Chapter 4. Modifying user and group attributes in IdM
Customize the Identity Management (IdM) user and group schema to match your organization’s requirements. Modify LDAP object classes and attributes to control what information can be stored for users and groups.
IdM stores information as LDAP attributes. When you create a user entry, IdM automatically assigns it LDAP object classes that define which attributes are available to that entry. You can modify these object classes and their attributes to customize the schema. For example, you can change attribute formats such as the maximum characters allowed in a user name.
4.1. The default IdM user attributes
IdM user entries contain attributes that are set automatically or manually. Understanding which attributes are required, optional, or have default values helps you create user accounts correctly.
| Web UI field | Command-line option | Required, optional, or default |
|---|---|---|
| User login | username | Required |
| First name | --first | Required |
| Last name | --last | Required |
| Full name | --cn | Optional |
| Display name | --displayname | Optional |
| Initials | --initials | Default |
| Home directory | --homedir | Default |
| GECOS field | --gecos | Default |
| Shell | --shell | Default |
| Kerberos principal | --principal | Default |
| Email address | | Optional |
| Password | --password | Optional. Note that the script prompts for a new password, rather than accepting a value with the argument. |
| User ID number | --uid | Default |
| Group ID number | --gidnumber | Default |
| Street address | --street | Optional |
| City | --city | Optional |
| State/Province | --state | Optional |
| Zip code | --postalcode | Optional |
| Telephone number | --phone | Optional |
| Mobile telephone number | --mobile | Optional |
| Pager number | --pager | Optional |
| Fax number | --fax | Optional |
| Organizational unit | --orgunit | Optional |
| Job title | --title | Optional |
| Manager | --manager | Optional |
| Car license | --carlicense | Optional |
| | --noprivate | Optional |
| SSH Keys | --sshpubkey | Optional |
| Additional attributes | --addattr | Optional |
| Department Number | --departmentnumber | Optional |
| Employee Number | --employeenumber | Optional |
| Employee Type | --employeetype | Optional |
| Preferred Language | --preferredlanguage | Optional |
You can also add any attributes available in the following object classes, even if no Web UI or command-line argument for that attribute exists.
| Object classes | Description |
|---|---|
| ipaobject, ipasshuser | IdM object classes |
| person, organizationalperson, inetorgperson, inetuser, posixAccount | Person object classes |
| krbprincipalaux, krbticketpolicyaux | Kerberos object classes |
| mepOriginEntry | Managed entries (template) object classes |
4.2. Considerations in changing the default user and group schema
Review these considerations before creating custom LDAP object classes or attributes for user and group entries. Schema modifications affect all future entries and require careful planning to avoid breaking existing functionality.
When you modify object classes, IdM provides the following validation:
- All of the object classes and their specified attributes must be known to the LDAP server.
- All default attributes that are configured for the entry must be supported by the configured object classes.
The IdM schema validation has limitations and the IdM server does not check that the defined user or group object classes contain all of the required object classes for IdM entries. For example, all IdM entries require the ipaobject object class. However, if the user or group schema is changed, the server does not check if this object class is included. If the object class is accidentally deleted and you then try to add a new user, the attempt fails.
All object class changes are atomic, not incremental. You must define the entire list of default object classes every time a change occurs. For example, you may decide to create a custom object class to store employee information such as birthdays and employment start dates. In this scenario, you cannot simply add the custom object class to the list. Instead, you must set the entire list of current default object classes plus the new object class. If you do not include the existing default object classes when you update the configuration, the current settings are overwritten. This causes serious performance problems.
After you modify the list of default object classes, new user and group entries contain the custom object classes but any old entries are not modified.
4.3. Modifying user object classes in the IdM Web UI
Modify user object classes in the Identity Management (IdM) Web UI to add custom attributes to future user entries. New entries will have different attributes than existing user entries.
Prerequisites
- You are logged in as the IdM administrator.
Procedure
- Open the IPA Server tab.
- Select the Configuration subtab.
- Scroll to the User Options area.
- Keep all the object classes listed in the Default IdM user object classes table.
  Important: If any object classes required by IdM are not included, then subsequent attempts to add a user entry will fail with object class violations.
- At the bottom of the users area, click Add for a new field to appear.
- Enter the name of the user object class you want to add.
- Click Save at the top of the Configuration page.
4.4. Modifying user object classes in the IdM CLI
Modify user object classes using the Identity Management (IdM) CLI to add custom attributes to future user entries. New entries will have different attributes than existing user entries.
Prerequisites
- You have enabled the brace expansion feature:

  ```
  # set -o braceexpand
  ```

- You are logged in as the IdM administrator.
Procedure
- Use the ipa config-mod command to modify the current schema. For example, to add the top and mailRecipient object classes to the future user entries:

  ```
  [bjensen@server ~]$ ipa config-mod --userobjectclasses={person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,ipasshuser,mepOriginEntry,top,mailRecipient}
  ```

  The command adds all the ten user object classes that are native to IdM as well as the two new ones, top and mailRecipient.

  Important: The information passed with the config-mod command overwrites the previous values. If any user object classes required by IdM are not included, then subsequent attempts to add a user entry will fail with object class violations.

  Alternatively, you can add a user object class by using the ipa config-mod --addattr ipauserobjectclasses=<user object class> command. In this way, you do not risk forgetting a native IdM class in the list. For example, to add the mailRecipient user object class without overwriting the current configuration, enter ipa config-mod --addattr ipauserobjectclasses=mailRecipient. Analogously, to remove only the mailRecipient object class, enter ipa config-mod --delattr ipauserobjectclasses=mailRecipient.
4.5. Modifying group object classes in the IdM Web UI
Modify group object classes in the IdM Web UI to add custom attributes to future group entries. New groups will have different attributes than existing group entries.
The following group object classes are available by default:
- top
- groupofnames
- nestedgroup
- ipausergroup
- ipaobject
In this example, you learn how to add additional group object classes to the future group entries.
Prerequisites
- You are logged in as the IdM administrator.
Procedure
- Open the IPA Server tab.
- Select the Configuration subtab.
- Locate the Group Options area.
- Keep the default IdM group object classes.
  Important: If any group object classes required by IdM are not included, then subsequent attempts to add a group entry will fail with object class violations.
- Click Add for a new field to appear.
- Enter the name of the group object class you want to add.
- Click Save at the top of the Configuration page.
4.6. Modifying group object classes in the IdM CLI
Modify group object classes using the Identity Management (IdM) CLI to add custom attributes to future group entries. New groups will have different attributes than existing group entries.
The following group object classes are available by default:
- top
- groupofnames
- nestedgroup
- ipausergroup
- ipaobject
In this example, you add the ipasshuser and employee group object classes to the future group entries.
Prerequisites
- You have enabled the brace expansion feature:

  ```
  # set -o braceexpand
  ```

- You are logged in as the IdM administrator.
Procedure
- Use the ipa config-mod command to modify the current schema. For example, to add the ipasshuser and employeegroup object classes to the future group entries:

  ```
  [bjensen@server ~]$ ipa config-mod --groupobjectclasses={top,groupofnames,nestedgroup,ipausergroup,ipaobject,ipasshuser,employeegroup}
  ```

  The command adds all the default group object classes as well as the two new ones, ipasshuser and employeegroup.

  Important: If any group object classes required by IdM are not included, then subsequent attempts to add a group entry will fail with object class violations.

  Note: Instead of the comma-separated list inside curly braces with no spaces allowed that is used in the example above, you can use the --groupobjectclasses argument repeatedly.
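Because the --userobjectclasses and --groupobjectclasses options replace the whole list (sections 4.2, 4.4 and 4.6), a scripted change should start from what the server currently reports and verify nothing is dropped before it runs. The following is an added example, not part of the IdM documentation or the FreeIPA project: it parses a constructed sample of ipa config-show --all output (embedded so the script runs offline), appends the requested classes, refuses to produce a config-mod command that would lose a currently configured class or ipaobject, and prints the command instead of running it. The function names and the sample output are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the IdM documentation). Builds the complete class
# list that "ipa config-mod --userobjectclasses=..." or "--groupobjectclasses=..."
# requires, starting from what the server currently reports, and refuses to
# emit a command that would drop an existing class or ipaobject. The command is
# printed, not executed, so the script runs without an IdM server.

# Constructed sample of "ipa config-show --all" output. On a live server use:
#   IPA_CONFIG=$(ipa config-show --all)
IPA_CONFIG='dn: cn=ipaConfig,cn=etc,dc=example,dc=com
Maximum username length: 32
Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser'

# current_classes user|group -> the configured classes, comma-separated, no spaces
current_classes() {
    printf '%s\n' "$IPA_CONFIG" | sed -n "s/^Default $1 objectclasses: //p" | tr -d ' '
}

# has_class LIST NAME -> succeeds if NAME is in the comma-separated LIST.
# LDAP object class names are case-insensitive, so both sides are lowercased.
has_class() {
    printf '%s\n' "$1" | tr ',' '\n' | tr 'A-Z' 'a-z' \
        | grep -qx "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# merge_classes LIST NAME... -> LIST with each NAME appended once
merge_classes() {
    merged=$1
    shift
    for name in "$@"; do
        has_class "$merged" "$name" || merged="$merged,$name"
    done
    printf '%s\n' "$merged"
}

# missing_classes CURRENT PROPOSED -> classes in CURRENT (plus ipaobject, which
# every IdM entry needs) that PROPOSED lacks, one per line; no output means safe
missing_classes() {
    for name in $(printf '%s,ipaobject' "$1" | tr ',' ' '); do
        has_class "$2" "$name" || printf '%s\n' "$name"
    done | sort -u
}

# config_mod_command user|group PROPOSED -> prints the ipa config-mod command
# for PROPOSED, or returns 1 (message on stderr) if PROPOSED drops a class
config_mod_command() {
    kind=$1
    proposed=$2
    missing=$(missing_classes "$(current_classes "$kind")" "$proposed")
    if [ -n "$missing" ]; then
        printf 'refusing: list drops %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
        return 1
    fi
    printf 'ipa config-mod --%sobjectclasses=%s\n' "$kind" "$proposed"
}

# Stand-alone run: the two scenarios from this chapter, then a list that
# silently lost every class except three, which the check rejects.
config_mod_command user "$(merge_classes "$(current_classes user)" top mailRecipient)"
config_mod_command group "$(merge_classes "$(current_classes group)" ipasshuser employeegroup)"
config_mod_command user 'top,person,mailRecipient' || echo '(rejected, as intended)'
```

The printed command uses a plain comma-separated list rather than the {a,b,c} brace form, so it does not depend on set -o braceexpand; the check deliberately treats every class the server currently reports as required, because, as section 4.2 notes, the server itself does not validate that IdM's own classes are still present.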
4.7. Default user and group attributes in IdM
Identity Management (IdM) uses templates with default values when creating new user and group entries. Customize these defaults to match your organization’s requirements for home directories, shells, and naming conventions.
The template for users is more specific than the template for groups. IdM uses default values for several core attributes for IdM user accounts. These defaults can define actual values for user account attributes, such as the home directory location, or they can define the formats of attribute values, such as the user name length. The template also defines the object classes assigned to users.
For groups, the template only defines the assigned object classes.
In the IdM LDAP directory, these default definitions are all contained in a single configuration entry for the IdM server, cn=ipaconfig,cn=etc,dc=example,dc=com.
You can modify the configuration of default user parameters in IdM by using the ipa config-mod command. The table below summarizes some of the key parameters, the command-line options that you can use with ipa config-mod to modify them, and the parameter descriptions.
| Web UI field | Command-line option | Description |
|---|---|---|
| Maximum user name length | | Sets the maximum number of characters for user names. Default: 32. |
| Root for home directories | | Sets the default directory for user home directories. Default: /home. |
| Default shell | --defaultshell | Sets the default shell for users. Default: /bin/sh. |
| Default user group | | Sets the default group for newly created accounts. Default: ipausers. |
| Default e-mail domain | | Sets the email domain for creating addresses based on user accounts. Default: server domain. |
| Search time limit | | Sets the maximum time in seconds for a search before returning results. |
| Search size limit | | Sets the maximum number of records to return in a search. |
| User search fields | | Defines searchable fields in user entries, impacting server performance if too many attributes are set. |
| Group search fields | | Defines searchable fields in group entries. |
| Certificate subject base | | Sets the base DN for creating subject DNs for client certificates during setup. |
| Default user object classes | --userobjectclasses | Defines object classes for creating user accounts. Must provide a complete list as it overwrites the existing one. |
| Default group object classes | --groupobjectclasses | Defines object classes for creating group accounts. Must provide a complete list. |
| Password expiration notification | | Defines the number of days before a password expires for sending a notification. |
| Password plug-in features | | Sets the format of allowable passwords for users. |
4.8. Viewing and modifying user and group configuration in the IdM Web UI
View and modify default user and group attribute settings in the Identity Management (IdM) Web UI. Changes apply to newly created accounts while existing accounts remain unchanged.
Prerequisites
- You are logged in as IdM admin.
Procedure
- Open the IPA Server tab.
- Select the Configuration subtab.
- The User Options section has multiple fields you can review and edit. For example, to change the default shell for future IdM users from /bin/sh to /bin/bash, locate the Default shell field, and replace /bin/sh with /bin/bash. In the Group Options section, you can only review and edit the Group search fields field.
- Click the Save button at the top of the screen.
The newly saved configuration will be applied to future IdM user and group accounts. The current accounts remain unchanged.
4.9. Viewing and modifying user and group configuration in the IdM CLI
View and modify default user and group attribute settings using the Identity Management (IdM) CLI. Changes apply to newly created accounts while existing accounts remain unchanged.
Prerequisites
- You have the IdM admin credentials.
Procedure
- The ipa config-show command displays the most common attribute settings. Use the --all option for a complete list:

  ```
  [bjensen@server ~]$ ipa config-show --all
  dn: cn=ipaConfig,cn=etc,dc=example,dc=com
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: example.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=EXAMPLE.COM
  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
  Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  cn: ipaConfig
  objectclass: nsContainer, top, ipaGuiConfig, ipaConfigObject
  ```

- Use the ipa config-mod command to modify an attribute. For example, to change the default shell for future IdM users from /bin/sh to /bin/bash, enter:

  ```
  [bjensen@server ~]$ ipa config-mod --defaultshell "/bin/bash"
  ```

  For more ipa config-mod options, see the Default user parameters table.

The new configuration will be applied to future IdM user and group accounts. The current accounts remain unchanged.
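Since every field that ipa config-show prints governs how future accounts are created, a defender typically wants to know when one of them has changed from the agreed value. The following is an added example, not part of the IdM documentation or the FreeIPA project: it parses a constructed sample of ipa config-show --all output into field values and reports each field that deviates from an assumed baseline. The sample output, the baseline values and the function names are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the IdM documentation): compare the defaults that
# "ipa config-show --all" reports with an expected baseline and list every
# deviation. Both the output and the baseline are constructed samples so the
# script runs offline; on a server use: IPA_CONFIG=$(ipa config-show --all)
IPA_CONFIG='dn: cn=ipaConfig,cn=etc,dc=example,dc=com
Maximum username length: 32
Home directory base: /home
Default shell: /bin/bash
Default users group: ipausers
Search time limit: 2
Search size limit: 100
Password Expiration Notification (days): 4'

# Expected values, one "Field=value" per line (assumed baseline for this example)
BASELINE='Maximum username length=32
Home directory base=/home
Default shell=/bin/sh
Default users group=ipausers
Search size limit=100
Password Expiration Notification (days)=4'

# config_value "Field label" -> the value config-show printed for that field
# (empty if the field is absent). The label is used verbatim as a sed anchor.
config_value() {
    printf '%s\n' "$IPA_CONFIG" | sed -n "s/^$1: //p"
}

# drift_report -> one line per field whose live value differs from BASELINE
drift_report() {
    printf '%s\n' "$BASELINE" | while IFS='=' read -r field expected; do
        found=$(config_value "$field")
        [ "$found" = "$expected" ] \
            || printf '%s: expected %s, found %s\n' "$field" "$expected" "${found:-<missing>}"
    done
}

# drift_count -> number of deviating fields (0 means the server matches baseline)
drift_count() {
    drift_report | grep -c '' || true
}

# Stand-alone run: with the sample above only the default shell deviates.
drift_report
echo "deviations: $(drift_count)"
```

Run on a schedule against the live output, a non-zero drift_count is a simple signal that someone changed the account-creation defaults, which are otherwise easy to miss because, as the section states, existing accounts are not affected.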