the ipa-client-install command. While this is possible for clients, this option is not available to servers when they are set up.
The pam_oddjob_mkhomedir module can be enabled using the system's authconfig command. For example:
authconfig --enablemkhomedir
This option can be used for both server and client machines post-installation.
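Because the module is enabled per host and IPA falls back from pam_oddjob_mkhomedir to pam_mkhomedir (Section 5.1.1), a quick way to confirm what a given client or server actually ended up with is to inspect its PAM session stack. The following POSIX shell script is an added example, not part of the Identity Management guide: it reports which mkhomedir module the session stack of a PAM file enables, and checks whether the oddjobd service that pam_oddjob_mkhomedir depends on is running. The embedded system-auth text is a constructed sample; the file path and service name are assumptions about a typical Red Hat-style host.

```shell
#!/bin/sh
# Added example (not from the Identity Management guide): report which
# home-directory PAM module a system-auth stack enables, checking in the
# same order IPA prefers: pam_oddjob_mkhomedir first, then pam_mkhomedir.
# Usage on a real host: mkhomedir_module /etc/pam.d/system-auth

# Constructed sample of a system-auth file as authconfig --enablemkhomedir
# leaves it on a host where oddjob is installed (assumed layout).
SAMPLE_SYSTEM_AUTH='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so'

# Print the mkhomedir module enabled in the session stack of a PAM file,
# or "none". Lines commented out with '#' are ignored.
mkhomedir_module() {
    file="$1"
    if grep -Eq '^[[:space:]]*session.*pam_oddjob_mkhomedir\.so' "$file"; then
        echo pam_oddjob_mkhomedir
    elif grep -Eq '^[[:space:]]*session.*pam_mkhomedir\.so' "$file"; then
        echo pam_mkhomedir
    else
        echo none
    fi
}

# Return 0 when oddjobd (required by pam_oddjob_mkhomedir) is active.
# A host with pam_oddjob_mkhomedir enabled but oddjobd stopped will not
# get home directories created at login.
oddjobd_running() {
    systemctl is-active --quiet oddjobd 2>/dev/null
}

# Self-check against the constructed sample so the script runs offline.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_SYSTEM_AUTH" > "$tmp"
    module=$(mkhomedir_module "$tmp")
    rm -f "$tmp"
    echo "sample enables: $module"
    if [ "$module" = pam_oddjob_mkhomedir ]; then
        if oddjobd_running; then
            echo "oddjobd is running"
        else
            echo "oddjobd is not running on this host"
        fi
    fi
}
```

Run demo for the offline self-check, or call mkhomedir_module against /etc/pam.d/system-auth (and /etc/pam.d/password-auth on hosts that split the stacks) after ipa-client-install --mkhomedir or authconfig --enablemkhomedir to verify the module took effect on that machine.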
5.1.3. Manually Automounting Home Directories
While PAM modules can be used to create home directories for users automatically, this may not be desirable behavior in every environment. In that case, home directories can be manually added to the IPA server from separate locations using NFS shares and automount.
Create a new location for the user directory maps:
$ ipa automountlocation-add userdirs
Location: userdirs
Add a direct map to the new location's auto.direct file. In this example, the mount point is /share:
$ ipa automountkey-add userdirs auto.direct --key=/share --info="-ro,soft ipaserver.example.com:/home/share"
Key: /share
Mount information: -ro,soft ipaserver.example.com:/home/share
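The --info value of an automount key follows the automounter's own entry format: an optional comma-separated option list beginning with a dash, then whitespace, then the host:/path location. A stray comma or space in that string is accepted by the ipa command but only fails later, when a user logs in and the mount does not happen. The following POSIX shell script is an added example, not part of the guide: it validates an info string before the key is added, and wraps the guide's ipa automountkey-add invocation as a dry run that prints the command rather than executing it. The location name userdirs, the key /share and the server name are taken from the example above; nothing else here is from the page.

```shell
#!/bin/sh
# Added example (not from the Identity Management guide): validate an
# automount "info" string of the form "[-opt1,opt2] host:/path" before it
# is stored with ipa automountkey-add.

# Print "options=... location=..." and return 0 for a well-formed string;
# print a reason on stderr and return 1 for a malformed one.
parse_automount_info() {
    info="$1"
    # Split on whitespace: options (optional) followed by the location.
    set -- $info
    if [ $# -eq 2 ]; then
        opts="$1"; loc="$2"
    elif [ $# -eq 1 ]; then
        opts=""; loc="$1"
    else
        echo "expected '[-options] host:/path', got '$info'" >&2
        return 1
    fi
    case "$opts" in
        "" ) ;;                                   # no options is valid
        -*, | -*,,* | -,* )
            echo "empty option in '$opts' (stray comma)" >&2; return 1 ;;
        -* ) ;;
        * ) echo "options must start with '-': '$opts'" >&2; return 1 ;;
    esac
    case "$loc" in
        *:/* ) ;;
        * ) echo "location must be host:/path: '$loc'" >&2; return 1 ;;
    esac
    echo "options=$opts location=$loc"
}

# Dry-run wrapper for a direct-map key: validates the info string, then
# prints the ipa command that would be run (replace echo with the real
# call once the check passes).
add_direct_key() {
    location="$1"; key="$2"; info="$3"
    parse_automount_info "$info" >/dev/null || return 1
    echo ipa automountkey-add "$location" auto.direct --key="$key" --info="$info"
}

# Example: the entry from this section, and the same entry with a stray
# comma and space, which the check rejects.
demo() {
    add_direct_key userdirs /share '-ro,soft ipaserver.example.com:/home/share'
    add_direct_key userdirs /share '-ro,soft, ipaserver.example.com:/home/share' \
        || echo "rejected malformed info string"
}
```

The check is deliberately strict about the separator between options and location because the automounter treats the first whitespace as that boundary; a trailing comma on the option list would otherwise be passed through as an empty mount option.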