Chapter 24. Managing user groups in IdM CLI
Manage user groups in Identity Management (IdM) using the CLI to organize users with common privileges, password policies, and other characteristics. User groups simplify administration by applying policies to multiple users at once.
A user group in Identity Management (IdM) can include:
- IdM users
- other IdM user groups
- external users, which are users that exist outside of IdM
24.1. The different group types in IdM
Identity Management (IdM) supports three types of user groups—POSIX, non-POSIX, and external—each suited to different identity store integrations and Linux attribute requirements.
- POSIX groups (the default)
  POSIX groups support Linux POSIX attributes for their members. Note that groups that interact with Active Directory cannot use POSIX attributes.
  POSIX attributes identify users as separate entities. Examples of POSIX attributes relevant to users include `uidNumber`, a user number (UID), and `gidNumber`, a group number (GID).
- Non-POSIX groups
  Non-POSIX groups do not support POSIX attributes. For example, these groups do not have a GID defined.
  All members of this type of group must belong to the IdM domain.
- External groups
Use external groups to add group members that exist in an identity store outside of the IdM domain, such as:
- A local system
- An Active Directory domain
- A directory service
External groups do not support POSIX attributes. For example, these groups do not have a GID defined.
IdM includes the following user groups by default:

| Group name | Default group members |
|---|---|
| ipausers | All IdM users |
| admins | Users with administrative privileges, including the default admin user |
| editors | This is a legacy group that no longer has any special privileges |
| trust admins | Users with privileges to manage the Active Directory trusts |
When you add a user to a user group, the user gains the privileges and policies associated with the group. For example, to grant administrative privileges to a user, add the user to the admins group.
Do not delete the admins group. As admins is a pre-defined group required by IdM, this operation causes problems with certain commands.
In addition, IdM creates user private groups by default whenever a new user is created in IdM. For more information about private groups, see Adding users without a private group.
24.2. Direct and indirect group members
Understand how group membership inheritance works in Identity Management (IdM) with direct and indirect members. Nested group structures simplify policy management by automatically applying group attributes to all member levels.
User group attributes in IdM apply to both direct and indirect members: when group B is a member of group A, all users in group B are considered indirect members of group A.
For example, in the following diagram:
- User 1 and User 2 are direct members of group A.
- User 3, User 4, and User 5 are indirect members of group A.
Figure 24.1. Direct and Indirect Group Membership
If you set a password policy for user group A, the policy also applies to all users in user group B.
24.3. Adding a user group using IdM CLI
Create user groups in the Identity Management (IdM) CLI to organize users and manage access control policies collectively. Groups simplify administration by allowing you to assign permissions and roles to multiple users at once.
Prerequisites
- You must be logged in as the administrator. For details, see Using kinit to log in to IdM manually.
Procedure
1. Add a user group by using the `ipa group-add group_name` command. For example, to create group_a:

   ```
   $ ipa group-add group_a
   ---------------------
   Added group "group_a"
   ---------------------
     Group name: group_a
     GID: 1133400009
   ```

   By default, `ipa group-add` adds a POSIX user group. To specify a different group type, add options to `ipa group-add`:
   - `--nonposix` to create a non-POSIX group
   - `--external` to create an external group

   For details on group types, see The different group types in IdM.

2. You can specify a custom GID when adding a user group by using the `--gid=custom_GID` option. If you do this, be careful to avoid ID conflicts. If you do not specify a custom GID, IdM automatically assigns a GID from the available ID range.
24.4. Searching for user groups using IdM CLI
Search for existing user groups in Identity Management (IdM) by using the CLI to identify POSIX, non-POSIX, and external groups in your domain.
Procedure
Display all user groups by using the `ipa group-find` command. To specify a group type, add options to `ipa group-find`:
- Display all POSIX groups using the `ipa group-find --posix` command.
- Display all non-POSIX groups using the `ipa group-find --nonposix` command.
- Display all external groups using the `ipa group-find --external` command.
24.5. Deleting a user group using IdM CLI
You can delete user groups using the Identity Management (IdM) CLI. Deleting a group does not delete the group members from IdM.
Prerequisites
- You must be logged in as the administrator. For details, see Using kinit to log in to IdM manually.
Procedure
Delete a user group by using the `ipa group-del group_name` command. For example, to delete group_a:

```
$ ipa group-del group_a
--------------------------
Deleted group "group_a"
--------------------------
```
24.6. Adding a member to a user group using IdM CLI
Add users and user groups as members of a user group in the Identity Management (IdM) CLI to organize permissions and access control efficiently. Group membership simplifies user management by applying policies to multiple users simultaneously.
Prerequisites
- You must be logged in as the administrator. For details, see Using kinit to log in to IdM manually.
Procedure
Add a member to a user group by using the `ipa group-add-member` command. Specify the type of member using these options:
- `--users` adds an IdM user
- `--external` adds a user that exists outside the IdM domain, in the format of `DOMAIN\user_name` or `user_name@domain`
- `--groups` adds an IdM user group

For example, to add group_b as a member of group_a:

```
$ ipa group-add-member group_a --groups=group_b
  Group name: group_a
  GID: 1133400009
  Member users: user_a
  Member groups: group_b
  Indirect Member users: user_b
-------------------------
Number of members added 1
-------------------------
```

Members of group_b are now indirect members of group_a.

Important: When adding a group as a member of another group, do not create recursive groups. For example, if Group A is a member of Group B, do not add Group B as a member of Group A. Recursive groups can cause unpredictable behavior.

Note: After you add a member to a user group, the update may take some time to spread to all clients in your Identity Management environment. This is because when any given host resolves users, groups and netgroups, the System Security Services Daemon (SSSD) first looks into its cache and performs server lookups only for missing or expired records.
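The direct and indirect membership described in Direct and indirect group members, together with the recursive-group warning above, modelled as an added example that is not code from the IdM documentation. It assumes a constructed group map mirroring the page (group_a holds user_a and the nested group_b; group_b holds user_b); the helper functions are this example's own and are not part of the `ipa` tooling.

```python
# Added example, not code from the IdM documentation: a model of how direct
# and indirect (nested) group membership resolves, and a pre-check for the
# recursive membership the Important note warns against.

# Constructed sample data mirroring the page: group_a holds user_a directly
# and group_b as a nested group; group_b holds user_b.
GROUPS = {
    "group_a": {"users": {"user_a"}, "groups": {"group_b"}},
    "group_b": {"users": {"user_b"}, "groups": set()},
}


def resolve_members(groups, name):
    """Return (direct_users, indirect_users, cycle_found) for one group.

    Nested groups are expanded depth-first. A group already on the current
    path is a back edge (A -> B -> A): it is reported as a cycle and not
    expanded again, so a recursive structure cannot loop forever. A group
    reached twice via different paths (a diamond) is not a cycle.
    """
    direct = set(groups[name]["users"])
    indirect, expanded = set(), set()
    cycle_found = False

    def walk(group, path):
        nonlocal cycle_found
        for child in groups[group]["groups"]:
            if child in path:
                cycle_found = True
                continue
            if child in expanded:
                continue
            expanded.add(child)
            indirect.update(groups[child]["users"])
            walk(child, path | {child})

    walk(name, {name})
    # A user who is both a direct and a nested member is listed as direct only,
    # which matches how ipa group-show separates the two lists.
    return direct, indirect - direct, cycle_found


def would_create_cycle(groups, parent, child):
    """True if 'ipa group-add-member parent --groups=child' would make the
    membership recursive, i.e. parent is already reachable from child."""
    stack, seen = [child], set()
    while stack:
        group = stack.pop()
        if group == parent:
            return True
        if group in seen:
            continue
        seen.add(group)
        stack.extend(groups[group]["groups"])
    return False
```

Running `would_create_cycle` before a nested `group-add-member` is the check that prevents the Group A / Group B recursion the note describes.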
24.7. Adding users without a user private group
You can add Identity Management (IdM) users without creating user private groups (UPGs) to control group ID assignments and membership structures. By default, IdM creates a UPG for each new user, but you can disable this behavior globally or for individual users.
UPGs have the following characteristics:
- The UPG has the same name as the newly created user.
- The user is the only member of the UPG. The UPG cannot contain any other members.
- The GID of the private group matches the UID of the user.
However, it is possible to add users without creating a UPG.
24.7.1. Users without a user private group
When an existing NIS or system group already uses the GID that Identity Management (IdM) wants to assign to a user private group (UPG), you must explicitly skip UPG creation to avoid GID conflicts.
You can do this in two ways:
- Add a new user without a UPG, without disabling private groups globally. See Adding a user without a user private group when private groups are globally enabled.
- Disable UPGs globally for all users, then add a new user. See Disabling user private groups globally for all users and Adding a user when user private groups are globally disabled.
In both cases, IdM will require specifying a GID when adding new users, otherwise the operation will fail. This is because IdM requires a GID for the new user, but the default user group ipausers is a non-POSIX group and therefore does not have an associated GID. The GID you specify does not have to correspond to an already existing group.
Specifying the GID does not create a new group. It only sets the GID attribute for the new user, because the attribute is required by IdM.
24.7.2. Adding a user without a user private group when private groups are globally enabled
Add a user without creating a user private group (UPG) in Identity Management (IdM) by manually specifying a GID. With this, you can share primary groups across multiple users for collaborative file access and permissions management.
Procedure
To prevent IdM from creating a UPG, add the `--noprivate` option to the `ipa user-add` command. Note that for the command to succeed, you must specify a custom GID. For example, to add a new user with GID 10000:

```
$ ipa user-add jsmith --first=John --last=Smith --noprivate --gid 10000
```
24.7.3. Disabling user private groups globally for all users
You can disable automatic user private group creation in Identity Management (IdM). Global UPG disabling applies only to new users while existing users are not affected.
Procedure
1. Obtain administrator privileges:

   ```
   $ kinit admin
   ```

2. IdM uses the Directory Server Managed Entries Plug-in to manage UPGs. List the instances of the plug-in:

   ```
   $ ipa-managed-entries --list
   ```

3. To ensure IdM does not create UPGs, disable the plug-in instance responsible for managing user private groups:

   ```
   $ ipa-managed-entries -e "UPG Definition" disable
   Disabling Plugin
   ```

   To re-enable the `UPG Definition` instance later, use the `ipa-managed-entries -e "UPG Definition" enable` command.

4. Restart Directory Server to load the new configuration.

   ```
   $ sudo systemctl restart dirsrv.target
   ```

   To add a user after UPGs have been disabled, you need to specify a GID. For more information, see Adding a user when user private groups are globally disabled.

Verification

To check if UPGs are globally disabled, use the disable command again:

```
$ ipa-managed-entries -e "UPG Definition" disable
Plugin already disabled
```
24.7.4. Adding a user when user private groups are globally disabled
When user private groups are disabled globally in Identity Management (IdM), assign a GID manually or use an automember rule to add users. This ensures users have proper group membership for file permissions and resource access.
Prerequisites
- UPGs must be disabled globally for all users. For more information, see Disabling user private groups globally for all users
Procedure
To make sure adding a new user succeeds when creating UPGs is disabled, choose one of the following:
- Specify a custom GID when adding a new user. The GID does not have to correspond to an already existing user group.
  For example, when adding a user from the command line, add the `--gid` option to the `ipa user-add` command.
- Use an automember rule to add the user to an existing group with a GID. See Automating group membership using IdM CLI.
24.8. Adding users or groups as member managers to an IdM user group using the IdM CLI
Designate users or user groups as member managers using the Identity Management (IdM) CLI to delegate user group membership management. Member managers can add or remove group members without having full administrative privileges.
Prerequisites
- You must be logged in as the administrator. For details, see Using kinit to log in to IdM manually.
- You must have the name of the user or group you are adding as member managers and the name of the group you want them to manage.
Procedure
1. Add a user as a member manager to an IdM user group by using the `ipa group-add-member-manager` command. For example, to add the user test as a member manager of group_a:

   ```
   $ ipa group-add-member-manager group_a --users=test
     Group name: group_a
     GID: 1133400009
     Membership managed by users: test
   -------------------------
   Number of members added 1
   -------------------------
   ```

   User test can now manage members of group_a.

2. Add a group as a member manager to an IdM user group by using the `ipa group-add-member-manager` command. For example, to add the group group_admins as a member manager of group_a:

   ```
   $ ipa group-add-member-manager group_a --groups=group_admins
     Group name: group_a
     GID: 1133400009
     Membership managed by groups: group_admins
     Membership managed by users: test
   -------------------------
   Number of members added 1
   -------------------------
   ```

   Group group_admins can now manage members of group_a.

Note: After you add a member manager to a user group, the update may take some time to spread to all clients in your Identity Management environment.
Verification
Use the `ipa group-show` command to verify that the user and group were added as member managers:

```
$ ipa group-show group_a
  Group name: group_a
  GID: 1133400009
  Membership managed by groups: group_admins
  Membership managed by users: test
```
24.9. Viewing group members using IdM CLI
View both direct and indirect members of an Identity Management (IdM) user group by using the CLI to understand group membership inheritance across nested groups.
Procedure
To list members of a group, use the `ipa group-show group_name` command. For example:

```
$ ipa group-show group_a
  ...
  Member users: user_a
  Member groups: group_b
  Indirect Member users: user_b
```

Note: The list of indirect members does not include external users from trusted Active Directory domains. The Active Directory trust user objects are not visible in the Identity Management interface because they do not exist as LDAP objects within Identity Management.
24.10. Removing a member from a user group using IdM CLI
Remove users, external users, or nested groups from an Identity Management (IdM) user group by using the CLI to revoke their inherited group privileges.
Prerequisites
- You must be logged in as the administrator. For details, see Using kinit to log in to IdM manually.
Procedure
1. Optional: Use the `ipa group-show` command to confirm that the group includes the member you want to remove.

2. Remove a member from a user group by using the `ipa group-remove-member` command. Specify members to remove using these options:
   - `--users` removes an IdM user
   - `--external` removes a user that exists outside the IdM domain, in the format of `DOMAIN\user_name` or `user_name@domain`
   - `--groups` removes an IdM user group

   For example, to remove user1, user2, and group1 from a group called group_name:

   ```
   $ ipa group-remove-member group_name --users=user1 --users=user2 --groups=group1
   ```
24.11. Removing users or groups as member managers from an IdM user group using the IdM CLI
Remove users or groups as member managers from an Identity Management (IdM) user group by using the CLI to revoke their ability to manage group membership. Member managers can add and remove group members but cannot change the group’s attributes.
Prerequisites
- You must be logged in as the administrator. For details, see Using kinit to log in to IdM manually.
- You must have the name of the existing member manager user or group you are removing and the name of the group they are managing.
Procedure
1. Remove a user as a member manager of an IdM user group by using the `ipa group-remove-member-manager` command. For example, to remove the user test as a member manager of group_a:

   ```
   $ ipa group-remove-member-manager group_a --users=test
     Group name: group_a
     GID: 1133400009
     Membership managed by groups: group_admins
   ---------------------------
   Number of members removed 1
   ---------------------------
   ```

   User test can no longer manage members of group_a.

2. Remove a group as a member manager of an IdM user group by using the `ipa group-remove-member-manager` command. For example, to remove the group group_admins as a member manager of group_a:

   ```
   $ ipa group-remove-member-manager group_a --groups=group_admins
     Group name: group_a
     GID: 1133400009
   ---------------------------
   Number of members removed 1
   ---------------------------
   ```

   Group group_admins can no longer manage members of group_a.

Note: After you remove a member manager from a user group, the update may take some time to spread to all clients in your Identity Management environment.
Verification
Use the `ipa group-show` command to verify that the user and group were removed as member managers:

```
$ ipa group-show group_a
  Group name: group_a
  GID: 1133400009
```
24.12. Enabling group merging for local and remote groups in IdM
Enable group merging in Identity Management (IdM) to combine membership from centrally managed and local groups with matching names. Group merging supports legacy applications that require local group memberships while maintaining centralized management.
Groups are either centrally managed, provided by a domain such as IdM or Active Directory (AD), or they are managed on a local system in the /etc/group file. In most cases, users rely on a centrally managed store. However, in some cases software still relies on membership in known groups for managing access control.
If you want to manage groups from a domain controller and from the local /etc/group file, you can enable group merging. You can configure your nsswitch.conf file to check both the local files and the remote service. If a group appears in both, the list of member users is combined and returned in a single response. The steps below describe how to enable group merging for a user, idmuser.
If you are using the authselect utility, you no longer need to manually edit nsswitch.conf to enable group merging. It is now integrated into authselect profiles, eliminating the need for manual changes.
Procedure
1. Add `[SUCCESS=merge]` to the `/etc/nsswitch.conf` file:

   ```
   # Allow initgroups to default to the setting for group.
   initgroups: sss [SUCCESS=merge] files
   ```

2. Add the idmuser to IdM:

   ```
   # ipa user-add idmuser
   First name: idm
   Last name: user
   ---------------------
   Added user "idmuser"
   ---------------------
     User login: idmuser
     First name: idm
     Last name: user
     Full name: idm user
     Display name: idm user
     Initials: tu
     Home directory: /home/idmuser
     GECOS: idm user
     Login shell: /bin/sh
     Principal name: idmuser@IPA.TEST
     Principal alias: idmuser@IPA.TEST
     Email address: idmuser@ipa.test
     UID: 19000024
     GID: 19000024
     Password: False
     Member of groups: ipausers
     Kerberos keys available: False
   ```

3. Verify the GID of the local audio group:

   ```
   $ getent group audio
   ---------------------
   audio:x:63
   ```

4. Add the group audio to IdM:

   ```
   $ ipa group-add audio --gid 63
   -------------------
   Added group "audio"
   -------------------
     Group name: audio
     GID: 63
   ```

   Note: The GID you define when adding the audio group to IdM must be the same as the GID of the local audio group.

5. Add the idmuser user to the IdM audio group:

   ```
   $ ipa group-add-member audio --users=idmuser
     Group name: audio
     GID: 63
     Member users: idmuser
   -------------------------
   Number of members added 1
   -------------------------
   ```
Verification
- Log in as the idmuser.
- Verify that the idmuser has the local group in their session:

  ```
  $ id idmuser
  uid=1867800003(idmuser) gid=1867800003(idmuser) groups=1867800003(idmuser),63(audio),10(wheel)
  ```
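The `sss [SUCCESS=merge] files` lookup configured in this procedure, modelled as an added example that is not code from the IdM documentation or from glibc. The /etc/group contents and the IdM group view are constructed to match the procedure (audio with GID 63 on both sides, idmuser as its IdM member), with an extra `video` group whose GIDs deliberately differ; the rule that entries with different GIDs are not merged is an assumption of this model, chosen to mirror the Note that the GIDs must match.

```python
# Added example, not code from the IdM documentation: a model of the
# "sss [SUCCESS=merge] files" lookup configured above. It reproduces only what
# the page describes (members of a same-named IdM and local group are combined)
# and, as an assumption of this model, does not merge entries whose GIDs differ.

# Constructed /etc/group contents (the "files" source).
ETC_GROUP = """\
root:x:0:
wheel:x:10:idmuser
audio:x:63:localuser
video:x:39:localuser
"""

# Constructed view of the IdM ("sss") source after the procedure above.
SSS_GROUPS = {
    "audio": {"gid": 63, "members": ["idmuser"]},
    "video": {"gid": 1867800010, "members": ["idmuser"]},  # GID differs from local video
    "ipausers": {"gid": None, "members": ["idmuser"]},     # non-POSIX: no GID
}


def parse_etc_group(text):
    """Parse /etc/group lines into {name: {"gid": int, "members": [...]}}."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def lookup_group(name, sss=SSS_GROUPS, files_text=ETC_GROUP):
    """Resolve one group as 'group: sss [SUCCESS=merge] files' would: sss first,
    then files, merging a same-named local group's members into the result.
    Returns (entry, status); status is sss, files, merged, gid-mismatch or notfound."""
    files = parse_etc_group(files_text)
    remote, local = sss.get(name), files.get(name)
    if remote is None and local is None:
        return None, "notfound"
    if remote is None:                      # sss NOTFOUND: fall through to files
        return dict(local), "files"
    if local is None:
        return dict(remote), "sss"
    if remote["gid"] != local["gid"]:       # assumption: only same-GID entries merge
        return dict(remote), "gid-mismatch"
    extra = [m for m in local["members"] if m not in remote["members"]]
    return {"gid": remote["gid"], "members": remote["members"] + extra}, "merged"


def initgroups(user, sss=SSS_GROUPS, files_text=ETC_GROUP):
    """Supplementary GIDs for a user, as 'initgroups: sss [SUCCESS=merge] files'
    would assemble them; a group without a GID (non-POSIX) cannot appear."""
    gids = set()
    for name in set(sss) | set(parse_etc_group(files_text)):
        entry, _status = lookup_group(name, sss, files_text)
        if entry and entry["gid"] is not None and user in entry["members"]:
            gids.add(entry["gid"])
    return gids
```

`initgroups("idmuser")` yields the audio (63) and wheel (10) GIDs seen in the `id idmuser` output above, while the mismatched `video` group shows what a local user loses when the GIDs are not aligned.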