Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Configuring and managing Identity Management

Red Hat Enterprise Linux 8

Logging in to IdM and managing services, users, hosts, groups, access control rules, and certificates.

Red Hat Customer Content Services

Abstract

The main feature of Identity Management (IdM) is the management of users, groups, hosts, access control rules, and certificates. However, before you can perform administration tasks in IdM, you must log in to the service. You can use Kerberos and one time passwords as authentication methods in IdM when you log in by using the command line or the IdM Web UI.
You can manage certificates in IdM by using the integrated or an external Certificate Authority (CA). You can request, renew, and replace certificates using many tools, for example, Ansible Playbooks. To replace the web server and LDAP server certificates of IdM servers, you must perform manual actions.

Providing feedback on Red Hat documentation
Copy link

We appreciate your feedback on our documentation. Let us know how we can improve it.

Submitting feedback through Jira (account required)

  1. Log in to the Jira website.
  2. Click Create in the top navigation bar.
  3. Enter a descriptive title in the Summary field.
  4. Enter your suggestion for improvement in the Description field. Include links to the relevant parts of the documentation.
  5. Click Create at the bottom of the dialogue.

Identity Management (IdM) uses the Kerberos protocol to support single sign-on. Single sign-on means that the user enters the correct user name and password only once, and then accesses IdM services without the system prompting for the credentials again.

Important

In IdM, the System Security Services Daemon (SSSD) automatically obtains a ticket-granting ticket (TGT) for a user after the user successfully logs in to the desktop environment on an IdM client machine with the corresponding Kerberos principal name. This means that after logging in, the user is not required to use the kinit utility to access IdM resources.

If you have cleared your Kerberos credential cache or your Kerberos TGT has expired, you need to request a Kerberos ticket manually to access IdM resources. The following sections present basic user operations when using Kerberos in IdM.

1.1. Using kinit to log in to IdM manually
Copy link

Follow this procedure to use the kinit utility to authenticate to an Identity Management (IdM) environment manually. The kinit utility obtains and caches a Kerberos ticket-granting ticket (TGT) on behalf of an IdM user.

Only use this procedure if you have destroyed your initial Kerberos TGT or if it has expired. As an IdM user, when logging onto your local machine you are also automatically logging in to IdM. This means that after logging in, you are not required to use the kinit utility to access IdM resources.

Procedure

  • To log in under the user name of the user who is currently logged in on the local system, use kinit without specifying a user name. For example, if you are logged in as <example_user> on the local system: 

    [example_user@server ~]$ kinit
Password for example_user@EXAMPLE.COM:
[example_user@server ~]$
    Copy to Clipboard Toggle word wrap

    If the user name of the local user does not match any user entry in IdM, the authentication attempt fails: 

    [example_user@server ~]$ kinit
kinit: Client 'example_user@EXAMPLE.COM' not found in Kerberos database while getting initial credentials
    Copy to Clipboard Toggle word wrap

  • To use a Kerberos principal that does not correspond to your local user name, pass the required user name to the kinit utility. For example, to log in as the admin user: 

    [example_user@server ~]$ kinit admin
Password for admin@EXAMPLE.COM:
[example_user@server ~]$
    Copy to Clipboard Toggle word wrap
Note

Requesting user tickets using kinit -kt KDB: user@EXAMPLE.COM is disabled. For more information, see the Why kinit -kt KDB: user@EXAMPLE.COM no longer work after CVE-2024-3183 solution.

Verification

  • To verify that the login was successful, use the klist utility to display the cached TGT. In the following example, the cache contains a ticket for the example_user principal, which means that on this particular host, only example_user is currently allowed to access IdM services: 

    $ klist
Ticket cache: KEYRING:persistent:0:0
Default principal: example_user@EXAMPLE.COM

Valid starting     	Expires            	Service principal
11/10/2019 08:35:45  	11/10/2019 18:35:45  	krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

1.2. Destroying a user’s active Kerberos ticket
Copy link

Follow this procedure to clear the credentials cache that contains the user’s active Kerberos ticket.

Procedure

  • To destroy your Kerberos ticket: 

    [example_user@server ~]$ kdestroy
    Copy to Clipboard Toggle word wrap

Verificiation

  • To check that the Kerberos ticket has been destroyed: 

    [example_user@server ~]$ klist
klist: Credentials cache keyring 'persistent:0:0' not found
    Copy to Clipboard Toggle word wrap

Follow this procedure to configure an external system so that Identity Management (IdM) users can log in to IdM from the external system using their Kerberos credentials.

Enabling Kerberos authentication on external systems is especially useful when your infrastructure includes multiple realms or overlapping domains. It is also useful if the system has not been enrolled into any IdM domain through ipa-client-install.

To enable Kerberos authentication to IdM from a system that is not a member of the IdM domain, define an IdM-specific Kerberos configuration file on the external system.

Prerequisites

  • The krb5-workstation package is installed on the external system.

    To find out whether the package is installed, use the following CLI command: 

    # yum list installed krb5-workstation
Installed Packages
krb5-workstation.x86_64    1.16.1-19.el8     @BaseOS
    Copy to Clipboard Toggle word wrap

Procedure

  1. Copy the /etc/krb5.conf file from the IdM server to the external system. For example: 

    # scp /etc/krb5.conf root@externalsystem.example.com:/etc/krb5_ipa.conf
    Copy to Clipboard Toggle word wrap
    Warning

    Do not overwrite the existing krb5.conf file on the external system.

  2. On the external system, set the terminal session to use the copied IdM Kerberos configuration file: 

    $ export KRB5_CONFIG=/etc/krb5_ipa.conf
    Copy to Clipboard Toggle word wrap

    The KRB5_CONFIG variable exists only temporarily until you log out. To prevent this loss, export the variable with a different file name.

  3. Copy the Kerberos configuration snippets from the /etc/krb5.conf.d/ directory to the external system.

Users on the external system can now use the kinit utility to authenticate against the IdM server.

Identity Management (IdM) servers are Red Hat Enterprise Linux systems that work as domain controllers (DCs). A number of different services are running on IdM servers, most notably the Directory Server, Certificate Authority (CA), DNS, and Kerberos.

2.1. The IdM services
Copy link

There are many different services that can be installed and run on the IdM servers and clients.

List of services hosted by IdM servers

Most of the following services are not strictly required to be installed on the IdM server. For example, you can install services such as a certificate authority (CA) or DNS server on an external server outside the IdM domain.

Kerberos
the krb5kdc and kadmin services

IdM uses the Kerberos protocol to support single sign-on. With Kerberos, users only need to present the correct username and password once and can access IdM services without the system prompting for credentials again.

Kerberos is divided into two parts:

  • The krb5kdc service is the Kerberos Authentication service and Key Distribution Center (KDC) daemon.
  • The kadmin service is the Kerberos database administration program.

For information about how to authenticate using Kerberos in IdM, see Logging in to Identity Management from the command line and Logging in to IdM in the Web UI: Using a Kerberos ticket.

LDAP directory server
the dirsrv service

The IdM LDAP directory server instance stores all IdM information, such as information related to Kerberos, user accounts, host entries, services, policies, DNS, and others. The LDAP directory server instance is based on the same technology as Red Hat Directory Server. However, it is tuned to IdM-specific tasks.

Certificate Authority
the pki-tomcatd service

The integrated certificate authority (CA) is based on the same technology as Red Hat Certificate System. pki is the command line for accessing Certificate System services.

You can also install the server without the integrated CA if you create and provide all required certificates independently.

For more information, see Planning your CA services.

Domain Name System (DNS)
the named service

IdM uses DNS for dynamic service discovery. The IdM client installation utility can use information from DNS to automatically configure the client machine. After the client is enrolled in the IdM domain, it uses DNS to locate IdM servers and services within the domain. The BIND (Berkeley Internet Name Domain) implementation of the DNS (Domain Name System) protocols in Red Hat Enterprise Linux includes the named DNS server.

For information, see Planning your DNS services and host names.

Apache HTTP Server
the httpd service

The Apache HTTP web server provides the IdM Web UI, and also manages communication between the Certificate Authority and other IdM services.

Samba / Winbind
smb and winbind services

Samba implements the Server Message Block (SMB) protocol, also known as the Common Internet File System (CIFS) protocol, in Red Hat Enterprise Linux. Via the smb service, the SMB protocol enables you to access resources on a server, such as file shares and shared printers. If you have configured a Trust with an Active Directory (AD) environment, the`Winbind` service manages communication between IdM servers and AD servers.

One-time password (OTP) authentication
the ipa-otpd services

One-time passwords (OTP) are passwords that are generated by an authentication token for only one session, as part of two-factor authentication. OTP authentication is implemented in Red Hat Enterprise Linux via the ipa-otpd service.

For more information, see Logging in to the Identity Management Web UI using one time passwords.

OpenDNSSEC
the ipa-dnskeysyncd service

OpenDNSSEC is a DNS manager that automates the process of keeping track of DNS security extensions (DNSSEC) keys and the signing of zones. The ipa-dnskeysyncd service manages synchronization between the IdM Directory Server and OpenDNSSEC.

The Identity Management Server: Unifying Services
View larger image
The Identity Management Server: Unifying Services
Note

DNSSEC is only available as Technology Preview in IdM.

List of services hosted by IdM clients

  • System Security Services Daemon: the sssd service

The System Security Services Daemon (SSSD) is the client-side application that manages user authentication and caching credentials. Caching enables the local system to continue normal authentication operations if the IdM server becomes unavailable or if the client goes offline.

For more information, see Understanding SSSD and its benefits.

  • Certmonger: the certmonger service

The certmonger service monitors and renews the certificates on the client. It can request new certificates for the services on the system.

For more information, see Obtaining an IdM certificate for a service using certmonger.

Interactions Between IdM Services
View larger image
Interactions Between IdM Services

2.2. Viewing the status of IdM services
Copy link

To view the status of the IdM services that are configured on your IdM server, run the ipactl status command: 

[root@server ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
Copy to Clipboard Toggle word wrap

The output of the ipactl status command on your server depends on your IdM configuration. For example, if an IdM deployment does not include a DNS server, the named service is not present in the list.

Note

You cannot use the IdM web UI to view the status of all the IdM services running on a particular IdM server. Kerberized services running on different servers can be viewed in the IdentityServices tab of the IdM web UI.

Use the ipa systemd service to stop, start, or restart the entire IdM server along with all the installed services. Using the systemctl utility to control the ipa systemd service ensures all services are stopped, started, or restarted in the appropriate order. The ipa systemd service also upgrades the RHEL IdM configuration before starting the IdM services, and it uses the proper SELinux contexts when administrating with IdM services. You do not need to have a valid Kerberos ticket to run the systemctl ipa commands.

ipa systemd service commands

To start the entire IdM server: 

# systemctl start ipa
Copy to Clipboard Toggle word wrap

To stop the entire IdM server: 

# systemctl stop ipa
Copy to Clipboard Toggle word wrap

To restart the entire IdM server: 

# systemctl restart ipa
Copy to Clipboard Toggle word wrap

To show the status of all the services that make up IdM, use the ipactl utility: 

# ipactl status
Copy to Clipboard Toggle word wrap
Important
  • Do not directly use the ipactl utility to start, stop, or restart IdM services. Use the systemctl ipa commands instead, which call the ipactl utility in a predictable environment.
  • You cannot use the IdM web UI to perform the ipactl commands.

Changing IdM configuration files manually is generally not recommended. However, certain situations require that an administrator performs a manual configuration of specific services. In such situations, use the systemctl utility to stop, start, or restart an individual IdM service.

For example, use systemctl after customizing the Directory Server behavior, without modifying the other IdM services: 

# systemctl restart dirsrv@REALM-NAME.service
Copy to Clipboard Toggle word wrap

Also, when initially deploying an IdM trust with Active Directory, modify the /etc/sssd/sssd.conf file, adding:

  • Specific parameters to tune the timeout configuration options in an environment where remote servers have a high latency
  • Specific parameters to tune the Active Directory site affinity
  • Overrides for certain configuration options that are not provided by the global IdM settings

To apply the changes you have made in the /etc/sssd/sssd.conf file: 

# systemctl restart sssd.service
Copy to Clipboard Toggle word wrap

Running systemctl restart sssd.service is required because the System Security Services Daemon (SSSD) does not automatically re-read or re-apply its configuration.

Note that for changes that affect IdM identity ranges, a complete server reboot is recommended.

Important

To restart multiple IdM domain services, always use systemctl restart ipa. Because of dependencies between the services installed with the IdM server, the order in which they are started and stopped is critical. The ipa systemd service ensures that the services are started and stopped in the appropriate order.

Useful systemctl commands

To start a particular IdM service: 

# systemctl start name.service
Copy to Clipboard Toggle word wrap

To stop a particular IdM service: 

# systemctl stop name.service
Copy to Clipboard Toggle word wrap

To restart a particular IdM service: 

# systemctl restart name.service
Copy to Clipboard Toggle word wrap

To view the status of a particular IdM service: 

# systemctl status name.service
Copy to Clipboard Toggle word wrap
Important

You cannot use the IdM web UI to start or stop the individual services running on IdM servers. You can only use the web UI to modify the settings of a Kerberized service by navigating to IdentityServices and selecting the service.

2.5. Methods for displaying IdM software version
Copy link

You can display the IdM version number with:

  • The IdM WebUI
  • ipa commands
  • rpm commands

 

Displaying version through the WebUI

In the IdM WebUI, the software version can be displayed by choosing About from the username menu at the upper-right.

Checking IdM Software Version
View larger image
Checking IdM Software Version
Displaying version with ipa commands

From the command line, use the ipa --version command. 

[root@server ~]# ipa --version
VERSION: 4.8.0, API_VERSION: 2.233
Copy to Clipboard Toggle word wrap
Displaying version with rpm commands

If IdM services are not operating properly, you can use the rpm utility to determine the version number of the ipa-server package that is currently installed. 

[root@server ~]# rpm -q ipa-server
ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
Copy to Clipboard Toggle word wrap

Learn more about the basics of using the Identity Management (IdM) command-line utilities.

Prerequisites

3.1. What is the IPA command-line interface
Copy link

The IPA command-line interface (CLI) is the basic command-line interface for Identity Management (IdM) administration.

It supports a lot of subcommands for managing IdM, such as the ipa user-add command to add a new user.

IPA CLI allows you to:

  • Add, manage, or remove users, groups, hosts and other objects in the network.
  • Manage certificates.
  • Search entries.
  • Display and list objects.
  • Set access rights.
  • Get help with the correct command syntax.

3.2. What is the IPA help
Copy link

The IPA help is a built-in documentation system for the IdM server.

The IPA command-line interface (CLI) generates available help topics from loaded IdM plugin modules. To use the IPA help utility, you must:

  • Have an IdM server installed and running.
  • Be authenticated with a valid Kerberos ticket.

Entering the ipa help command without options displays information about basic help usage and the most common command examples.

You can use the following options for different ipa help use cases: 

$ ipa help [TOPIC | COMMAND | topics | commands]
Copy to Clipboard Toggle word wrap
  • [] — Brackets mean that all parameters are optional and you can write just ipa help and the command will be executed.

  • | — The pipe character means or. Therefore, you can specify a TOPIC, a COMMAND, or topics, or commands, with the basic ipa help command:

    • topics — You can run the command ipa help topics to display a list of topics that are covered by the IPA help, such as user, cert, server and many others.
    • TOPIC — The TOPIC with capital letters is a variable. Therefore, you can specify a particular topic, for example, ipa help user.
    • commands — You can enter the command ipa help commands to display a list of commands which are covered by the IPA help, for example, user-add, ca-enable, server-show and many others.
    • COMMAND — The COMMAND with capital letters is a variable. Therefore, you can specify a particular command, for example, ipa help user-add.

3.3. Using IPA help topics
Copy link

The following procedure describes how to use the IPA help on the command line.

Procedure

  1. Open a terminal and connect to the IdM server.

  2. Enter ipa help topics to display a list of topics covered by help. 

    $ ipa help topics
    Copy to Clipboard Toggle word wrap

  3. Select one of the topics and create a command according to the following pattern: ipa help [topic_name]. Instead of the topic_name string, add one of the topics you listed in the previous step.

    In the example, we use the following topic: user 

    $ ipa help user
    Copy to Clipboard Toggle word wrap

  4. (Optional) If the IPA help output is too long and you cannot see the whole text, use the following syntax: 

    $ ipa help user | less
    Copy to Clipboard Toggle word wrap

    You can then scroll down and read the whole help.

The IPA CLI displays a help page for the user topic. After reading the overview, you can see many examples with patterns for working with topic commands.

3.4. Using IPA help commands
Copy link

The following procedure describes how to create IPA help commands on the command line.

Procedure

  1. Open a terminal and connect to the IdM server.

  2. Enter ipa help commands to display a list of commands covered by help. 

    $ ipa help commands
    Copy to Clipboard Toggle word wrap

  3. Select one of the commands and create a help command according to the following pattern: ipa help <COMMAND>. Instead of the <COMMAND> string, add one of the commands you listed in the previous step. 

    $ ipa help user-add
    Copy to Clipboard Toggle word wrap

3.5. Structure of IPA commands
Copy link

The IPA CLI distinguishes the following types of commands:

  • Built-in commands — Built-in commands are all available in the IdM server.
  • Plug-in provided commands

The structure of IPA commands allows you to manage various types of objects. For example:

  • Users
  • Hosts
  • DNS records
  • Certificates

and many others.

For most of these objects, the IPA CLI includes commands to:

  • Add (add)
  • Modify (mod)
  • Delete (del)
  • Search (find)
  • Display (show)

Commands have the following structure:

ipa user-add, ipa user-mod, ipa user-del, ipa user-find, ipa user-show

ipa host-add, ipa host-mod, ipa host-del, ipa host-find, ipa host-show

ipa dnsrecord-add, ipa dnsrecord-mod, ipa dnsrecord-del, ipa dnsrecord-find, ipa dnrecord-show

You can create a user with the ipa user-add [options], where [options] are optional. If you use just the ipa user-add command, the script asks you for details one by one.

Note that the [options] --raw and --structured are mutually exclusive and should not be run together.

To change an existing object, you need to define the object, therefore the command also includes an object: ipa user-mod USER_NAME [options].

Identity Management (IdM) stores values for multi-valued attributes in lists.

IdM supports the following methods of supplying multi-valued lists:

  • Using the same command-line argument multiple times within the same command invocation: 

    $ ipa permission-add --right=read --permissions=write --permissions=delete ...
    Copy to Clipboard Toggle word wrap

  • Alternatively, you can enclose the list in curly braces, in which case the shell performs the expansion: 

    $ ipa permission-add --right={read,write,delete} ...
    Copy to Clipboard Toggle word wrap

The examples above show a command permission-add which adds permissions to an object. The object is not mentioned in the example. Instead of …​ you need to add the object for which you want to add permissions.

When you update such multi-valued attributes from the command line, IdM completely overwrites the previous list of values with a new list. Therefore, when updating a multi-valued attribute, you must specify the whole new list, not just a single value you want to add.

For example, in the command above, the list of permissions includes reading, writing and deleting. When you decide to update the list with the permission-mod command, you must add all values, otherwise those not mentioned will be deleted.

Example 1: — The ipa permission-mod command updates all previously added permissions. 

$ ipa permission-mod --right=read --right=write --right=delete ...
Copy to Clipboard Toggle word wrap

or 

$ ipa permission-mod --right={read,write,delete} ...
Copy to Clipboard Toggle word wrap

Example 2 — The ipa permission-mod command deletes the --right=delete argument because it is not included in the command: 

$ ipa permission-mod --right=read --right=write ...
Copy to Clipboard Toggle word wrap

or 

$ ipa permission-mod --right={read,write} ...
Copy to Clipboard Toggle word wrap

When passing command-line arguments that include special characters to the ipa commands, escape these characters with a backslash (\). For example, common special characters include angle brackets (< and >), ampersand (&), asterisk (*), or vertical bar (|).

For example, to escape an asterisk (*): 

$ ipa certprofile-show certificate_profile --out=exported\*profile.cfg
Copy to Clipboard Toggle word wrap

Commands containing unescaped special characters do not work as expected because the shell cannot properly parse such characters.

The following sections describe how to use IPA commands, which helps you to find or show objects.

4.1. Overview of listing IdM entries
Copy link

You can use the ipa *-find commands to help you to search for particular types of IdM entries.

To list all the find commands, use the following ipa help command: 

$ ipa help commands | grep find
Copy to Clipboard Toggle word wrap

You may need to check if a particular user is included in the IdM database. You can then list all users with the following command: 

$ ipa user-find
Copy to Clipboard Toggle word wrap

To list user groups whose specified attributes contain a keyword: 

$ ipa group-find keyword
Copy to Clipboard Toggle word wrap

For example the ipa group-find admin command lists all groups whose names or descriptions include string admin: 

----------------
3 groups matched
----------------
   Group name: admins
   Description: Account administrators group
   GID: 427200002

   Group name: editors
   Description: Limited admins who can edit other users
   GID: 427200002

   Group name: trust admins
   Description: Trusts administrators group
Copy to Clipboard Toggle word wrap

When searching user groups, you can also limit the search results to groups that contain a particular user: 

$ ipa group-find --user=user_name
Copy to Clipboard Toggle word wrap

To search for groups that do not contain a particular user: 

$ ipa group-find --no-user=user_name
Copy to Clipboard Toggle word wrap

4.2. Showing details for a particular entry
Copy link

Use the ipa *-show command to display details about a particular IdM entry.

Procedure

  • To display details about a host named server.example.com: 

    $ ipa host-show server.example.com

Host name: server.example.com
Principal name: host/server.example.com@EXAMPLE.COM
...
    Copy to Clipboard Toggle word wrap

4.3. Adjusting the search size and time limit
Copy link

Some queries, such as requesting a list of IdM users, can return a very large number of entries. By tuning these search operations, you can improve the overall server performance when running the ipa *-find commands, such as ipa user-find, and when displaying corresponding lists in the Web UI.

Search size limit

Defines the maximum number of entries returned for a request sent to the server from a client’s CLI or from a browser accessing the IdM Web UI.

Default: 100 entries.

Search time limit

Defines the maximum time (in seconds) that the server waits for searches to run. Once the search reaches this limit, the server stops the search and returns the entries discovered in that time.

Default: 2 seconds.

If you set the values to -1, IdM will not apply any limits when searching.

Important

Setting search size or time limits too high can negatively affect server performance.

You can adjust the search size and time limits globally or for a specific entry to optimize search performance and responsiveness.

Procedure

  1. To display current search time and size limits in CLI, use the ipa config-show command: 

    $ ipa config-show

Search time limit: 2
Search size limit: 100
    Copy to Clipboard Toggle word wrap

  2. To adjust the limits globally for all queries, use the ipa config-mod command and add the --searchrecordslimit and --searchtimelimit options. For example: 

    $ ipa config-mod --searchrecordslimit=500 --searchtimelimit=5
    Copy to Clipboard Toggle word wrap

  3. To temporarily adjust the limits only for a specific query, add the --sizelimit or --timelimit options to the command. For example: 

    $ ipa user-find --sizelimit=200 --timelimit=120
    Copy to Clipboard Toggle word wrap

You can adjust global search size and time limits using the IdM Web UI to optimize search performance and responsiveness.

Procedure

  1. Log in to the IdM Web UI.
  2. Click IPA Server.
  3. On the IPA Server tab, click Configuration.

  4. Set the required values in the Search Options area.

    Default values are:

    • Search size limit: 100 entries
    • Search time limit: 2 seconds
  5. Click Save at the top of the page.

The IdM (Identity Management) Web UI is a web application for IdM administration, a graphical alternative to the IdM command-line interface (CLI).

5.1. What is the IdM Web UI
Copy link

The IdM (Identity Management) Web UI is a web application for IdM administration. You can access the IdM Web UI as:

  • IdM users: A limited set of operations depending on permissions granted to the user in the IdM server. Basically, active IdM users can log in to the IdM server and configure their own account. They cannot change settings of other users or the IdM server settings.
  • Administrators: Full access rights to the IdM server.
  • Active Directory users: A set of operations depending on permissions granted to the user. Active Directory users can now be administrators for Identity Management. For details, see Enabling AD users to administer IdM.

Identity Management (IdM) supports the following browsers for connecting to the Web UI:

  • Mozilla Firefox 38 and later
  • Google Chrome 46 and later

You might experience problems accessing the IdM Web UI with a smart card if your browser attempts to use TLS v1.3: 

[ssl:error] [pid 125757:tid 140436077168384] [client 999.999.999.999:99999] AH: verify client post handshake
[ssl:error] [pid 125757:tid 140436077168384] [client 999.999.999.999:99999] AH10158: cannot perform post-handshake authentication
[ssl:error] [pid 125757:tid 140436077168384] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
Copy to Clipboard Toggle word wrap

This is because the most recent versions of browsers do not have TLS Post-Handshake Authentication (PHA) enabled by default, or they do not support PHA. PHA is necessary to require a TLS client certificate for only a part of a web site, such as when accessing the IdM Web UI with smart card authentication.

To resolve this issue for Mozilla Firefox 68 and later, enable TLS PHA:

  1. Enter about:config in the address bar to access the Mozilla Firefox preferences menu.
  2. Enter security.tls.enable_post_handshake_auth in the search bar.
  3. Click the toggle button to set the parameter to true.

To resolve this issue for Chrome, which currently does not support PHA, disable TLS v1.3:

  1. Open the /etc/httpd/conf.d/ssl.conf configuration file.

  2. Add -TLSv1.3 to the SSLProtocol option: 

    SSLProtocol all -TLSv1 -TLSv1.1 -TLSv1.3
    Copy to Clipboard Toggle word wrap

  3. Restart the httpd service: 

    service httpd restart
    Copy to Clipboard Toggle word wrap

Note that IdM manages the ssl.conf file and might overwrite its contents during package updates. Verify custom settings after updating IdM packages.

5.3. Accessing the Web UI
Copy link

The following procedure describes the first logging in to the IdM (Identity Management) Web UI with a password.

After the first login you can configure your IdM server to authenticate with:

Procedure

  1. Type an IdM server URL into the browser address bar. The name will look similarly to the following example: 

    https://server.example.com
    Copy to Clipboard Toggle word wrap

    You just need to change server.example.com with a DNS name of your IdM server.

    This opens the IdM Web UI login screen in your browser.

    Screenshot of the IdM Web UI accessed within a web browser displaying a "Username" field and a "Password" field. There is a blue "Log in" button below and to the right of those two fields.

    • If the server does not respond or the login screen does not open, check the DNS settings on the IdM server to which you are connecting.

    • If you use a self-signed certificate, the browser issues a warning. Check the certificate and accept the security exception to proceed with the login.

      To avoid security exceptions, install a certificate signed by a certificate authority.

  2. On the Web UI login screen, enter the administrator account credentials you added during the IdM server installation.

    For details, see Installing an Identity Management server: With integrated DNS, with an integrated CA.

    You can enter your personal account credentials as well if they are already entered in the IdM server.

    A Screenshot of the IdM Web UI with the "Username" field filled in with "admin" and the "Password" field displays several black circles obfuscating the password by replacing the characters tat were typed in.

  3. Click Log in.

After the successful login, you can start configuring the IdM server.

Learn more about how to configure your environment to enable Kerberos login to the IdM Web UI and accessing IdM using Kerberos authentication.

Prerequisites

Identity Management (IdM) uses the Kerberos protocol to support single sign-on. Single sign-on authentication allows you to provide the correct user name and password only once, and you can then access Identity Management services without the system prompting for credentials again.

The IdM server provides Kerberos authentication immediately after the installation if the DNS and certificate settings have been configured properly. For details, see Installing Identity Management.

To use Kerberos authentication on hosts, install:

6.2. Using kinit to log in to IdM manually
Copy link

Follow this procedure to use the kinit utility to authenticate to an Identity Management (IdM) environment manually. The kinit utility obtains and caches a Kerberos ticket-granting ticket (TGT) on behalf of an IdM user.

Only use this procedure if you have destroyed your initial Kerberos TGT or if it has expired. As an IdM user, when logging onto your local machine you are also automatically logging in to IdM. This means that after logging in, you are not required to use the kinit utility to access IdM resources.

Procedure

  • To log in under the user name of the user who is currently logged in on the local system, use kinit without specifying a user name. For example, if you are logged in as <example_user> on the local system: 

    [example_user@server ~]$ kinit
Password for example_user@EXAMPLE.COM:
[example_user@server ~]$
    Copy to Clipboard Toggle word wrap

    If the user name of the local user does not match any user entry in IdM, the authentication attempt fails: 

    [example_user@server ~]$ kinit
kinit: Client 'example_user@EXAMPLE.COM' not found in Kerberos database while getting initial credentials
    Copy to Clipboard Toggle word wrap

  • To use a Kerberos principal that does not correspond to your local user name, pass the required user name to the kinit utility. For example, to log in as the admin user: 

    [example_user@server ~]$ kinit admin
Password for admin@EXAMPLE.COM:
[example_user@server ~]$
    Copy to Clipboard Toggle word wrap
Note

Requesting user tickets using kinit -kt KDB: user@EXAMPLE.COM is disabled. For more information, see the Why kinit -kt KDB: user@EXAMPLE.COM no longer work after CVE-2024-3183 solution.

Verification

  • To verify that the login was successful, use the klist utility to display the cached TGT. In the following example, the cache contains a ticket for the example_user principal, which means that on this particular host, only example_user is currently allowed to access IdM services: 

    $ klist
Ticket cache: KEYRING:persistent:0:0
Default principal: example_user@EXAMPLE.COM

Valid starting     	Expires            	Service principal
11/10/2019 08:35:45  	11/10/2019 18:35:45  	krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

To enable authentication with a Kerberos ticket, you may need to change your browser configuration.

The following steps help you to support Kerberos negotiation for accessing the IdM domain.

Each browser supports Kerberos in a different way and needs a different configuration. The IdM Web UI includes guidelines for the following browsers:

  • Firefox
  • Chrome

Procedure

  1. Open the IdM Web UI login dialog in your web browser.

  2. Click the link for the browser configuration on the Web UI login screen.

    A screenshot of the IdM Web UI log in page with empty entry fields for the Username and Password and a blue "Log in" button below those fields. Text to the right of the "Log in" button explains "to log in with Kerberos please make sure you have valid tickets (obtainable via kinit) and configured the browser correctly then click Log in." The URL for the word "configured" has been highlighted.

  3. Follow the steps on the configuration page.

    A screenshot of a web browser with instructions for "Browser Kerberos Setup."

After the setup, go back to the IdM Web UI and click Log in.

Follow this procedure to log in to the IdM Web UI using a Kerberos ticket-granting ticket (TGT).

The TGT expires at a predefined time. The default time interval is 24 hours and you can change it in the IdM Web UI.

After the time interval expires, you need to renew the ticket:

  • Using the kinit command.
  • Using IdM login credentials in the Web UI login dialog.

Procedure

  • Open the IdM Web UI.

    If Kerberos authentication works correctly and you have a valid ticket, you will be automatically authenticated and the Web UI opens.

    If the ticket is expired, it is necessary to authenticate yourself with credentials first. However, next time the IdM Web UI will open automatically without opening the login dialog.

    If you see an error message Authentication with Kerberos failed, verify that your browser is configured for Kerberos authentication. See Configuring the browser for Kerberos authentication.

    A screenshot of the IdM Web UI log in screen displaying an error above the empty Username and Password fields. The error message says
    View larger image
    A screenshot of the IdM Web UI log in screen displaying an error above the empty Username and Password fields. The error message says

Follow this procedure to configure an external system so that Identity Management (IdM) users can log in to IdM from the external system using their Kerberos credentials.

Enabling Kerberos authentication on external systems is especially useful when your infrastructure includes multiple realms or overlapping domains. It is also useful if the system has not been enrolled into any IdM domain through ipa-client-install.

To enable Kerberos authentication to IdM from a system that is not a member of the IdM domain, define an IdM-specific Kerberos configuration file on the external system.

Prerequisites

  • The krb5-workstation package is installed on the external system.

    To find out whether the package is installed, use the following CLI command: 

    # yum list installed krb5-workstation
Installed Packages
krb5-workstation.x86_64    1.16.1-19.el8     @BaseOS
    Copy to Clipboard Toggle word wrap

Procedure

  1. Copy the /etc/krb5.conf file from the IdM server to the external system. For example: 

    # scp /etc/krb5.conf root@externalsystem.example.com:/etc/krb5_ipa.conf
    Copy to Clipboard Toggle word wrap
    Warning

    Do not overwrite the existing krb5.conf file on the external system.

  2. On the external system, set the terminal session to use the copied IdM Kerberos configuration file: 

    $ export KRB5_CONFIG=/etc/krb5_ipa.conf
    Copy to Clipboard Toggle word wrap

    The KRB5_CONFIG variable exists only temporarily until you log out. To prevent this loss, export the variable with a different file name.

  3. Copy the Kerberos configuration snippets from the /etc/krb5.conf.d/ directory to the external system.
  4. Configure the browser on the external system, as described in Configuring the browser for Kerberos authentication.

Users on the external system can now use the kinit utility to authenticate against the IdM server.

To enable Web UI login for Active Directory users, define an ID override for each Active Directory user in the Default Trust View.

Procedure

  • To define an ID override for ad_user@ad.example.com: 

    [admin@server ~]$ ipa idoverrideuser-add 'Default Trust View' ad_user@ad.example.com
    Copy to Clipboard Toggle word wrap

Access to IdM Web UI can be secured using several methods. The basic one is password authentication.

To increase the security of password authentication, you can add a second step and require automatically generated one-time passwords (OTPs). The most common usage is to combine password connected with the user account and a time limited one time password generated by a hardware or software token.

The following sections help you to:

  • Understand how the OTP authentication works in IdM.
  • Configure OTP authentication on the IdM server.
  • Configure a RADIUS server for OTP validation in IdM.
  • Create OTP tokens and synchronize them with the FreeOTP app in your phone.
  • Authenticate to the IdM Web UI with the combination of user password and one time password.
  • Re-synchronize tokens in the Web UI.
  • Retrieve an IdM ticket-granting ticket as an OTP or RADIUS user
  • Enforce OTP usage for all LDAP clients

Prerequisites

One-time passwords bring an additional step to your authentication security. The authentication uses your password and an automatically generated one time password.

To generate one time passwords, you can use a hardware or software token. IdM supports both software and hardware tokens.

Identity Management supports the following standard OTP mechanisms:

  • The HMAC-Based One-Time Password (HOTP) algorithm is based on a counter. HMAC stands for Hashed Message Authentication Code.
  • The Time-Based One-Time Password (TOTP) algorithm is an extension of HOTP to support time-based moving factor.
Important

IdM does not support OTP logins for Active Directory trust users.

Warning

The following security and other limitations currently relate to the OTP support in IdM:

  • The most important security limitation is the potential vulnerability to replay attacks across the system. Replication is asynchronous, and an OTP code can therefore be reused during the replication period. A user might be able to log on to two servers at the same time. However, this vulnerability is usually difficult to exploit due to comprehensive encryption.
  • It is not possible to obtain a ticket-granting ticket (TGT) using a client that does not support OTP authentication. This might affect certain use cases, such as authentication using the mod_auth_kerb module or the Generic Security Services API (GSSAPI).

