Chapter 43. Managing host groups using the IdM CLI


Manage host groups and their members in Identity Management (IdM) using the CLI to organize hosts for easier policy management. Host groups simplify the application of access control rules and other policies to multiple hosts.

43.1. Host groups in IdM

Understand how IdM host groups centralize control over access policies and other management tasks for sets of hosts with common characteristics. For example, you can define host groups based on company departments, physical locations, or access control requirements.

A host group in IdM can include:

  • IdM servers and clients
  • Other IdM host groups

Host groups created by default
    By default, the IdM server creates the host group ipaservers for all IdM server hosts.
Direct and indirect group members
    Group attributes in IdM apply to both direct and indirect members: when host group B is a member of host group A, all members of host group B are considered indirect members of host group A.

43.2. Viewing IdM host groups using the CLI

View host groups and their details by using the Identity Management (IdM) CLI to understand how hosts are organized and confirm group configurations.

Prerequisites

Procedure

  1. Find all host groups using the ipa hostgroup-find command.

    $ ipa hostgroup-find
    -------------------
    1 hostgroup matched
    -------------------
      Host-group: ipaservers
      Description: IPA server hosts
    ----------------------------
    Number of entries returned 1
    ----------------------------
  2. To display all attributes of a host group, add the --all option. For example:

    $ ipa hostgroup-find --all
    -------------------
    1 hostgroup matched
    -------------------
      dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=idm,dc=local
      Host-group: ipaservers
      Description: IPA server hosts
      Member hosts: xxx.xxx.xxx.xxx
      ipauniqueid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      objectclass: top, groupOfNames, nestedGroup, ipaobject, ipahostgroup
    ----------------------------
    Number of entries returned 1
    ----------------------------

43.3. Creating IdM host groups using the CLI

Create host groups using the Identity Management (IdM) CLI to organize and manage multiple hosts as a single unit. Host groups simplify policy application and administrative tasks across your infrastructure.

Prerequisites

Procedure

  • Add a host group using the ipa hostgroup-add command.

    For example, to create an IdM host group named group_name and give it a description:

    $ ipa hostgroup-add --desc 'My new host group' group_name
    ---------------------
    Added hostgroup "group_name"
    ---------------------
      Host-group: group_name
      Description: My new host group
    ---------------------

43.4. Deleting IdM host groups using the CLI

You can delete host groups using the Identity Management (IdM) CLI. Deleting a host group does not delete the group members from IdM.

Prerequisites

Procedure

  • Delete a host group using the ipa hostgroup-del command.

    For example, to delete the IdM host group named group_name:

    $ ipa hostgroup-del group_name
    --------------------------
    Deleted hostgroup "group_name"
    --------------------------

43.5. Adding IdM host group members using the CLI

Add hosts to host groups using the Identity Management (IdM) CLI to apply policies and access controls to multiple systems collectively.

Prerequisites

  • Administrator privileges for managing IdM or User Administrator role.
  • An active Kerberos ticket. For details, see Using kinit to log in to IdM manually.
  • Optional: Use the ipa hostgroup-find command to find hosts and host groups.

Procedure

  • To add a member to a host group, use the ipa hostgroup-add-member command and provide the relevant information. You can specify the type of member to add using these options:

    • Use the --hosts option to add one or more hosts to an IdM host group.

      For example, to add the host named example_member to the group named group_name:

      $ ipa hostgroup-add-member group_name --hosts example_member
      Host-group: group_name
      Description: My host group
      Member hosts: example_member
      -------------------------
      Number of members added 1
      -------------------------
    • Use the --hostgroups option to add one or more host groups to an IdM host group.

      For example, to add the host group named nested_group to the group named group_name:

      $ ipa hostgroup-add-member group_name --hostgroups nested_group
      Host-group: group_name
      Description: My host group
      Member host-groups: nested_group
      -------------------------
      Number of members added 1
      -------------------------
    • You can add multiple hosts and multiple host groups to an IdM host group in a single command using the following syntax:

      $ ipa hostgroup-add-member group_name --hosts={host1,host2} --hostgroups={group1,group2}
    Important

    When adding a host group as a member of another host group, do not create recursive groups. For example, if Group A is a member of Group B, do not add Group B as a member of Group A. Recursive groups can cause unpredictable behavior.
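The two rules above (indirect membership in 43.1 and the warning against recursive groups) can be checked mechanically. The following added example, which is not Red Hat's code and not part of IdM, parses constructed `ipa hostgroup-show` output, computes the effective (direct plus indirect) member hosts of a group, and tells whether a planned `ipa hostgroup-add-member ... --hostgroups` call would create a recursive group; the group names and hosts in SAMPLE_OUTPUT are constructed, and `lookup` stands in for running the real command.

```python
# Constructed sample of `ipa hostgroup-show <name>` output, one entry per host group.
SAMPLE_OUTPUT = {
    "group_name": "  Host-group: group_name\n  Description: My host group\n"
                  "  Member hosts: example_member\n  Member host-groups: nested_group\n",
    "nested_group": "  Host-group: nested_group\n  Member hosts: db1.idm.example.com, "
                    "db2.idm.example.com\n  Member host-groups: leaf_group\n",
    "leaf_group": "  Host-group: leaf_group\n  Member hosts: app1.idm.example.com\n",
}

def lookup(name):
    """Return hostgroup-show text for `name` from the constructed sample (assumption)."""
    # Live use: subprocess.run(["ipa", "hostgroup-show", name], capture_output=True, text=True).stdout
    return SAMPLE_OUTPUT.get(name, "  Host-group: %s\n" % name)

def parse_show(text):
    """Split show output into (direct member hosts, direct member host-groups)."""
    hosts, groups = [], []
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        items = [v.strip() for v in value.split(",") if v.strip()]
        if key == "Member hosts":
            hosts = items
        elif key == "Member host-groups":
            groups = items
    return hosts, groups

def reachable_groups(group):
    """Every host group reachable from `group` through nesting, itself included.
    The `seen` set makes the walk terminate even if a recursive group already exists."""
    seen, stack = set(), [group]
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(parse_show(lookup(g))[1])
    return seen

def effective_hosts(group):
    """Direct plus indirect member hosts, as IdM applies group attributes to them."""
    hosts = set()
    for g in reachable_groups(group):
        hosts.update(parse_show(lookup(g))[0])
    return hosts

def would_create_cycle(parent, child):
    """True if `ipa hostgroup-add-member parent --hostgroups child` would make a recursive group."""
    return parent in reachable_groups(child)
```

Run `would_create_cycle` before the real `ipa hostgroup-add-member` call and refuse the change when it returns True.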

43.6. Removing IdM host group members using the CLI

Remove hosts or nested host groups from an Identity Management (IdM) host group by using the CLI to revoke their membership-based policies and access.

Prerequisites

  • Administrator privileges for managing IdM or User Administrator role.
  • An active Kerberos ticket. For details, see Using kinit to log in to IdM manually.
  • Optional: Use the ipa hostgroup-find command to confirm that the group includes the member you want to remove.

Procedure

  • To remove a host group member, use the ipa hostgroup-remove-member command and provide the relevant information. You can specify the type of member to remove using these options:

    • Use the --hosts option to remove one or more hosts from an IdM host group.

      For example, to remove the host named example_member from the group named group_name:

      $ ipa hostgroup-remove-member group_name --hosts example_member
      Host-group: group_name
      Description: My host group
      -------------------------
      Number of members removed 1
      -------------------------
    • Use the --hostgroups option to remove one or more host groups from an IdM host group.

      For example, to remove the host group named nested_group from the group named group_name:

      $ ipa hostgroup-remove-member group_name --hostgroups nested_group
      Host-group: group_name
      Description: My host group
      -------------------------
      Number of members removed 1
      -------------------------
      Note

      Removing a group does not delete the group members from IdM.

    • You can remove multiple hosts and multiple host groups from an IdM host group in a single command using the following syntax:

      $ ipa hostgroup-remove-member group_name --hosts={host1,host2} --hostgroups={group1,group2}

43.7. Adding IdM host group member managers using the CLI

Designate hosts or host groups as member managers using the Identity Management (IdM) CLI to delegate host group membership management. Member managers can add or remove hosts from groups without having full administrative privileges.

Prerequisites

  • Administrator privileges for managing IdM or User Administrator role.
  • An active Kerberos ticket. For details, see Using kinit to log in to IdM manually.
  • You must have the name of the host or host group you are adding as member managers and the name of the host group you want them to manage.

Procedure

  1. Optional: Use the ipa hostgroup-find command to find hosts and host groups.
  2. To add a member manager to a host group, use the ipa hostgroup-add-member-manager command.

    For example, to add the user named example_member as a member manager to the group named group_name:

    $ ipa hostgroup-add-member-manager group_name --user example_member
    Host-group: group_name
    Member hosts: server.idm.example.com
    Member host-groups: project_admins
    Member of netgroups: group_name
    Membership managed by users: example_member
    -------------------------
    Number of members added 1
    -------------------------
  3. Use the --groups option to add one or more host groups as a member manager to an IdM host group.

    For example, to add the host group named admin_group as a member manager to the group named group_name:

    $ ipa hostgroup-add-member-manager group_name --groups admin_group
    Host-group: group_name
    Member hosts: server.idm.example.com
    Member host-groups: project_admins
    Member of netgroups: group_name
    Membership managed by groups: admin_group
    Membership managed by users: example_member
    -------------------------
    Number of members added 1
    -------------------------
    Note

    After you add a member manager to a host group, the update may take some time to spread to all clients in your Identity Management environment.

Verification

  • Use the ipa hostgroup-show command to verify that the user and host group were added as member managers.

    $ ipa hostgroup-show group_name
    Host-group: group_name
    Member hosts: server.idm.example.com
    Member host-groups: project_admins
    Membership managed by groups: admin_group
    Membership managed by users: example_member

43.8. Removing IdM host group member managers using the CLI

Remove hosts or host groups as member managers from an Identity Management (IdM) host group by using the CLI to revoke their ability to manage group membership. Member managers can add and remove group members but cannot change the attributes of the host group.

Prerequisites

  • Administrator privileges for managing IdM or User Administrator role.
  • An active Kerberos ticket. For details, see Using kinit to log in to IdM manually.
  • You must have the name of the existing member manager host group you are removing and the name of the host group they are managing.

Procedure

  1. Optional: Use the ipa hostgroup-find command to find hosts and host groups.
  2. To remove a member manager from a host group, use the ipa hostgroup-remove-member-manager command.

    For example, to remove the user named example_member as a member manager from the group named group_name:

    $ ipa hostgroup-remove-member-manager group_name --user example_member
    Host-group: group_name
    Member hosts: server.idm.example.com
    Member host-groups: project_admins
    Member of netgroups: group_name
    Membership managed by groups: nested_group
    ---------------------------
    Number of members removed 1
    ---------------------------
  3. Use the --groups option to remove one or more host groups as a member manager from an IdM host group.

    For example, to remove the host group named nested_group as a member manager from the group named group_name:

    $ ipa hostgroup-remove-member-manager group_name --groups nested_group
    Host-group: group_name
    Member hosts: server.idm.example.com
    Member host-groups: project_admins
    Member of netgroups: group_name
    ---------------------------
    Number of members removed 1
    ---------------------------
    Note

    After you remove a member manager from a host group, the update may take some time to spread to all clients in your Identity Management environment.

Verification

  • Use the ipa hostgroup-show command to verify that the user and host group were removed as member managers.

    $ ipa hostgroup-show group_name
    Host-group: group_name
    Member hosts: server.idm.example.com
    Member host-groups: project_admins