13.6. Defining Automatic Group Membership for Users and Hosts
13.6.1. How Automatic Group Membership Works in IdM
13.6.1.1. What Automatic Group Membership Is
- Divide employees' user entries into groups based on the employees' manager, location, or any other attribute.
- Divide hosts based on their class, location, or any other attribute.
- Add all users or all hosts to a single global group.
13.6.1.2. Benefits of Automatic Group Membership
- Reduced overhead of managing group membership manually
- With automatic group membership, the administrator no longer assigns users and hosts to groups manually.
- Improved consistency in user and host management
- With automatic group membership, users and hosts are assigned to groups based on strictly defined and automatically evaluated criteria.
- Easier management of group-based settings
- Various settings are defined for groups and then applied to individual group members, for example sudo rules, automount, or access control. When using automatic group membership, users and hosts are automatically added to specified groups, which makes managing group-based settings easier.
13.6.1.3. Automember Rules
- Inclusive conditions
- When a user or host entry meets an inclusive condition, it will be included in the group.
- Exclusive conditions
- When a user or host entry meets an exclusive condition, it will not be included in the group.
13.6.2. Adding an Automember Rule
- The IdM web UI, see the section called “Web UI: Add an Automember Rule”
- The command line, see the section called “Command Line: Add an Automember Rule”
- All entries created in the future will become members of the specified group. If an entry meets conditions specified in multiple automember rules, it will be added to all the corresponding groups.
- Existing entries will not become members of the specified group. See Section 13.6.3, “Applying Automember Rules to Existing Users and Hosts” for more information.
Web UI: Add an Automember Rule
- Select or .
- Click .
- In the Automember rule field, select the group to which the rule will apply. Click .
- Define one or more inclusive and exclusive conditions. See Section 13.6.1.3, “Automember Rules” for details.
- In the Inclusive or Exclusive sections, click .
- In the Attribute field, select the required attribute.
- In the Expression field, define the regular expression.
- Click .
For example, the following condition targets all users with any value (.*) in their user login attribute (uid).
Figure 13.5. Adding Automember Rule Conditions
Command Line: Add an Automember Rule
- Use the ipa automember-add command to add an automember rule. When prompted, specify:
  - Automember rule, which matches the target group name.
  - Grouping Type, which specifies whether the rule targets a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.
  For example, to add an automember rule for a user group named user_group:
  $ ipa automember-add
  Automember Rule: user_group
  Grouping Type: group
  --------------------------------
  Added automember rule "user_group"
  --------------------------------
  Automember Rule: user_group
- Define one or more inclusive and exclusive conditions. See Section 13.6.1.3, “Automember Rules” for details.
- To add a condition, use the ipa automember-add-condition command. When prompted, specify:
  - Automember rule, which matches the target group name.
  - Attribute Key, which specifies the entry attribute to which the filter will apply. For example, manager for users.
  - Grouping Type, which specifies whether the rule targets a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.
  - Inclusive regex and Exclusive regex, which specify one or more conditions as regular expressions. If you only want to specify one condition, press Enter when prompted for the other.
  For example, the following condition targets all users with any value (.*) in their user login attribute (uid).
  $ ipa automember-add-condition
  Automember Rule: user_group
  Attribute Key: uid
  Grouping Type: group
  [Inclusive Regex]: .*
  [Exclusive Regex]:
  ----------------------------------
  Added condition(s) to "user_group"
  ----------------------------------
  Automember Rule: user_group
  Inclusive Regex: uid=.*
  ----------------------------
  Number of conditions added 1
  ----------------------------
- To remove a condition, use the ipa automember-remove-condition command.
Example 13.5. Command Line: Creating an Automember Rule to Add All Entries to a Single Group
cn or fqdn, you can ensure that all users or hosts created in the future will be added to a single group.
- Create the group, such as a host group named all_hosts. See Section 13.2, “Adding and Removing User or Host Groups”.
- Add an automember rule for the new host group. For example:
  $ ipa automember-add
  Automember Rule: all_hosts
  Grouping Type: hostgroup
  -------------------------------------
  Added automember rule "all_hosts"
  -------------------------------------
  Automember Rule: all_hosts
- Add an inclusive condition that targets all hosts. In the following example, the inclusive condition targets hosts that have any value (.*) in the fqdn attribute:
  $ ipa automember-add-condition
  Automember Rule: all_hosts
  Attribute Key: fqdn
  Grouping Type: hostgroup
  [Inclusive Regex]: .*
  [Exclusive Regex]:
  ---------------------------------
  Added condition(s) to "all_hosts"
  ---------------------------------
  Automember Rule: all_hosts
  Inclusive Regex: fqdn=.*
  ----------------------------
  Number of conditions added 1
  ----------------------------
all_hosts group.
Example 13.6. Command Line: Creating an Automember Rule for Synchronized AD Users
ntUser object class. By creating an automember condition that targets all users with ntUser in their objectclass attribute, you can ensure that all synchronized AD users created in the future will be included in a common group for AD users.
- Create a user group for the AD users, such as ad_users. See Section 13.2, “Adding and Removing User or Host Groups”.
- Add an automember rule for the new user group. For example:
  $ ipa automember-add
  Automember Rule: ad_users
  Grouping Type: group
  -------------------------------------
  Added automember rule "ad_users"
  -------------------------------------
  Automember Rule: ad_users
- Add an inclusive condition to filter the AD users. In the following example, the inclusive condition targets all users that have the ntUser value in the objectclass attribute:
  $ ipa automember-add-condition
  Automember Rule: ad_users
  Attribute Key: objectclass
  Grouping Type: group
  [Inclusive Regex]: ntUser
  [Exclusive Regex]:
  -------------------------------------
  Added condition(s) to "ad_users"
  -------------------------------------
  Automember Rule: ad_users
  Inclusive Regex: objectclass=ntUser
  ----------------------------
  Number of conditions added 1
  ----------------------------
ad_users user group.
13.6.3. Applying Automember Rules to Existing Users and Hosts
Web UI: Rebuild Automatic Membership for Existing Entries
- Select or .
- Click .
Figure 13.6. Rebuilding Automatic Membership for All Users or Hosts
- Select or , and click on the required user login or host name.
- Click .
Figure 13.7. Rebuilding Automatic Membership for a Single User or Host
Command Line: Rebuild Automatic Memberships for Existing Entries
$ ipa automember-rebuild --type=group
--------------------------------------------------------
Automember rebuild task finished. Processed (9) entries.
--------------------------------------------------------
$ ipa automember-rebuild --users=user1 --users=user2
--------------------------------------------------------
Automember rebuild task finished. Processed (2) entries.
--------------------------------------------------------
13.6.4. Configuring a Default Automember Group
- Use the ipa automember-default-group-set command to configure a default automember group. When prompted, specify:
  - Default (fallback) Group, which specifies the target group name.
  - Grouping Type, which specifies whether the target is a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.
  For example:
  $ ipa automember-default-group-set
  Default (fallback) Group: default_user_group
  Grouping Type: group
  ---------------------------------------------------
  Set default (fallback) group for automember "default_user_group"
  ---------------------------------------------------
  Default (fallback) Group: cn=default_user_group,cn=groups,cn=accounts,dc=example,dc=com
- To verify that the group is set correctly, use the ipa automember-default-group-show command. The command displays the current default automember group. For example:
  $ ipa automember-default-group-show
  Grouping Type: group
  Default (fallback) Group: cn=default_user_group,cn=groups,cn=accounts,dc=example,dc=com
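To make the rule semantics of Section 13.6.1.3, Examples 13.5 and 13.6 and the default group of Section 13.6.4 concrete, the following Python script, added here and not part of IdM or this guide, evaluates a constructed set of automember rules against sample entries the way an administrator would reason about them before running ipa automember-rebuild. The ad_users, all_hosts and default_user_group definitions follow this page; the team_jsmith rule, the manager and svc- values and the use of re.search() for matching are assumptions, and the user_group rule (uid=.*) is left out because it would match every user and hide the fallback behaviour.

```python
import re

# Added illustration of how IdM evaluates automember rules; constructed data
# structures, not IdM's own code (the real work is done by the 389-ds plug-in).
# Assumption: each regex is applied to every value with re.search(), so ".*"
# matches any value and "ntUser" matches the objectclass value "ntUser".

# A rule targets one group and holds one or more conditions; each condition
# names an attribute key with its inclusive and exclusive regexes.
RULES = [
    # From the page: synchronized AD users carry ntUser in objectclass.
    {"group": "ad_users", "type": "group", "conditions": [
        {"key": "objectclass", "inclusive": [r"ntUser"], "exclusive": []}]},
    # From the page: every host with any value in fqdn.
    {"group": "all_hosts", "type": "hostgroup", "conditions": [
        {"key": "fqdn", "inclusive": [r".*"], "exclusive": []}]},
    # Constructed: people reporting to jsmith, but never svc- accounts.
    {"group": "team_jsmith", "type": "group", "conditions": [
        {"key": "manager", "inclusive": [r"^uid=jsmith,"], "exclusive": []},
        {"key": "uid", "inclusive": [], "exclusive": [r"^svc-"]}]},
]

# Default (fallback) group per grouping type; the page sets one for users only.
DEFAULT_GROUPS = {"group": "default_user_group"}


def rule_matches(rule, entry):
    """True if the entry meets the rule: a matching exclusive regex on any
    attribute value vetoes the rule, otherwise any inclusive match suffices."""
    for cond in rule["conditions"]:
        values = entry.get(cond["key"], [])
        if any(re.search(rx, v) for rx in cond["exclusive"] for v in values):
            return False
    return any(re.search(rx, v)
               for cond in rule["conditions"]
               for rx in cond["inclusive"]
               for v in entry.get(cond["key"], []))


def automember_groups(entry, grouping_type):
    """Groups the entry is auto-added to: every rule of this grouping type it
    meets, or the default group when it meets none and one is configured."""
    groups = sorted(r["group"] for r in RULES
                    if r["type"] == grouping_type and rule_matches(r, entry))
    if not groups and grouping_type in DEFAULT_GROUPS:
        groups = [DEFAULT_GROUPS[grouping_type]]
    return groups


# Constructed entry: a local user managed by jsmith lands only in team_jsmith.
jdoe = {"uid": ["jdoe"], "objectclass": ["top", "person", "posixaccount"],
        "manager": ["uid=jsmith,cn=users,cn=accounts,dc=example,dc=com"]}
print(automember_groups(jdoe, "group"))  # ['team_jsmith']
```

Entries can be fed from an ipa user-show --all or ipa host-show --all dump to check which groups a rebuild would produce.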