7.1.1. Available OTP authentication methods
Copy link

When enabling OTP authentication, you can choose from the following authentication methods:

Two-factor authentication (password + OTP)
With this method, the user is always required to enter both a standard password and an OTP code.
Password
With this method, the user still has the option to authenticate using a standard password only.
RADIUS proxy server authentication
For information on configuring a RADIUS server for OTP validation in IdM, see Configuring a RADIUS server for OTP validation in IdM
Global and user-specific authentication methods

You can configure these authentication methods either globally or for individual users:

  • By default, user-specific authentication method settings take precedence over global settings. If no authentication method is set for a user, the globally-defined methods apply.
  • You can disable per-user authentication method settings for any user. This ensures IdM ignores the per-user settings and always applies the global settings for the user.
Combining multiple authentication methods

If you configure multiple authentication methods, any one of them will be sufficient to successfully authenticate the user. For example:

  • If you configure both two-factor and password authentication, the user must provide the password (first factor), but providing the OTP (second factor) is optional when using the command line: 

    First Factor:
Second Factor (optional):
    Copy to Clipboard Toggle word wrap
  • In the web UI, the user must still provide both factors.

However, a minor exception exists when RADIUS and another authentication method are configured:

  • Kerberos always uses RADIUS, but LDAP does not. LDAP only recognizes the password and two-factor authentication methods.
  • If you use an external two-factor authentication provider, use Kerberos from your applications. If you want to let users authenticate with a password only, use LDAP. It is recommended that the applications use Apache modules and SSSD, which allows configuring either Kerberos or LDAP.

7.1.2. GNOME Keyring service support
Copy link

IdM integrates OTP authentication with the GNOME Keyring service. Note that GNOME Keyring integration requires the user to enter the first and second factors separately: 

First factor: static_password
Second factor: one-time_password
Copy to Clipboard Toggle word wrap

7.1.3. Offline authentication with OTP
Copy link

IdM supports offline OTP authentication. However, to be able to log in offline, the user must first authenticate when the system is online by entering the static password and OTP separately: 

First factor: static_password
Second factor: one-time_password
Copy to Clipboard Toggle word wrap

If the user enters both passwords separately like this when logging in online, the user can subsequently authenticate even if the central authentication server is unavailable. Note that IdM only prompts for the first-factor traditional static password when the user authenticates offline.

IdM also supports entering both the static password and OTP together in one string in the First factor prompt. However, this method is not compatible with offline OTP authentication. If the user enters both factors in a single prompt, IdM must contact the central authentication server to validate the credentials, which requires the system to be online.

Important

If you use OTP authentication on devices that also operate offline, such as laptops, Red Hat recommends to enter the static password and OTP separately to make sure offline authentication is available. Otherwise, IdM does not allow you to log in after the system goes offline.

If you want to benefit from OTP offline authentication, apart from entering the static and OTP passwords separately, also make sure to meet the following conditions:

  • The cache_credentials option in the /etc/sssd/sssd.conf file is set to True, which enables caching the first factor password.
  • The first-factor static password meets the password length requirement defined in the cache_credentials_minimal_first_factor_length option set in /etc/sssd/sssd.conf. The default minimal length is 8 characters. For more information about the option, see the sssd.conf(5) man page.
Note

Even if the krb5_store_password_if_offline option is set to true in the /etc/sssd/sssd.conf file, SSSD does not attempt to refresh the Kerberos ticket-granting ticket (TGT) when the system returns to an online state. This is because the one-time password (OTP) may already be invalid at that point. To obtain a new TGT in this situation, the user must re-authenticate using both factors.

7.2. Enabling the one-time password in the Web UI
Copy link

Identity Management (IdM) administrators can enable two-factor authentication (2FA) for IdM users either globally or individually. The user enters the one-time password (OTP) after their regular password on the command line or in the dedicated field in the Web UI login dialog, with no space between these passwords.

Enabling 2FA is not the same as enforcing it. If you use logins based on LDAP-binds, IdM users can still authenticate by entering a password only. However, if you use krb5-based logins, the 2FA is enforced.

Note that there is an option to enforce 2FA for LDAP-binds by enforcing OTP usage for all LDAP clients. For more information, see Enforcing OTP usage for all LDAP clients.

Complete this procedure to use the IdM Web UI to enable 2FA for the individual example.user IdM user.

Prerequisites

  • Administrator privileges

Procedure

  1. Log in to the IdM Web UI with IdM admin privileges.

  2. Open the Identity → Users → Active users tab.

    A screenshot of the IdM Web UI displaying the "Active Users" page which is a sub-page of the Users submenu from the Identity tab.

  3. Select example.user to open the user settings.
  4. In the User authentication types, select Two factor authentication (password + OTP).
  5. Click Save.

At this point, the OTP authentication is enabled for the IdM user.

Now you or example.user must assign a new token ID to the example.user account.

To enable the migration of a large deployment from a proprietary one-time password (OTP) solution to the Identity Management (IdM)-native OTP solution, IdM offers a way to offload OTP validation to a third-party RADIUS server for a subset of users. The administrator creates a set of RADIUS proxies where each proxy can only reference a single RADIUS server. If more than one server needs to be addressed, it is recommended to create a virtual IP solution that points to multiple RADIUS servers.

Such a solution must be built outside of RHEL IdM with the help of the keepalived daemon, for example. The administrator then assigns one of these proxy sets to a user. As long as the user has a RADIUS proxy set assigned, IdM bypasses all other authentication mechanisms.

Note

IdM does not provide any token management or synchronization support for tokens in the third-party system.

Complete the procedure to configure a RADIUS server for OTP validation and to add a user to the proxy server:

Prerequisites

Procedure

  1. Add a RADIUS proxy: 

    $ ipa radiusproxy-add proxy_name --secret secret
    Copy to Clipboard Toggle word wrap

    The command prompts you for inserting the required information.

    The configuration of the RADIUS proxy requires the use of a common secret between the client and the server to wrap credentials. Specify this secret in the --secret parameter.

  2. Assign a user to the added proxy: 

    ipa user-mod radiususer --radius=proxy_name
    Copy to Clipboard Toggle word wrap

  3. If required, configure the user name to be sent to RADIUS: 

    ipa user-mod radiususer --radius-username=radius_user
    Copy to Clipboard Toggle word wrap

As a result, the RADIUS proxy server starts to process the user OTP authentication.

When the user is ready to be migrated to the IdM native OTP system, you can simply remove the RADIUS proxy assignment for the user.

In certain situations, such as running a RADIUS proxy in a slow network, the Identity Management (IdM) Kerberos Distribution Center (KDC) closes the connection before the RADIUS server responds because the connection timed out while waiting for the user to enter the token.

To change the timeout settings of the KDC:

  1. Change the value of the timeout parameter in the [otp] section in the /var/kerberos/krb5kdc/kdc.conf file. For example, to set the timeout to 120 seconds: 

    [otp]
DEFAULT = {
  timeout = 120
  ...
}
    Copy to Clipboard Toggle word wrap

  2. Restart the krb5kdc service: 

    # systemctl restart krb5kdc
    Copy to Clipboard Toggle word wrap

7.4. Adding OTP tokens in the Web UI
Copy link

The following section helps you to add a token to the IdM Web UI and to your software token generator.

Prerequisites

  • Active user account on the IdM server.
  • Administrator has enabled OTP for the particular user account in the IdM Web UI.
  • A software device generating OTP tokens, for example FreeOTP.

Procedure

  1. Log in to the IdM Web UI with your user name and password.
  2. To create the token in your mobile phone, open the Authentication → OTP Tokens tab.

  3. Click Add.

    Screenshot of the IdM Web UI highlighting the Add button near the upper-right of the OTP Tokens page which is a sub-page of the Authentication section

  4. In the Add OTP token dialog box, leave everything unfilled and click Add.

    At this stage, the IdM server creates a token with default parameters at the server and opens a page with a QR code.

  5. Copy the QR code into your mobile phone.
  6. Click OK to close the QR code.

Now you can generate one time passwords and log in with them to the IdM Web UI.

Screenshot of the FreeOTP application from a mobile telephone displaying two entries for OTP tokens. The first OTP token is for the example.user@IDM.EXAMPLE.COM domain and its entry displays a 6-digit OTP while its timer is running out.

Follow this procedure to login for the first time into the IdM Web UI using a one time password (OTP).

Prerequisites

  • OTP configuration enabled on the Identity Management server for the user account you are using for the OTP authentication. Administrators as well as users themselves can enable OTP.

    To enable the OTP configuration, see Enabling the one time password in the Web UI.

  • A hardware or software device generating OTP tokens configured.

Procedure

  1. In the Identity Management login screen, enter your user name or a user name of the IdM server administrator account.
  2. Add the password for the user name entered above.
  3. Generate a one time password on your device.
  4. Enter the one time password right after the password without a space.

  5. Click Log in.

    If the authentication fails, synchronize OTP tokens.

    If your CA uses a self-signed certificate, the browser issues a warning. Check the certificate and accept the security exception to proceed with the login.

    If the IdM Web UI does not open, verify the DNS configuration of your Identity Management server.

After a successful login, the IdM Web UI opens.

7.6. Synchronizing OTP tokens using the Web UI
Copy link

If the login with OTP (One Time Password) fails, OTP tokens are not synchronized correctly.

The following text describes token re-synchronization.

Prerequisites

  • A device generating OTP tokens.

Procedure

  1. On the IdM Web UI login screen, click Sync OTP Token.

    A screenshot of the IdM Web UI log in page. The "Username" and "Password" fields are empty. A link to "Sync OTP Token" at the bottom right next to the "Log In" button is highlighted.

  2. In the login screen, enter your username and the Identity Management password.
  3. Generate one time password and enter it in the First OTP field.
  4. Generate another one time password and enter it in the Second OTP field.

  5. Optional: Enter the token ID.

    A screenshot of the screen to change the OTP token. The "Username" field has been filled in with "admin". The password in the "Password" field has been obfuscated with solid circles. The "First OTP" and "Second OTP" fields also have their 6-character entries obfuscated. The last field is labeled "Token ID" and has 16 hexadecimal characters such as "18c5d06cfcbd4927". There are "Cancel" and "Sync OTP Token" buttons at the bottom right.

  6. Click Sync OTP Token.

After a successful synchronization, you can log in to the IdM server.

7.7. Changing expired passwords
Copy link

Administrators of Identity Management can enforce changing your password at the next login. In this case, you cannot successfully log in to the IdM Web UI until you change the password.

Password expiration can happen during your first login to the Web UI.

If the expiration password dialog appears, follow the instructions in the procedure.

Prerequisites

  • Active account on the IdM server.

Procedure

  1. In the password expiration login screen, enter the user name.
  2. Add the password for the user name entered above.
  3. In the OTP field, generate a one time password, if you use one time password authentication.
  4. Enter the new password twice for verification.

  5. Click Reset Password.

    A screenshot of the IdM Web UI with a banner across the top that states "Your password has expired. Please enter a new password." The "Username" field displays "example.user" and cannot be edited. The following fields have been filled in but their contents have been replaced with dots to obfuscate the passwords: "Current Password" - "OTP" - "New Password" - "Verify Password."

After a successful password change, the usual login dialog displays. Log in with the new password.

To retrieve a Kerberos ticket-granting ticket (TGT) as an OTP user, request an anonymous Kerberos ticket and enable Flexible Authentication via Secure Tunneling (FAST) channel to provide a secure connection between the Kerberos client and Kerberos Distribution Center (KDC).

Prerequisites

  • Your IdM client and IdM servers use RHEL 8.7 or later.
  • Your IdM client and IdM servers use SSSD 2.7.0 or later.
  • You have enabled OTP for the required user account.

Procedure

  1. Initialize the credentials cache by running the following command: 

    [root@client ~]# kinit -n @IDM.EXAMPLE.COM -c FILE:armor.ccache
    Copy to Clipboard Toggle word wrap

    Note that this command creates the armor.ccache file that you need to point to whenever you request a new Kerberos ticket.

  2. Request a Kerberos ticket by running the command: 

    [root@client ~]# kinit -T FILE:armor.ccache <username>@IDM.EXAMPLE.COM
Enter your OTP Token Value.
    Copy to Clipboard Toggle word wrap

Verification

  • Display your Kerberos ticket information: 

    [root@client ~]# klist -C
Ticket cache: KCM:0:58420
Default principal: <username>@IDM.EXAMPLE.COM

Valid starting     Expires            Service principal
05/09/22 07:48:23  05/10/22 07:03:07  krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
config: fast_avail(krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM) = yes
08/17/2022 20:22:45  08/18/2022 20:22:43  krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
config: pa_type(krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM) = 141
    Copy to Clipboard Toggle word wrap

    The pa_type = 141 indicates OTP/RADIUS authentication.

7.9. Enforcing OTP usage for all LDAP clients
Copy link

In RHEL IdM, you can set the default behavior for LDAP server authentication of user accounts with two-factor (OTP) authentication configured. If OTP is enforced, LDAP clients cannot authenticate against an LDAP server using single-factor authentication (a password) for users that have associated OTP tokens. RHEL IdM already enforces this method through the Kerberos backend by using a special LDAP control with OID 2.16.840.1.113730.3.8.10.7 without any data.

Procedure

  • To enforce OTP usage for all LDAP clients, use the following command: 

    $ ipa config-mod --addattr ipaconfigstring=EnforceLDAPOTP
    Copy to Clipboard Toggle word wrap

  • To change back to the previous OTP behavior for all LDAP clients, use the following command: 

    $ ipa config-mod --delattr ipaconfigstring=EnforceLDAPOTP
    Copy to Clipboard Toggle word wrap

Authentication in an Identity Management (IdM) environment involves many components:

On the IdM client:

  • The SSSD service.
  • The Name Services Switch (NSS).
  • Pluggable Authentication Modules (PAM).

On the IdM server:

  • The SSSD service.
  • The IdM Directory Server.
  • The IdM Kerberos Key Distribution Center (KDC).

If you are authenticating as an Active Directory (AD) user:

  • The Directory Server on an AD Domain Controller.
  • The Kerberos server on an AD Domain Controller.

To authenticate users, you must be able to perform the following functions with the SSSD service:

  • Retrieve user information from the authentication server.
  • Prompt the user for their credentials, pass those credentials to the authentication server, and process the outcome.

Troubleshooting involves understanding how information flows between the SSSD service and the servers that store user information. This helps you to identify where the issue occurs and narrow down potential causes.

The following diagram is a simplification of the information flow between an IdM client and an IdM server during a request for IdM user information with the command getent passwd <idm_user_name>.

Information flow between an IdM client and server for user information retrieval using getent passwd

A diagram with numbered arrows representing the flow of information between an IdM client and an IdM server. The following numbered list describes each step in the process.

  1. The getent command triggers the getpwnam call from the libc library.
  2. The libc library references the /etc/nsswitch.conf configuration file to check which service is responsible for providing user information, and discovers the entry sss for the SSSD service.
  3. The libc library opens the nss_sss module.
  4. The nss_sss module checks the memory-mapped cache for the user information. If the data is present in the cache, the nss_sss module returns it.
  5. If the user information is not in the memory-mapped cache, the request is passed to the SSSD sssd_nss responder process.
  6. The SSSD service checks its cache. If the data is present in the cache and valid, the sssd_nss responder reads the data from the cache and returns it to the application.
  7. If the data is not present in the cache or it is expired, the sssd_nss responder queries the appropriate back-end process and waits for a reply. The SSSD service uses the IPA backend in an IdM environment, enabled by the setting id_provider=ipa in the sssd.conf configuration file.
  8. The sssd_be back-end process connects to the IdM server and requests the information from the IdM LDAP Directory Server.
  9. The SSSD back-end on the IdM server responds to the SSSD back-end process on the IdM client.
  10. The SSSD back-end on the client stores the resulting data in the SSSD cache and alerts the responder process that the cache has been updated.
  11. The sssd_nss front-end responder process retrieves the information from the SSSD cache.
  12. The sssd_nss responder sends the user information to the nss_sss responder, completing the request.
  13. The libc library returns the user information to the application that requested it.

If you have established a cross-forest trust between your IdM environment and an Active Directory (AD) domain, the information flow when retrieving AD user information about an IdM client is very similar to the information flow when retrieving IdM user information, with the additional step of contacting the AD user database.

The following diagram is a simplification of the information flow when a user requests information about an AD user with the command getent passwd <user_name@ad.example.com>. This diagram does not include the internal details discussed in the Data flow when retrieving IdM user information with SSSD section. It focuses on the communication between the SSSD service on an IdM client, the SSSD service on an IdM server, and the LDAP database on an AD Domain Controller.

Information flow for retrieval of AD user information between an IdM client, IdM server, and AD Domain controller

A diagram with numbered arrows representing the flow of information between an IdM client, an IdM server, and an AD Domain Controller. The following numbered list describes each step in the process.

  1. The IdM client looks to its local SSSD cache for AD user information.
  2. If the IdM client does not have the user information, or the information is stale, the SSSD service on the client contacts the extdom_extop plugin on the IdM server to perform an LDAP extended operation and requests the information.
  3. The SSSD service on the IdM server looks for the AD user information in its local cache.
  4. If the IdM server does not have the user information in its SSSD cache, or its information is stale, it performs an LDAP search to request the user information from an AD Domain Controller.
  5. The SSSD service on the IdM server receives the AD user information from the AD domain controller and stores it in its cache.
  6. The extdom_extop plugin receives the information from the SSSD service on the IdM server, which completes the LDAP extended operation.
  7. The SSSD service on the IdM client receives the AD user information from the LDAP extended operation.
  8. The IdM client stores the AD user information in its SSSD cache and returns the information to the application that requested it.

Authenticating as a user on an IdM server or client involves the following components:

  • The service that initiates the authentication request, such as the sshd service.
  • The Pluggable Authentication Module (PAM) library and its modules.
  • The SSSD service, its responders, and back-ends.
  • A smart card reader, if smart card authentication is configured.

  • The authentication server:

    • IdM users are authenticated against an IdM Kerberos Key Distribution Center (KDC).
    • Active Directory (AD) users are authenticated against an AD Domain Controller (DC).

The following diagram is a simplification of the information flow when a user needs to authenticate during an attempt to log in locally to a host via the SSH service on the command line.

Information flow between an IdM client and an IdM server or AD Domain Controller during an authentication attempt

A diagram with numbered arrows representing the flow of information between an IdM client and an IdM server or AD Domain Controller during an authentication attempt. The following numbered list describes each step in the process.

  1. The authentication attempt with the ssh command triggers the libpam library.

  2. The libpam library references the PAM file in the /etc/pam.d/ directory that corresponds to the service requesting the authentication attempt. In this example involving authenticating via the SSH service on the local host, the libpam library checks the /etc/pam.d/system-auth configuration file and discovers the pam_sss.so entry for the SSSD PAM: 

    auth    sufficient    pam_sss.so
    Copy to Clipboard Toggle word wrap
  3. To determine which authentication methods are available, the libpam library opens the pam_sss module and sends an SSS_PAM_PREAUTH request to the sssd_pam PAM responder of the SSSD service.
  4. If smart card authentication is configured, the SSSD service spawns a temporary p11_child process to check for a smart card and retrieve certificates from it.
  5. If smart card authentication is configured for the user, the sssd_pam responder attempts to match the certificate from the smart card with the user. The sssd_pam responder also performs a search for the groups that the user belongs to, since group membership might affect access control.
  6. The sssd_pam responder sends an SSS_PAM_PREAUTH request to the sssd_be back-end responder to see which authentication methods the server supports, such as passwords or 2-factor authentication. In an IdM environment, where the SSSD service uses the IPA responder, the default authentication method is Kerberos. For this example, the user authenticates with a simple Kerberos password.
  7. The sssd_be responder spawns a temporary krb5_child process.
  8. The krb5_child process contacts the KDC on the IdM server and checks for available authentication methods.

  9. The KDC responds to the request:

    1. The krb5_child process evaluates the reply and sends the results back to the sssd_be backend process.
    2. The sssd_be backend process receives the result.
    3. The sssd_pam responder receives the result.
    4. The pam_sss module receives the result.
  10. If password authentication is configured for the user, the pam_sss module prompts the user for their password. If smart card authentication is configured, the pam_sss module prompts the user for their smart card PIN.

  11. The module sends an SSS_PAM_AUTHENTICATE request with the user name and password, which travels to:

    1. The sssd_pam responder.
    2. The sssd_be back-end process.
  12. The sssd_be process spawns a temporary krb5_child process to contact the KDC.
  13. The krb5_child process attempts to retrieve a Kerberos Ticket Granting Ticket (TGT) from the KDC with the user name and password the user provided.
  14. The krb5_child process receives the result of the authentication attempt.

  15. The krb5_child process:

    1. Stores the TGT in a credential cache.
    2. Returns the authentication result to the sssd_be back-end process.

  16. The authentication result travels from the sssd_be process to:

    1. The sssd_pam responder.
    2. The pam_sss module.
  17. The pam_sss module sets an environment variable with the location of the user’s TGT so other applications can reference it.

8.4. Narrowing the scope of authentication issues
Copy link

To successfully authenticate a user, you must be able to retrieve user information with the SSSD service from the database that stores user information. The following procedure describes steps to test different components of the authentication process so you can narrow the scope of authentication issues when a user is unable to log in.

Procedure

  1. Verify that the SSSD service and its processes are running. 

    [root@client ~]# pstree -a | grep sssd
  |-sssd -i --logger=files
  |   |-sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
  |   |-sssd_be --domain <domain_name> --uid 0 --gid 0 --logger=files
  |   |-sssd_ifp --uid 0 --gid 0 --logger=files
  |   |-sssd_nss --uid 0 --gid 0 --logger=files
  |   |-sssd_pac --uid 0 --gid 0 --logger=files
  |   |-sssd_pam --uid 0 --gid 0 --logger=files
  |   |-sssd_ssh --uid 0 --gid 0 --logger=files
  |   `-sssd_sudo --uid 0 --gid 0 --logger=files
  |-sssd_kcm --uid 0 --gid 0 --logger=files
    Copy to Clipboard Toggle word wrap

  2. Verify that the client can contact the user database server via the IP address. 

    [user@client ~]$ ping <IP_address_of_the_database_server>
    Copy to Clipboard Toggle word wrap

    If this step fails, check that your network and firewall settings allow direct communication between IdM clients and servers. See Using and configuring firewalld.

  3. Verify that the client can discover and contact the IdM LDAP server (for IdM users) or AD domain controller (for AD users) via the fully qualified host name. 

    [user@client ~]$ dig -t SRV ldap._tcp.<domain>@<server_name>
[user@client ~]$ ping <fully_qualified_host_name_of_the_server>
    Copy to Clipboard Toggle word wrap

    If this step fails, check your Dynamic Name Service (DNS) settings, including the /etc/resolv.conf file. See Configuring the order of DNS servers.

    Note

    By default, the SSSD service attempts to automatically discover LDAP servers and AD DCs through DNS service (SRV) records. To restrict SSSD to specific servers, define them in the sssd.conf configuration file using the following options:

    • ipa_server = <fully_qualified_host_name_of_the_server>
    • ad_server = <fully_qualified_host_name_of_the_server>
    • ldap_uri = <fully_qualified_host_name_of_the_server>

    If you use these options, verify you can contact the servers listed in them.

  4. Verify that the client can authenticate to the LDAP server and retrieve user information with ldapsearch commands.

    1. If your LDAP server is an IdM server, like server.example.com, retrieve a Kerberos ticket for the host and perform the database search authenticating with the host Kerberos principal: 

      [user@client ~]$ kinit -k 'host/client.example.com@EXAMPLE.COM'
[user@client ~]$ ldapsearch -LLL -Y GSSAPI -h server.example.com -b “dc=example,dc=com” uid=<idm_user>
      Copy to Clipboard Toggle word wrap

    2. If your LDAP server is an Active Directory (AD) Domain Controller (DC), like server.ad.example.com, retrieve a Kerberos ticket for the host and perform the database search authenticating with the host Kerberos principal: 

      [user@client ~]$ kinit -k 'CLIENT$@AD.EXAMPLE.COM'
[user@client ~]$ ldapsearch -LLL -Y GSSAPI -h server.ad.example.com -b “dc=example,dc=com” sAMAccountname=<idm_user>
      Copy to Clipboard Toggle word wrap

    3. If your LDAP server is a plain LDAP server, and you have set the ldap_default_bind_dn and ldap_default_authtok options in the sssd.conf file, authenticate as the same ldap_default_bind_dn account: 

      [user@client ~]$ ldapsearch -xLLL -D "cn=ldap_default_bind_dn_value" -W -h ldapserver.example.com -b “dc=example,dc=com” uid=<idm_user>
      Copy to Clipboard Toggle word wrap

    If this step fails, verify that your database settings allow your host to search the LDAP server.

  5. Since the SSSD service uses Kerberos encryption, verify you can obtain a Kerberos ticket as the user that is unable to log in.

    1. If your LDAP server is an IdM server: 

      [user@client ~]$ kinit <idm_user>
      Copy to Clipboard Toggle word wrap

    2. If LDAP server database is an AD server: 

      [user@client ~]$ kinit <ad_user@AD.EXAMPLE.COM>
      Copy to Clipboard Toggle word wrap

    If this step fails, verify that your Kerberos server is operating properly, all servers have their times synchronized, and that the user account is not locked.

  6. Verify you can retrieve user information about the command line. 

    [user@client ~]$ getent passwd <idm_user>
[user@client ~]$ id <idm_user>
    Copy to Clipboard Toggle word wrap

    If this step fails, verify that the SSSD service on the client can receive information from the user database:

    1. Review errors in the /var/log/messages log file.
    2. Enable detailed logging in the SSSD service, collect debugging logs, and review the logs for indications to the source of the issue.
    3. Optional: Open a Red Hat Technical Support case and provide the troubleshooting information you have gathered.

  7. If you have sudo privileges on the host, use the sssctl utility to verify the user is allowed to log in. 

    [user@client ~]$ sudo sssctl user-checks -a auth -s ssh <idm_user>
    Copy to Clipboard Toggle word wrap

    If this step fails, verify your authorization settings, such as your PAM configuration, IdM HBAC rules, and IdM RBAC rules:

    1. Ensure that the user’s UID is equal to or higher than UID_MIN, which is defined in the /etc/login.defs file.
    2. Review authorization errors in the /var/log/secure and /var/log/messages log files.
    3. Enable detailed logging in the SSSD service, collect debugging logs, and review the logs for indications to the source of the issue.
    4. Optional: Open a Red Hat Technical Support case and provide the troubleshooting information you have gathered.

8.5. SSSD log files and logging levels
Copy link

Each SSSD service logs into its own log file in the /var/log/sssd/ directory. For an IdM server in the example.com IdM domain, its log files might look like this: 

[root@server ~]# ls -l /var/log/sssd/
total 620
-rw-------.  1 root root      0 Mar 29 09:21 krb5_child.log
-rw-------.  1 root root  14324 Mar 29 09:50 ldap_child.log
-rw-------.  1 root root 212870 Mar 29 09:50 sssd_example.com.log
-rw-------.  1 root root      0 Mar 29 09:21 sssd_ifp.log
-rw-------.  1 root root      0 Mar 29 09:21 sssd_implicit_files.log
-rw-------.  1 root root      0 Mar 29 09:21 sssd.log
-rw-------.  1 root root 219873 Mar 29 10:03 sssd_nss.log
-rw-------.  1 root root      0 Mar 29 09:21 sssd_pac.log
-rw-------.  1 root root  13105 Mar 29 09:21 sssd_pam.log
-rw-------.  1 root root   9390 Mar 29 09:21 sssd_ssh.log
-rw-------.  1 root root      0 Mar 29 09:21 sssd_sudo.log
Copy to Clipboard Toggle word wrap
SSSD log file purposes
krb5_child.log
Log file for the short-lived helper process involved in Kerberos authentication.
ldap_child.log
Log file for the short-lived helper process involved in getting a Kerberos ticket for the communication with the LDAP server.
sssd_<domain_name>.log

For each domain section in the sssd.conf file, the SSSD service logs information about communication with the LDAP server to a separate log file. For example, in an environment with an IdM domain named example.com, the SSSD service logs its information in a file named sssd_example.com.log. If a host is directly integrated with an AD domain named ad.example.com, information is logged to a file named sssd_ad.example.com.log.

Note

If you have an IdM environment and a cross-forest trust with an AD domain, information about the AD domain is still logged to the log file for the IdM domain.

Similarly, if a host is directly integrated to an AD domain, information about any child domains is written in the log file for the primary domain.

selinux_child.log
Log file for the short-lived helper process that retrieves and sets SELinux information.
sssd.log
Log file for SSSD monitoring and communicating with its responder and backend processes.
sssd_ifp.log
Log file for the InfoPipe responder, which provides a public D-Bus interface accessible over the system bus.
sssd_nss.log
Log file for the Name Services Switch (NSS) responder that retrieves user and group information.
sssd_pac.log
Log file for the Microsoft Privilege Attribute Certificate (PAC) responder, which collects the PAC from AD Kerberos tickets and derives information about AD users from the PAC, which avoids requesting it directly from AD.
sssd_pam.log
Log file for the Pluggable Authentication Module (PAM) responder.
sssd_ssh.log
Log file for the SSH responder process.
SSSD logging levels

Setting a debug level also enables all debug levels below it. For example, setting the debug level at 6 also enables debug levels 0 through 5.

Expand
Table 8.1. SSSD logging levels
LevelDescription

0

Fatal failures. Errors that prevent the SSSD service from starting up or cause it to terminate. This is the default debug log level for RHEL 8.3 and earlier.

1

Critical failures. Errors that do not terminate the SSSD service, but at least one major feature is not working properly.

2

Serious failures. Errors announcing that a particular request or operation has failed. This is the default debug log level for RHEL 8.4 and later.

3

Minor failures. Errors that cause the operation failures captured at level 2.

4

Configuration settings.

5

Function data.

6

Trace messages for operation functions.

7

Trace messages for internal control functions.

8

Contents of function-internal variables.

9

Extremely low-level tracing information.

By default, the SSSD service in RHEL 8.4 and later only logs serious failures (debug level 2), but it does not log at the level of detail necessary to troubleshoot authentication issues.

To enable detailed logging persistently across SSSD service restarts, add the option debug_level=<integer> in each section of the /etc/sssd/sssd.conf configuration file, where the <integer> value is a number between 0 and 9. Debug levels up to 3 log larger failures, and levels 8 and higher provide a large number of detailed log messages. Level 6 is a good starting point for debugging authentication issues.

Prerequisites

  • You need the root password to edit the sssd.conf configuration file and restart the SSSD service.

Procedure

  1. Open the /etc/sssd/sssd.conf file in a text editor.

  2. Add the debug_level option to every section of the file, and set the debug level to the verbosity of your choice. 

    [domain/<domain_name>]
debug_level = 6
id_provider = ipa
...

[sssd]
debug_level = 6
services = nss, pam, ifp, ssh, sudo
domains = <domain_name>

[nss]
debug_level = 6

[pam]
debug_level = 6

[sudo]
debug_level = 6

[ssh]
debug_level = 6

[pac]
debug_level = 6

[ifp]
debug_level = 6
    Copy to Clipboard Toggle word wrap
  3. Save and close the sssd.conf file.

  4. Restart the SSSD service to load the new configuration settings. 

    [root@server ~]# systemctl restart sssd
    Copy to Clipboard Toggle word wrap

By default, the SSSD service in RHEL 8.4 and later only logs serious failures (debug level 2), but it does not log at the level of detail necessary to troubleshoot authentication issues.

You can change the debug level of the SSSD service on the command line with the sssctl debug-level <integer> command, where the <integer> value is a number between 0 and 9. Debug levels up to 3 log larger failures, and levels 8 and higher provide a large number of detailed log messages. Level 6 is a good starting point for debugging authentication issues.

Prerequisites

  • You need the root password to run the sssctl command.

Procedure

  • Use the sssctl debug-level command to set the debug level to your desired verbosity. For example: 

    [root@server ~]# sssctl debug-level 6
    Copy to Clipboard Toggle word wrap

If you experience issues when attempting to authenticate as an IdM user to an IdM server, enable detailed debug logging in the SSSD service on the server and gather logs of an attempt to retrieve information about the user.

Prerequisites

  • You have root permissions.

Procedure

  1. Enable detailed SSSD debug logging on the IdM server. 

    [root@server ~]# sssctl debug-level 6
    Copy to Clipboard Toggle word wrap

  2. Invalidate objects in the SSSD cache for the user that is experiencing authentication issues, so you do not bypass the LDAP server and retrieve information SSSD has already cached. 

    [root@server ~]# sssctl cache-expire -u <idm_user>
    Copy to Clipboard Toggle word wrap

  3. Minimize the troubleshooting dataset by removing older SSSD logs. 

    [root@server ~]# sssctl logs-remove
    Copy to Clipboard Toggle word wrap

  4. Attempt to switch to the user experiencing authentication problems, while gathering timestamps before and after the attempt. These timestamps further narrow the scope of the dataset. 

    [root@server sssd]# date; su <idm_user>; date
Mon Mar 29 15:33:48 EDT 2021
su: user idm_user does not exist
Mon Mar 29 15:33:49 EDT 2021
    Copy to Clipboard Toggle word wrap

  5. Optional: Lower the debug level if you do not wish to continue gathering detailed SSSD logs. 

    [root@server ~]# sssctl debug-level 2
    Copy to Clipboard Toggle word wrap

  6. Review SSSD logs for information about the failed request. For example, reviewing the /var/log/sssd/sssd_example.com.log file shows that the SSSD service did not find the user in the cn=accounts,dc=example,dc=com LDAP subtree. This might indicate that the user does not exist, or exists in another location. 

    (Mon Mar 29 15:33:48 2021) [sssd[be[example.com]]] [dp_get_account_info_send] (0x0200): Got request for [0x1][BE_REQ_USER][name=idm_user@example.com]
...
(Mon Mar 29 15:33:48 2021) [sssd[be[example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=idm_user)(objectclass=posixAccount)(uid=)(&(uidNumber=)(!(uidNumber=0))))][cn=accounts,dc=example,dc=com].
(Mon Mar 29 15:33:48 2021) [sssd[be[example.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Mar 29 15:33:48 2021) [sssd[be[example.com]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Mon Mar 29 15:33:48 2021) [sssd[be[example.com]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Mar 29 15:33:48 2021) [sssd[be[example.com]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Mon Mar 29 15:33:48 2021) [sssd[be[example.com]]] [sysdb_search_by_name] (0x0400): No such entry
(Mon Mar 29 15:33:49 2021) [sssd[be[example.com]]] [ipa_id_get_account_info_orig_done] (0x0080): Object not found, ending request
    Copy to Clipboard Toggle word wrap

  7. If you are unable to determine the cause of the authentication issue:

    1. Collect the SSSD logs you recently generated. 

      [root@server ~]# sssctl logs-fetch sssd-logs-Mar29.tar
      Copy to Clipboard Toggle word wrap

    2. Open a Red Hat Technical Support case and provide:

      1. The SSSD logs: sssd-logs-Mar29.tar

      2. The console output, including the time stamps and user name, of the request that corresponds to the logs: 

        [root@server sssd]# date; id <idm_user>; date
Mon Mar 29 15:33:48 EDT 2021
id: 'idm_user': no such user
Mon Mar 29 15:33:49 EDT 2021
        Copy to Clipboard Toggle word wrap

If you experience issues when attempting to authenticate as an IdM user to an IdM client, verify that you can retrieve user information about the IdM server. If you cannot retrieve the user information about an IdM server, you will not be able to retrieve it on an IdM client (which retrieves information from the IdM server).

After you have confirmed that authentication issues do not originate from the IdM server, gather SSSD debugging logs from both the IdM server and IdM client.

Prerequisites

  • The user only has authentication issues on IdM clients, not IdM servers.
  • You need the root password to run the sssctl command and restart the SSSD service.

Procedure

  1. On the client: Open the /etc/sssd/sssd.conf file in a text editor.

  2. On the client: Add the ipa_server option to the [domain] section of the file and set it to an IdM server using its fully qualified domain name (FQDN). This avoids the IdM client autodiscovering other IdM servers, thus limiting this test to just one client and one server. 

    [domain/<idm_domain_name>]
ipa_server = <idm_server_fqdn>
...
    Copy to Clipboard Toggle word wrap
  3. On the client: Save and close the sssd.conf file.

  4. On the client: Restart the SSSD service to load the configuration changes. 

    [root@client ~]# systemctl restart sssd
    Copy to Clipboard Toggle word wrap

  5. On the server and client: Enable detailed SSSD debug logging. 

    [root@server ~]# sssctl debug-level 6
    Copy to Clipboard Toggle word wrap 
    [root@client ~]# sssctl debug-level 6
    Copy to Clipboard Toggle word wrap

  6. On the server and client: Invalidate objects in the SSSD cache for the user experiencing authentication issues, so you do not bypass the LDAP database and retrieve information SSSD has already cached. 

    [root@server ~]# sssctl cache-expire -u <idm_user>
    Copy to Clipboard Toggle word wrap 
    [root@client ~]# sssctl cache-expire -u <idm_user>
    Copy to Clipboard Toggle word wrap

  7. On the server and client: Minimize the troubleshooting dataset by removing older SSSD logs. 

    [root@server ~]# sssctl logs-remove
    Copy to Clipboard Toggle word wrap 
    [root@server ~]# sssctl logs-remove
    Copy to Clipboard Toggle word wrap

  8. On the client: Attempt to switch to the user experiencing authentication problems while gathering timestamps before and after the attempt. These timestamps further narrow the scope of the dataset. 

    [root@client sssd]# date; su <idm_user>; date
Mon Mar 29 16:20:13 EDT 2021
su: user idm_user does not exist
Mon Mar 29 16:20:14 EDT 2021
    Copy to Clipboard Toggle word wrap

  9. Optional: On the server and client: Lower the debug level if you do not wish to continue gathering detailed SSSD logs. 

    [root@server ~]# sssctl debug-level 0
    Copy to Clipboard Toggle word wrap 
    [root@client ~]# sssctl debug-level 0
    Copy to Clipboard Toggle word wrap

  10. On the server and client: Review SSSD logs for information about the failed request.

    1. Review the request from the client in the client logs.
    2. Review the request from the client in the server logs.
    3. Review the result of the request in the server logs.
    4. Review the outcome of the client receiving the results of the request from the server.

  11. If you are unable to determine the cause of the authentication issue:

    1. Collect the SSSD logs you recently generated on the IdM server and IdM client. Label them according to their hostname or role. 

      [root@server ~]# sssctl logs-fetch sssd-logs-server-Mar29.tar
      Copy to Clipboard Toggle word wrap 
      [root@client ~]# sssctl logs-fetch sssd-logs-client-Mar29.tar
      Copy to Clipboard Toggle word wrap

    2. Open a Red Hat Technical Support case and provide:

      1. The SSSD debug logs:

        1. sssd-logs-server-Mar29.tar from the server
        2. sssd-logs-client-Mar29.tar from the client

      2. The console output, including the time stamps and user name, of the request that corresponds to the logs: 

        [root@client sssd]# date; su <idm_user>; date
Mon Mar 29 16:20:13 EDT 2021
su: user idm_user does not exist
Mon Mar 29 16:20:14 EDT 2021
        Copy to Clipboard Toggle word wrap

8.10. Tracking client requests in the SSSD backend
Copy link

SSSD processes requests asynchronously and adds messages from different requests to the same log file. To track client request in the back-end logs, you can use the unique request identifier RID#<integer> and client ID `[CID #<integer>]. These identifiers help isolate logs to follow an individual request from start to finish across log files from multiple SSSD components.

Prerequisites

  • You have enabled debug logging and a request has been submitted from an IdM client.
  • You have root privileges.

Procedure

  1. To review your SSSD log file, open the log file /var/log/sssd/sssd_<domain_name>.log using the less utility. For example: 

    [root@server ~]# less /var/log/sssd/sssd_example.com.log
    Copy to Clipboard Toggle word wrap

  2. Review the SSSD logs for information about the client request. 

    (2021-07-26 18:26:37): [be[testidm.com]] [dp_req_destructor] (0x0400): [RID#3] Number of active DP request: 0
(2021-07-26 18:26:37): [be[testidm.com]] [dp_req_reply_std] (0x1000): [RID#3] DP Request AccountDomain #3: Returning [Internal Error]: 3,1432158301,GetAccountDomain() not supported
(2021-07-26 18:26:37): [be[testidm.com]] [dp_attach_req] (0x0400): [RID#4] DP Request Account #4: REQ_TRACE: New request. [sssd.nss CID #1] Flags [0x0001].
(2021-07-26 18:26:37): [be[testidm.com]] [dp_attach_req] (0x0400): [RID#4] Number of active DP request: 1
    Copy to Clipboard Toggle word wrap

    This sample output from an SSSD log file shows the unique identifiers RID#3 and RID#4 for two different requests.

However, a single client request to the SSSD client interface often triggers multiple requests in the backend and as a result it is not a 1-to-1 correlation between client request and requests in the backend. Though the multiple requests in the backend have different RID numbers, each initial backend request includes the unique client ID so an administrator can track the multiple RID numbers to the single client request.

The following example shows one client request [sssd.nss CID #1] and the multiple requests generated in the backend, [RID#5] to [RID#13]: 

(2021-10-29 13:24:16): [be[ad.vm]] [dp_attach_req] (0x0400): [RID#5] DP Request [Account #5]: REQ_TRACE: New request. [sssd.nss CID #1] Flags [0x0001].
(2021-10-29 13:24:16): [be[ad.vm]] [dp_attach_req] (0x0400): [RID#6] DP Request [AccountDomain #6]: REQ_TRACE: New request. [sssd.nss CID #1] Flags [0x0001].
(2021-10-29 13:24:16): [be[ad.vm]] [dp_attach_req] (0x0400): [RID#7] DP Request [Account #7]: REQ_TRACE: New request. [sssd.nss CID #1] Flags [0x0001].
(2021-10-29 13:24:17): [be[ad.vm]] [dp_attach_req] (0x0400): [RID#8] DP Request [Initgroups #8]: REQ_TRACE: New request. [sssd.nss CID #1] Flags [0x0001].
(2021-10-29 13:24:17): [be[ad.vm]] [dp_attach_req] (0x0400): [RID#9] DP Request [Account #9]: REQ_TRACE: New request. [sssd.nss CID #1] Flags [0x0001].
(2021-10-29 13:24:17): [be[ad.vm]] [dp_attach_req] (0x0400): [RID#10] DP Request [Account #10]: REQ_TRACE: New request. [sssd.nss CID #1] Flags [0x0001].
(2021-10-29 13:24:17): [be[ad.vm]] [dp_attach_req] (0x0400): [RID#11] DP Request [Account #11]: REQ_TRACE: New request. [sssd.nss CID #1] Flags [0x0001].
(2021-10-29 13:24:17): [be[ad.vm]] [dp_attach_req] (0x0400): [RID#12] DP Request [Account #12]: REQ_TRACE: New request. [sssd.nss CID #1] Flags [0x0001].
(2021-10-29 13:24:17): [be[ad.vm]] [dp_attach_req] (0x0400): [RID#13] DP Request [Account #13]: REQ_TRACE: New request. [sssd.nss CID #1] Flags [0x0001].
Copy to Clipboard Toggle word wrap

The System Security Services Daemon (SSSD) includes a log parsing tool that you can use to track requests from start to finish across log files from multiple SSSD components.

8.11.1. How the log analyzer tool works
Copy link

Using the log parsing tool, you can track SSSD requests from start to finish across log files from multiple SSSD components. You run the analyzer tool using the sssctl analyze command.

The log analyzer tool helps you to troubleshoot NSS and PAM issues in SSSD and more easily review SSSD debug logs. You can extract and print SSSD logs related only to certain client requests across SSSD processes.

SSSD tracks user and group identity information (id, getent) separately from user authentication (su, ssh) information. The client ID (CID) in the NSS responder is independent of the CID in the PAM responder and you see overlapping numbers when analyzing NSS and PAM requests. Use the --pam option with the sssctl analyze command to review PAM requests.

Note

Requests returned from the SSSD memory cache are not logged and cannot be tracked by the log analyzer tool.

8.11.2. Running the log analyzer tool
Copy link

Use the log analyzer tool to track and analyze client requests in SSSD.

Prerequisites

  • You must set debug_level to at least 7 in the [$responder] section, and [domain/$domain] section of the /etc/sssd/sssd.conf file to enable log parsing functionality.
  • Logs to analyze must be from a compatible version of SSSD built with libtevent chain ID support, that is SSSD in RHEL 8.5 and later.

Procedure

  1. Run the log analyzer tool in list mode to determine the client ID of the request you are tracking, adding the -v option to display verbose output: 

    # sssctl analyze request list -v
    Copy to Clipboard Toggle word wrap

    A verbose list of recent client requests made to SSSD is displayed.

    Note

    If analyzing PAM requests, run the sssctl analyze request list command with the --pam option.

  2. Run the log analyzer tool with the show [unique client ID] option to display logs pertaining to the specified client ID number: 

    # sssctl analyze request show 20
    Copy to Clipboard Toggle word wrap

  3. If required, you can run the log analyzer tool against log files, for example: 

    # sssctl analyze --logdir=/tmp/var/log/sssd request list
    Copy to Clipboard Toggle word wrap

8.12. Additional resources
Copy link

As a system administrator managing Identity Management (IdM), when working with Red Hat Ansible Engine, it is good practice to do the following:

  • Keep a subdirectory dedicated to Ansible playbooks in your home directory, for example ~/MyPlaybooks.
  • Copy and adapt sample Ansible playbooks from the /usr/share/doc/ansible-freeipa/* and /usr/share/doc/rhel-system-roles/* directories and subdirectories into your ~/MyPlaybooks directory.
  • Include your inventory file in your ~/MyPlaybooks directory.

Using this practice, you can find all your playbooks in one place.

Note

You can run your ansible-freeipa playbooks without invoking root privileges on the managed nodes. Exceptions include playbooks that use the ipaserver, ipareplica, ipaclient, ipasmartcard_server, ipasmartcard_client and ipabackup ansible-freeipa roles. These roles require privileged access to directories and the dnf software package manager.

The playbooks in the Red Hat Enterprise Linux IdM documentation assume the following security configuration:

  • The IdM admin is your remote Ansible user on the managed nodes.
  • You store the IdM admin password encrypted in an Ansible vault.
  • You have placed the password that protects the Ansible vault in a password file.
  • You block access to the vault password file to everyone except your local ansible user.
  • You regularly remove and re-create the vault password file.

Consider also alternative security configurations.

Follow this procedure to create the ~/MyPlaybooks directory and configure it so that you can use it to store and run Ansible playbooks.

Prerequisites

  • You have installed an IdM server on your managed nodes, server.idm.example.com and replica.idm.example.com.
  • You have configured DNS and networking so you can log in to the managed nodes, server.idm.example.com and replica.idm.example.com, directly from the control node.
  • You know the IdM admin password.

Procedure

  1. Change into the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks
    Copy to Clipboard Toggle word wrap

  2. Create the ~/MyPlaybooks/ansible.cfg file with the following content: 

    [defaults]
inventory = /home/your_username/MyPlaybooks/inventory
remote_user = admin
    Copy to Clipboard Toggle word wrap

  3. Create the ~/MyPlaybooks/inventory file with the following content: 

    [eu]
server.idm.example.com

[us]
replica.idm.example.com

[ipaserver:children]
eu
us
    Copy to Clipboard Toggle word wrap

    This configuration defines two host groups, eu and us, for hosts in these locations. Additionally, this configuration defines the ipaserver host group, which contains all hosts from the eu and us groups.

  4. Optional: Create an SSH public and private key. To simplify access in your test environment, do not set a password on the private key: 

    $ ssh-keygen
    Copy to Clipboard Toggle word wrap

  5. Copy the SSH public key to the IdM admin account on each managed node: 

    $ ssh-copy-id admin@server.idm.example.com
$ ssh-copy-id admin@replica.idm.example.com
    Copy to Clipboard Toggle word wrap

    These commands require that you enter the IdM admin password.

  6. Create a password_file file that contains the vault password: 

    redhat
    Copy to Clipboard Toggle word wrap

  7. Change the permissions to modify the file: 

    $ chmod 0600 password_file
    Copy to Clipboard Toggle word wrap

  8. Create a secret.yml Ansible vault to store the IdM admin password:

    1. Configure password_file to store the vault password: 

      $ ansible-vault create --vault-password-file=password_file secret.yml
      Copy to Clipboard Toggle word wrap

    2. When prompted, enter the content of the secret.yml file: 

      ipaadmin_password: Secret123
      Copy to Clipboard Toggle word wrap
Note

To use the encrypted ipaadmin_password in a playbook, you must use the vars_file directive. For example, a simple playbook to delete an IdM user can look as follows: 

---
- name: Playbook to handle users
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml

  tasks:
  - name: Delete user robot
    ipauser:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: robot
      state: absent
Copy to Clipboard Toggle word wrap

When executing a playbook, instruct Ansible use the vault password to decrypt ipaadmin_password by adding the --vault-password-file=password_file option. For example: 

ansible-playbook -i inventory --vault-password-file=password_file del-user.yml
Copy to Clipboard Toggle word wrap
Warning

For security reasons, remove the vault password file at the end of each session, and repeat steps 6-8 at the start of each new session.

There are advantages and disadvantages in the different methods for providing the credentials required for running playbooks that use ansible-freeipa roles and modules.

Storing passwords in plain text in a playbook

Benefits:

  • Not being prompted all the time you run the playbook.
  • Easy to implement.

Drawbacks:

  • Everyone with access to the file can read the password. Setting wrong permissions and sharing the file, for example in an internal or external repository, can compromise security.
  • High maintenance work: if the password is changed, it needs to be changed in all playbooks.

Entering passwords interactively when you execute a playbook

Benefits:

  • No-one can steal the password as it is not stored anywhere.
  • You can update the password easily.
  • Easy to implement.

Drawbacks:

  • If you are using Ansible playbooks in scripts, the requirement to enter the password interactively can be inconvenient.

Storing passwords in an Ansible vault and the vault password in a file:

Benefits:

  • The user password is stored encrypted.
  • You can update the user password easily, by creating a new Ansible vault.
  • You can update the password file that protects the ansible vault easily, by using the ansible-vault rekey --new-vault-password-file=NEW_VAULT_PASSWORD_FILE secret.yml command.
  • If you are using Ansible playbooks in scripts, it is convenient not to have to enter the password protecting the Ansible vault interactively.

Drawbacks:

  • It is vital that the file that contains the sensitive plain text password be protected through file permissions and other security measures.

Storing passwords in an Ansible vault and entering the vault password interactively

Benefits:

  • The user password is stored encrypted.
  • No-one can steal the vault password as it is not stored anywhere.
  • You can update the user password easily, by creating a new Ansible vault.
  • You can update the vault password easily too, by using the ansible-vault rekey file_name command.

Drawbacks:

  • If you are using Ansible playbooks in scripts, the need to enter the vault password interactively can be inconvenient.

Using the Ansible config module, you can retrieve and set global configuration parameters for Identity Management (IdM).

The following procedure describes how you can use an Ansible playbook to retrieve information about the current global IdM configuration.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Open the /usr/share/doc/ansible-freeipa/playbooks/config/retrieve-config.yml Ansible playbook file for editing: 

    ---
- name: Playbook to handle global IdM configuration
  hosts: ipaserver
  become: no
  gather_facts: no

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Query IPA global configuration
    ipaconfig:
      ipaadmin_password: "{{ ipaadmin_password }}"
    register: serverconfig

  - debug:
      msg: "{{ serverconfig }}"
    Copy to Clipboard Toggle word wrap

  2. Adapt the file by changing the following:

    • The password of IdM administrator.
    • Other values, if necessary.
  3. Save the file.

  4. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file /usr/share/doc/ansible-freeipa/playbooks/config/retrieve-config.yml
[...]
TASK [debug]
ok: [server.idm.example.com] => {
    "msg": {
        "ansible_facts": {
            "discovered_interpreter_
        },
        "changed": false,
        "config": {
            "ca_renewal_master_server": "server.idm.example.com",
            "configstring": [
                "AllowNThash",
                "KDC:Disable Last Success"
            ],
            "defaultgroup": "ipausers",
            "defaultshell": "/bin/bash",
            "emaildomain": "idm.example.com",
            "enable_migration": false,
            "groupsearch": [
                "cn",
                "description"
            ],
            "homedirectory": "/home",
            "maxhostname": "64",
            "maxusername": "64",
            "pac_type": [
                "MS-PAC",
                "nfs:NONE"
            ],
            "pwdexpnotify": "4",
            "searchrecordslimit": "100",
            "searchtimelimit": "2",
            "selinuxusermapdefault": "unconfined_u:s0-s0:c0.c1023",
            "selinuxusermaporder": [
                "guest_u:s0$xguest_u:s0$user_
            ],
            "usersearch": [
                "uid",
                "givenname",
                "sn",
                "telephonenumber",
                "ou",
                "title"
            ]
        },
        "failed": false
    }
}
    Copy to Clipboard Toggle word wrap

In an Identity Management (IdM) deployment that uses an embedded certificate authority (CA), the CA renewal server maintains and renews IdM system certificates. It ensures robust IdM deployments.

For more details on the role of the IdM CA renewal server, see Using IdM CA renewal server.

The following procedure describes how you can use an Ansible playbook to configure the IdM CA renewal server.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Optional: Identify the current IdM CA renewal server: 

    $ ipa config-show | grep 'CA renewal'
  IPA CA renewal master: server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  3. Open the /usr/share/doc/ansible-freeipa/playbooks/config/set-ca-renewal-master-server.yml Ansible playbook file for editing: 

    ---
- name: Playbook to handle global DNS configuration
  hosts: ipaserver
  become: no
  gather_facts: no
  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml

  tasks:
  - name: set ca_renewal_master_server
    ipaconfig:
      ipaadmin_password: "{{ ipaadmin_password }}"
      ca_renewal_master_server: carenewal.idm.example.com
    Copy to Clipboard Toggle word wrap

  4. Adapt the file by changing:

    • The password of IdM administrator set by the ipaadmin_password variable.
    • The name of the CA renewal server set by the ca_renewal_master_server variable.
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file /usr/share/doc/ansible-freeipa/playbooks/config/set-ca-renewal-master-server.yml
    Copy to Clipboard Toggle word wrap

Verification

You can verify that the CA renewal server has been changed:

  1. Log into ipaserver as IdM administrator: 

    $ ssh admin@server.idm.example.com
Password:
[admin@server /]$
    Copy to Clipboard Toggle word wrap

  2. Request the identity of the IdM CA renewal server: 

    $ ipa config-show | grep ‘CA renewal’
IPA CA renewal master:  carenewal.idm.example.com
    Copy to Clipboard Toggle word wrap

    The output shows the carenewal.idm.example.com server is the new CA renewal server.

The shell is a program that accepts and interprets commands. Several shells are available in Red Hat Enterprise Linux (RHEL), such as bash, sh, ksh, zsh, fish, and others. Bash, or /bin/bash, is a popular shell on most Linux systems, and it is normally the default shell for user accounts on RHEL.

The following procedure describes how you can use an Ansible playbook to configure sh, an alternative shell, as the default shell for IdM users.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Optional: Use the retrieve-config.yml Ansible playbook to identify the current shell for IdM users. See Retrieving IdM configuration using an Ansible playbook for details.

  2. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  3. Open the /usr/share/doc/ansible-freeipa/playbooks/config/ensure-config-options-are-set.yml Ansible playbook file for editing: 

    ---
- name: Playbook to ensure some config options are set
  hosts: ipaserver
  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml

  tasks:
  # Set defaultlogin and maxusername
  - ipaconfig:
      ipaadmin_password: "{{ ipaadmin_password }}"
      defaultshell: /bin/bash
      maxusername: 64
    Copy to Clipboard Toggle word wrap

  4. Adapt the file by changing the following:

    • The password of IdM administrator set by the ipaadmin_password variable.
    • The default shell of the IdM users set by the defaultshell variable into /bin/sh.
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file /usr/share/doc/ansible-freeipa/playbooks/config/ensure-config-options-are-set.yml
    Copy to Clipboard Toggle word wrap

Verification

You can verify that the default user shell has been changed by starting a new session in IdM:

  1. Log into ipaserver as IdM administrator: 

    $ ssh admin@server.idm.example.com
Password:
[admin@server /]$
    Copy to Clipboard Toggle word wrap

  2. Display the current shell: 

    [admin@server /]$ echo "$SHELL"
/bin/sh
    Copy to Clipboard Toggle word wrap

    The logged-in user is using the sh shell.

The NetBIOS name is used for Microsoft Windows' (SMB) type of sharing and messaging. You can use NetBIOS names to map a drive or connect to a printer.

Follow this procedure to use an Ansible playbook to configure a NetBIOS name for your Identity Management (IdM) domain.

Prerequisites

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • The ansible-freeipa package is installed.

Assumptions

  • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
  • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you know the vault file password.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap
  2. Create a netbios-domain-name-present.yml Ansible playbook file.

  3. Add the following content to the file: 

    ---
- name: Playbook to change IdM domain netbios name
  hosts: ipaserver
  become: no
  gather_facts: no


  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml

  tasks:
    - name: Set IdM domain netbios name
      ipaconfig:
        ipaadmin_password: "{{ ipaadmin_password }}"
        netbios_name: IPADOM
    Copy to Clipboard Toggle word wrap
  4. Save the file.

  5. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory netbios-domain-name-present.yml
    Copy to Clipboard Toggle word wrap

    When prompted, provide the vault file password.

The Identity Management (IdM) server can assign unique security identifiers (SIDs) to IdM users and groups internally, based on the data from the ID ranges of the local domain. The SIDs are stored in the user and group objects.

The goal of ensuring that IdM users and groups have SIDs is to allow the generation of the Privileged Attribute Certificate (PAC), which is the first step towards IdM-IdM trusts. If IdM users and groups have SIDs, IdM is able to issue Kerberos tickets with PAC data.

Follow this procedure to achieve the following goals:

  • Generate SIDs for already existing IdM users and user groups.
  • Enable the generation of SIDs for IdM new users and groups.

Prerequisites

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • The ansible-freeipa package is installed.

Assumptions

  • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
  • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you know the vault file password.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap
  2. Create a sids-for-users-and-groups-present.yml Ansible playbook file.

  3. Add the following content to the file: 

    ---
- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
  hosts: ipaserver
  become: no
  gather_facts: no

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml

  tasks:
    - name: Enable SID and generate users and groups SIDS
      ipaconfig:
        ipaadmin_password: "{{ ipaadmin_password }}"
        enable_sid: true
        add_sids: true
    Copy to Clipboard Toggle word wrap

    The enable_sid variable enables SID generation for future IdM users and groups. The add_sids variable generates SIDs for existing IdM users and groups.

    Note

    When using add_sids: true, you must also set the enable_sid variable to true.

  4. Save the file.

  5. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory sids-for-users-and-groups-present.yml
    Copy to Clipboard Toggle word wrap

    When prompted, provide the vault file password.

There are several stages in the user life cycle in IdM (Identity Management), including the following:

  • Create user accounts
  • Activate stage user accounts
  • Preserve user accounts
  • Delete active, stage, or preserved user accounts
  • Restore preserved user accounts

11.1. User life cycle
Copy link

Identity Management (IdM) supports three user account states:

  • Stage users are not allowed to authenticate. This is an initial state. Some of the user account properties required for active users cannot be set, for example, group membership.
  • Active users are allowed to authenticate. All required user account properties must be set in this state.
  • Preserved users are former active users that are considered inactive and cannot authenticate to IdM. Preserved users retain most of the account properties they had as active users, but they are not part of any user groups.

A flow chart displaying 4 items: Active users - Stage users - Preserved users - Deleted users. Arrows communicate the relationships between each kind of user: Active users can be "preserved" as Preserved users. Preserved users can be "restored" as Active users. Preserved users can be "staged" as Stage users and Stage users can be "activated" into Active users. All users can be deleted to become "Deleted users".

You can delete user entries permanently from the IdM database.

Important

Deleted user accounts cannot be restored. When you delete a user account, all the information associated with the account is permanently lost.

A new administrator can only be created by a user with administrator rights, such as the default admin user. If you accidentally delete all administrator accounts, the Directory Manager must create a new administrator manually in the Directory Server.

Warning

Do not delete the admin user. As admin is a pre-defined user required by IdM, this operation causes problems with certain commands. If you want to define and use an alternative admin user, disable the pre-defined admin user with ipa user-disable admin after you granted admin permissions to at least one different user.

Warning

Do not add local users to IdM. The Name Service Switch (NSS) always resolves IdM users and groups before resolving local users and groups. This means that, for example, IdM group membership does not work for local users.

11.2. Adding users using the command line
Copy link

You can add users as:

  • Active — user accounts which can be actively used by their users.
  • Stage — users cannot use these accounts. Create stage users if you want to prepare new user accounts. When users are ready to use their accounts, then you can activate them.

The following procedure describes adding active users to the IdM server with the ipa user-add command.

Similarly, you can create stage user accounts with the ipa stageuser-add command.

Warning

IdM automatically assigns a unique user ID (UID) to new user accounts. You can assign a UID manually by using the --uid=INT option with the ipa user-add command, but the server does not validate whether the UID number is unique. Consequently, multiple user entries might have the same UID number. A similar problem can occur with user private group IDs (GIDs) if you assign a GID to a user account manually by using the --gidnumber=INT option. To check if you have multiple user entries with the same ID, enter ipa user-find --uid=<uid> or ipa user-find --gidnumber=<gidnumber>.

Red Hat recommends you do not have multiple entries with the same UIDs or GIDs. If you have objects with duplicate IDs, security identifiers (SIDs) are not generated correctly. SIDs are crucial for trusts between IdM and Active Directory and for Kerberos authentication to work correctly.

Prerequisites

Procedure

  1. Open terminal and connect to the IdM server.

  2. Add user login, user’s first name, last name and optionally, you can also add their email address. 

    $ ipa user-add user_login --first=first_name --last=last_name --email=email_address
    Copy to Clipboard Toggle word wrap

    IdM supports user names that can be described by the following regular expression: 

    [a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?
    Copy to Clipboard Toggle word wrap
    Note

    User names ending with the trailing dollar sign ($) are supported to enable Samba 3.x machine support.

    If you add a user name containing uppercase characters, IdM automatically converts the name to lowercase when saving it. Therefore, IdM always requires to enter user names in lowercase when logging in. Additionally, it is not possible to add user names which differ only in letter casing, such as user and User.

    The default maximum length for user names is 32 characters. To change it, use the ipa config-mod --maxusername command. For example, to increase the maximum user name length to 64 characters: 

    $ ipa config-mod --maxusername=64
 Maximum username length: 64
 ...
    Copy to Clipboard Toggle word wrap

    The ipa user-add command includes a lot of parameters. To list them all, use the ipa help command: 

    $ ipa help user-add
    Copy to Clipboard Toggle word wrap

    For details about ipa help command, see What is the IPA help.

You can verify if the new user account is successfully created by listing all IdM user accounts: 

$ ipa user-find
Copy to Clipboard Toggle word wrap

This command lists all user accounts with details.

11.3. Activating users using the command line
Copy link

To activate a user account by moving it from stage to active, use the ipa stageuser-activate command.

Prerequisites

Procedure

  1. Open terminal and connect to the IdM server.

  2. Activate the user account with the following command: 

    $ ipa stageuser-activate user_login
-------------------------
Stage user user_login activated
-------------------------
...
    Copy to Clipboard Toggle word wrap

You can verify if the new user account is successfully created by listing all IdM user accounts: 

$ ipa user-find
Copy to Clipboard Toggle word wrap

This command lists all user accounts with details.

11.4. Preserving users using the command line
Copy link

You can preserve a user account if you want to remove it, but keep the option to restore it later. To preserve a user account, use the --preserve option with the ipa user-del or ipa stageuser-del commands.

Prerequisites

Procedure

  1. Open terminal and connect to the IdM server.

  2. Preserve the user account with the following command: 

    $ ipa user-del --preserve user_login
--------------------
Deleted user "user_login"
--------------------
    Copy to Clipboard Toggle word wrap
    Note

    Despite the output saying the user account was deleted, it has been preserved.

11.5. Deleting users using the command line
Copy link

IdM (Identity Management) enables you to delete users permanently. You can delete:

  • Active users with the following command: ipa user-del
  • Stage users with the following command: ipa stageuser-del
  • Preserved users with the following command: ipa user-del

When deleting multiple users, use the --continue option to force the command to continue regardless of errors. A summary of the successful and failed operations is printed to the stdout standard output stream when the command completes. 

$ ipa user-del --continue user1 user2 user3
Copy to Clipboard Toggle word wrap

If you do not use --continue, the command proceeds with deleting users until it encounters an error, after which it stops and exits.

Prerequisites

Procedure

  1. Open terminal and connect to the IdM server.

  2. Delete the user account with the following command: 

    $ ipa user-del user_login
--------------------
Deleted user "user_login"
--------------------
    Copy to Clipboard Toggle word wrap

The user account has been permanently deleted from IdM.

11.6. Restoring users using the command line
Copy link

You can restore a preserved users to:

  • Active users: ipa user-undel
  • Stage users: ipa user-stage

Restoring a user account does not restore all of the account’s previous attributes. For example, the user’s password is not restored and must be set again.

Prerequisites

Procedure

  1. Open terminal and connect to the IdM server.

  2. Activate the user account with the following command: 

    $ ipa user-undel user_login
------------------------------
Undeleted user account "user_login"
------------------------------
    Copy to Clipboard Toggle word wrap

    Alternatively, you can restore user accounts as staged: 

    $ ipa user-stage user_login
------------------------------
Staged user account "user_login"
------------------------------
    Copy to Clipboard Toggle word wrap

Verification

  • You can verify if the new user account is successfully created by listing all IdM user accounts: 

    $ ipa user-find
    Copy to Clipboard Toggle word wrap

    This command lists all user accounts with details.

Identity Management (IdM) provides several stages that can help you to manage various user life cycle situations:

Creating a user account

Creating a stage user account before an employee starts their career in your company and be prepared in advance for the day when the employee appears in the office and want to activate the account.

You can omit this step and create the active user account directly. The procedure is similar to creating a stage user account.

Activating a user account
Activating the account the first working day of the employee.
Disabling a user account
If the user go to a parental leave for couple of months, you will need to disable the account temporarily.
Enabling a user account
When the user returns, you will need to re-enable the account.
Preserving a user account
If the user wants to leave the company, you will need to delete the account with a possibility to restore it because people can return to the company after some time.
Restoring a user account
Two years later, the user is back and you need to restore the preserved account.
Deleting a user account
If the employee is dismissed, delete the account without a backup.

12.1. User life cycle
Copy link

Identity Management (IdM) supports three user account states:

  • Stage users are not allowed to authenticate. This is an initial state. Some of the user account properties required for active users cannot be set, for example, group membership.
  • Active users are allowed to authenticate. All required user account properties must be set in this state.
  • Preserved users are former active users that are considered inactive and cannot authenticate to IdM. Preserved users retain most of the account properties they had as active users, but they are not part of any user groups.

A flow chart displaying 4 items: Active users - Stage users - Preserved users - Deleted users. Arrows communicate the relationships between each kind of user: Active users can be "preserved" as Preserved users. Preserved users can be "restored" as Active users. Preserved users can be "staged" as Stage users and Stage users can be "activated" into Active users. All users can be deleted to become "Deleted users".

You can delete user entries permanently from the IdM database.

Important

Deleted user accounts cannot be restored. When you delete a user account, all the information associated with the account is permanently lost.

A new administrator can only be created by a user with administrator rights, such as the default admin user. If you accidentally delete all administrator accounts, the Directory Manager must create a new administrator manually in the Directory Server.

Warning

Do not delete the admin user. As admin is a pre-defined user required by IdM, this operation causes problems with certain commands. If you want to define and use an alternative admin user, disable the pre-defined admin user with ipa user-disable admin after you granted admin permissions to at least one different user.

Warning

Do not add local users to IdM. The Name Service Switch (NSS) always resolves IdM users and groups before resolving local users and groups. This means that, for example, IdM group membership does not work for local users.

12.2. Adding users in the Web UI
Copy link

Usually, you need to create a new user account before a new employee starts to work. Such a stage account is not accessible and you need to activate it later.

Prerequisites

  • Administrator privileges for managing IdM or User Administrator role.

Procedure

  1. Log in to the IdM Web UI.

    For details, see Accessing the IdM Web UI in a web browser.

  2. Go to Users → Stage Users tab.

    Alternatively, you can add the user account in the Users → Active users, however, you cannot add user groups to the account.

  3. Click the + Add icon.

  4. Optional: In the User login field, add a login name.

    If you leave it empty, the IdM server creates the login name in the following pattern: The first letter of the first name and the surname. The whole login name can have up to 32 characters.

  5. Enter First name and Last name of the new user.

  6. Optional: In the GID drop down menu, select groups in which the user should be included.

    Note that this option is only available on the Active Users dialog box.

  7. Optional: In the Password and Verify password fields, enter your password and confirm it, ensuring they both match.
  8. Click the Add button.

At this point, you can see the user account in the Stage Users or Active Users table.

If you click on the user name, you can edit advanced settings, such as adding a phone number, address, or occupation.

Warning

IdM automatically assigns a unique user ID (UID) to new user accounts. You can assign a UID manually, or even modify an already existing UID. However, the server does not validate whether the new UID number is unique. Consequently, multiple user entries might have the same UID number assigned. A similar problem can occur with user private group IDs (GIDs) if you assign GIDs to user accounts manually. You can use the ipa user-find --uid=<uid> or ipa user-find --gidnumber=<gidnumber> commands on the IdM CLI to check if you have multiple user entries with the same ID.

You should not have multiple entries with the same UIDs or GIDs. If you have objects with duplicate IDs, security identifiers (SIDs) are not generated correctly. SIDs are crucial for trusts between IdM and Active Directory and for Kerberos authentication to work correctly.

12.3. Activating stage users in the IdM Web UI
Copy link

You must follow this procedure to activate a stage user account, before the user can log in to IdM and before the user can be added to an IdM group.

Prerequisites

  • Administrator privileges for managing the IdM Web UI or User Administrator role.
  • At least one staged user account in IdM.

Procedure

  1. Log in to the IdM Web UI.

    For details, see Accessing the IdM Web UI in a web browser.

  2. Go to Users → Stage users tab.
  3. Click the checkbox of the user account you want to activate.
  4. Click on the Activate button.
  5. Click OK on the Confirmation dialog box.

If the activation is successful, the IdM Web UI displays a green confirmation that the user has been activated and the user account has been moved to Active users. The account is active and the user can authenticate to the IdM domain and IdM Web UI. The user is prompted to change their password on the first login.

Additionally, at this stage, you can add the active user account to user groups.

12.4. Disabling user accounts in the Web UI
Copy link

You can disable active user accounts. Disabling a user account deactivates the account, therefore, user accounts cannot be used to authenticate and using IdM services, such as Kerberos, or perform any tasks.

Disabled user accounts still exist within IdM and all of the associated information remains unchanged. Unlike preserved user accounts, disabled user accounts remain in the active state and can be a member of user groups.

Note

After disabling a user account, any existing connections remain valid until the user’s Kerberos TGT and other tickets expire. After the ticket expires, the user will not be able to renew it.

Prerequisites

  • Administrator privileges for managing the IdM Web UI or User Administrator role.

Procedure

  1. Log in to the IdM Web UI.

    For details, see Accessing the IdM Web UI in a web browser.

  2. Go to Users → Active users tab.
  3. Click the checkbox of the user accounts you want to disable.
  4. Click the Disable button.
  5. Click the OK button on the Confirmation dialog box.

If the accounts are disabled successfully, you can verify this in the Status column in the Active users table.

12.5. Enabling user accounts in the Web UI
Copy link

With IdM you can enable disabled active user accounts. Enabling a user account activates the disabled account.

Prerequisites

  • Administrator privileges for managing the IdM Web UI or User Administrator role.

Procedure

  1. Log in to the IdM Web UI.
  2. Go to Users → Active users tab.
  3. Click the checkbox of the user accounts you want to enable.
  4. Click the Enable button.
  5. Click the OK button on the Confirmation dialog box.

If the change is successful, you can verify this in the Status column in the Active Users table.

12.6. Preserving active users in the IdM Web UI
Copy link

Preserving user accounts enables you to remove accounts from the Active users tab, yet keeping these accounts in IdM.

Preserve a user account if an employee leaves the company. If you want to disable user accounts for a couple of weeks or months (parental leave, for example), disable the account. For details, see Disabling user accounts in the Web UI. The preserved accounts are not active and users cannot use them to access your internal network, however, the account stays in the database with all the data.

You can move the restored accounts back to the active mode.

Prerequisites

  • Administrator privileges for managing the IdM (Identity Management) Web UI or User Administrator role.

Procedure

  1. Log in to the IdM Web UI.

    For details, see Accessing the IdM Web UI in a web browser.

  2. Go to Users → Active users tab.
  3. Click the checkbox of the user accounts you want to preserve.
  4. Click the Delete button.
  5. On the Remove users dialog box, click preserve.
  6. Click the Delete button.

The user account is moved to Preserved users.

If you need to restore preserved users, see the Restoring users in the IdM Web UI.

12.7. Restoring users in the IdM Web UI
Copy link

IdM (Identity Management) enables you to restore preserved user accounts back to the active state. You can restore a preserved user to an active user or a stage user.

Prerequisites

  • Administrator privileges for managing the IdM Web UI or User Administrator role.

Procedure

  1. Log in to the IdM Web UI.

    For details, see Accessing the IdM Web UI in a web browser.

  2. Go to Users → Preserved users tab.
  3. Click the checkbox at the user accounts you want to restore.
  4. Click the Restore button.
  5. On the Confirmation dialog box, click the OK button.

The IdM Web UI displays a green confirmation and moves the user accounts to the Active users tab.

12.8. Deleting users in the IdM Web UI
Copy link

Deleting users is an irreversible operation, causing the user accounts to be permanently deleted from the IdM database, including group memberships and passwords. Any external configuration for the user, such as the system account and home directory, is not deleted, but is no longer accessible through IdM.

You can delete:

  • Active users — the IdM Web UI offers you with the options:

  • Stage users — you can just delete stage users permanently.
  • Preserved users — you can delete preserved users permanently.

The following procedure describes deleting active users. Similarly, you can delete user accounts on:

  • The Stage users tab
  • The Preserved users tab

Prerequisites

  • Administrator privileges for managing the IdM Web UI or User Administrator role.

Procedure

  1. Log in to the IdM Web UI.

    For details, see Accessing the IdM Web UI in a web browser.

  2. Go to Users → Active users tab.

    Alternatively, you can delete the user account in the Users → Stage users or Users → Preserved users.

  3. Click the Delete icon.
  4. On the Remove users dialog box, click delete.
  5. Click the Delete button.

The users accounts are permanently deleted from IdM.

You can manage users in IdM using Ansible playbooks. After presenting the user life cycle, learn how to use Ansible playbooks to ensure the presence or absence of users listed directly directly in the YML file.

13.1. User life cycle
Copy link

Identity Management (IdM) supports three user account states:

  • Stage users are not allowed to authenticate. This is an initial state. Some of the user account properties required for active users cannot be set, for example, group membership.
  • Active users are allowed to authenticate. All required user account properties must be set in this state.
  • Preserved users are former active users that are considered inactive and cannot authenticate to IdM. Preserved users retain most of the account properties they had as active users, but they are not part of any user groups.

A flow chart displaying 4 items: Active users - Stage users - Preserved users - Deleted users. Arrows communicate the relationships between each kind of user: Active users can be "preserved" as Preserved users. Preserved users can be "restored" as Active users. Preserved users can be "staged" as Stage users and Stage users can be "activated" into Active users. All users can be deleted to become "Deleted users".

You can delete user entries permanently from the IdM database.

Important

Deleted user accounts cannot be restored. When you delete a user account, all the information associated with the account is permanently lost.

A new administrator can only be created by a user with administrator rights, such as the default admin user. If you accidentally delete all administrator accounts, the Directory Manager must create a new administrator manually in the Directory Server.

Warning

Do not delete the admin user. As admin is a pre-defined user required by IdM, this operation causes problems with certain commands. If you want to define and use an alternative admin user, disable the pre-defined admin user with ipa user-disable admin after you granted admin permissions to at least one different user.

Warning

Do not add local users to IdM. The Name Service Switch (NSS) always resolves IdM users and groups before resolving local users and groups. This means that, for example, IdM group membership does not work for local users.

The following procedure describes ensuring the presence of a user in IdM using an Ansible playbook.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the data of the user whose presence in IdM you want to ensure. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/user/add-user.yml file. For example, to create user named idm_user and add Password123 as the user password: 

    ---
- name: Playbook to handle users
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Create user idm_user
    ipauser:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: idm_user
      first: Alice
      last: Acme
      uid: 1000111
      gid: 10011
      phone: "+555123457"
      email: idm_user@acme.com
      passwordexpiration: "2023-01-19 23:59:59"
      password: "Password123"
      update_password: on_create
    Copy to Clipboard Toggle word wrap

    You must use the following options to add a user:

    • name: the login name
    • first: the first name string
    • last: the last name string

    For the full list of available user options, see the /usr/share/doc/ansible-freeipa/README-user.md Markdown file.

    Note

    If you use the update_password: on_create option, Ansible only creates the user password when it creates the user. If the user is already created with a password, Ansible does not generate a new password.

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/add-IdM-user.yml
    Copy to Clipboard Toggle word wrap

Verification

  • You can verify if the new user account exists in IdM by using the ipa user-show command:

    1. Log into ipaserver as admin: 

      $ ssh admin@server.idm.example.com
Password:
[admin@server /]$
      Copy to Clipboard Toggle word wrap

    2. Request a Kerberos ticket for admin: 

      $ kinit admin
Password for admin@IDM.EXAMPLE.COM:
      Copy to Clipboard Toggle word wrap

    3. Request information about idm_user: 

      $ ipa user-show idm_user
  User login: idm_user
  First name: Alice
  Last name: Acme
  ....
      Copy to Clipboard Toggle word wrap

    The user named idm_user is present in IdM.

The following procedure describes ensuring the presence of multiple users in IdM using an Ansible playbook.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the data of the users whose presence you want to ensure in IdM. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/user/ensure-users-present.yml file. For example, to create users idm_user_1, idm_user_2, and idm_user_3, and add Password123 as the password of idm_user_1: 

    ---
- name: Playbook to handle users
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Create user idm_users
    ipauser:
      ipaadmin_password: "{{ ipaadmin_password }}"
      users:
      - name: idm_user_1
        first: Alice
        last: Acme
        uid: 10001
        gid: 10011
        phone: "+555123457"
        email: idm_user@acme.com
        passwordexpiration: "2023-01-19 23:59:59"
        password: "Password123"
      - name: idm_user_2
        first: Bob
        last: Acme
        uid: 100011
        gid: 10011
      - name: idm_user_3
        first: Eve
        last: Acme
        uid: 1000111
        gid: 10011
    Copy to Clipboard Toggle word wrap
    Note

    If you do not specify the update_password: on_create option, Ansible resets the user password every time the playbook is run: if the user has changed the password since the last time the playbook was run, Ansible resets password.

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/add-users.yml
    Copy to Clipboard Toggle word wrap

Verification

  • You can verify if the user account exists in IdM by using the ipa user-show command:

    1. Log into ipaserver as administrator: 

      $ ssh administrator@server.idm.example.com
Password:
[admin@server /]$
      Copy to Clipboard Toggle word wrap

    2. Display information about idm_user_1: 

      $ ipa user-show idm_user_1
  User login: idm_user_1
  First name: Alice
  Last name: Acme
  Password: True
  ....
      Copy to Clipboard Toggle word wrap

    The user named idm_user_1 is present in IdM.

The following procedure describes how you can ensure the presence of multiple users in IdM using an Ansible playbook. The users are stored in a JSON file.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap
  2. Create an Ansible playbook file with the necessary tasks. Reference the JSON file with the data of the users whose presence you want to ensure. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/README-user.md file: 
---
- name: Ensure users' presence
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Include users_present.json
    include_vars:
      file: users_present.json

  - name: Users present
    ipauser:
      ipaadmin_password: "{{ ipaadmin_password }}"
      users: "{{ users }}"
Copy to Clipboard Toggle word wrap

  1. Create the users.json file, and add the IdM users into it. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/README-user.md file. For example, to create users idm_user_1, idm_user_2, and idm_user_3, and add Password123 as the password of idm_user_1: 

    {
  "users": [
   {
    "name": "idm_user_1",
    "first": "First 1",
    "last": "Last 1",
    "password": "Password123"
   },
   {
    "name": "idm_user_2",
    "first": "First 2",
    "last": "Last 2"
   },
   {
    "name": "idm_user_3",
    "first": "First 3",
    "last": "Last 3"
   }
  ]
}
    Copy to Clipboard Toggle word wrap

  2. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-users-present-jsonfile.yml
    Copy to Clipboard Toggle word wrap

Verification

  • You can verify if the user accounts are present in IdM using the ipa user-show command:

    1. Log into ipaserver as administrator: 

      $ ssh administrator@server.idm.example.com
Password:
[admin@server /]$
      Copy to Clipboard Toggle word wrap

    2. Display information about idm_user_1: 

      $ ipa user-show idm_user_1
  User login: idm_user_1
  First name: Alice
  Last name: Acme
  Password: True
  ....
      Copy to Clipboard Toggle word wrap

    The user named idm_user_1 is present in IdM.

The following procedure describes how you can use an Ansible playbook to ensure that specific users are absent from IdM.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the users whose absence from IdM you want to ensure. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/user/ensure-users-present.yml file. For example, to delete users idm_user_1, idm_user_2, and idm_user_3: 

    ---
- name: Playbook to handle users
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Delete users idm_user_1, idm_user_2, idm_user_3
    ipauser:
      ipaadmin_password: "{{ ipaadmin_password }}"
      users:
      - name: idm_user_1
      - name: idm_user_2
      - name: idm_user_3
      state: absent
    Copy to Clipboard Toggle word wrap

  3. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/delete-users.yml
    Copy to Clipboard Toggle word wrap

Verification

You can verify that the user accounts do not exist in IdM by using the ipa user-show command:

  1. Log into ipaserver as administrator: 

    $ ssh administrator@server.idm.example.com
Password:
[admin@server /]$
    Copy to Clipboard Toggle word wrap

  2. Request information about idm_user_1: 

    $ ipa user-show idm_user_1
ipa: ERROR: idm_user_1: user not found
    Copy to Clipboard Toggle word wrap

    The user named idm_user_1 does not exist in IdM.

Chapter 14. Managing user groups in IdM CLI
Copy link

Learn about user groups management using the IdM CLI. A user group is a set of users with common privileges, password policies, and other characteristics.

A user group in Identity Management (IdM) can include:

  • IdM users
  • other IdM user groups
  • external users, which are users that exist outside of IdM

14.1. The different group types in IdM
Copy link

IdM supports the following types of groups:

POSIX groups (the default)

POSIX groups support Linux POSIX attributes for their members. Note that groups that interact with Active Directory cannot use POSIX attributes.

POSIX attributes identify users as separate entities. Examples of POSIX attributes relevant to users include uidNumber, a user number (UID), and gidNumber, a group number (GID).

Non-POSIX groups

Non-POSIX groups do not support POSIX attributes. For example, these groups do not have a GID defined.

All members of this type of group must belong to the IdM domain.

External groups

Use external groups to add group members that exist in an identity store outside of the IdM domain, such as:

  • A local system
  • An Active Directory domain
  • A directory service

External groups do not support POSIX attributes. For example, these groups do not have a GID defined.

Expand
Table 14.1. User groups created by default
Group nameDefault group members

ipausers

All IdM users

admins

Users with administrative privileges, including the default admin user

editors

This is a legacy group that no longer has any special privileges

trust admins

Users with privileges to manage the Active Directory trusts

When you add a user to a user group, the user gains the privileges and policies associated with the group. For example, to grant administrative privileges to a user, add the user to the admins group.

Warning

Do not delete the admins group. As admins is a pre-defined group required by IdM, this operation causes problems with certain commands.

In addition, IdM creates user private groups by default whenever a new user is created in IdM. For more information about private groups, see Adding users without a private group.

14.2. Direct and indirect group members
Copy link

User group attributes in IdM apply to both direct and indirect members: when group B is a member of group A, all users in group B are considered indirect members of group A.

For example, in the following diagram:

  • User 1 and User 2 are direct members of group A.
  • User 3, User 4, and User 5 are indirect members of group A.

Figure 14.1. Direct and Indirect Group Membership

A chart with Group A (with 2 users) and Group B (with 3 users). Group B is nested inside Group A so Group A contains a total of 5 users.
View larger image
A chart with Group A (with 2 users) and Group B (with 3 users). Group B is nested inside Group A so Group A contains a total of 5 users.

If you set a password policy for user group A, the policy also applies to all users in user group B.

14.3. Adding a user group using IdM CLI
Copy link

Follow this procedure to add a user group using the IdM CLI.

Prerequisites

Procedure

  • Add a user group by using the ipa group-add group_name command. For example, to create group_a: 

    $ ipa group-add group_a
---------------------
Added group "group_a"
---------------------
  Group name: group_a
  GID: 1133400009
    Copy to Clipboard Toggle word wrap

By default, ipa group-add adds a POSIX user group. To specify a different group type, add options to ipa group-add:

  • --nonposix to create a non-POSIX group
  • --external to create an external group

For details on group types, see The different group types in IdM.

You can specify a custom GID when adding a user group by using the --gid=custom_GID option. If you do this, be careful to avoid ID conflicts. If you do not specify a custom GID, IdM automatically assigns a GID from the available ID range.

14.4. Searching for user groups using IdM CLI
Copy link

Follow this procedure to search for existing user groups using the IdM CLI.

Procedure

  • Display all user groups by using the ipa group-find command. To specify a group type, add options to ipa group-find:

    • Display all POSIX groups using the ipa group-find --posix command.
    • Display all non-POSIX groups using the ipa group-find --nonposix command.
    • Display all external groups using the ipa group-find --external command.

For more information about different group types, see The different group types in IdM.

14.5. Deleting a user group using IdM CLI
Copy link

Follow this procedure to delete a user group using IdM CLI. Note that deleting a group does not delete the group members from IdM.

Prerequisites

Procedure

  • Delete a user group by using the ipa group-del group_name command. For example, to delete group_a: 

    $ ipa group-del group_a
--------------------------
Deleted group "group_a"
--------------------------
    Copy to Clipboard Toggle word wrap

You can add both users and user groups as members of a user group. For more information, see The different group types in IdM and Direct and indirect group members. Follow this procedure to add a member to a user group by using the IdM CLI.

Prerequisites

Procedure

  • Add a member to a user group by using the ipa group-add-member command.

    Specify the type of member using these options:

    • --users adds an IdM user
    • --external adds a user that exists outside the IdM domain, in the format of DOMAIN\user_name or user_name@domain
    • --groups adds an IdM user group

    For example, to add group_b as a member of group_a: 

    $ ipa group-add-member group_a --groups=group_b
Group name: group_a
GID: 1133400009
Member users: user_a
Member groups: group_b
Indirect Member users: user_b
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap

    Members of group_b are now indirect members of group_a.

Important

When adding a group as a member of another group, do not create recursive groups. For example, if Group A is a member of Group B, do not add Group B as a member of Group A. Recursive groups can cause unpredictable behavior.

Note

After you add a member to a user group, the update may take some time to spread to all clients in your Identity Management environment. This is because when any given host resolves users, groups and netgroups, the System Security Services Daemon (SSSD) first looks into its cache and performs server lookups only for missing or expired records.

14.7. Adding users without a user private group
Copy link

By default, IdM creates user private groups (UPGs) whenever a new user is created in IdM. UPGs are a specific group type:

  • The UPG has the same name as the newly created user.
  • The user is the only member of the UPG. The UPG cannot contain any other members.
  • The GID of the private group matches the UID of the user.

However, it is possible to add users without creating a UPG.

14.7.1. Users without a user private group
Copy link

If a NIS group or another system group already uses the GID that would be assigned to a user private group, it is necessary to avoid creating a UPG.

You can do this in two ways:

In both cases, IdM will require specifying a GID when adding new users, otherwise the operation will fail. This is because IdM requires a GID for the new user, but the default user group ipausers is a non-POSIX group and therefore does not have an associated GID. The GID you specify does not have to correspond to an already existing group.

Note

Specifying the GID does not create a new group. It only sets the GID attribute for the new user, because the attribute is required by IdM.

You can add a user without creating a user private group (UPG) even when UPGs are enabled on the system. This requires manually setting a GID for the new user. For details on why this is needed, see Users without a user private group.

Procedure

  • To prevent IdM from creating a UPG, add the --noprivate option to the ipa user-add command.

    Note that for the command to succeed, you must specify a custom GID. For example, to add a new user with GID 10000: 

    $ ipa user-add jsmith --first=John --last=Smith --noprivate --gid 10000
    Copy to Clipboard Toggle word wrap

You can disable user private groups (UPGs) globally. This prevents the creation of UPGs for all new users. Existing users are unaffected by this change.

Procedure

  1. Obtain administrator privileges: 

    $ kinit admin
    Copy to Clipboard Toggle word wrap

  2. IdM uses the Directory Server Managed Entries Plug-in to manage UPGs. List the instances of the plug-in: 

    $ ipa-managed-entries --list
    Copy to Clipboard Toggle word wrap

  3. To ensure IdM does not create UPGs, disable the plug-in instance responsible for managing user private groups: 

    $ ipa-managed-entries -e "UPG Definition" disable
Disabling Plugin
    Copy to Clipboard Toggle word wrap

    To re-enable the UPG Definition instance later, use the ipa-managed-entries -e "UPG Definition" enable command.

  4. Restart Directory Server to load the new configuration. 

    $ sudo systemctl restart dirsrv.target
    Copy to Clipboard Toggle word wrap

    To add a user after UPGs have been disabled, you need to specify a GID. For more information, see Adding a user when user private groups are globally disabled

Verification

  • To check if UPGs are globally disabled, use the disable command again: 

    $ ipa-managed-entries -e "UPG Definition" disable
Plugin already disabled
    Copy to Clipboard Toggle word wrap

When user private groups (UPGs) are disabled globally, IdM does not assign a GID to a new user automatically. To successfully add a user, you must assign a GID manually or by using an automember rule. For details on why this is required, see Users without a user private group.

Prerequisites

Procedure

  • To make sure adding a new user succeeds when creating UPGs is disabled, choose one of the following:

    • Specify a custom GID when adding a new user. The GID does not have to correspond to an already existing user group.

      For example, when adding a user from the command line, add the --gid option to the ipa user-add command.

    • Use an automember rule to add the user to an existing group with a GID.

Follow this procedure to add users or groups as member managers to an IdM user group using the IdM CLI. Member managers can add users or groups to IdM user groups but cannot change the attributes of a group.

Prerequisites

  • You must be logged in as the administrator. For details, see Using kinit to log in to IdM manually.
  • You must have the name of the user or group you are adding as member managers and the name of the group you want them to manage.

Procedure

  • Add a user as a member manager to an IdM user group by using the ipa group-add-member-manager command.

    For example, to add the user test as a member manager of group_a: 

    $ ipa group-add-member-manager group_a --users=test
Group name: group_a
GID: 1133400009
Membership managed by users: test
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap

    User test can now manage members of group_a.

  • Add a group as a member manager to an IdM user group by using the ipa group-add-member-manager command.

    For example, to add the group group_admins as a member manager of group_a: 

    $ ipa group-add-member-manager group_a --groups=group_admins
Group name: group_a
GID: 1133400009
Membership managed by groups: group_admins
Membership managed by users: test
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap

    Group group_admins can now manage members of group_a.

Note

After you add a member manager to a user group, the update may take some time to spread to all clients in your Identity Management environment.

Verification

  • Using the ipa group-show command to verify the user and group were added as member managers. 

    $ ipa group-show group_a
Group name: group_a
GID: 1133400009
Membership managed by groups: group_admins
Membership managed by users: test
    Copy to Clipboard Toggle word wrap

14.9. Viewing group members using IdM CLI
Copy link

Follow this procedure to view members of a group using IdM CLI. You can view both direct and indirect group members. For more information, see Direct and indirect group members.

Procedure

  • To list members of a group, use the ipa group-show group_name command. For example: 

    $ ipa group-show group_a
  ...
  Member users: user_a
  Member groups: group_b
  Indirect Member users: user_b
    Copy to Clipboard Toggle word wrap
    Note

    The list of indirect members does not include external users from trusted Active Directory domains. The Active Directory trust user objects are not visible in the Identity Management interface because they do not exist as LDAP objects within Identity Management.

Follow this procedure to remove a member from a user group using IdM CLI.

Prerequisites

Procedure

  1. Optional: Use the ipa group-show command to confirm that the group includes the member you want to remove.

  2. Remove a member from a user group by using the ipa group-remove-member command.

    Specify members to remove using these options:

    • --users removes an IdM user
    • --external removes a user that exists outside the IdM domain, in the format of DOMAIN\user_name or user_name@domain
    • --groups removes an IdM user group

    For example, to remove user1, user2, and group1 from a group called group_name: 

    $ ipa group-remove-member group_name --users=user1 --users=user2 --groups=group1
    Copy to Clipboard Toggle word wrap

Follow this procedure to remove users or groups as member managers from an IdM user group using the IdM CLI. Member managers can remove users or groups from IdM user groups but cannot change the attributes of a group.

Prerequisites

  • You must be logged in as the administrator. For details, see Using kinit to log in to IdM manually.
  • You must have the name of the existing member manager user or group you are removing and the name of the group they are managing.

Procedure

  • Remove a user as a member manager of an IdM user group by using the ipa group-remove-member-manager command.

    For example, to remove the user test as a member manager of group_a: 

    $ ipa group-remove-member-manager group_a --users=test
Group name: group_a
GID: 1133400009
Membership managed by groups: group_admins
---------------------------
Number of members removed 1
---------------------------
    Copy to Clipboard Toggle word wrap

    User test can no longer manage members of group_a.

  • Remove a group as a member manager of an IdM user group by using the ipa group-remove-member-manager command.

    For example, to remove the group group_admins as a member manager of group_a: 

    $ ipa group-remove-member-manager group_a --groups=group_admins
Group name: group_a
GID: 1133400009
---------------------------
Number of members removed 1
---------------------------
    Copy to Clipboard Toggle word wrap

    Group group_admins can no longer manage members of group_a.

Note

After you remove a member manager from a user group, the update may take some time to spread to all clients in your Identity Management environment.

Verification

  • Using the ipa group-show command to verify the user and group were removed as member managers. 

    $ ipa group-show group_a
Group name: group_a
GID: 1133400009
    Copy to Clipboard Toggle word wrap

Groups are either centrally managed, provided by a domain such as Identity Management (IdM) or Active Directory (AD), or they are managed on a local system in the etc/group file. In most cases, users rely on a centrally managed store. However, in some cases software still relies on membership in known groups for managing access control.

If you want to manage groups from a domain controller and from the local etc/group file, you can enable group merging. You can configure your nsswitch.conf file to check both the local files and the remote service. If a group appears in both, the list of member users is combined and returned in a single response.

The steps below describe how to enable group merging for a user, idmuser.

Note

In RHEL 9.6 or later, if you are using the authselect utility, you no longer need to manually edit nssswitch.conf to enable group merging. It is now integrated into authselect profiles, eliminating the need for manual changes.

Procedure

  1. Add [SUCCESS=merge] to the /etc/nsswitch.conf file: 

    # Allow initgroups to default to the setting for group.
initgroups: sss [SUCCESS=merge] files
    Copy to Clipboard Toggle word wrap

  2. Add the idmuser to IdM: 

    # ipa user-add idmuser
First name: idm
Last name: user
---------------------
Added user "idmuser"
---------------------
User login: idmuser
First name: idm
Last name: user
Full name: idm user
Display name: idm user
Initials: tu
Home directory: /home/idmuser
GECOS: idm user
Login shell: /bin/sh
Principal name: idmuser@IPA.TEST
Principal alias: idmuser@IPA.TEST
Email address: idmuser@ipa.test
UID: 19000024
GID: 19000024
Password: False
Member of groups: ipausers
Kerberos keys available: False
    Copy to Clipboard Toggle word wrap

  3. Verify the GID of the local audio group. 

    $ getent group audio
---------------------
audio:x:63
    Copy to Clipboard Toggle word wrap

  4. Add the group audio to IdM: 

    $ ipa group-add audio --gid 63
-------------------
Added group "audio"
-------------------
Group name: audio
GID: 63
    Copy to Clipboard Toggle word wrap
    Note

    The GID you define when adding the audio group to IdM must be the same as the GID of the local audio group.

  5. Add idmuser user to the IdM audio group: 

    $ ipa group-add-member audio --users=idmuser
Group name: audio
GID: 63
Member users: idmuser
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap

Verification

  1. Log in as the idmuser.

  2. Verify the idmuser has the local group in their session: 

    $ id idmuser
uid=1867800003(idmuser) gid=1867800003(idmuser) groups=1867800003(idmuser),63(audio),10(wheel)
    Copy to Clipboard Toggle word wrap

You can use the ansible-freeipa group and idoverrideuser modules to make Identity Management (IdM) or Active Directory (AD) users members of the local audio group on an IdM client. This grants the IdM or AD users privileged access to the sound card on the host.

The procedure uses the example of the Default Trust View ID view to which the aduser@addomain.com ID override is added in the first playbook task. In the next playbook task, an audio group is created in IdM with the GID of 63, which corresponds to the GID of local audio groups on RHEL hosts. At the same time, the aduser@addomain.com ID override is added to the IdM audio group as a member.

Prerequisites

  • You have root access to the IdM client on which you want to perform the first part of the procedure. In the example, this is client.idm.example.com.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package on the Ansible controller.
    • You are using RHEL 8.10 or later.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The AD forest is in trust with IdM. In the example, the name of the AD domain is addomain.com and the fully-qualified domain name (FQDN) of the AD user whose presence in the local audio group is being ensured is aduser@addomain.com.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. On client.idm.example.com, add [SUCCESS=merge] to the /etc/nsswitch.conf file: 

    [...]
# Allow initgroups to default to the setting for group.
initgroups: sss [SUCCESS=merge] files
    Copy to Clipboard Toggle word wrap

  2. Identify the GID of the local audio group: 

    $ getent group audio
---------------------
audio:x:63
    Copy to Clipboard Toggle word wrap

  3. On your Ansible control node, create an add-aduser-to-audio-group.yml playbook with a task to add the aduser@addomain.com user override to the Default Trust View: 

    ---
- name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false

  tasks:
  - name: Add aduser@addomain.com user to the Default Trust View
    ipaidoverrideuser:
      ipaadmin_password: "{{ ipaadmin_password }}"
      idview: "Default Trust View"
      anchor: aduser@addomain.com
    Copy to Clipboard Toggle word wrap

  4. Use another playbook task in the same playbook to add the group audio to IdM with the GID of 63. Add the aduser idoverrideuser to the group: 

      - name: Add the audio group with the aduser member and GID of 63
    ipagroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: audio
      idoverrideuser:
      - aduser@addomain.com
      gidnumber: 63
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory add-aduser-to-audio-group.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. Log in to the IdM client as the AD user: 

    $ ssh aduser@addomain.com@client.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Verify the group membership of the AD user: 

    $ id aduser@addomain.com
uid=702801456(aduser@addomain.com) gid=63(audio) groups=63(audio)
    Copy to Clipboard Toggle word wrap

Chapter 15. Managing user groups in IdM Web UI
Copy link

This chapter introduces user groups management using the IdM web UI.

A user group is a set of users with common privileges, password policies, and other characteristics.

A user group in Identity Management (IdM) can include:

  • IdM users
  • other IdM user groups
  • external users, which are users that exist outside of IdM

15.1. The different group types in IdM
Copy link

IdM supports the following types of groups:

POSIX groups (the default)

POSIX groups support Linux POSIX attributes for their members. Note that groups that interact with Active Directory cannot use POSIX attributes.

POSIX attributes identify users as separate entities. Examples of POSIX attributes relevant to users include uidNumber, a user number (UID), and gidNumber, a group number (GID).

Non-POSIX groups

Non-POSIX groups do not support POSIX attributes. For example, these groups do not have a GID defined.

All members of this type of group must belong to the IdM domain.

External groups

Use external groups to add group members that exist in an identity store outside of the IdM domain, such as:

  • A local system
  • An Active Directory domain
  • A directory service

External groups do not support POSIX attributes. For example, these groups do not have a GID defined.

Expand
Table 15.1. User groups created by default
Group nameDefault group members

ipausers

All IdM users

admins

Users with administrative privileges, including the default admin user

editors

This is a legacy group that no longer has any special privileges

trust admins

Users with privileges to manage the Active Directory trusts

When you add a user to a user group, the user gains the privileges and policies associated with the group. For example, to grant administrative privileges to a user, add the user to the admins group.

Warning

Do not delete the admins group. As admins is a pre-defined group required by IdM, this operation causes problems with certain commands.

In addition, IdM creates user private groups by default whenever a new user is created in IdM. For more information about private groups, see Adding users without a private group.

15.2. Direct and indirect group members
Copy link

User group attributes in IdM apply to both direct and indirect members: when group B is a member of group A, all users in group B are considered indirect members of group A.

For example, in the following diagram:

  • User 1 and User 2 are direct members of group A.
  • User 3, User 4, and User 5 are indirect members of group A.

Figure 15.1. Direct and Indirect Group Membership

A chart with Group A (with 2 users) and Group B (with 3 users). Group B is nested inside Group A so Group A contains a total of 5 users.
View larger image
A chart with Group A (with 2 users) and Group B (with 3 users). Group B is nested inside Group A so Group A contains a total of 5 users.

If you set a password policy for user group A, the policy also applies to all users in user group B.

15.3. Adding a user group using IdM Web UI
Copy link

Follow this procedure to add a user group using the IdM Web UI.

Prerequisites

  • You are logged in to the IdM Web UI.

Procedure

  1. Click Identity → Groups, and select User Groups in the left sidebar.
  2. Click Add to start adding the group.

  3. Fill out the information about the group. For more information about user group types, see The different group types in IdM.

    You can specify a custom GID for the group. If you do this, be careful to avoid ID conflicts. If you do not specify a custom GID, IdM automatically assigns a GID from the available ID range.

  4. Click Add to confirm.

15.4. Deleting a user group using IdM Web UI
Copy link

Follow this procedure to delete a user group using the IdM Web UI. Note that deleting a group does not delete the group members from IdM.

Prerequisites

  • You are logged in to the IdM Web UI.

Procedure

  1. Click Identity → Groups and select User Groups.
  2. Select the group to delete.
  3. Click Delete.
  4. Click Delete to confirm.

You can add both users and user groups as members of a user group. For more information, see The different group types in IdM and Direct and indirect group members.

Prerequisites

  • You are logged in to the IdM Web UI.

Procedure

  1. Click Identity → Groups and select User Groups in the left sidebar.
  2. Click the name of the group.
  3. Select the type of group member you want to add: Users, User Groups, or External.
  4. Click Add.
  5. Select the checkbox next to one or more members you want to add.
  6. Click the right arrow to move the selected members to the group.
  7. Click Add to confirm.

Follow this procedure to add users or groups as member managers to an IdM user group using the Web UI. Member managers can add users or groups to IdM user groups but cannot change the attributes of a group.

Prerequisites

  • You are logged in to the IdM Web UI.
  • You must have the name of the user or group you are adding as member managers and the name of the group you want them to manage.

Procedure

  1. Click Identity → Groups and select User Groups in the left sidebar.
  2. Click the name of the group.
  3. Select the type of group member manager you want to add: Users or User Groups.
  4. Click Add.
  5. Select the checkbox next to one or more members you want to add.
  6. Click the right arrow to move the selected members to the group.
  7. Click Add to confirm.
Note

After you add a member manager to a user group, the update may take some time to spread to all clients in your Identity Management environment.

Verification

  • Verify the newly added user or user group has been added to the member manager list of users or user groups:

    groups member manager added
    View larger image
    groups member manager added

15.7. Viewing group members using IdM Web UI
Copy link

Follow this procedure to view members of a group using the IdM Web UI. You can view both direct and indirect group members. For more information, see Direct and indirect group members.

Prerequisites

  • You are logged in to the IdM Web UI.

Procedure

  1. Select Identity → Groups.
  2. Select User Groups in the left sidebar.
  3. Click the name of the group you want to view.
  4. Switch between Direct Membership and Indirect Membership.

Follow this procedure to remove a member from a user group using the IdM Web UI.

Prerequisites

  • You are logged in to the IdM Web UI.

Procedure

  1. Click Identity → Groups and select User Groups in the left sidebar.
  2. Click the name of the group.
  3. Select the type of group member you want to remove: Users, User Groups, or External.
  4. Select the checkbox next to the member you want to remove.
  5. Click Delete.
  6. Click Delete to confirm.

Follow this procedure to remove users or groups as member managers from an IdM user group using the Web UI. Member managers can remove users or groups from IdM user groups but cannot change the attributes of a group.

Prerequisites

  • You are logged in to the IdM Web UI.
  • You must have the name of the existing member manager user or group you are removing and the name of the group they are managing.

Procedure

  1. Click Identity → Groups and select User Groups in the left sidebar.
  2. Click the name of the group.
  3. Select the type of member manager you want to remove: Users or User Groups.
  4. Select the checkbox next to the member manager you want to remove.
  5. Click Delete.
  6. Click Delete to confirm.
Note

After you remove a member manager from a user group, the update may take some time to spread to all clients in your Identity Management environment.

Verification

  • Verify the user or user group has been removed from the member manager list of users or user groups:

    groups member manager removed
    View larger image
    groups member manager removed

This section introduces user group management using Ansible playbooks.

A user group is a set of users with common privileges, password policies, and other characteristics.

A user group in Identity Management (IdM) can include:

  • IdM users
  • other IdM user groups
  • external users, which are users that exist outside of IdM

16.1. The different group types in IdM
Copy link

IdM supports the following types of groups:

POSIX groups (the default)

POSIX groups support Linux POSIX attributes for their members. Note that groups that interact with Active Directory cannot use POSIX attributes.

POSIX attributes identify users as separate entities. Examples of POSIX attributes relevant to users include uidNumber, a user number (UID), and gidNumber, a group number (GID).

Non-POSIX groups

Non-POSIX groups do not support POSIX attributes. For example, these groups do not have a GID defined.

All members of this type of group must belong to the IdM domain.

External groups

Use external groups to add group members that exist in an identity store outside of the IdM domain, such as:

  • A local system
  • An Active Directory domain
  • A directory service

External groups do not support POSIX attributes. For example, these groups do not have a GID defined.

Expand
Table 16.1. User groups created by default
Group nameDefault group members

ipausers

All IdM users

admins

Users with administrative privileges, including the default admin user

editors

This is a legacy group that no longer has any special privileges

trust admins

Users with privileges to manage the Active Directory trusts

When you add a user to a user group, the user gains the privileges and policies associated with the group. For example, to grant administrative privileges to a user, add the user to the admins group.

Warning

Do not delete the admins group. As admins is a pre-defined group required by IdM, this operation causes problems with certain commands.

In addition, IdM creates user private groups by default whenever a new user is created in IdM. For more information about private groups, see Adding users without a private group.

16.2. Direct and indirect group members
Copy link

User group attributes in IdM apply to both direct and indirect members: when group B is a member of group A, all users in group B are considered indirect members of group A.

For example, in the following diagram:

  • User 1 and User 2 are direct members of group A.
  • User 3, User 4, and User 5 are indirect members of group A.

Figure 16.1. Direct and Indirect Group Membership

A chart with Group A (with 2 users) and Group B (with 3 users). Group B is nested inside Group A so Group A contains a total of 5 users.
View larger image
A chart with Group A (with 2 users) and Group B (with 3 users). Group B is nested inside Group A so Group A contains a total of 5 users.

If you set a password policy for user group A, the policy also applies to all users in user group B.

The following procedure describes ensuring the presence of IdM groups and group members - both users and user groups - using an Ansible playbook.

Prerequisites

  • You know the IdM administrator password.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The users you want to reference in your Ansible playbook exist in IdM. For details on ensuring the presence of users using Ansible, see Managing user accounts using Ansible playbooks.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the necessary user and group information: 

    ---
- name: Playbook to handle groups
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Create group ops with gid 1234
    ipagroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: ops
      gidnumber: 1234

  - name: Create group sysops
    ipagroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: sysops
      user:
      - idm_user

  - name: Create group appops
    ipagroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: appops

  - name: Add group members sysops and appops to group ops
    ipagroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: ops
      group:
      - sysops
      - appops
    Copy to Clipboard Toggle word wrap

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/add-group-members.yml
    Copy to Clipboard Toggle word wrap

Verification

You can verify if the ops group contains sysops and appops as direct members and idm_user as an indirect member by using the ipa group-show command:

  1. Log into ipaserver as administrator: 

    $ ssh admin@server.idm.example.com
Password:
[admin@server /]$
    Copy to Clipboard Toggle word wrap

  2. Display information about ops: 

    ipaserver]$ ipa group-show ops
  Group name: ops
  GID: 1234
  Member groups: sysops, appops
  Indirect Member users: idm_user
    Copy to Clipboard Toggle word wrap

    The appops and sysops groups - the latter including the idm_user user - exist in IdM.

You can use the ansible-freeipa ipagroup module to add, modify, and delete multiple Identity Management (IdM) user groups with a single Ansible task. For that, use the groups option of the ipagroup module.

Using the groups option, you can also specify multiple group variables that only apply to a particular group. Define this group by the name variable, which is the only mandatory variable for the groups option.

Complete this procedure to ensure the presence of the sysops and the appops groups in IdM in a single task. Define the sysops group as a nonposix group and the appops group as an external group.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • You have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server in the ~/MyPlaybooks/ directory.
    • You are using RHEL 8.9 and later.
    • You have stored your ipaadmin_password in the secret.yml Ansible vault.

Procedure

  1. Create your Ansible playbook file add-nonposix-and-external-groups.yml with the following content: 

    ---
- name: Playbook to add nonposix and external groups
  hosts: ipaserver
  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml

  tasks:
  - name: Add nonposix group sysops and external group appops
    ipagroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      groups:
      - name: sysops
        nonposix: true
      - name: appops
        external: true
    Copy to Clipboard Toggle word wrap

  2. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i <path_to_inventory_directory>/hosts <path_to_playbooks_directory>/add-nonposix-and-external-groups.yml
    Copy to Clipboard Toggle word wrap

You can use the ansible-freeipa idoverrideuser and group modules to create a user ID override for an Active Directory (AD) user from a trusted AD domain and give that user rights identical to those of an IdM user. The procedure uses the example of the Default Trust View ID view to which the ad_user@ad.example.com ID override of a user stored in AD is added in the first playbook task. In the next playbook task, the ad_user@ad.example.com ID override is added to the IdM admins group as a member. As a result, an AD administrator can administer IdM without having two different accounts and passwords.

Prerequisites

  • You know the IdM admin password.
  • You have installed a trust with AD.
  • The group to which you are adding the user ID override already exists in IdM.
  • You are using the 4.8.7 version of IdM or later. To view the version of IdM you have installed on your server, enter ipa --version.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You are using RHEL 8.10 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The AD forest is in trust with IdM. In the example, the name of the AD domain is ad.example.com and the fully-qualified domain name (FQDN) of the AD administrator is ad_user@ad.example.com.
  • The ipaserver host in the inventory file is configured as a trust controller or a trust agent.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Create an enable-ad-admin-to-administer-idm.yml playbook with a task to add the ad_user@ad.example.com user override to the Default Trust View: 

    ---
- name: Enable AD administrator to act as a FreeIPA admin
  hosts: ipaserver
  become: false
  gather_facts: false

  tasks:
  - name: Ensure idoverride for ad_user@ad.example.com in 'Default Trust View'
    ipaidoverrideuser:
      ipaadmin_password: "{{ ipaadmin_password }}"
      idview: "Default Trust View"
      anchor: ad_user@ad.example.com
    Copy to Clipboard Toggle word wrap

    In the example:

    • ad_user@ad.example.com is the user ID override of an AD user that is stored in the AD domain with which a trust has been established.

  3. Use another playbook task in the same playbook to add the AD administrator user ID override to the admins group: 

      - name: Add the AD administrator to `admins` group
    ipagroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: admins
      idoverrideuser:
      - ad_user@ad.example.com
    Copy to Clipboard Toggle word wrap

    In the example:

    • admins is the name of the IdM POSIX group to which you are adding the ad_user@ad.example.com ID override. Members of this group have full administrator privileges.
  4. Save the file.

  5. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory enable-ad-admin-to-administer-idm.yml
    Copy to Clipboard Toggle word wrap

Next steps

The following procedure describes ensuring the presence of IdM member managers - both users and user groups - using an Ansible playbook.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • You must have the name of the user or group you are adding as member managers and the name of the group you want them to manage.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the necessary user and group member management information: 

    ---
- name: Playbook to handle membership management
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure user test is present for group_a
    ipagroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: group_a
      membermanager_user: test

  - name: Ensure group_admins is present for group_a
    ipagroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: group_a
      membermanager_group: group_admins
    Copy to Clipboard Toggle word wrap

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/add-member-managers-user-groups.yml
    Copy to Clipboard Toggle word wrap

Verification

You can verify if the group_a group contains test as a member manager and group_admins is a member manager of group_a by using the ipa group-show command:

  1. Log into ipaserver as administrator: 

    $ ssh admin@server.idm.example.com
Password:
[admin@server /]$
    Copy to Clipboard Toggle word wrap

  2. Display information about managergroup1: 

    ipaserver]$ ipa group-show group_a
  Group name: group_a
  GID: 1133400009
  Membership managed by groups: group_admins
  Membership managed by users: test
    Copy to Clipboard Toggle word wrap

The following procedure describes ensuring the absence of IdM member managers - both users and user groups - using an Ansible playbook.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • You must have the name of the existing member manager user or group you are removing and the name of the group they are managing.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the necessary user and group member management information: 

    ---
- name: Playbook to handle membership management
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure member manager user and group members are absent for group_a
    ipagroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: group_a
      membermanager_user: test
      membermanager_group: group_admins
      action: member
      state: absent
    Copy to Clipboard Toggle word wrap

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-member-managers-are-absent.yml
    Copy to Clipboard Toggle word wrap

Verification

You can verify if the group_a group does not contain test as a member manager and group_admins as a member manager of group_a by using the ipa group-show command:

  1. Log into ipaserver as administrator: 

    $ ssh admin@server.idm.example.com
Password:
[admin@server /]$
    Copy to Clipboard Toggle word wrap

  2. Display information about group_a: 

    ipaserver]$ ipa group-show group_a
  Group name: group_a
  GID: 1133400009
    Copy to Clipboard Toggle word wrap

Using automatic group membership allows you to assign users and hosts to groups automatically based on their attributes. For example, you can:

  • Divide employees' user entries into groups based on the employees' manager, location, or any other attribute.
  • Divide hosts based on their class, location, or any other attribute.
  • Add all users or all hosts to a single global group.

17.1. Benefits of automatic group membership
Copy link

Using automatic membership for users allows you to:

  • Reduce the overhead of manually managing group memberships

    You no longer have to assign every user and host to groups manually.

  • Improve consistency in user and host management

    Users and hosts are assigned to groups based on strictly defined and automatically evaluated criteria.

  • Simplify the management of group-based settings

    Various settings are defined for groups and then applied to individual group members, for example sudo rules, automount, or access control. Adding users and hosts to groups automatically makes managing these settings easier.

17.2. Automember rules
Copy link

When configuring automatic group membership, the administrator defines automember rules. An automember rule applies to a specific user or host target group. It cannot apply to more than one group at a time.

After creating a rule, the administrator adds conditions to it. These specify which users or hosts get included or excluded from the target group:

  • Inclusive conditions

    When a user or host entry meets an inclusive condition, it will be included in the target group.

  • Exclusive conditions

    When a user or host entry meets an exclusive condition, it will not be included in the target group.

The conditions are specified as regular expressions in the Perl-compatible regular expressions (PCRE) format. For more information about PCRE, see the pcresyntax(3) man page on your system.

Note

IdM evaluates exclusive conditions before inclusive conditions. In case of a conflict, exclusive conditions take precedence over inclusive conditions.

An automember rule applies to every entry created in the future. These entries will be automatically added to the specified target group. If an entry meets the conditions specified in multiple automember rules, it will be added to all the corresponding groups.

Existing entries are not affected by the new rule. If you want to change existing entries, see Applying automember rules to existing entries using IdM CLI.

17.3. Adding an automember rule using IdM CLI
Copy link

Follow this procedure to add an automember rule using the IdM CLI. For information about automember rules, see Automember rules.

After adding an automember rule, you can add conditions to it using the procedure described in Adding a condition to an automember rule.

Note

Existing entries are not affected by the new rule. If you want to change existing entries, see Applying automember rules to existing entries using IdM CLI.

Prerequisites

Procedure

  1. Enter the ipa automember-add command to add an automember rule.

  2. When prompted, specify:

    • Automember rule. This is the target group name.
    • Grouping Type. This specifies whether the rule targets a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.

    For example, to add an automember rule for a user group named user_group: 

    $ ipa automember-add
Automember Rule: user_group
Grouping Type: group
--------------------------------
Added automember rule "user_group"
--------------------------------
    Automember Rule: user_group
    Copy to Clipboard Toggle word wrap

Verification

After configuring automember rules, you can then add a condition to that automember rule using the IdM CLI. For information about automember rules, see Automember rules.

Prerequisites

Procedure

  1. Define one or more inclusive or exclusive conditions using the ipa automember-add-condition command.

  2. When prompted, specify:

    • Automember rule. This is the target rule name. See Automember rules for details.
    • Attribute Key. This specifies the entry attribute to which the filter will apply. For example, uid for users.
    • Grouping Type. This specifies whether the rule targets a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.
    • Inclusive regex and Exclusive regex. These specify one or more conditions as regular expressions. If you only want to specify one condition, press Enter when prompted for the other.

    For example, the following condition targets all users with any value (.*) in their user login attribute (uid). 

    $ ipa automember-add-condition
Automember Rule: user_group
Attribute Key: uid
Grouping Type: group
[Inclusive Regex]: .*
[Exclusive Regex]:
----------------------------------
Added condition(s) to "user_group"
----------------------------------
  Automember Rule: user_group
  Inclusive Regex: uid=.*
----------------------------
Number of conditions added 1
----------------------------
    Copy to Clipboard Toggle word wrap

    As another example, you can use an automembership rule to target all Windows users synchronized from Active Directory (AD). To achieve this, create a condition that that targets all users with ntUser in their objectClass attribute, which is shared by all AD users: 

    $ ipa automember-add-condition
Automember Rule: ad_users
Attribute Key: objectclass
Grouping Type: group
[Inclusive Regex]: ntUser
[Exclusive Regex]:
-------------------------------------
Added condition(s) to "ad_users"
-------------------------------------
  Automember Rule: ad_users
  Inclusive Regex: objectclass=ntUser
----------------------------
Number of conditions added 1
----------------------------
    Copy to Clipboard Toggle word wrap

Verification

Follow this procedure to view existing automember rules using the IdM CLI.

Prerequisites

Procedure

  1. Enter the ipa automember-find command.

  2. When prompted, specify the Grouping type:

    • To target a user group, enter group.

    • To target a host group, enter hostgroup.

      For example: 

    $ ipa automember-find
Grouping Type: group
---------------
1 rules matched
---------------
  Automember Rule: user_group
  Inclusive Regex: uid=.*
----------------------------
Number of entries returned 1
----------------------------
    Copy to Clipboard Toggle word wrap

17.6. Deleting an automember rule using IdM CLI
Copy link

Follow this procedure to delete an automember rule using the IdM CLI.

Deleting an automember rule also deletes all conditions associated with the rule. To remove only specific conditions from a rule, see Removing a condition from an automember rule using IdM CLI.

Prerequisites

Procedure

  1. Enter the ipa automember-del command.

  2. When prompted, specify:

    • Automember rule. This is the rule you want to delete.
    • Grouping rule. This specifies whether the rule you want to delete is for a user group or a host group. Enter group or hostgroup.

Follow this procedure to remove a specific condition from an automember rule.

Prerequisites

Procedure

  1. Enter the ipa automember-remove-condition command.

  2. When prompted, specify:

    • Automember rule. This is the name of the rule from which you want to remove a condition.
    • Attribute Key. This is the target entry attribute. For example, uid for users.
    • Grouping Type. This specifies whether the condition you want to delete is for a user group or a host group. Enter group or hostgroup.

    • Inclusive regex and Exclusive regex. These specify the conditions you want to remove. If you only want to specify one condition, press Enter when prompted for the other.

      For example: 

    $ ipa automember-remove-condition
Automember Rule: user_group
Attribute Key: uid
Grouping Type: group
[Inclusive Regex]: .*
[Exclusive Regex]:
-----------------------------------
Removed condition(s) from "user_group"
-----------------------------------
  Automember Rule: user_group
------------------------------
Number of conditions removed 1
------------------------------
    Copy to Clipboard Toggle word wrap

Automember rules apply automatically to user and host entries created after the rules were added. They are not applied retroactively to entries that existed before the rules were added.

To apply automember rules to previously added entries, you have to manually rebuild automatic membership. Rebuilding automatic membership re-evaluates all existing automember rules and applies them either to all user or hosts entries, or to specific entries.

Rebuilding automatic membership does not remove user or host entries from groups, even if the entries no longer match the group’s inclusive conditions. To remove them manually, see Removing a member from a user group using IdM CLI or Removing IdM host group members using the CLI.

Prerequisites

Procedure

  • To rebuild automatic membership, enter the ipa automember-rebuild command. Use the following options to specify the entries to target:

    • To rebuild automatic membership for all users, use the --type=group option: 

      $ ipa automember-rebuild --type=group
--------------------------------------------------------
Automember rebuild task finished. Processed (9) entries.
--------------------------------------------------------
      Copy to Clipboard Toggle word wrap
    • To rebuild automatic membership for all hosts, use the --type=hostgroup option.

    • To rebuild automatic membership for a specified user or users, use the --users=target_user option: 

      $ ipa automember-rebuild --users=target_user1 --users=target_user2
--------------------------------------------------------
Automember rebuild task finished. Processed (2) entries.
--------------------------------------------------------
      Copy to Clipboard Toggle word wrap
    • To rebuild automatic membership for a specified host or hosts, use the --hosts=client.idm.example.com option.

When you configure a default automember group, new user or host entries that do not match any automember rule are automatically added to this default group.

Prerequisites

Procedure

  1. Enter the ipa automember-default-group-set command to configure a default automember group.

  2. When prompted, specify:

    • Default (fallback) Group, which specifies the target group name.

    • Grouping Type, which specifies whether the target is a user group or a host group. To target a user group, enter group. To target a host group, enter hostgroup.

      For example: 

      $ ipa automember-default-group-set
Default (fallback) Group: default_user_group
Grouping Type: group
---------------------------------------------------
Set default (fallback) group for automember "default_user_group"
---------------------------------------------------
  Default (fallback) Group: cn=default_user_group,cn=groups,cn=accounts,dc=example,dc=com
      Copy to Clipboard Toggle word wrap
    Note

    To remove the current default automember group, enter the ipa automember-default-group-remove command.

Verification

  • To verify that the group is set correctly, enter the ipa automember-default-group-show command. The command displays the current default automember group. For example: 

    $ ipa automember-default-group-show
Grouping Type: group
  Default (fallback) Group: cn=default_user_group,cn=groups,cn=accounts,dc=example,dc=com
    Copy to Clipboard Toggle word wrap

Using automatic group membership enables you to assign users and hosts to groups automatically based on their attributes. For example, you can:

  • Divide employees' user entries into groups based on the employees' manager, location, or any other attribute.
  • Divide hosts based on their class, location, or any other attribute.
  • Add all users or all hosts to a single global group.

18.1. Benefits of automatic group membership
Copy link

Using automatic membership for users allows you to:

  • Reduce the overhead of manually managing group memberships

    You no longer have to assign every user and host to groups manually.

  • Improve consistency in user and host management

    Users and hosts are assigned to groups based on strictly defined and automatically evaluated criteria.

  • Simplify the management of group-based settings

    Various settings are defined for groups and then applied to individual group members, for example sudo rules, automount, or access control. Adding users and hosts to groups automatically makes managing these settings easier.

18.2. Automember rules
Copy link

When configuring automatic group membership, the administrator defines automember rules. An automember rule applies to a specific user or host target group. It cannot apply to more than one group at a time.

After creating a rule, the administrator adds conditions to it. These specify which users or hosts get included or excluded from the target group:

  • Inclusive conditions

    When a user or host entry meets an inclusive condition, it will be included in the target group.

  • Exclusive conditions

    When a user or host entry meets an exclusive condition, it will not be included in the target group.

The conditions are specified as regular expressions in the Perl-compatible regular expressions (PCRE) format. For more information about PCRE, see the pcresyntax(3) man page on your system.

Note

IdM evaluates exclusive conditions before inclusive conditions. In case of a conflict, exclusive conditions take precedence over inclusive conditions.

An automember rule applies to every entry created in the future. These entries will be automatically added to the specified target group. If an entry meets the conditions specified in multiple automember rules, it will be added to all the corresponding groups.

Existing entries are not affected by the new rule. If you want to change existing entries, see Applying automember rules to existing entries using IdM Web UI.

18.3. Adding an automember rule using IdM Web UI
Copy link

Follow this procedure to add an automember rule using the IdM Web UI. For information about automember rules, see Automember rules.

Existing entries are not affected by the new rule. If you want to change existing entries, see Applying automember rules to existing entries using IdM Web UI.

Prerequisites

  • You are logged in to the IdM Web UI.
  • You must be a member of the admins group.
  • The target group of the new rule exists in IdM.

Procedure

  1. Click Identity → Automember, and select either User group rules or Host group rules.
  2. Click Add.
  3. In the Automember rule field, select the group to which the rule will apply. This is the target group name.
  4. Click Add to confirm.
  5. Optional: You can add conditions to the new rule using the procedure described in Adding a condition to an automember rule using IdM Web UI.

After configuring automember rules, you can then add a condition to that automember rule using the IdM Web UI. For information about automember rules, see Automember rules.

Prerequisites

  • You are logged in to the IdM Web UI.
  • You must be a member of the admins group.
  • The target rule exists in IdM.

Procedure

  1. Click Identity → Automember, and select either User group rules or Host group rules.
  2. Click on the rule to which you want to add a condition.
  3. In the Inclusive or Exclusive sections, click Add.
  4. In the Attribute field, select the required attribute, for example uid.
  5. In the Expression field, define a regular expression.

  6. Click Add.

    For example, the following condition targets all users with any value (.*) in their user ID (uid) attribute.

    Screenshot of the
    View larger image
    Screenshot of the

Follow this procedure to view existing automember rules and conditions using the IdM Web UI.

Prerequisites

  • You are logged in to the IdM Web UI.
  • You must be a member of the admins group.

Procedure

  1. Click Identity → Automember, and select either User group rules or Host group rules to view the respective automember rules.
  2. Optional: Click on a rule to see the conditions for that rule in the Inclusive or Exclusive sections.

18.6. Deleting an automember rule using IdM Web UI
Copy link

Follow this procedure to delete an automember rule using the IdM Web UI.

Deleting an automember rule also deletes all conditions associated with the rule. To remove only specific conditions from a rule, see Removing a condition from an automember rule using IdM Web UI.

Prerequisites

  • You are logged in to the IdM Web UI.
  • You must be a member of the admins group.

Procedure

  1. Click Identity → Automember, and select either User group rules or Host group rules to view the respective automember rules.
  2. Select the checkbox next to the rule you want to remove.
  3. Click Delete.
  4. Click Delete to confirm.

Follow this procedure to remove a specific condition from an automember rule using the IdM Web UI.

Prerequisites

  • You are logged in to the IdM Web UI.
  • You must be a member of the admins group.

Procedure

  1. Click Identity → Automember, and select either User group rules or Host group rules to view the respective automember rules.
  2. Click on a rule to see the conditions for that rule in the Inclusive or Exclusive sections.
  3. Select the checkbox next to the conditions you want to remove.
  4. Click Delete.
  5. Click Delete to confirm.

Automember rules apply automatically to user and host entries created after the rules were added. They are not applied retroactively to entries that existed before the rules were added.

To apply automember rules to previously added entries, you have to manually rebuild automatic membership. Rebuilding automatic membership re-evaluates all existing automember rules and applies them either to all user or hosts entries, or to specific entries.

Rebuilding automatic membership does not remove user or host entries from groups, even if the entries no longer match the group’s inclusive conditions. To remove them manually, see Removing a member from a user group using IdM Web UI or Removing host group members in the IdM Web UI.

Follow this procedure to rebuild automatic membership for all user or host entries.

Prerequisites

  • You are logged in to the IdM Web UI.
  • You must be a member of the admins group.

Procedure

  1. Select IdentityUsers or Hosts.

  2. Click ActionsRebuild auto membership.

    A screenshot highlighting that
    View larger image
    A screenshot highlighting that

Follow this procedure to rebuild automatic membership for a specific user or host entry.

Prerequisites

  • You are logged in to the IdM Web UI.
  • You must be a member of the admins group.

Procedure

  1. Select IdentityUsers or Hosts.
  2. Click on the required user or host name.

  3. Click ActionsRebuild auto membership.

    A screenshot highlighting the
    View larger image
    A screenshot highlighting the

When you configure a default user group, new user entries that do not match any automember rule are automatically added to this default group.

Prerequisites

  • You are logged in to the IdM Web UI.
  • You must be a member of the admins group.
  • The target user group you want to set as default exists in IdM.

Procedure

  1. Click Identity → Automember, and select User group rules.
  2. In the Default user group field, select the group you want to set as the default user group.

When you configure a default host group, new host entries that do not match any automember rule are automatically added to this default group.

Prerequisites

  • You are logged in to the IdM Web UI.
  • You must be a member of the admins group.
  • The target host group you want to set as default exists in IdM.

Procedure

  1. Click Identity → Automember, and select Host group rules.
  2. In the Default host group field, select the group you want to set as the default host group.

Using automatic group membership, you can assign users and hosts user groups and host groups automatically, based on their attributes. For example, you can:

  • Divide employees' user entries into groups based on the employees' manager, location, position or any other attribute. You can list all attributes by entering ipa user-add --help on the command-line.
  • Divide hosts into groups based on their class, location, or any other attribute. You can list all attributes by entering ipa host-add --help on the command-line.
  • Add all users or all hosts to a single global group.

You can use Red Hat Ansible Engine to automate the management of automatic group membership in Identity Management (IdM).

As a system administrator managing Identity Management (IdM), when working with Red Hat Ansible Engine, it is good practice to do the following:

  • Create a subdirectory dedicated to Ansible playbooks in your home directory, for example ~/MyPlaybooks.
  • Copy and adapt sample Ansible playbooks from the /usr/share/doc/ansible-freeipa/* and /usr/share/doc/rhel-system-roles/* directories and subdirectories into your ~/MyPlaybooks directory.
  • Include your inventory file in your ~/MyPlaybooks directory.

By following this practice, you can find all your playbooks in one place and you can run your playbooks without invoking root privileges.

Note

You only need root privileges on the managed nodes to execute the ipaserver, ipareplica, ipaclient, ipabackup, ipasmartcard_server and ipasmartcard_client ansible-freeipa roles. These roles require privileged access to directories and the dnf software package manager.

Follow this procedure to create the ~/MyPlaybooks directory and configure it so that you can use it to store and run Ansible playbooks.

Prerequisites

  • You have installed an IdM server on your managed nodes, server.idm.example.com and replica.idm.example.com.
  • You have configured DNS and networking so you can log in to the managed nodes, server.idm.example.com and replica.idm.example.com, directly from the control node.
  • You know the IdM admin password.

Procedure

  1. Create a directory for your Ansible configuration and playbooks in your home directory: 

    $ mkdir ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Change into the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks
    Copy to Clipboard Toggle word wrap

  3. Create the ~/MyPlaybooks/ansible.cfg file with the following content: 

    [defaults]
inventory = /home/your_username/MyPlaybooks/inventory

[privilege_escalation]
become=True
    Copy to Clipboard Toggle word wrap

  4. Create the ~/MyPlaybooks/inventory file with the following content: 

    [ipaserver]
server.idm.example.com

[ipareplicas]
replica1.idm.example.com
replica2.idm.example.com

[ipacluster:children]
ipaserver
ipareplicas

[ipacluster:vars]
ipaadmin_password=SomeADMINpassword

[ipaclients]
ipaclient1.example.com
ipaclient2.example.com

[ipaclients:vars]
ipaadmin_password=SomeADMINpassword
    Copy to Clipboard Toggle word wrap

    This configuration defines two host groups, eu and us, for hosts in these locations. Additionally, this configuration defines the ipaserver host group, which contains all hosts from the eu and us groups.

  5. Optional: Create an SSH public and private key. To simplify access in your test environment, do not set a password on the private key: 

    $ ssh-keygen
    Copy to Clipboard Toggle word wrap

  6. Copy the SSH public key to the IdM admin account on each managed node: 

    $ ssh-copy-id admin@server.idm.example.com
$ ssh-copy-id admin@replica.idm.example.com
    Copy to Clipboard Toggle word wrap

    You must enter the IdM admin password when you enter these commands.

The following procedure describes how to use an Ansible playbook to ensure an automember rule for an Identity Management (IdM) group exists. In the example, the presence of an automember rule is ensured for the testing_group user group.

Prerequisites

  • You know the IdM admin password.
  • The testing_group user group exists in IdM.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Copy the automember-group-present.yml Ansible playbook file located in the /usr/share/doc/ansible-freeipa/playbooks/automember/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/automember/automember-group-present.yml automember-group-present-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the automember-group-present-copy.yml file for editing.

  4. Adapt the file by setting the following variables in the ipaautomember task section:

    • Set the ipaadmin_password variable to the password of the IdM admin.
    • Set the name variable to testing_group.
    • Set the automember_type variable to group.
    • Ensure that the state variable is set to present.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Automember group present example
  hosts: ipaserver
  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure group automember rule admins is present
    ipaautomember:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: testing_group
      automember_type: group
      state: present
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory automember-group-present-copy.yml
    Copy to Clipboard Toggle word wrap

The following procedure describes how to use an Ansible playbook to ensure that a specified condition exists in an automember rule for an Identity Management (IdM) group. In the example, the presence of a UID-related condition in the automember rule is ensured for the testing_group group. By specifying the .* condition, you ensure that all future IdM users automatically become members of the testing_group.

Prerequisites

  • You know the IdM admin password.
  • The testing_group user group and automember user group rule exist in IdM.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Copy the automember-hostgroup-rule-present.yml Ansible playbook file located in the /usr/share/doc/ansible-freeipa/playbooks/automember/ directory and name it, for example, automember-usergroup-rule-present.yml: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/automember/automember-hostgroup-rule-present.yml automember-usergroup-rule-present.yml
    Copy to Clipboard Toggle word wrap
  3. Open the automember-usergroup-rule-present.yml file for editing.

  4. Adapt the file by modifying the following parameters:

    • Rename the playbook to correspond to your use case, for example: Automember user group rule member present.
    • Rename the task to correspond to your use case, for example: Ensure an automember condition for a user group is present.

    • Set the following variables in the ipaautomember task section:

      • Set the ipaadmin_password variable to the password of the IdM admin.
      • Set the name variable to testing_group.
      • Set the automember_type variable to group.
      • Ensure that the state variable is set to present.
      • Ensure that the action variable is set to member.
      • Set the inclusive key variable to UID.
      • Set the inclusive expression variable to .*

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Automember user group rule member present
  hosts: ipaserver
  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure an automember condition for a user group is present
    ipaautomember:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: testing_group
      automember_type: group
      state: present
      action: member
      inclusive:
        - key: UID
          expression: .*
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory automember-usergroup-rule-present.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. Log in as an IdM administrator. 

    $ kinit admin
    Copy to Clipboard Toggle word wrap

  2. Add a user, for example: 

    $ ipa user-add user101 --first user --last 101
-----------------------
Added user "user101"
-----------------------
  User login: user101
  First name: user
  Last name: 101
  ...
  Member of groups: ipausers, testing_group
  ...
    Copy to Clipboard Toggle word wrap

The following procedure describes how to use an Ansible playbook to ensure a condition is absent from an automember rule for an Identity Management (IdM) group. In the example, the absence of a condition in the automember rule is ensured that specifies that users whose initials are dp should be included. The automember rule is applied to the testing_group group. By applying the condition, you ensure that no future IdM user whose initials are dp becomes a member of the testing_group.

Prerequisites

  • You know the IdM admin password.
  • The testing_group user group and automember user group rule exist in IdM.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Copy the automember-hostgroup-rule-absent.yml Ansible playbook file located in the /usr/share/doc/ansible-freeipa/playbooks/automember/ directory and name it, for example, automember-usergroup-rule-absent.yml: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/automember/automember-hostgroup-rule-absent.yml automember-usergroup-rule-absent.yml
    Copy to Clipboard Toggle word wrap
  3. Open the automember-usergroup-rule-absent.yml file for editing.

  4. Adapt the file by modifying the following parameters:

    • Rename the playbook to correspond to your use case, for example: Automember user group rule member absent.
    • Rename the task to correspond to your use case, for example: Ensure an automember condition for a user group is absent.

    • Set the following variables in the ipaautomember task section:

      • Set the ipaadmin_password variable to the password of the IdM admin.
      • Set the name variable to testing_group.
      • Set the automember_type variable to group.
      • Ensure that the state variable is set to absent.
      • Ensure that the action variable is set to member.
      • Set the inclusive key variable to initials.
      • Set the inclusive expression variable to dp.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Automember user group rule member absent
  hosts: ipaserver
  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure an automember condition for a user group is absent
    ipaautomember:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: testing_group
      automember_type: group
      state: absent
      action: member
      inclusive:
        - key: initials
          expression: dp
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory automember-usergroup-rule-absent.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. Log in as an IdM administrator. 

    $ kinit admin
    Copy to Clipboard Toggle word wrap

  2. View the automember group: 

    $ ipa automember-show --type=group testing_group
 Automember Rule: testing_group
    Copy to Clipboard Toggle word wrap

The absence of an Inclusive Regex: initials=dp entry in the output confirms that the testing_group automember rule does not contain the condition specified.

The following procedure describes how to use an Ansible playbook to ensure an automember rule is absent for an Identity Management (IdM) group. In the example, the absence of an automember rule is ensured for the testing_group group.

Deleting an automember rule also deletes all conditions associated with the rule. To remove only specific conditions from a rule, see Using Ansible to ensure that a condition is absent in an IdM user group automember rule.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Copy the automember-group-absent.yml Ansible playbook file located in the /usr/share/doc/ansible-freeipa/playbooks/automember/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/automember/automember-group-absent.yml automember-group-absent-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the automember-group-absent-copy.yml file for editing.

  4. Adapt the file by setting the following variables in the ipaautomember task section:

    • Set the ipaadmin_password variable to the password of the IdM admin.
    • Set the name variable to testing_group.
    • Set the automember_type variable to group.
    • Ensure that the state variable is set to absent.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Automember group absent example
  hosts: ipaserver
  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure group automember rule admins is absent
    ipaautomember:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: testing_group
      automember_type: group
      state: absent
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory automember-group-absent.yml
    Copy to Clipboard Toggle word wrap

Follow this procedure to use Ansible to ensure that a condition is present in an IdM host group automember rule. The example describes how to ensure that hosts with the FQDN of .*.idm.example.com are members of the primary_dns_domain_hosts host group and hosts whose FQDN is .*.example.org are not members of the primary_dns_domain_hosts host group.

Prerequisites

  • You know the IdM admin password.
  • The primary_dns_domain_hosts host group and automember host group rule exist in IdM.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Copy the automember-hostgroup-rule-present.yml Ansible playbook file located in the /usr/share/doc/ansible-freeipa/playbooks/automember/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/automember/automember-hostgroup-rule-present.yml automember-hostgroup-rule-present-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the automember-hostgroup-rule-present-copy.yml file for editing.

  4. Adapt the file by setting the following variables in the ipaautomember task section:

    • Set the ipaadmin_password variable to the password of the IdM admin.
    • Set the name variable to primary_dns_domain_hosts.
    • Set the automember_type variable to hostgroup.
    • Ensure that the state variable is set to present.
    • Ensure that the action variable is set to member.
    • Ensure that the inclusive key variable is set to fqdn.
    • Set the corresponding inclusive expression variable to .*.idm.example.com.
    • Set the exclusive key variable to fqdn.
    • Set the corresponding exclusive expression variable to .*.example.org.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Automember user group rule member present
  hosts: ipaserver
  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure an automember condition for a user group is present
    ipaautomember:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: primary_dns_domain_hosts
      automember_type: hostgroup
      state: present
      action: member
      inclusive:
        - key: fqdn
          expression: .*.idm.example.com
      exclusive:
        - key: fqdn
          expression: .*.example.org
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory automember-hostgroup-rule-present-copy.yml
    Copy to Clipboard Toggle word wrap

In Identity Management (IdM), information is stored as LDAP attributes. When you create a user entry in IdM, the entry is automatically assigned certain LDAP object classes. These object classes define what attributes are available to the user entry. For more information about the default user objects classes and how they are organized, see the table below.

Expand
Table 20.1. Default IdM user object classes
Object classesDescription

ipaobject, ipasshuser

IdM object classes

person, organizationalperson, inetorgperson, inetuser, posixAccount

Person object classes

krbprincipalaux, krbticketpolicyaux

Kerberos object classes

mepOriginEntry

Managed entries (template) object classes

As an administrator, you can modify the list of user object classes as well as the format of the attributes. For example, you can specify how many characters are allowed in a user name.

The way that user and group object classes and attributes are organized in IdM is called the IdM user and group schema.

20.1. The default IdM user attributes
Copy link

A user entry contains attributes. The values of certain attributes are set automatically, based on defaults, unless you set a specific value yourself. For other attributes, you have to set the values manually. Certain attributes, such as First name, require a value, whereas others, such as Street address, do not. As an administrator, you can configure the values generated or used by the default attributes. For more information, see the Default IdM user attributes table below.

Expand
Table 20.2. Default IdM user attributes
Web UI fieldCommand-line optionRequired, optional, or default

User login

username

Required

First name

--first

Required

Last name

--last

Required

Full name

--cn

Optional

Display name

--displayname

Optional

Initials

--initials

Default

Home directory

--homedir

Default

GECOS field

--gecos

Default

Shell

--shell

Default

Kerberos principal

--principal

Default

Email address

--email

Optional

Password

--password

Optional. Note that the script prompts for a new password, rather than accepting a value with the argument.

User ID number

--uid

Default

Group ID number

--gidnumber

Default

Street address

--street

Optional

City

--city

Optional

State/Province

--state

Optional

Zip code

--postalcode

Optional

Telephone number

--phone

Optional

Mobile telephone number

--mobile

Optional

Pager number

--pager

Optional

Fax number

--fax

Optional

Organizational unit

--orgunit

Optional

Job title

--title

Optional

Manager

--manager

Optional

Car license

--carlicense

Optional

 

--noprivate

Optional

SSH Keys

--sshpubkey

Optional

Additional attributes

--addattr

Optional

Department Number

--departmentnumber

Optional

Employee Number

--employeenumber

Optional

Employee Type

--employeetype

Optional

Preferred Language

--preferredlanguage

Optional

You can also add any attributes available in the Default IdM user object classes, even if no Web UI or command-line argument for that attribute exists.

User and group accounts are created with a predefined set of LDAP object classes applied to them. While the standard IdM-specific LDAP object classes and attributes cover most deployment scenarios, you can create custom object classes with custom attributes for user and group entries.

When you modify object classes, IdM provides the following validation:

  • All of the object classes and their specified attributes must be known to the LDAP server.
  • All default attributes that are configured for the entry must be supported by the configured object classes.

The IdM schema validation has limitations and the IdM server does not check that the defined user or group object classes contain all of the required object classes for IdM entries. For example, all IdM entries require the ipaobject object class. However, if the user or group schema is changed, the server does not check if this object class is included. If the object class is accidentally deleted and you then try to add a new user, the attempt fails.

All object class changes are atomic, not incremental. You must define the entire list of default object classes every time a change occurs. For example, you may decide to create a custom object class to store employee information such as birthdays and employment start dates. In this scenario, you cannot simply add the custom object class to the list. Instead, you must set the entire list of current default object classes plus the new object class. If you do not include the existing default object classes when you update the configuration, the current settings are overwritten. This causes serious performance problems.

Note

After you modify the list of default object classes, new user and group entries contain the custom object classes but any old entries are not modified.

This procedure describes how you can use the IdM Web UI to modify object classes for future Identity Management (IdM) user entries. As a result, these entries will have different attributes than the current user entries do.

Prerequisites

  • You are logged in as the IdM administrator.

Procedure

  1. Open the IPA Server tab.
  2. Select the Configuration subtab.

  3. Scroll to the User Options area.

    User options in IPA Server configuration

  4. Keep all the object classes listed in the Default IdM user object classes table.

    Important

    If any object classes required by IdM are not included, then subsequent attempts to add a user entry will fail with object class violations.

  5. At the bottom of the users area, click Add for a new field to appear.

    Changing default user object classes

  6. Enter the name of the user object class you want to add.
  7. Click Save at the top of the Configuration page.

20.4. Modifying user object classes in the IdM CLI
Copy link

This procedure describes how you can use the Identity Management (IdM) CLI to modify user object classes for future IdM user entries. As a result, these entries will have different attributes than the current user entries do.

Prerequisites

  • You have enabled the brace expansion feature: 

    # set -o braceexpand
    Copy to Clipboard Toggle word wrap
  • You are logged in as the IdM administrator.

Procedure

  • Use the ipa config-mod command to modify the current schema. For example, to add top and mailRecipient object classes to the future user entries: 

    [bjensen@server ~]$ ipa config-mod --userobjectclasses={person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,ipasshuser,mepOriginEntry,top,mailRecipient}
    Copy to Clipboard Toggle word wrap

    The command adds all the ten user object classes that are native to IdM as well as the two new ones, top and mailRecipient.

    Important

    The information passed with the config-mod command overwrites the previous values. If any user object classes required by IdM are not included, then subsequent attempts to add a user entry will fail with object class violations.

Alternatively, you can add a user object class by using the ipa config-mod --addattr ipauserobjectclasses=<user object class> command. In this way, you do not risk forgetting a native IdM class in the list. For example, to add the mailRecipient user object class without overwriting the current configuration, enter ipa config-mod --addattr ipauserobjectclasses=mailRecipient. Analogously, to remove only the mailRecipient object class, enter ipa config-mod --delattr ipauserobjectclasses=mailRecipient.

Identity Management (IdM) has the following default group object classes:

  • top
  • groupofnames
  • nestedgroup
  • ipausergroup
  • ipaobject

This procedure describes how you can use the IdM Web UI to add additional group object classes for future Identity Management (IdM) user group entries. As a result, these entries will have different attributes than the current the group entries do.

Prerequisites

  • You are logged in as the IdM administrator.

Procedure

  1. Open the IPA Server tab.
  2. Select the Configuration subtab.
  3. Locate the Group Options area.

  4. Keep the default IdM group object classes.

    Important

    If any group object classes required by IdM are not included, then subsequent attempts to add a group entry will fail with object class violations.

  5. Click Add for a new field to appear.

    Group options in IPA Server configuration

  6. Enter the name of the group object class you want to add.
  7. Click Save at the top of the Configuration page.

Identity Management (IdM) has the following default group object classes:

  • top
  • groupofnames
  • nestedgroup
  • ipausergroup
  • ipaobject

This procedure describes how you can use the IdM Web UI to add additional group object classes for future Identity Management (IdM) user group entries. As a result, these entries will have different attributes than the current the group entries do.

Prerequisites

  • You have enabled the brace expansion feature: 

    # set -o braceexpand
    Copy to Clipboard Toggle word wrap
  • You are logged in as the IdM administrator.

Procedure

  • Use the ipa config-mod command to modify the current schema. For example, to add ipasshuser and employee group object classes to the future user entries: 

    [bjensen@server ~]$ ipa config-mod --groupobjectclasses={top,groupofnames,nestedgroup,ipausergroup,ipaobject,ipasshuser,employeegroup}
    Copy to Clipboard Toggle word wrap

    The command adds all the default group object classes as well as the two new ones, ipasshuser and employeegroup.

    Important

    If any group object classes required by IdM are not included, then subsequent attempts to add a group entry will fail with object class violations.

    Note

    Instead of the comma-separated list inside curly braces with no spaces allowed that is used in the example above, you can use the --groupobjectclasses argument repeatedly.

20.7. Default user and group attributes in IdM
Copy link

Identity Management (IdM) uses a template when it creates new entries.

The template for users is more specific than the template for groups. IdM uses default values for several core attributes for IdM user accounts. These defaults can define actual values for user account attributes, such as the home directory location, or they can define the formats of attribute values, such as the user name length. The template also defines the object classes assigned to users.

For groups, the template only defines the assigned object classes.

In the IdM LDAP directory, these default definitions are all contained in a single configuration entry for the IdM server, cn=ipaconfig,cn=etc,dc=example,dc=com.

You can modify the configuration of default user parameters in IdM by using the ipa config-mod command. The table below summarizes some of the key parameters, the command-line options that you can use with ipa config-mod to modify them, and the parameter descriptions.

Expand
Table 20.3. Default user parameters
Web UI fieldCommand-line optionDescription

Maximum user name length

--maxusername`

Sets the maximum number of characters for user names. Default: 32.

Root for home directories

--homedirectory

Sets the default directory for user home directories. Default: /home.

Default shell

--defaultshell

Sets the default shell for users. Default: /bin/sh.

Default user group

--defaultgroup

Sets the default group for newly created accounts. Default: ipausers.

Default e-mail domain

--emaildomain

Sets the email domain for creating addresses based on user accounts. Default: server domain.

Search time limit

--searchtimelimit

Sets the maximum time in seconds for a search before returning results.

Search size limit

--searchrecordslimit

Sets the maximum number of records to return in a search.

User search fields

--usersearch

Defines searchable fields in user entries, impacting server performance if too many attributes are set.

Group search fields

--groupsearch

Defines searchable fields in group entries.

Certificate subject base

 

Sets the base DN for creating subject DNs for client certificates during setup.

Default user object classes

--userobjectclasses

Defines object classes for creating user accounts. Must provide a complete list as it overwrites the existing one.

Default group object classes

--groupobjectclasses

Defines object classes for creating group accounts. Must provide a complete list.

Password expiration notification

--pwdexpnotify

Defines the number of days before a password expires for sending a notification.

Password plug-in features

 

Sets the format of allowable passwords for users.

You can view and modify the configuration of the default user and group attributes in the Identity Management (IdM) Web UI.

Prerequisites

  • You are logged in as IdM admin.

Procedure

  1. Open the IPA Server tab.
  2. Select the Configuration subtab.

  3. The User Options section has multiple fields you can review and edit.

    User attributes

  4. For example, to change the default shell for future IdM users from /bin/sh to /bin/bash, locate the Default shell field, and replace /bin/sh with /bin/bash.

  5. In the Group Options section, you can only review and edit the Group search fields field.

    Group attributes

  6. Click the Save button at the top of the screen.

    The newly saved configuration will be applied to future IdM user and group accounts. The current accounts remain unchanged.

You can view and modify the configuration of the current or default user and group attributes in the Identity Management (IdM) CLI.

Prerequisites

  • You have the IdM admin credentials.

Procedure

  • The ipa config-show command displays the most common attribute settings. Use the --all option for a complete list: 

    [bjensen@server ~]$ ipa config-show --all
dn: cn=ipaConfig,cn=etc,dc=example,dc=com
Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: example.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=EXAMPLE.COM
Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC, nfs:NONE
cn: ipaConfig
objectclass: nsContainer, top, ipaGuiConfig, ipaConfigObject
    Copy to Clipboard Toggle word wrap

  • Use the ipa config-mod command to modify an attribute. For example, to change the default shell for future IdM users from /bin/sh to /bin/bash, enter: 

    [bjensen@server ~]$ ipa config-mod --defaultshell "/bin/bash"
    Copy to Clipboard Toggle word wrap

    For more ipa config-mod options, see the Default user parameters table.

    The new configuration will be applied to future IdM user and group accounts. The current accounts remain unchanged.

Chapter 21. Access control in IdM
Copy link

Access control defines the rights or permissions users have been granted to perform operations on other users or objects, such as hosts or services. Identity Management (IdM) provides several access control areas to make it clear what kind of access is being granted and to whom it is granted. As part of this, IdM draws a distinction between access control to resources within the domain and access control to the IdM configuration itself.

This chapter outlines the different internal access control mechanisms that are available for IdM users both to the resources within the domain and to the IdM configuration itself.

21.1. Access control instructions in IdM
Copy link

The Identity Management (IdM) access control structure is based on the 389 Directory Server access control. By using access control instructions (ACIs), you can grant or deny specific IdM users access over other entries. All entries, including IdM users, are stored in LDAP.

An ACI has three parts:

Actor
The entity that is being granted permission to do something. In LDAP access control models, you can, for example, specify that the ACI rule is applied only when a user binds to the directory using their distinguished name (DN). Such a specification is called the bind rule: it defines who the user is and can optionally require other limits on the bind attempt, such as restricting attempts to a certain time of day or a certain machine.
Target
The entry that the actor is allowed to perform operations on.
Operation type
Determines what kinds of actions the actor is allowed to perform. The most common operations are add, delete, write, read, and search. In IdM, the read and search rights of a non-administrative user are limited, and even more so in the IdM Web UI than the IdM CLI.

When an LDAP operation is attempted, the following occurs:

  1. The IdM client sends user credentials to an IdM server as part of the bind operation.
  2. The IdM server DS checks the user credentials.
  3. The IdM server DS checks the user account to see if the user has a permission to perform the requested operation.

21.2. Access control methods in IdM
Copy link

Identity Management (IdM) divides access control methods into the following categories:

Self-service rules
Define what operations a user can perform on the user’s own personal entry. This access control type only allows write permissions to specific attributes within the user entry. Users can update the values of specific attributes but cannot add or delete the attributes as such.
Delegation rules
By using a delegation rule, you can allow a specific user group to perform write, that is edit, operations on specific attributes of users in another user group. Similarly to self-service rules, this form of access control rule is limited to editing the values of specific attributes. It does not grant the ability to add or remove whole entries or control over unspecified attributes.
Role-based access control

Creates special access control groups that are then granted much broader authority over all types of entities in the IdM domain. Roles can be granted edit, add, and delete rights, meaning they can be granted complete control over entire entries, not just selected attributes.

Certain roles are already available in IdM by default, for example Enrollment Administrator, IT Security Specialist, and IT Specialist. You can create additional roles to manage any types of entries, such as hosts, automount configuration, netgroups, DNS settings, and IdM configuration.

Learn about self-service rules in Identity Management (IdM) and how to create and edit self-service access rules on the command line (CLI).

22.1. Self-service access control in IdM
Copy link

Self-service access control rules define which operations an Identity Management (IdM) entity can perform on its IdM Directory Server entry: for example, IdM users have the ability to update their own passwords.

This method of control allows an authenticated IdM entity to edit specific attributes within its LDAP entry, but does not allow add or delete operations on the entire entry.

Warning

Be careful when working with self-service access control rules: configuring access control rules improperly can inadvertently elevate an entity’s privileges.

22.2. Creating self-service rules using the CLI
Copy link

Follow this procedure to create self-service access rules in IdM using the command line (CLI).

Prerequisites

Procedure

  • To add a self-service rule, use the ipa selfservice-add command and specify the following two options:

    --permissions
    sets the read and write permissions the Access Control Instruction (ACI) grants.
    --attrs
    sets the complete list of attributes to which this ACI grants permission.

For example, to create a self-service rule allowing users to modify their own name details:

$ ipa selfservice-add "Users can manage their own name details" --permissions=write --attrs=givenname --attrs=displayname --attrs=title --attrs=initials
-----------------------------------------------------------
Added selfservice "Users can manage their own name details"
-----------------------------------------------------------
    Self-service name: Users can manage their own name details
    Permissions: write
    Attributes: givenname, displayname, title, initials
Copy to Clipboard Toggle word wrap

22.3. Editing self-service rules using the CLI
Copy link

Follow this procedure to edit self-service access rules in IdM using the command line (CLI).

Prerequisites

Procedure

  1. Optional: Display existing self-service rules with the ipa selfservice-find command.
  2. Optional: Display details for the self-service rule you want to modify with the ipa selfservice-show command.
  3. Use the ipa selfservice-mod command to edit a self-service rule.

For example:

$ ipa selfservice-mod "Users can manage their own name details" --attrs=givenname --attrs=displayname --attrs=title --attrs=initials --attrs=surname
--------------------------------------------------------------
Modified selfservice "Users can manage their own name details"
--------------------------------------------------------------
Self-service name: Users can manage their own name details
Permissions: write
Attributes: givenname, displayname, title, initials
Copy to Clipboard Toggle word wrap
Important

Using the ipa selfservice-mod command overwrites the previously defined permissions and attributes, so always include the complete list of existing permissions and attributes along with any new ones you want to define.

Verification

  • Use the ipa selfservice-show command to display the self-service rule you edited. 
$ ipa selfservice-show "Users can manage their own name details"
--------------------------------------------------------------
Self-service name: Users can manage their own name details
Permissions: write
Attributes: givenname, displayname, title, initials
Copy to Clipboard Toggle word wrap

22.4. Deleting self-service rules using the CLI
Copy link

Follow this procedure to delete self-service access rules in IdM using the command line (CLI).

Prerequisites

Procedure

  • Use the ipa selfservice-del command to delete a self-service rule.

For example:

$ ipa selfservice-del "Users can manage their own name details"
-----------------------------------------------------------
Deleted selfservice "Users can manage their own name details"
-----------------------------------------------------------
Copy to Clipboard Toggle word wrap

Verification

  • Use the ipa selfservice-find command to display all self-service rules. The rule you just deleted should be missing.

Learn about self-service rules in Identity Management (IdM) and how to create and edit self-service access rules in the web interface (IdM Web UI).

23.1. Self-service access control in IdM
Copy link

Self-service access control rules define which operations an Identity Management (IdM) entity can perform on its IdM Directory Server entry: for example, IdM users have the ability to update their own passwords.

This method of control allows an authenticated IdM entity to edit specific attributes within its LDAP entry, but does not allow add or delete operations on the entire entry.

Warning

Be careful when working with self-service access control rules: configuring access control rules improperly can inadvertently elevate an entity’s privileges.

Follow this procedure to create self-service access rules in IdM using the web interface (IdM Web UI).

Prerequisites

Procedure

  1. Open the IPA Server>Role-Based Access Control menu and select Self Service Permissions.
  2. Click Add at the upper-right of the list of the self-service access rules.
  3. On the Add Self Service Permission window, enter the name of the new self-service rule in the Self-service name field. Spaces are allowed.
  4. Select the checkboxes next to the attributes you want users to be able to edit.

  5. Optional: If an attribute you want to provide access to is not listed, you can add a listing for it:

    1. Click the Add button.
    2. On the Add Custom Attribute window, enter the attribute name in the Attribute text field.
    3. Click the OK button to add the attribute.
    4. Verify that the new attribute is selected.

  6. Click the Add button at the bottom of the form to save the new self-service rule.

    Alternatively, you can save and continue editing the self-service rule by clicking the Add and Edit button, or save and add further rules by clicking the Add and Add another button.

Follow this procedure to edit self-service access rules in IdM using the web interface (IdM Web UI).

Prerequisites

Procedure

  1. Open the IPA Server>Role-Based Access Control menu and select Self Service Permissions.
  2. Click on the name of the self-service rule you want to modify.
  3. The edit page only allows you to edit the list of attributes to you want to add or remove to the self-service rule. Select or deselect the appropriate checkboxes.
  4. Click the Save button to save your changes to the self-service rule.

Follow this procedure to delete self-service access rules in IdM using the web interface (IdM Web UI).

Prerequisites

Procedure

  1. Open the IPA Server>Role-Based Access Control menu and select Self Service Permissions.
  2. Select the checkbox next to the rule you want to delete, then click on the Delete button on the right of the list.
  3. A dialog opens, click on Delete to confirm.

Learn about self-service rules in Identity Management (IdM) and how to create and edit self-service access rules using Ansible playbooks. With self-service access control rules, an IdM entity can perform specified operations on its IdM Directory Server entry.

24.1. Self-service access control in IdM
Copy link

Self-service access control rules define which operations an Identity Management (IdM) entity can perform on its IdM Directory Server entry: for example, IdM users have the ability to update their own passwords.

This method of control allows an authenticated IdM entity to edit specific attributes within its LDAP entry, but does not allow add or delete operations on the entire entry.

Warning

Be careful when working with self-service access control rules: configuring access control rules improperly can inadvertently elevate an entity’s privileges.

The following procedure describes how to use an Ansible playbook to define self-service rules and ensure their presence on an Identity Management (IdM) server. In this example, the new Users can manage their own name details rule grants users the ability to change their own givenname, displayname, title and initials attributes. This allows them to, for example, change their display name or initials if they want to.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the selfservice-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/selfservice/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/selfservice/selfservice-present.yml selfservice-present-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the selfservice-present-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipaselfservice task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the new self-service rule.
    • Set the permission variable to a comma-separated list of permissions to grant: read and write.
    • Set the attribute variable to a list of attributes that users can manage themselves: givenname, displayname, title, and initials.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Self-service present
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure self-service rule "Users can manage their own name details" is present
    ipaselfservice:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: "Users can manage their own name details"
      permission: read, write
      attribute:
      - givenname
      - displayname
      - title
      - initials
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory selfservice-present-copy.yml
    Copy to Clipboard Toggle word wrap

The following procedure describes how to use an Ansible playbook to ensure a specified self-service rule is absent from your IdM configuration. The example below describes how to make sure the Users can manage their own name details self-service rule does not exist in IdM. This will ensure that users cannot, for example, change their own display name or initials.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the selfservice-absent.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/selfservice/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/selfservice/selfservice-absent.yml selfservice-absent-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the selfservice-absent-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipaselfservice task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the self-service rule.
    • Set the state variable to absent.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Self-service absent
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure self-service rule "Users can manage their own name details" is absent
    ipaselfservice:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: "Users can manage their own name details"
      state: absent
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory selfservice-absent-copy.yml
    Copy to Clipboard Toggle word wrap

The following procedure describes how to use an Ansible playbook to ensure that an already existing self-service rule has specific settings. In the example, you ensure the Users can manage their own name details self-service rule also has the surname member attribute.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The Users can manage their own name details self-service rule exists in IdM.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the selfservice-member-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/selfservice/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/selfservice/selfservice-member-present.yml selfservice-member-present-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the selfservice-member-present-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipaselfservice task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the self-service rule to modify.
    • Set the attribute variable to surname.
    • Set the action variable to member.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Self-service member present
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure selfservice "Users can manage their own name details" member attribute surname is present
    ipaselfservice:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: "Users can manage their own name details"
      attribute:
      - surname
      action: member
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory selfservice-member-present-copy.yml
    Copy to Clipboard Toggle word wrap

The following procedure describes how to use an Ansible playbook to ensure that a self-service rule does not have specific settings. You can use this playbook to make sure a self-service rule does not grant undesired access. In the example, you ensure the Users can manage their own name details self-service rule does not have the givenname and surname member attributes.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The Users can manage their own name details self-service rule exists in IdM.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the selfservice-member-absent.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/selfservice/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/selfservice/selfservice-member-absent.yml selfservice-member-absent-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the selfservice-member-absent-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipaselfservice task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the self-service rule you want to modify.
    • Set the attribute variable to givenname and surname.
    • Set the action variable to member.
    • Set the state variable to absent.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Self-service member absent
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure selfservice "Users can manage their own name details" member attributes givenname and surname are absent
    ipaselfservice:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: "Users can manage their own name details"
      attribute:
      - givenname
      - surname
      action: member
      state: absent
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory selfservice-member-absent-copy.yml
    Copy to Clipboard Toggle word wrap

Delegation is one of the access control methods in IdM, along with self-service rules and role-based access control (RBAC). You can use delegation to assign permissions to one group of users to manage entries for another group of users.

25.1. Delegation rules
Copy link

You can delegate permissions to user groups to manage users by creating delegation rules.

Delegation rules allow a specific user group to perform write (edit) operations on specific attributes for users in another user group. This form of access control rule is limited to editing the values of a subset of attributes you specify in a delegation rule; it does not grant the ability to add or remove whole entries or control over unspecified attributes.

Delegation rules grant permissions to existing user groups in IdM. You can use delegation to, for example, allow the managers user group to manage selected attributes of users in the employees user group.

25.2. Creating a delegation rule using IdM CLI
Copy link

Follow this procedure to create a delegation rule using the IdM CLI.

Prerequisites

  • You are logged in as a member of the admins group.

Procedure

  • Enter the ipa delegation-add command. Specify the following options:

    • --group: the group who is being granted permissions to the entries of users in the user group.
    • --membergroup: the group whose entries can be edited by members of the delegation group.
    • --permissions: whether users will have the right to view the given attributes (read) and add or change the given attributes (write). If you do not specify permissions, only the write permission will be added.
    • --attrs: the attributes which users in the member group are allowed to view or edit.

    For example: 

$ ipa delegation-add "basic manager attributes" --permissions=read --permissions=write --attrs=businesscategory --attrs=departmentnumber --attrs=employeetype --attrs=employeenumber --group=managers --membergroup=employees
-------------------------------------------
Added delegation "basic manager attributes"
-------------------------------------------
  Delegation name: basic manager attributes
  Permissions: read, write
  Attributes: businesscategory, departmentnumber, employeetype, employeenumber
  Member user group: employees
  User group: managers
Copy to Clipboard Toggle word wrap

Follow this procedure to view existing delegation rules using the IdM CLI.

Prerequisites

  • You are logged in as a member of the admins group.

Procedure

  • Enter the ipa delegation-find command: 
$ ipa delegation-find
--------------------
1 delegation matched
--------------------
  Delegation name: basic manager attributes
  Permissions: read, write
  Attributes: businesscategory, departmentnumber, employeenumber, employeetype
  Member user group: employees
  User group: managers
----------------------------
Number of entries returned 1
----------------------------
Copy to Clipboard Toggle word wrap

25.4. Modifying a delegation rule using IdM CLI
Copy link

Follow this procedure to modify an existing delegation rule using the IdM CLI.

Important

The --attrs option overwrites whatever the previous list of supported attributes was, so always include the complete list of attributes along with any new attributes. This also applies to the --permissions option.

Prerequisites

  • You are logged in as a member of the admins group.

Procedure

  • Enter the ipa delegation-mod command with the desired changes. For example, to add the displayname attribute to the basic manager attributes example rule: 

    $ ipa delegation-mod "basic manager attributes" --attrs=businesscategory --attrs=departmentnumber --attrs=employeetype --attrs=employeenumber --attrs=displayname
----------------------------------------------
Modified delegation "basic manager attributes"
----------------------------------------------
  Delegation name: basic manager attributes
  Permissions: read, write
  Attributes: businesscategory, departmentnumber, employeetype, employeenumber, displayname
  Member user group: employees
  User group: managers
    Copy to Clipboard Toggle word wrap

25.5. Deleting a delegation rule using IdM CLI
Copy link

Follow this procedure to delete an existing delegation rule using the IdM CLI.

Prerequisites

  • You are logged in as a member of the admins group.

Procedure

  • Enter the ipa delegation-del command.

  • When prompted, enter the name of the delegation rule you want to delete: 

    $ ipa delegation-del
Delegation name: basic manager attributes
---------------------------------------------
Deleted delegation "basic manager attributes"
---------------------------------------------
    Copy to Clipboard Toggle word wrap

Delegation is one of the access control methods in IdM, along with self-service rules and role-based access control (RBAC). You can use delegation to assign permissions to one group of users to manage entries for another group of users.

26.1. Delegation rules
Copy link

You can delegate permissions to user groups to manage users by creating delegation rules.

Delegation rules allow a specific user group to perform write (edit) operations on specific attributes for users in another user group. This form of access control rule is limited to editing the values of a subset of attributes you specify in a delegation rule; it does not grant the ability to add or remove whole entries or control over unspecified attributes.

Delegation rules grant permissions to existing user groups in IdM. You can use delegation to, for example, allow the managers user group to manage selected attributes of users in the employees user group.

26.2. Creating a delegation rule using IdM WebUI
Copy link

Follow this procedure to create a delegation rule using the IdM WebUI.

Prerequisites

  • You are logged in to the IdM Web UI as a member of the admins group.

Procedure

  1. From the IPA Server>Role-Based Access Control menu, click Delegations.
  2. Click Add.

  3. On the Add delegation window, do the following:

    1. Name the new delegation rule.
    2. Set the permissions by selecting the checkboxes that indicate whether users will have the right to view the given attributes (read) and add or change the given attributes (write).
    3. From the User group drop-down menu, select the group who is being granted permissions to view or edit the entries of users in the member group.
    4. On the Member user group drop-down menu, select the group whose entries can be edited by members of the delegation group.
    5. In the attributes box, select the checkboxes by the attributes to which you want to grant permissions.
    6. Click the Add button to save the new delegation rule.

Follow this procedure to view existing delegation rules using the IdM WebUI.

Prerequisites

  • You are logged in to the IdM Web UI as a member of the admins group.

Procedure

  • From the IPA Server>Role-Based Access Control menu, click Delegations.

    A screenshot of the IdM Web UI displaying the
    View larger image
    A screenshot of the IdM Web UI displaying the

26.4. Modifying a delegation rule using IdM WebUI
Copy link

Follow this procedure to modify an existing delegation rule using the IdM WebUI.

Prerequisites

  • You are logged in to the IdM Web UI as a member of the admins group.

Procedure

  1. From the IPA Server>Role-Based Access Control menu, click Delegations.
  2. Click the rule you want to modify.

  3. Make the desired changes:

    • Change the name of the rule.
    • Change granted permissions by selecting the checkboxes that indicate whether users will have the right to view the given attributes (read) and add or change the given attributes (write).
    • In the User group drop-down menu, select the group who is being granted permissions to view or edit the entries of users in the member group.
    • In the Member user group drop-down menu, select the group whose entries can be edited by members of the delegation group.
    • In the attributes box, select the checkboxes by the attributes to which you want to grant permissions. To remove permissions to an attribute, uncheck the relevant checkbox.
    • Click the Save button to save the changes.

26.5. Deleting a delegation rule using IdM WebUI
Copy link

Follow this procedure to delete an existing delegation rule using the IdM WebUI.

Prerequisites

  • You are logged in to the IdM Web UI as a member of the admins group.

Procedure

  1. From the IPA Server>Role-Based Access Control menu, click Delegations.
  2. Select the checkbox next to the rule you want to remove.
  3. Click Delete.
  4. Click Delete to confirm.

Delegation is one of the access control methods in IdM, along with self-service rules and role-based access control (RBAC). You can use delegation to assign permissions to one group of users to manage entries for another group of users.

27.1. Delegation rules
Copy link

You can delegate permissions to user groups to manage users by creating delegation rules.

Delegation rules allow a specific user group to perform write (edit) operations on specific attributes for users in another user group. This form of access control rule is limited to editing the values of a subset of attributes you specify in a delegation rule; it does not grant the ability to add or remove whole entries or control over unspecified attributes.

Delegation rules grant permissions to existing user groups in IdM. You can use delegation to, for example, allow the managers user group to manage selected attributes of users in the employees user group.

27.2. Creating an Ansible inventory file for IdM
Copy link

When working with Ansible, it is good practice to create, in your home directory, a subdirectory dedicated to Ansible playbooks that you copy and adapt from the /usr/share/doc/ansible-freeipa/* and /usr/share/doc/rhel-system-roles/* subdirectories. This practice has the following advantages:

  • You can find all your playbooks in one place.
  • You can run your playbooks without invoking root privileges.

Procedure

  1. Create a directory for your Ansible configuration and playbooks in your home directory: 

    $ mkdir ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Change into the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks
    Copy to Clipboard Toggle word wrap

  3. Create the ~/MyPlaybooks/ansible.cfg file with the following content: 

    [defaults]
inventory = /home/<username>/MyPlaybooks/inventory

[privilege_escalation]
become=True
    Copy to Clipboard Toggle word wrap

  4. Create the ~/MyPlaybooks/inventory file with the following content: 

    [eu]
server.idm.example.com

[us]
replica.idm.example.com

[ipaserver:children]
eu
us
    Copy to Clipboard Toggle word wrap

    This configuration defines two host groups, eu and us, for hosts in these locations. Additionally, this configuration defines the ipaserver host group, which contains all hosts from the eu and us groups.

The following procedure describes how to use an Ansible playbook to define privileges for a new IdM delegation rule and ensure its presence. In the example, the new basic manager attributes delegation rule grants the managers group the ability to read and write the following attributes for members of the employees group:

  • businesscategory
  • departmentnumber
  • employeenumber
  • employeetype

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the delegation-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/delegation/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/delegation/delegation-present.yml delegation-present-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the delegation-present-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipadelegation task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the new delegation rule.
    • Set the permission variable to a comma-separated list of permissions to grant: read and write.
    • Set the attribute variable to a list of attributes the delegated user group can manage: businesscategory, departmentnumber, employeenumber, and employeetype.
    • Set the group variable to the name of the group that is being given access to view or modify attributes.
    • Set the membergroup variable to the name of the group whose attributes can be viewed or modified.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Playbook to manage a delegation rule
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure delegation "basic manager attributes" is present
    ipadelegation:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: "basic manager attributes"
      permission: read, write
      attribute:
      - businesscategory
      - departmentnumber
      - employeenumber
      - employeetype
      group: managers
      membergroup: employees
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i ~/MyPlaybooks/inventory delegation-present-copy.yml
    Copy to Clipboard Toggle word wrap

The following procedure describes how to use an Ansible playbook to ensure a specified delegation rule is absent from your IdM configuration. The example below describes how to make sure the custom basic manager attributes delegation rule does not exist in IdM.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks>/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the delegation-absent.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/delegation/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/delegation/delegation-present.yml delegation-absent-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the delegation-absent-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipadelegation task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the delegation rule.
    • Set the state variable to absent.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Delegation absent
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure delegation "basic manager attributes" is absent
    ipadelegation:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: "basic manager attributes"
      state: absent
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i ~/MyPlaybooks/inventory delegation-absent-copy.yml
    Copy to Clipboard Toggle word wrap

The following procedure describes how to use an Ansible playbook to ensure that a delegation rule has specific settings. You can use this playbook to modify a delegation role you have previously created. In the example, you ensure the basic manager attributes delegation rule only has the departmentnumber member attribute.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The basic manager attributes delegation rule exists in IdM.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the delegation-member-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/delegation/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/delegation/delegation-member-present.yml delegation-member-present-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the delegation-member-present-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipadelegation task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the delegation rule to modify.
    • Set the attribute variable to departmentnumber.
    • Set the action variable to member.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Delegation member present
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure delegation "basic manager attributes" member attribute departmentnumber is present
    ipadelegation:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: "basic manager attributes"
      attribute:
      - departmentnumber
      action: member
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i ~/MyPlaybooks/inventory delegation-member-present-copy.yml
    Copy to Clipboard Toggle word wrap

The following procedure describes how to use an Ansible playbook to ensure that a delegation rule does not have specific settings. You can use this playbook to make sure a delegation role does not grant undesired access. In the example, you ensure the basic manager attributes delegation rule does not have the employeenumber and employeetype member attributes.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The basic manager attributes delegation rule exists in IdM.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the delegation-member-absent.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/delegation/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/delegation/delegation-member-absent.yml delegation-member-absent-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the delegation-member-absent-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipadelegation task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the delegation rule to modify.
    • Set the attribute variable to employeenumber and employeetype.
    • Set the action variable to member.
    • Set the state variable to absent.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Delegation member absent
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure delegation "basic manager attributes" member attributes employeenumber and employeetype are absent
    ipadelegation:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: "basic manager attributes"
      attribute:
      - employeenumber
      - employeetype
      action: member
      state: absent
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i ~/MyPlaybooks/inventory delegation-member-absent-copy.yml
    Copy to Clipboard Toggle word wrap

Learn more about role-based access control (RBAC) in Identity Management (IdM). RBAC is a security feature that restricts access to authorized users. You can define roles with specific permissions and then assign those roles to users.

28.1. Role-based access control in IdM
Copy link

Role-based access control (RBAC) in IdM grants a very different kind of authority to users compared to self-service and delegation access controls.

Role-based access control is composed of three parts:

  • Permissions grant the right to perform a specific task such as adding or deleting users, modifying a group, and enabling read-access.
  • Privileges combine permissions, for example all the permissions needed to add a new user.
  • Roles grant a set of privileges to users, user groups, hosts or host groups.

28.1.1. Permissions in IdM
Copy link

Permissions are the lowest level unit of role-based access control, they define operations together with the LDAP entries to which those operations apply. Comparable to building blocks, permissions can be assigned to as many privileges as needed.

One or more rights define what operations are allowed:

  • write
  • read
  • search
  • compare
  • add
  • delete
  • all

These operations apply to three basic targets:

  • subtree: a domain name (DN); the subtree under this DN
  • target filter: an LDAP filter
  • target: DN with possible wildcards to specify entries

Additionally, the following convenience options set the corresponding attribute(s):

  • type: a type of object (user, group, etc); sets subtree and target filter

  • memberof: members of a group; sets a target filter

    Note

    Setting the memberof attribute permission is not applied if the target LDAP entry does not contain any reference to group membership.

  • targetgroup: grants access to modify a specific group (such as granting the rights to manage group membership); sets a target

With IdM permissions, you can control which users have access to which objects and even which attributes of these objects. IdM enables you to allow or block individual attributes or change the entire visibility of a specific IdM function, such as users, groups, or sudo, to all anonymous users, all authenticated users, or just a certain group of privileged users.

For example, the flexibility of this approach to permissions is useful for an administrator who wants to limit access of users or groups only to the specific sections these users or groups need to access and to make the other sections completely hidden to them.

Note

A permission cannot contain other permissions.

28.1.2. Default managed permissions
Copy link

Managed permissions are permissions that come by default with IdM. They behave like other permissions created by the user, with the following differences:

  • You cannot delete them or modify their name, location, and target attributes.

  • They have three sets of attributes:

    • Default attributes, the user cannot modify them, as they are managed by IdM
    • Included attributes, which are additional attributes added by the user
    • Excluded attributes, which are attributes removed by the user

A managed permission applies to all attributes that appear in the default and included attribute sets but not in the excluded set.

Note

While you cannot delete a managed permission, setting its bind type to permission and removing the managed permission from all privileges effectively disables it.

Names of all managed permissions start with System:, for example System: Add Sudo rule or System: Modify Services. Earlier versions of IdM used a different scheme for default permissions. For example, the user could not delete them and was only able to assign them to privileges. Most of these default permissions have been turned into managed permissions, however, the following permissions still use the previous scheme:

  • Add Automember Rebuild Membership Task
  • Add Configuration Sub-Entries
  • Add Replication Agreements
  • Certificate Remove Hold
  • Get Certificates status from the CA
  • Read DNA Range
  • Modify DNA Range
  • Read PassSync Managers Configuration
  • Modify PassSync Managers Configuration
  • Read Replication Agreements
  • Modify Replication Agreements
  • Remove Replication Agreements
  • Read LDBM Database Configuration
  • Request Certificate
  • Request Certificate ignoring CA ACLs
  • Request Certificates from a different host
  • Retrieve Certificates from the CA
  • Revoke Certificate
  • Write IPA Configuration
Note

If you attempt to modify a managed permission from the command line, the system does not allow you to change the attributes that you cannot modify, the command fails. If you attempt to modify a managed permission from the Web UI, the attributes that you cannot modify are disabled.

28.1.3. Privileges in IdM
Copy link

A privilege is a group of permissions applicable to a role. While a permission provides the rights to do a single operation, there are certain IdM tasks that require multiple permissions to succeed. Therefore, a privilege combines the different permissions required to perform a specific task.

For example, setting up an account for a new IdM user requires the following permissions:

  • Creating a new user entry
  • Resetting a user password
  • Adding the new user to the default IPA users group

Combining these three low-level tasks into a higher level task in the form of a custom privilege named, for example, Add User makes it easier for a system administrator to manage roles. IdM already contains several default privileges. Apart from users and user groups, privileges are also assigned to hosts and host groups, as well as network services. This practice permits a fine-grained control of operations by a set of users on a set of hosts using specific network services.

Note

A privilege may not contain other privileges.

28.1.4. Roles in IdM
Copy link

A role is a list of privileges that users specified for the role possess.

In effect, permissions grant the ability to perform given low-level tasks (such as creating a user entry and adding an entry to a group), privileges combine one or more of these permissions needed for a higher-level task (such as creating a new user in a given group). Roles gather privileges together as needed: for example, a User Administrator role would be able to add, modify, and delete users.

Important

Roles are used to classify permitted actions. They are not used as a tool to implement privilege separation or to protect from privilege escalation.

Note

Roles cannot contain other roles.

28.1.5. Predefined roles in Identity Management
Copy link

Red Hat Enterprise Linux Identity Management provides the following range of pre-defined roles:

Expand
Table 28.1. Predefined Roles in Identity Management
RolePrivilegeDescription

Enrollment Administrator

Host Enrollment

Responsible for client, or host, enrollment

helpdesk

Modify Users and Reset passwords, Modify Group membership

Responsible for performing simple user administration tasks

IT Security Specialist

Netgroups Administrators, HBAC Administrator, Sudo Administrator

Responsible for managing security policy such as host-based access controls, sudo rules

IT Specialist

Host Administrators, Host Group Administrators, Service Administrators, Automount Administrators

Responsible for managing hosts

Security Architect

Delegation Administrator, Replication Administrators, Write IPA Configuration, Password Policy Administrator

Responsible for managing the Identity Management environment, creating trusts, creating replication agreements

User Administrator

User Administrators, Group Administrators, Stage User Administrators

Responsible for creating users and groups

28.2. Managing IdM permissions in the CLI
Copy link

Follow this procedure to manage Identity Management (IdM) permissions using the command line (CLI).

Prerequisites

Procedure

  1. Create new permission entries with the ipa permission-add command. For example, to add a permission named dns admin: 

    $ ipa permission-add "dns admin"
    Copy to Clipboard Toggle word wrap

  2. Specify the properties of the permission with the following options:

    • --bindtype specifies the bind rule type. This option accepts the all, anonymous, and permission arguments. The permission bindtype means that only the users who are granted this permission via a role can exercise it.

      For example: 

      $ ipa permission-add "dns admin" --bindtype=all
      Copy to Clipboard Toggle word wrap

      If you do not specify --bindtype, then permission is the default value.

      Note

      It is not possible to add permissions with a non-default bind rule type to privileges. You also cannot set a permission that is already present in a privilege to a non-default bind rule type.

    • --right lists the rights granted by the permission, it replaces the deprecated --permissions option. The available values are add, delete, read, search, compare, write, all.

      You can set multiple attributes by using multiple --right options or with a comma-separated list inside curly braces. For example: 

      $ ipa permission-add "dns admin" --right=read --right=write
$ ipa permission-add "dns admin" --right={read,write}
      Copy to Clipboard Toggle word wrap
      Note

      add and delete are entry-level operations (for example, deleting a user, adding a group, and so on) while read, search, compare and write are more attribute-level: you can write to userCertificate but not read userPassword.

    • --attrs gives the list of attributes over which the permission is granted.

      You can set multiple attributes by using multiple --attrs options or by listing the options in a comma-separated list inside curly braces. For example: 

      $ ipa permission-add "dns admin" --attrs=description --attrs=automountKey
$ ipa permission-add "dns admin" --attrs={description,automountKey}
      Copy to Clipboard Toggle word wrap

      The attributes provided with --attrs must exist and be allowed attributes for the given object type, otherwise the command fails with schema syntax errors.

    • --type defines the entry object type to which the permission applies, such as user, host, or service. Each type has its own set of allowed attributes.
      For example: 

      $ ipa permission-add "manage service" --right=all --type=service --attrs=krbprincipalkey --attrs=krbprincipalname --attrs=managedby
      Copy to Clipboard Toggle word wrap

    • --subtree gives a subtree entry; the filter then targets every entry beneath this subtree entry. Provide an existing subtree entry; --subtree does not accept wildcards or non-existent domain names (DNs). Include a DN within the directory.

      Because IdM uses a simplified, flat directory tree structure, --subtree can be used to target some types of entries, like automount locations, which are containers or parent entries for other configuration. For example: 

      $ ipa permission-add "manage automount locations" --subtree="ldap://ldap.example.com:389/cn=automount,dc=example,dc=com" --right=write --attrs=automountmapname --attrs=automountkey --attrs=automountInformation
      Copy to Clipboard Toggle word wrap
      Note

      The --type and --subtree options are mutually exclusive: you can see the inclusion of filters for --type as a simplification of --subtree, intending to make life easier for an admin.

    • --filter uses an LDAP filter to identify which entries the permission applies to.

      IdM automatically checks the validity of the given filter. The filter can be any valid LDAP filter, for example: 

      $ ipa permission-add "manage Windows groups" --filter="(!(objectclass=posixgroup))" --right=write --attrs=description
      Copy to Clipboard Toggle word wrap

    • --memberof sets the target filter to members of the given group after checking that the group exists. For example, to let the users with this permission modify the login shell of members of the engineers group: 

      $ ipa permission-add ManageShell --right="write" --type=user --attr=loginshell --memberof=engineers
      Copy to Clipboard Toggle word wrap
      Note

      Setting the memberof attribute permission is not applied if the target LDAP entry does not contain any reference to group membership.

    • --targetgroup sets target to the specified user group after checking that the group exists. For example, to let those with the permission write the member attribute in the engineers group (so they can add or remove members): 

      $ ipa permission-add ManageMembers --right="write" --subtree=cn=groups,cn=accounts,dc=example,dc=test --attr=member --targetgroup=engineers
      Copy to Clipboard Toggle word wrap

    • Optionally, you can specify a target domain name (DN):

      • --target specifies the DN to apply the permission to. Wildcards are accepted.
      • --targetto specifies the DN subtree where an entry can be moved to.
      • --targetfrom specifies the DN subtree from where an entry can be moved.

28.3. Command options for existing permissions
Copy link

Use the following variants to modify existing permissions as needed:

  • To edit existing permissions, use the ipa permission-mod command. You can use the same command options as for adding permissions.
  • To find existing permissions, use the ipa permission-find command. You can use the same command options as for adding permissions.

  • To view a specific permission, use the ipa permission-show command.

    The --raw argument shows the raw 389-ds ACI that is generated. For example: 

     $ ipa permission-show <permission> --raw
    Copy to Clipboard Toggle word wrap
  • The ipa permission-del command deletes a permission completely.

28.4. Managing IdM privileges in the CLI
Copy link

Follow this procedure to manage Identity Management (IdM) privileges using the command line (CLI).

Prerequisites

Procedure

  1. Add privilege entries using the ipa privilege-add command

    For example, to add a privilege named managing filesystems with a description: 

    $ ipa privilege-add "managing filesystems" --desc="for filesystems"
    Copy to Clipboard Toggle word wrap

  2. Assign the required permissions to the privilege group with the privilege-add-permission command

    For example, to add the permissions named managing automount and managing ftp services to the managing filesystems privilege: 

    $ ipa privilege-add-permission "managing filesystems" --permissions="managing automount" --permissions="managing ftp services"
    Copy to Clipboard Toggle word wrap

28.5. Command options for existing privileges
Copy link

Use the following variants to modify existing privileges as needed:

  • To modify existing privileges, use the ipa privilege-mod command.
  • To find existing privileges, use the ipa privilege-find command.
  • To view a specific privilege, use the ipa privilege-show command.
  • The ipa privilege-remove-permission command removes one or more permissions from a privilege.
  • The ipa privilege-del command deletes a privilege completely.

28.6. Managing IdM roles in the CLI
Copy link

Follow this procedure to manage Identity Management (IdM) roles using the command line (CLI).

Prerequisites

Procedure

  1. Add new role entries using the ipa role-add command: 

    $ ipa role-add --desc="User Administrator" useradmin
------------------------
Added role "useradmin"
------------------------
Role name: useradmin
Description: User Administrator
    Copy to Clipboard Toggle word wrap

  2. Add the required privileges to the role using the ipa role-add-privilege command: 

    $ ipa role-add-privilege --privileges="user administrators" useradmin
Role name: useradmin
Description: User Administrator
Privileges: user administrators
----------------------------
Number of privileges added 1
----------------------------
    Copy to Clipboard Toggle word wrap

  3. Add the required members to the role using the ipa role-add-member command. Allowed member types are: users, groups, hosts and hostgroups.
    For example, to add the group named useradmins to the previously created useradmin role: 

    $ ipa role-add-member --groups=useradmins useradmin
Role name: useradmin
Description: User Administrator
Member groups: useradmins
Privileges: user administrators
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap

28.7. Command options for existing roles
Copy link

Use the following variants to modify existing roles as needed:

  • To modify existing roles, use the ipa role-mod command.
  • To find existing roles, use the ipa role-find command.
  • To view a specific role, use the ipa role-show command.
  • To remove a member from the role, use the ipa role-remove-member command.
  • The ipa role-remove-privilege command removes one or more privileges from a role.
  • The ipa role-del command deletes a role completely.

Learn more about role-based access control (RBAC) in Identity Management (IdM). RBAC is a security feature that restricts access to authorized users. You can define roles with specific permissions and then assign those roles to users.

29.1. Role-based access control in IdM
Copy link

Role-based access control (RBAC) in IdM grants a very different kind of authority to users compared to self-service and delegation access controls.

Role-based access control is composed of three parts:

  • Permissions grant the right to perform a specific task such as adding or deleting users, modifying a group, and enabling read-access.
  • Privileges combine permissions, for example all the permissions needed to add a new user.
  • Roles grant a set of privileges to users, user groups, hosts or host groups.

29.1.1. Permissions in IdM
Copy link

Permissions are the lowest level unit of role-based access control, they define operations together with the LDAP entries to which those operations apply. Comparable to building blocks, permissions can be assigned to as many privileges as needed.

One or more rights define what operations are allowed:

  • write
  • read
  • search
  • compare
  • add
  • delete
  • all

These operations apply to three basic targets:

  • subtree: a domain name (DN); the subtree under this DN
  • target filter: an LDAP filter
  • target: DN with possible wildcards to specify entries

Additionally, the following convenience options set the corresponding attribute(s):

  • type: a type of object (user, group, etc); sets subtree and target filter

  • memberof: members of a group; sets a target filter

    Note

    Setting the memberof attribute permission is not applied if the target LDAP entry does not contain any reference to group membership.

  • targetgroup: grants access to modify a specific group (such as granting the rights to manage group membership); sets a target

With IdM permissions, you can control which users have access to which objects and even which attributes of these objects. IdM enables you to allow or block individual attributes or change the entire visibility of a specific IdM function, such as users, groups, or sudo, to all anonymous users, all authenticated users, or just a certain group of privileged users.

For example, the flexibility of this approach to permissions is useful for an administrator who wants to limit access of users or groups only to the specific sections these users or groups need to access and to make the other sections completely hidden to them.

Note

A permission cannot contain other permissions.

29.1.2. Default managed permissions
Copy link

Managed permissions are permissions that come by default with IdM. They behave like other permissions created by the user, with the following differences:

  • You cannot delete them or modify their name, location, and target attributes.

  • They have three sets of attributes:

    • Default attributes, the user cannot modify them, as they are managed by IdM
    • Included attributes, which are additional attributes added by the user
    • Excluded attributes, which are attributes removed by the user

A managed permission applies to all attributes that appear in the default and included attribute sets but not in the excluded set.

Note

While you cannot delete a managed permission, setting its bind type to permission and removing the managed permission from all privileges effectively disables it.

Names of all managed permissions start with System:, for example System: Add Sudo rule or System: Modify Services. Earlier versions of IdM used a different scheme for default permissions. For example, the user could not delete them and was only able to assign them to privileges. Most of these default permissions have been turned into managed permissions, however, the following permissions still use the previous scheme:

  • Add Automember Rebuild Membership Task
  • Add Configuration Sub-Entries
  • Add Replication Agreements
  • Certificate Remove Hold
  • Get Certificates status from the CA
  • Read DNA Range
  • Modify DNA Range
  • Read PassSync Managers Configuration
  • Modify PassSync Managers Configuration
  • Read Replication Agreements
  • Modify Replication Agreements
  • Remove Replication Agreements
  • Read LDBM Database Configuration
  • Request Certificate
  • Request Certificate ignoring CA ACLs
  • Request Certificates from a different host
  • Retrieve Certificates from the CA
  • Revoke Certificate
  • Write IPA Configuration
Note

If you attempt to modify a managed permission from the command line, the system does not allow you to change the attributes that you cannot modify, the command fails. If you attempt to modify a managed permission from the Web UI, the attributes that you cannot modify are disabled.

29.1.3. Privileges in IdM
Copy link

A privilege is a group of permissions applicable to a role. While a permission provides the rights to do a single operation, there are certain IdM tasks that require multiple permissions to succeed. Therefore, a privilege combines the different permissions required to perform a specific task.

For example, setting up an account for a new IdM user requires the following permissions:

  • Creating a new user entry
  • Resetting a user password
  • Adding the new user to the default IPA users group

Combining these three low-level tasks into a higher level task in the form of a custom privilege named, for example, Add User makes it easier for a system administrator to manage roles. IdM already contains several default privileges. Apart from users and user groups, privileges are also assigned to hosts and host groups, as well as network services. This practice permits a fine-grained control of operations by a set of users on a set of hosts using specific network services.

Note

A privilege may not contain other privileges.

29.1.4. Roles in IdM
Copy link

A role is a list of privileges that users specified for the role possess.

In effect, permissions grant the ability to perform given low-level tasks (such as creating a user entry and adding an entry to a group), privileges combine one or more of these permissions needed for a higher-level task (such as creating a new user in a given group). Roles gather privileges together as needed: for example, a User Administrator role would be able to add, modify, and delete users.

Important

Roles are used to classify permitted actions. They are not used as a tool to implement privilege separation or to protect from privilege escalation.

Note

Roles cannot contain other roles.

29.1.5. Predefined roles in Identity Management
Copy link

Red Hat Enterprise Linux Identity Management provides the following range of pre-defined roles:

Expand
Table 29.1. Predefined Roles in Identity Management
RolePrivilegeDescription

Enrollment Administrator

Host Enrollment

Responsible for client, or host, enrollment

helpdesk

Modify Users and Reset passwords, Modify Group membership

Responsible for performing simple user administration tasks

IT Security Specialist

Netgroups Administrators, HBAC Administrator, Sudo Administrator

Responsible for managing security policy such as host-based access controls, sudo rules

IT Specialist

Host Administrators, Host Group Administrators, Service Administrators, Automount Administrators

Responsible for managing hosts

Security Architect

Delegation Administrator, Replication Administrators, Write IPA Configuration, Password Policy Administrator

Responsible for managing the Identity Management environment, creating trusts, creating replication agreements

User Administrator

User Administrators, Group Administrators, Stage User Administrators

Responsible for creating users and groups

29.2. Managing permissions in the IdM Web UI
Copy link

Follow this procedure to manage permissions in Identity Management (IdM) using the web interface (IdM Web UI).

Prerequisites

Procedure

  1. To add a new permission, open the IPA Server>Role-Based Access Control submenu and select Permissions:
  2. The list of permissions opens: Click the Add button at the top of the list of the permissions:
  3. The Add Permission form opens. Specify the name of the new permission and define its properties.

  4. Select the appropriate bind rule type:

    • permission is the default permission type, granting access through privileges and roles
    • all specifies that the permission applies to all authenticated users

    • anonymous specifies that the permission applies to all users, including unauthenticated users

      Note

      It is not possible to add permissions with a non-default bind rule type to privileges. You also cannot set a permission that is already present in a privilege to a non-default bind rule type.

  5. Choose the rights to grant with this permission in Granted rights.

  6. Define the method to identify the target entries for the permission:

    • Type specifies an entry type, such as user, host, or service. If you choose a value for the Type setting, a list of all possible attributes which will be accessible through this ACI for that entry type appears under Effective Attributes. Defining Type sets Subtree and Target DN to one of the predefined values.
    • Subtree (required) specifies a subtree entry; every entry beneath this subtree entry is then targeted. Provide an existing subtree entry, as Subtree does not accept wildcards or non-existent domain names (DNs). For example: cn=automount,dc=example,dc=com

    • Extra target filter uses an LDAP filter to identify which entries the permission applies to. The filter can be any valid LDAP filter, for example: (!(objectclass=posixgroup))

      IdM automatically checks the validity of the given filter. If you enter an invalid filter, IdM warns you about this when you attempt to save the permission.

    • Target DN specifies the domain name (DN) and accepts wildcards. For example: uid=*,cn=users,cn=accounts,dc=com

    • Member of group sets the target filter to members of the given group. After you specify the filter settings and click Add, IdM validates the filter. If all the permission settings are correct, IdM will perform the search. If some of the permissions settings are incorrect, IdM will display a message informing you about which setting is set incorrectly.

      Note

      Setting the memberof attribute permission is not applied if the target LDAP entry does not contain any reference to group membership.

  7. Add attributes to the permission:

    • If you set Type, choose the Effective attributes from the list of available ACI attributes.

    • If you did not use Type, add the attributes manually by writing them into the Effective attributes field. Add a single attribute at a time; to add multiple attributes, click Add to add another input field.

      Important

      If you do not set any attributes for the permission, then the permissions includes all attributes by default.

  8. Finish adding the permissions with the Add buttons at the bottom of the form:

    • Click the Add button to save the permission and go back to the list of permissions.
    • To save the permission and continue adding additional permissions in the same form, click the Add and Add another button.
    • The Add and Edit button enables you to save and continue editing the newly created permission.
  9. Optional: You can also edit the properties of an existing permission by clicking its name from the list of permissions to display the Permission settings page.

  10. Optional: If you need to remove an existing permission, select the checkbox next to its name in the list and click the Delete button to display The Remove permissions dialog. Click Delete.

    Note

    Operations on default managed permissions are restricted: the attributes you cannot modify are disabled in the IdM Web UI and you cannot delete the managed permissions completely.

    However, you can effectively disable a managed permission that has a bind type set to permission, by removing the managed permission from all privileges.

For example, the following shows how to configure the permission write on the member attribute in the engineers group (so they can add or remove members):

+ Example for adding a permission

29.3. Managing privileges in the IdM WebUI
Copy link

Follow this procedure to manage privileges in IdM using the web interface (IdM Web UI).

Prerequisites

Procedure

  1. To add a new privilege, open the IPA Server>Role-Based Access Control submenu and select Privileges:
  2. The list of privileges opens. Click the Add button at the top of the list of privileges.
  3. The Add Privilege form opens. Enter the name and a description of the privilege.
  4. Click the Add and Edit button to save the new privilege and continue to the privilege configuration page to add permissions.
  5. Click the Permissions tab to display a list of permissions included in the selected privilege. Click the Add button at the top of the list to add permissions to the privilege:
  6. Select the checkbox next to the name of each permission to add, and use the > button to move the permissions to the Prospective column.
  7. Confirm by clicking the Add button.
  8. Optional: If you need to remove permissions, select the checkbox next to the relevant permissions and click the Delete button to display the Remove privileges from permissions dialog. Click Delete.
  9. Optional: If you need to delete an existing privilege, select the checkbox next to its name in the list and click the Delete button to open the Remove privileges dialog. Click Delete.

29.4. Managing roles in the IdM Web UI
Copy link

Follow this procedure to manage roles in Identity Management (IdM) using the web interface (IdM Web UI).

Prerequisites

Procedure

  1. To add a new role, open the IPA Server>Role-Based Access Control submenu and select Roles:
  2. The list of roles opens. Click the Add button at the top of the list of roles.
  3. The Add Role form opens. Enter the role name and a description:
  4. Click the Add and Edit button to save the new role and continue to the role configuration page to add privileges and users.
  5. Add members using the Users, Users Groups, Hosts, Host Groups or Services tabs, by clicking the Add button on top of the relevant list(s).
  6. In the window that opens, select the members on the left and use the > button to move them to the Prospective column.
  7. Select the Privileges tab and click Add.
  8. Select the privileges on the left and use the > button to move them to the Prospective column.
  9. Click the Add button to save.
  10. Optional: If you need to remove privileges or members from a role, select the checkbox next to the name of the entity you want to remove and click the Delete button. A dialog opens. Click Delete.
  11. Optional: If you need to remove an existing role, select the checkbox next to its name in the list and click the Delete button to display the Remove roles dialog. Click Delete.

Role-based access control (RBAC) is a policy-neutral access-control mechanism defined around roles and privileges. The components of RBAC in Identity Management (IdM) are roles, privileges and permissions:

  • Permissions grant the right to perform a specific task such as adding or deleting users, modifying a group, and enabling read-access.
  • Privileges combine permissions, for example all the permissions needed to add a new user.
  • Roles grant a set of privileges to users, user groups, hosts or host groups.

Especially in large companies, using RBAC can help create a hierarchical system of administrators with their individual areas of responsibility.

Learn about operations you can perform when managing RBAC using Ansible playbooks.

30.1. Permissions in IdM
Copy link

Permissions are the lowest level unit of role-based access control, they define operations together with the LDAP entries to which those operations apply. Comparable to building blocks, permissions can be assigned to as many privileges as needed.

One or more rights define what operations are allowed:

  • write
  • read
  • search
  • compare
  • add
  • delete
  • all

These operations apply to three basic targets:

  • subtree: a domain name (DN); the subtree under this DN
  • target filter: an LDAP filter
  • target: DN with possible wildcards to specify entries

Additionally, the following convenience options set the corresponding attribute(s):

  • type: a type of object (user, group, etc); sets subtree and target filter

  • memberof: members of a group; sets a target filter

    Note

    Setting the memberof attribute permission is not applied if the target LDAP entry does not contain any reference to group membership.

  • targetgroup: grants access to modify a specific group (such as granting the rights to manage group membership); sets a target

With IdM permissions, you can control which users have access to which objects and even which attributes of these objects. IdM enables you to allow or block individual attributes or change the entire visibility of a specific IdM function, such as users, groups, or sudo, to all anonymous users, all authenticated users, or just a certain group of privileged users.

For example, the flexibility of this approach to permissions is useful for an administrator who wants to limit access of users or groups only to the specific sections these users or groups need to access and to make the other sections completely hidden to them.

Note

A permission cannot contain other permissions.

30.2. Default managed permissions
Copy link

Managed permissions are permissions that come by default with IdM. They behave like other permissions created by the user, with the following differences:

  • You cannot delete them or modify their name, location, and target attributes.

  • They have three sets of attributes:

    • Default attributes, the user cannot modify them, as they are managed by IdM
    • Included attributes, which are additional attributes added by the user
    • Excluded attributes, which are attributes removed by the user

A managed permission applies to all attributes that appear in the default and included attribute sets but not in the excluded set.

Note

While you cannot delete a managed permission, setting its bind type to permission and removing the managed permission from all privileges effectively disables it.

Names of all managed permissions start with System:, for example System: Add Sudo rule or System: Modify Services. Earlier versions of IdM used a different scheme for default permissions. For example, the user could not delete them and was only able to assign them to privileges. Most of these default permissions have been turned into managed permissions, however, the following permissions still use the previous scheme:

  • Add Automember Rebuild Membership Task
  • Add Configuration Sub-Entries
  • Add Replication Agreements
  • Certificate Remove Hold
  • Get Certificates status from the CA
  • Read DNA Range
  • Modify DNA Range
  • Read PassSync Managers Configuration
  • Modify PassSync Managers Configuration
  • Read Replication Agreements
  • Modify Replication Agreements
  • Remove Replication Agreements
  • Read LDBM Database Configuration
  • Request Certificate
  • Request Certificate ignoring CA ACLs
  • Request Certificates from a different host
  • Retrieve Certificates from the CA
  • Revoke Certificate
  • Write IPA Configuration
Note

If you attempt to modify a managed permission from the command line, the system does not allow you to change the attributes that you cannot modify, the command fails. If you attempt to modify a managed permission from the Web UI, the attributes that you cannot modify are disabled.

30.3. Privileges in IdM
Copy link

A privilege is a group of permissions applicable to a role. While a permission provides the rights to do a single operation, there are certain IdM tasks that require multiple permissions to succeed. Therefore, a privilege combines the different permissions required to perform a specific task.

For example, setting up an account for a new IdM user requires the following permissions:

  • Creating a new user entry
  • Resetting a user password
  • Adding the new user to the default IPA users group

Combining these three low-level tasks into a higher level task in the form of a custom privilege named, for example, Add User makes it easier for a system administrator to manage roles. IdM already contains several default privileges. Apart from users and user groups, privileges are also assigned to hosts and host groups, as well as network services. This practice permits a fine-grained control of operations by a set of users on a set of hosts using specific network services.

Note

A privilege may not contain other privileges.

30.4. Roles in IdM
Copy link

A role is a list of privileges that users specified for the role possess.

In effect, permissions grant the ability to perform given low-level tasks (such as creating a user entry and adding an entry to a group), privileges combine one or more of these permissions needed for a higher-level task (such as creating a new user in a given group). Roles gather privileges together as needed: for example, a User Administrator role would be able to add, modify, and delete users.

Important

Roles are used to classify permitted actions. They are not used as a tool to implement privilege separation or to protect from privilege escalation.

Note

Roles cannot contain other roles.

30.5. Predefined roles in Identity Management
Copy link

Red Hat Enterprise Linux Identity Management provides the following range of pre-defined roles:

Expand
Table 30.1. Predefined Roles in Identity Management
RolePrivilegeDescription

Enrollment Administrator

Host Enrollment

Responsible for client, or host, enrollment

helpdesk

Modify Users and Reset passwords, Modify Group membership

Responsible for performing simple user administration tasks

IT Security Specialist

Netgroups Administrators, HBAC Administrator, Sudo Administrator

Responsible for managing security policy such as host-based access controls, sudo rules

IT Specialist

Host Administrators, Host Group Administrators, Service Administrators, Automount Administrators

Responsible for managing hosts

Security Architect

Delegation Administrator, Replication Administrators, Write IPA Configuration, Password Policy Administrator

Responsible for managing the Identity Management environment, creating trusts, creating replication agreements

User Administrator

User Administrators, Group Administrators, Stage User Administrators

Responsible for creating users and groups

To exercise more granular control over role-based access (RBAC) to resources in Identity Management (IdM) than the default roles provide, create a custom role.

The following procedure describes how to use an Ansible playbook to define privileges for a new IdM custom role and ensure its presence. In the example, the new user_and_host_administrator role contains a unique combination of the following privileges that are present in IdM by default:

  • Group Administrators
  • User Administrators
  • Stage User Administrators
  • Group Administrators

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to the ~/<MyPlaybooks>/ directory: 

    $ cd ~/<MyPlaybooks>/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the role-member-user-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/role/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/role/role-member-user-present.yml role-member-user-present-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the role-member-user-present-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the iparole task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the new role.
    • Set the privilege list to the names of the IdM privileges that you want to include in the new role.
    • Optionally, set the user variable to the name of the user to whom you want to grant the new role.
    • Optionally, set the group variable to the name of the group to which you want to grant the new role.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Playbook to manage IPA role with members.
  hosts: ipaserver
  become: true
  gather_facts: no

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - iparole:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: user_and_host_administrator
      user: idm_user01
      group: idm_group01
      privilege:
      - Group Administrators
      - User Administrators
      - Stage User Administrators
      - Group Administrators
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i ~/<MyPlaybooks>/inventory role-member-user-present-copy.yml
    Copy to Clipboard Toggle word wrap

As a system administrator managing role-based access control (RBAC) in Identity Management (IdM), you may want to ensure the absence of an obsolete role so that no administrator assigns it to any user accidentally.

The following procedure describes how to use an Ansible playbook to ensure a role is absent. The example below describes how to make sure the custom user_and_host_administrator role does not exist in IdM.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to the ~/<MyPlaybooks>/ directory: 

    $ cd ~/<MyPlaybooks>/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the role-is-absent.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/role/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/role/role-is-absent.yml role-is-absent-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the role-is-absent-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the iparole task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the role.
    • Ensure that the state variable is set to absent.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Playbook to manage IPA role with members.
  hosts: ipaserver
  become: true
  gather_facts: no

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - iparole:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: user_and_host_administrator
      state: absent
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i ~/<MyPlaybooks>/inventory role-is-absent-copy.yml
    Copy to Clipboard Toggle word wrap

As a system administrator managing role-based access control (RBAC) in Identity Management (IdM), you may want to assign a role to a specific group of users, for example junior administrators.

The following example describes how to use an Ansible playbook to ensure the built-in IdM RBAC helpdesk role is assigned to junior_sysadmins.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to the ~/<MyPlaybooks>/ directory: 

    $ cd ~/<MyPlaybooks>/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the role-member-group-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/role/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/role/role-member-group-present.yml role-member-group-present-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the role-member-group-present-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the iparole task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the role you want to assign.
    • Set the group variable to the name of the group.
    • Set the action variable to member.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Playbook to manage IPA role with members.
  hosts: ipaserver
  become: true
  gather_facts: no

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - iparole:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: helpdesk
      group: junior_sysadmins
      action: member
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i ~/<MyPlaybooks>/inventory role-member-group-present-copy.yml
    Copy to Clipboard Toggle word wrap

As a system administrator managing role-based access control (RBAC) in Identity Management (IdM), you may want to ensure that an RBAC role is not assigned to specific users after they have, for example, moved to different positions within the company.

The following procedure describes how to use an Ansible playbook to ensure that the users named user_01 and user_02 are not assigned to the helpdesk role.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to the ~/<MyPlaybooks>/ directory: 

    $ cd ~/<MyPlaybooks>/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the role-member-user-absent.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/role/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/role/role-member-user-absent.yml role-member-user-absent-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the role-member-user-absent-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the iparole task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the role you want to assign.
    • Set the user list to the names of the users.
    • Set the action variable to member.
    • Set the state variable to absent.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Playbook to manage IPA role with members.
  hosts: ipaserver
  become: true
  gather_facts: no

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - iparole:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: helpdesk
      user
      - user_01
      - user_02
      action: member
      state: absent
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i ~/<MyPlaybooks>/inventory role-member-user-absent-copy.yml
    Copy to Clipboard Toggle word wrap

As a system administrator managing role-based access control (RBAC) in Identity Management (IdM), you may want to ensure that a specific service that is enrolled into IdM is a member of a particular role. The following example describes how to ensure that the custom web_administrator role can manage the HTTP service that is running on the client01.idm.example.com server.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The web_administrator role exists in IdM.
  • The HTTP/client01.idm.example.com@IDM.EXAMPLE.COM service exists in IdM.

Procedure

  1. Navigate to the ~/<MyPlaybooks>/ directory: 

    $ cd ~/<MyPlaybooks>/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the role-member-service-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/role/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/role/role-member-service-present-absent.yml role-member-service-present-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the role-member-service-present-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the iparole task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the role you want to assign.
    • Set the service list to the name of the service.
    • Set the action variable to member.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Playbook to manage IPA role with members.
  hosts: ipaserver
  become: true
  gather_facts: no

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - iparole:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: web_administrator
      service:
      - HTTP/client01.idm.example.com
      action: member
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i ~/<MyPlaybooks>/inventory role-member-service-present-copy.yml
    Copy to Clipboard Toggle word wrap

As a system administrator managing role-based access control in Identity Management (IdM), you may want to ensure that a specific host or host group is associated with a specific role. The following example describes how to ensure that the custom web_administrator role can manage the client01.idm.example.com IdM host on which the HTTP service is running.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The web_administrator role exists in IdM.
  • The client01.idm.example.com host exists in IdM.

Procedure

  1. Navigate to the ~/<MyPlaybooks>/ directory: 

    $ cd ~/<MyPlaybooks>/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the role-member-host-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/role/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/role/role-member-host-present.yml role-member-host-present-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the role-member-host-present-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the iparole task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the role you want to assign.
    • Set the host list to the name of the host.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Playbook to manage IPA role with members.
  hosts: ipaserver
  become: true
  gather_facts: no

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - iparole:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: web_administrator
      host:
      - client01.idm.example.com
      action: member
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i ~/<MyPlaybooks>/inventory role-member-host-present-copy.yml
    Copy to Clipboard Toggle word wrap

As a system administrator managing role-based access control in Identity Management (IdM), you may want to ensure that a specific host or host group is associated with a specific role. The following example describes how to ensure that the custom web_administrator role can manage the web_servers group of IdM hosts on which the HTTP service is running.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The web_administrator role exists in IdM.
  • The web_servers host group exists in IdM.

Procedure

  1. Navigate to the ~/<MyPlaybooks>/ directory: 

    $ cd ~/<MyPlaybooks>/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the role-member-hostgroup-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/role/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/role/role-member-hostgroup-present.yml role-member-hostgroup-present-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the role-member-hostgroup-present-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the iparole task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the role you want to assign.
    • Set the hostgroup list to the name of the hostgroup.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Playbook to manage IPA role with members.
  hosts: ipaserver
  become: true
  gather_facts: no

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - iparole:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: web_administrator
      hostgroup:
      - web_servers
      action: member
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i ~/<MyPlaybooks>/inventory role-member-hostgroup-present-copy.yml
    Copy to Clipboard Toggle word wrap

Role-based access control (RBAC) is a policy-neutral access-control mechanism defined around roles, privileges, and permissions. Especially in large companies, using RBAC can help create a hierarchical system of administrators with their individual areas of responsibility.

Learn how to use Ansible playbooks to manage RBAC privileges in Identity Management (IdM).

Prerequisites

To have a fully-functioning custom privilege in Identity Management (IdM) role-based access control (RBAC), you need to proceed in stages:

  1. Create a privilege with no permissions attached.
  2. Add permissions of your choice to the privilege.

The following procedure describes how to create an empty privilege using an Ansible playbook so that you can later add permissions to it. The example describes how to create a privilege named full_host_administration that is meant to combine all IdM permissions related to host administration.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the privilege-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/privilege/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/privilege/privilege-present.yml privilege-present-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the privilege-present-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipaprivilege task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the new privilege, full_host_administration.
    • Optionally, describe the privilege using the description variable.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Privilege present example
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure privilege full_host_administration is present
    ipaprivilege:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: full_host_administration
      description: This privilege combines all IdM permissions related to host administration
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory privilege-present-copy.yml
    Copy to Clipboard Toggle word wrap

To have a fully-functioning custom privilege in Identity Management (IdM) role-based access control (RBAC), you need to proceed in stages:

  1. Create a privilege with no permissions attached.
  2. Add permissions of your choice to the privilege.

The following procedure describes how to use an Ansible playbook to add permissions to a privilege created in the previous step. The example describes how to add all IdM permissions related to host administration to a privilege named full_host_administration. By default, the permissions are distributed between the Host Enrollment, Host Administrators and Host Group Administrator privileges.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The full_host_administration privilege exists. For information about how to create a privilege using Ansible, see Using Ansible to ensure a custom IdM RBAC privilege is present.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the privilege-member-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/privilege/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/privilege/privilege-member-present.yml privilege-member-present-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the privilege-member-present-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipaprivilege task section:

    • Adapt the name of the task to correspond to your use case.
    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the privilege.
    • Set the permission list to the names of the permissions that you want to include in the privilege.
    • Make sure that the action variable is set to member.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Privilege member present example
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure that permissions are present for the "full_host_administration" privilege
    ipaprivilege:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: full_host_administration
      permission:
      - "System: Add krbPrincipalName to a Host"
      - "System: Enroll a Host"
      - "System: Manage Host Certificates"
      - "System: Manage Host Enrollment Password"
      - "System: Manage Host Keytab"
      - "System: Manage Host Principals"
      - "Retrieve Certificates from the CA"
      - "Revoke Certificate"
      - "System: Add Hosts"
      - "System: Add krbPrincipalName to a Host"
      - "System: Enroll a Host"
      - "System: Manage Host Certificates"
      - "System: Manage Host Enrollment Password"
      - "System: Manage Host Keytab"
      - "System: Manage Host Keytab Permissions"
      - "System: Manage Host Principals"
      - "System: Manage Host SSH Public Keys"
      - "System: Manage Service Keytab"
      - "System: Manage Service Keytab Permissions"
      - "System: Modify Hosts"
      - "System: Remove Hosts"
      - "System: Add Hostgroups"
      - "System: Modify Hostgroup Membership"
      - "System: Modify Hostgroups"
      - "System: Remove Hostgroups"
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory privilege-member-present-copy.yml
    Copy to Clipboard Toggle word wrap

As a system administrator of Identity Management (IdM), you can customize the IdM role-based access control.

The following procedure describes how to use an Ansible playbook to remove a permission from a privilege. The example describes how to remove the Request Certificates ignoring CA ACLs permission from the default Certificate Administrators privilege because, for example, the administrator considers it a security risk.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the privilege-member-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/privilege/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/privilege/privilege-member-absent.yml privilege-member-absent-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the privilege-member-absent-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipaprivilege task section:

    • Adapt the name of the task to correspond to your use case.
    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the privilege.
    • Set the permission list to the names of the permissions that you want to remove from the privilege.
    • Make sure that the action variable is set to member.
    • Make sure that the state variable is set to absent.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Privilege absent example
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure that the "Request Certificate ignoring CA ACLs" permission is absent from the "Certificate Administrators" privilege
    ipaprivilege:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: Certificate Administrators
      permission:
      - "Request Certificate ignoring CA ACLs"
      action: member
      state: absent
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory privilege-member-absent-copy.yml
    Copy to Clipboard Toggle word wrap

As a system administrator of Identity Management (IdM), you can customize the IdM role-based access control.

The following procedure describes how to rename a privilege because, for example, you have removed a few permissions from it. As a result, the name of the privilege is no longer accurate. In the example, the administrator renames a full_host_administration privilege to limited_host_administration.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The full_host_administration privilege exists. For more information about how to add a privilege, see Using Ansible to ensure a custom IdM RBAC privilege is present.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the privilege-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/privilege/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/privilege/privilege-present.yml rename-privilege.yml
    Copy to Clipboard Toggle word wrap
  3. Open the rename-privilege.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipaprivilege task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the current name of the privilege.
    • Add the rename variable and set it to the new name of the privilege.
    • Add the state variable and set it to renamed.

  5. Rename the playbook itself, for example: 

    ---
- name: Rename a privilege
  hosts: ipaserver
    Copy to Clipboard Toggle word wrap

  6. Rename the task in the playbook, for example: 

    [...]
tasks:
- name: Ensure the full_host_administration privilege is renamed to limited_host_administration
  ipaprivilege:
  [...]
    Copy to Clipboard Toggle word wrap

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Rename a privilege
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure the full_host_administration privilege is renamed to limited_host_administration
    ipaprivilege:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: full_host_administration
      rename: limited_host_administration
      state: renamed
    Copy to Clipboard Toggle word wrap
  7. Save the file.

  8. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory rename-privilege.yml
    Copy to Clipboard Toggle word wrap

As a system administrator of Identity Management (IdM), you can customize the IdM role-based access control. The following procedure describes how to use an Ansible playbook to ensure that an RBAC privilege is absent. The example describes how to ensure that the CA administrator privilege is absent. As a result of the procedure, the admin administrator becomes the only user capable of managing certificate authorities in IdM.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the privilege-absent.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/privilege/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/privilege/privilege-absent.yml privilege-absent-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the privilege-absent-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipaprivilege task section:

    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the privilege you want to remove.
    • Make sure that the state variable is set it to absent.

  5. Rename the task in the playbook, for example: 

    [...]
tasks:
- name: Ensure privilege "CA administrator" is absent
  ipaprivilege:
  [...]
    Copy to Clipboard Toggle word wrap

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Privilege absent example
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure privilege "CA administrator" is absent
    ipaprivilege:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: CA administrator
      state: absent
    Copy to Clipboard Toggle word wrap
  6. Save the file.

  7. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory privilege-absent-copy.yml
    Copy to Clipboard Toggle word wrap

Role-based access control (RBAC) is a policy-neutral access control mechanism defined around roles, privileges, and permissions. Especially in large companies, using RBAC can help create a hierarchical system of administrators with their individual areas of responsibility.

Learn about operations you can perform when managing RBAC permissions in Identity Management (IdM) using Ansible playbooks:

Prerequisites

As a system administrator of Identity Management (IdM), you can customize the IdM role-based access control (RBAC).

The following procedure describes how to use an Ansible playbook to ensure a permission is present in IdM so that it can be added to a privilege. The example describes how to ensure the following target state:

  • The MyPermission permission exists.
  • The MyPermission permission can only be applied to hosts.

  • A user granted a privilege that contains the permission can do all of the following possible operations on an entry:

    • Write
    • Read
    • Search
    • Compare
    • Add
    • Delete

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the permission-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/permission/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/permission/permission-present.yml permission-present-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the permission-present-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipapermission task section:

    • Adapt the name of the task to correspond to your use case.
    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the permission.
    • Set the object_type variable to host.
    • Set the right variable to all.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Permission present example
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure that the "MyPermission" permission is present
    ipapermission:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: MyPermission
      object_type: host
      right: all
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory permission-present-copy.yml
    Copy to Clipboard Toggle word wrap

As a system administrator of Identity Management (IdM), you can customize the IdM role-based access control (RBAC).

The following procedure describes how to use an Ansible playbook to ensure a permission is present in IdM so that it can be added to a privilege. The example describes how to ensure the following target state:

  • The MyPermission permission exists.
  • The MyPermission permission can only be used to add hosts.

  • A user granted a privilege that contains the permission can do all of the following possible operations on a host entry:

    • Write
    • Read
    • Search
    • Compare
    • Add
    • Delete
  • The host entries created by a user that is granted a privilege that contains the MyPermission permission can have a description value.
Note

The type of attribute that you can specify when creating or modifying a permission is not constrained by the IdM LDAP schema. However, specifying, for example, attrs: car_licence if the object_type is host later results in the ipa: ERROR: attribute "car-license" not allowed error message when you try to exercise the permission and add a specific car licence value to a host.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the permission-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/permission/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/permission/permission-present.yml permission-present-with-attribute.yml
    Copy to Clipboard Toggle word wrap
  3. Open the permission-present-with-attribute.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipapermission task section:

    • Adapt the name of the task to correspond to your use case.
    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the permission.
    • Set the object_type variable to host.
    • Set the right variable to all.
    • Set the attrs variable to description.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Permission present example
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure that the "MyPermission" permission is present with an attribute
    ipapermission:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: MyPermission
      object_type: host
      right: all
      attrs: description
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory permission-present-with-attribute.yml
    Copy to Clipboard Toggle word wrap

As a system administrator of Identity Management (IdM), you can customize the IdM role-based access control (RBAC).

The following procedure describes how to use an Ansible playbook to ensure a permission is absent in IdM so that it cannot be added to a privilege.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the permission-absent.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/permission/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/permission/permission-absent.yml permission-absent-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the permission-absent-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipapermission task section:

    • Adapt the name of the task to correspond to your use case.
    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the permission.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Permission absent example
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure that the "MyPermission" permission is absent
    ipapermission:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: MyPermission
      state: absent
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory permission-absent-copy.yml
    Copy to Clipboard Toggle word wrap

As a system administrator of Identity Management (IdM), you can customize the IdM role-based access control (RBAC).

The following procedure describes how to use an Ansible playbook to ensure that an attribute is a member of an RBAC permission in IdM. As a result, a user with the permission can create entries that have the attribute.

The example describes how to ensure that the host entries created by a user with a privilege that contains the MyPermission permission can have gecos and description values.

Note

The type of attribute that you can specify when creating or modifying a permission is not constrained by the IdM LDAP schema. However, specifying, for example, attrs: car_licence if the object_type is host later results in the ipa: ERROR: attribute "car-license" not allowed error message when you try to exercise the permission and add a specific car licence value to a host.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The MyPermission permission exists.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the permission-member-present.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/permission/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/permission/permission-member-present.yml permission-member-present-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the permission-member-present-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipapermission task section:

    • Adapt the name of the task to correspond to your use case.
    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the permission.
    • Set the attrs list to the description and gecos variables.
    • Make sure the action variable is set to member.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Permission member present example
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure that the "gecos" and "description" attributes are present in "MyPermission"
    ipapermission:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: MyPermission
      attrs:
      - description
      - gecos
      action: member
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory permission-member-present-copy.yml
    Copy to Clipboard Toggle word wrap

As a system administrator of Identity Management (IdM), you can customize the IdM role-based access control (RBAC).

The following procedure describes how to use an Ansible playbook to ensure that an attribute is not a member of an RBAC permission in IdM. As a result, when a user with the permission creates an entry in IdM LDAP, that entry cannot have a value associated with the attribute.

The example describes how to ensure the following target state:

  • The MyPermission permission exists.
  • The host entries created by a user with a privilege that contains the MyPermission permission cannot have the description attribute.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The MyPermission permission exists.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the permission-member-absent.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/permission/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/permission/permission-member-absent.yml permission-member-absent-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the permission-member-absent-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipapermission task section:

    • Adapt the name of the task to correspond to your use case.
    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the permission.
    • Set the attrs variable to description.
    • Set the action variable to member.
    • Make sure the state variable is set to absent

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Permission absent example
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure that an attribute is not a member of "MyPermission"
    ipapermission:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: MyPermission
      attrs: description
      action: member
      state: absent
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory permission-member-absent-copy.yml
    Copy to Clipboard Toggle word wrap

As a system administrator of Identity Management (IdM), you can customize the IdM role-based access control.

The following procedure describes how to use an Ansible playbook to rename a permission. The example describes how to rename MyPermission to MyNewPermission.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The MyPermission exists in IdM.
  • The MyNewPermission does not exist in IdM.

Procedure

  1. Navigate to the ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Make a copy of the permission-renamed.yml file located in the /usr/share/doc/ansible-freeipa/playbooks/permission/ directory: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/permission/permission-renamed.yml permission-renamed-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the permission-renamed-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipapermission task section:

    • Adapt the name of the task to correspond to your use case.
    • Set the ipaadmin_password variable to the password of the IdM administrator.
    • Set the name variable to the name of the permission.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Permission present example
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Rename the "MyPermission" permission
    ipapermission:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: MyPermission
      rename: MyNewPermission
      state: renamed
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory permission-renamed-copy.yml
    Copy to Clipboard Toggle word wrap

Chapter 33. Managing user passwords in IdM
Copy link

33.1. Who can change IdM user passwords and how
Copy link

Regular users without the permission to change other users' passwords can change only their own personal password. The new password must meet the IdM password policies applicable to the groups of which the user is a member. For details on configuring password policies, see Defining IdM password policies.

Administrators and users with password change rights can set initial passwords for new users and reset passwords for existing users. These passwords:

Note that the LDAP Directory Manager (DM) user can change user passwords using LDAP tools. A new password can override any IdM password policies. Passwords set by DM do not expire after the first login.

As an Identity Management (IdM) user, you can change your user password in the IdM Web UI.

Prerequisites

  • You are logged in to the IdM Web UI.

Procedure

  1. In the upper right corner, click the name of the user who is logged into the IdM Web UI.
  2. Select Change password.
  3. Enter the current password.
  4. Enter the new password in the New Password field.
  5. Confirm the new password by entering it in the Verify Password field.
  6. Click Reset Password.

As an administrative user of Identity Management (IdM), you can change passwords for other users in the IdM Web UI.

Prerequisites

  • You are logged in to the IdM Web UI as an administrative user.

Procedure

  1. Select Identity>Users.
  2. Click the name of the user to edit.
  3. Click Actions and select Reset password.
  4. Enter the new password in the New Password field.
  5. Confirm the new password by entering it in the Verify Password field.
  6. Click Reset Password.

If you lose the Identity Management (IdM) Directory Manager password, you can reset it.

Prerequisites

  • You have root access to an IdM server.

Procedure

  1. Generate a new password hash by using the pwdhash command. For example: 

    # pwdhash -D /etc/dirsrv/slapd-IDM-EXAMPLE-COM password
{PBKDF2_SHA256}AAAgABU0bKhyjY53NcxY33ueoPjOUWtl4iyYN5uW...
    Copy to Clipboard Toggle word wrap

    By specifying the path to the Directory Server configuration, you automatically use the password storage scheme set in the nsslapd-rootpwstoragescheme attribute to encrypt the new password.

  2. On every IdM server in your topology, execute the following steps:

    1. Stop all IdM services installed on the server: 

      # ipactl stop
      Copy to Clipboard Toggle word wrap

    2. Edit the /etc/dirsrv/IDM-EXAMPLE-COM/dse.ldif file and set the nsslapd-rootpw attribute to the value generated by the pwdhash command: 

      nsslapd-rootpw: {PBKDF2_SHA256}AAAgABU0bKhyjY53NcxY33ueoPjOUWtl4iyYN5uW...
      Copy to Clipboard Toggle word wrap
    3. Start all IdM services installed on the server: 
    # ipactl start
    Copy to Clipboard Toggle word wrap

You can change your user password using the Identity Management (IdM) command-line interface (CLI). If you are an administrative user, you can use the CLI to reset another user’s password.

Prerequisites

  • You have obtained a ticket-granting ticket (TGT) for an IdM user.
  • If you are resetting another user’s password, you must have obtained a TGT for an administrative user in IdM.

Procedure

  • Enter the ipa user-mod command with the name of the user and the --password option. The command will prompt you for the new password. 

    $ ipa user-mod idm_user --password
Password:
Enter Password again to verify:
--------------------
Modified user "idm_user"
--------------------
...
    Copy to Clipboard Toggle word wrap

Note that you can also use the ipa passwd idm_user command instead of ipa user-mod.

By default, when an administrator resets another user’s password, the password expires after the first successful login.

As IdM Directory Manager, you can specify the following privileges for individual IdM administrators:

  • They can perform password change operations without requiring users to change their passwords subsequently on their first login.
  • They can bypass the password policy so that no strength or history enforcement is applied.
Warning

Bypassing the password policy can be a security threat. Exercise caution when selecting users to whom you grant these additional privileges.

Prerequisites

  • You know the Directory Manager password.

Procedure

On every Identity Management (IdM) server in the domain, make the following changes:

  1. Enter the ldapmodify command to modify LDAP entries. Specify the name of the IdM server and the 389 port and press Enter: 

    $ ldapmodify -x -D "cn=Directory Manager" -W -h server.idm.example.com -p 389
Enter LDAP Password:
    Copy to Clipboard Toggle word wrap
  2. Enter the Directory Manager password.

  3. Enter the distinguished name for the ipa_pwd_extop password synchronization entry and press Enter: 

    dn: cn=ipa_pwd_extop,cn=plugins,cn=config
    Copy to Clipboard Toggle word wrap

  4. Specify the modify type of change and press Enter: 

    changetype: modify
    Copy to Clipboard Toggle word wrap

  5. Specify what type of modification you want LDAP to execute and to which attribute. Press Enter: 

    add: passSyncManagersDNs
    Copy to Clipboard Toggle word wrap

  6. Specify the administrative user accounts in the passSyncManagersDNs attribute. The attribute is multi-valued. For example, to grant the admin user the password resetting powers of Directory Manager: 

    passSyncManagersDNs: \
uid=admin,cn=users,cn=accounts,dc=example,dc=com
    Copy to Clipboard Toggle word wrap
  7. Press Enter twice to stop editing the entry.

The admin user, listed under passSyncManagerDNs, now has the additional privileges.

As an Identity Management (IdM) administrator, you can check if an IdM user’s account is locked. For that, you must compare a user’s maximum allowed number of failed login attempts with the number of the user’s actual failed logins.

Prerequisites

  • You have obtained the ticket-granting ticket (TGT) of an administrative user in IdM.

Procedure

  1. Display the status of the user account to see the number of failed logins: 

    $ ipa user-status example_user
-----------------------
Account disabled: False
-----------------------
  Server: idm.example.com
  Failed logins: 8
  Last successful authentication: N/A
  Last failed authentication: 20220229080317Z
  Time now: 2022-02-29T08:04:46Z
----------------------------
Number of entries returned 1
----------------------------
    Copy to Clipboard Toggle word wrap

  2. Display the number of allowed login attempts for a particular user: 

    $ ipa pwpolicy-show --user example_user
  Group: global_policy
  Max lifetime (days): 90
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 6
  Failure reset interval: 60
  Lockout duration: 600
  Grace login limit: -1
    Copy to Clipboard Toggle word wrap
  3. Compare the number of failed logins as displayed in the output of the ipa user-status command with the Max failures number displayed in the output of the ipa pwpolicy-show command. If the number of failed logins equals that of maximum allowed login attempts, the user account is locked.

If a user attempts to log in using an incorrect password a certain number of times, Identity Management (IdM) locks the user account, which prevents the user from logging in. For security reasons, IdM does not display any warning message that the user account has been locked. Instead, the CLI prompt might continue asking the user for a password again and again.

IdM automatically unlocks the user account after a specified amount of time has passed. Alternatively, you can unlock the user account manually with the following procedure.

Prerequisites

  • You have obtained the ticket-granting ticket of an IdM administrative user.

Procedure

  • To unlock a user account, use the ipa user-unlock command. 

    $ ipa user-unlock idm_user
-----------------------
Unlocked account "idm_user"
-----------------------
    Copy to Clipboard Toggle word wrap

    After this, the user can log in again.

For performance reasons, Identity Management (IdM) running in Red Hat Enterprise Linux 8 does not store the time stamp of the last successful Kerberos authentication of a user. As a consequence, certain commands, such as ipa user-status, do not display the time stamp.

Prerequisites

  • You have obtained the ticket-granting ticket (TGT) of an administrative user in IdM.
  • You have root access to the IdM server on which you are executing the procedure.

Procedure

  1. Display the currently enabled password plug-in features: 

    # ipa config-show | grep "Password plugin features"
  Password plugin features: AllowNThash, KDC:Disable Last Success
    Copy to Clipboard Toggle word wrap

    The output shows that the KDC:Disable Last Success plug-in is enabled. The plug-in hides the last successful Kerberos authentication attempt from being visible in the ipa user-status output.

  2. Add the --ipaconfigstring=feature parameter for every feature to the ipa config-mod command that is currently enabled, except for KDC:Disable Last Success: 

    # ipa config-mod --ipaconfigstring='AllowNThash'
    Copy to Clipboard Toggle word wrap

    This command enables only the AllowNThash plug-in. To enable multiple features, specify the --ipaconfigstring=feature parameter separately for each feature.

  3. Restart IdM: 

    # ipactl restart
    Copy to Clipboard Toggle word wrap

Chapter 34. Defining IdM password policies
Copy link

Password policies help to reduce the risk of someone discovering and misusing a user’s password. You can add Identity Management (IdM) password policies in the IdM WebUI or the CLI. Additionally, you can add a new password policy in IdM using an Ansible playbook.

34.1. What is a password policy
Copy link

A password policy is a set of rules that passwords must meet. For example, a password policy can define the minimum password length and the maximum password lifetime. All users affected by this policy are required to set a sufficiently long password and change it frequently enough to meet the specified conditions. In this way, password policies help reduce the risk of someone discovering and misusing a user’s password.

34.2. Password policies in IdM
Copy link

Passwords are the most common way for Identity Management (IdM) users to authenticate to the IdM Kerberos domain. Password policies define the requirements that these IdM user passwords must meet. The IdM password policy is set in the underlying LDAP directory, but the Kerberos Key Distribution Center (KDC) enforces the password policy.

Password policy attributes lists the attributes you can use to define a password policy in IdM.

Expand
Table 34.1. Password Policy Attributes
AttributeExplanationExample

Max lifetime

The maximum amount of time in days that a password is valid before a user must reset it. The default value is 90 days.

Note that if the attribute is set to 0, the password never expires.

Max lifetime = 180

User passwords are valid only for 180 days. After that, IdM prompts users to change them.

Min lifetime

The minimum amount of time in hours that must pass between two password change operations.

Min lifetime = 1

After users change their passwords, they must wait at least 1 hour before changing them again.

History size

The number of previous passwords that are stored. A user cannot reuse a password from their password history but can reuse old passwords that are not stored.

History size = 0

In this case, the password history is empty and users can reuse any of their previous passwords.

Character classes

The number of different character classes the user must use in the password. The character classes are:

* Uppercase characters

* Lowercase characters

* Digits

* Special characters, such as comma (,), period (.), asterisk (*)

* Other UTF-8 characters

Using a character three or more times in a row decreases the character class by one. For example:

* Secret1 has 3 character classes: uppercase, lowercase, digits

* Secret111 has 2 character classes: uppercase, lowercase, digits, and a -1 penalty for using 1 repeatedly

Character classes = 0

The default number of classes required is 0. To configure the number, run the ipa pwpolicy-mod command with the --minclasses option.

See also the Important note below this table.

Min length

The minimum number of characters in a password.

If any of the additional password policy options are set, then the minimum length of passwords is 6 characters.

Min length = 8

Users cannot use passwords shorter than 8 characters.

Max failures

The maximum number of failed login attempts before IdM locks the user account.

Max failures = 6

IdM locks the user account when the user enters a wrong password 7 times in a row.

Failure reset interval

The amount of time in seconds after which IdM resets the current number of failed login attempts.

Failure reset interval = 60

If the user waits for more than 1 minute after the number of failed login attempts defined in Max failures, the user can attempt to log in again without risking a user account lock.

Lockout duration

The amount of time in seconds that the user account is locked after the number of failed login attempts defined in Max failures.

Lockout duration = 600

Users with locked accounts are unable to log in for 10 minutes.

Important

Use the English alphabet and common symbols for the character classes requirement if you have a diverse set of hardware that may not have access to international characters and symbols. For more information about character class policies in passwords, see the Red Hat Knowledgebase solution What characters are valid in a password?.

34.3. Password policy priorities in IdM
Copy link

Password policies help reduce the risk of someone discovering and misusing a user’s password. The default password policy is the global password policy. You can also create additional group password policies. The global policy rules apply to all users without a group password policy. Group password policies apply to all members of the corresponding user group.

Note that only one password policy can be in effect at a time for any user. If a user has multiple password policies assigned, one of them takes precedence based on priority according to the following rules:

  • Every group password policy has a priority set. The lower the value, the higher the policy’s priority. The lowest supported value is 0.
  • If multiple password policies are applicable to a user, the policy with the lowest priority value takes precedence. All rules defined in other policies are ignored.
  • The password policy with the lowest priority value applies to all password policy attributes, even the attributes that are not defined in the policy.

The global password policy does not have a priority value set. It serves as a fallback policy when no group policy is set for a user. The global policy can never take precedence over a group policy.

You can use the ipa pwpolicy-show --user=user_name command to check which policy is currently in effect for a particular user.

Follow this procedure to ensure the presence of a password policy in Identity Management (IdM) using an Ansible playbook.

In the default global_policy password policy in IdM, the number of different character classes in the password is set to 0. The history size is also set to 0.

Complete this procedure to enforce a stronger password policy for an IdM group using an Ansible playbook.

Note

You cannot define a password policy for an individual user.

Prerequisites

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • You know the IdM administrator password.
  • The group for which you are ensuring the presence of a password policy exists in IdM.

Procedure

  1. Create an inventory file, for example inventory.file, and define the FQDN of your IdM server in the [ipaserver] section: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create your Ansible playbook file that defines the password policy whose presence you want to ensure. To simplify this step, copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/pwpolicy/pwpolicy_present.yml file: 

    ---
- name: Tests
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure presence of pwpolicy for group ops
    ipapwpolicy:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: ops
      minlife: 7
      maxlife: 49
      history: 5
      priority: 1
      lockouttime: 300
      minlength: 8
      minclasses: 4
      maxfail: 3
      failinterval: 5
    Copy to Clipboard Toggle word wrap

    For details on what the individual variables mean, see Password policy attributes.

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory_/new_pwpolicy_present.yml
    Copy to Clipboard Toggle word wrap

You have successfully used an Ansible playbook to ensure that a password policy for the ops group is present in IdM.

Important

The priority of the ops password policy is set to 1, whereas the global_policy password policy has no priority set. For this reason, the ops policy automatically supersedes global_policy for the ops group and is enforced immediately.

global_policy serves as a fallback policy when no group policy is set for a user, and it can never take precedence over a group policy.

Password policies help reduce the risk of someone discovering and misusing a user’s password. The default password policy is the global password policy. You can also create additional group password policies.

Password policies help reduce the risk of someone discovering and misusing a user’s password. The default password policy is the global password policy. You can also create additional group password policies.

Prerequisites

  • A user group to which the policy applies.
  • A priority assigned to the policy

Procedure

  1. Log in to the IdM Web UI.

    For details, see Accessing the IdM Web UI in a web browser.

  2. Select Policy>Password Policies.
  3. Click Add.
  4. Define the user group and priority.
  5. Click Add to confirm.

To configure the attributes of the new password policy, see Password policies in IdM.

Password policies help reduce the risk of someone discovering and misusing a user’s password. The default password policy is the global password policy. You can also create additional group password policies.

Prerequisites

  • A user group to which the policy applies.
  • A priority assigned to the policy

Procedure

  1. Open terminal and connect to the IdM server.

  2. Use the ipa pwpolicy-add command. Specify the user group and priority: 

    $ ipa pwpolicy-add
Group: group_name
Priority: priority_level
    Copy to Clipboard Toggle word wrap

  3. Optional: Use the ipa pwpolicy-find command to verify that the policy has been successfully added: 

    $ ipa pwpolicy-find
    Copy to Clipboard Toggle word wrap

To configure the attributes of the new password policy, see Password policies in IdM.

34.6. Additional password policy options in IdM
Copy link

As an Identity Management (IdM) administrator, you can strengthen the default password requirements by enabling additional password policy options based on the libpwquality feature set. The additional password policy options include the following:

--maxrepeat
Specifies the maximum acceptable number of same consecutive characters in the new password.
--maxsequence
Specifies the maximum length of monotonic character sequences in the new password. Examples of such a sequence are 12345 or fedcb. Most such passwords will not pass the simplicity check.
--dictcheck
If nonzero, checks whether the password, with possible modifications, matches a word in a dictionary. Currently libpwquality performs the dictionary check using the cracklib library.
--usercheck
If nonzero, checks whether the password, with possible modifications, contains the user name in some form. It is not performed for user names shorter than 3 characters.

You cannot apply the additional password policy options to existing passwords. If you apply any of the additional options, IdM automatically sets the --minlength option, the minimum number of characters in a password, to 6 characters.

Note

In a mixed environment with RHEL 7 and RHEL 8 servers, you can enforce the additional password policy settings only on servers running on RHEL 8.4 and later. If a user is logged in to an IdM client and the IdM client is communicating with an IdM server running on RHEL 8.3 or earlier, then the new password policy requirements set by the system administrator are not applied. To ensure consistent behavior, upgrade or update all servers to RHEL 8.4 and later.

Follow this procedure to apply additional password policy options in Identity Management (IdM). The example describes how to strengthen the password policy for the managers group by making sure that the new passwords do not contain the users' respective user names and that the passwords contain no more than two identical characters in succession.

Prerequisites

  • You are logged in as an IdM administrator.
  • The managers group exists in IdM.
  • The managers password policy exists in IdM.

Procedure

  1. Apply the user name check to all new passwords suggested by the users in the managers group: 

    $ ipa pwpolicy-mod --usercheck=True managers
    Copy to Clipboard Toggle word wrap
    Note

    If you do not specify the name of the password policy, the default global_policy is modified.

  2. Set the maximum number of identical consecutive characters to 2 in the managers password policy: 

    $ ipa pwpolicy-mod --maxrepeat=2 managers
    Copy to Clipboard Toggle word wrap

    A password now will not be accepted if it contains more than 2 identical consecutive characters. For example, the eR873mUi111YJQ combination is unacceptable because it contains three 1s in succession.

Verification

  1. Add a test user named test_user: 

    $ ipa user-add test_user
First name: test
Last name: user
----------------------------
Added user "test_user"
----------------------------
    Copy to Clipboard Toggle word wrap

  2. Add the test user to the managers group:

    1. In the IdM Web UI, click Identity>Groups>User Groups.
    2. Click the managers group name.
    3. Click Add.
    4. On the Add users into user group 'managers' page, check test_user.
    5. Click the > arrow to move the user to the Prospective column.
    6. Click Add.

  3. Reset the password for the test user:

    1. Go to Identity>Users.
    2. Click test_user.
    3. From the Actions menu, click Reset Password.
    4. Enter a temporary password for the user.

  4. Try to obtain a Kerberos ticket-granting ticket (TGT) for the test_user:

    1. On the command line, run the following command: 

      $ kinit test_user
      Copy to Clipboard Toggle word wrap
    2. Enter the temporary password.

    3. The system informs you that you must change your password. Enter a password that contains the user name of test_user: 

      Password expired. You must change it now.
Enter new password:
Enter it again:
Password change rejected: Password not changed.
Unspecified password quality failure while trying to change password.
Please try again.
      Copy to Clipboard Toggle word wrap

    4. The system informs you that the entered password was rejected. Enter a password that contains three or more identical characters in succession: 

      Password change rejected: Password not changed.
Unspecified password quality failure while trying to change password.
Please try again.

Enter new password:
Enter it again:
      Copy to Clipboard Toggle word wrap

    5. The system informs you that the entered password was rejected. Enter a password that meets the criteria of the managers password policy: 

      Password change rejected: Password not changed.
Unspecified password quality failure while trying to change password.
Please try again.

Enter new password:
Enter it again:
      Copy to Clipboard Toggle word wrap

  5. View the obtained TGT: 

    $ klist
Ticket cache: KCM:0:33945
Default principal: test_user@IDM.EXAMPLE.COM

Valid starting       Expires              Service principal
07/07/2021 12:44:44  07/08/2021 12:44:44  krbtgt@IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

The managers password policy now works correctly for users in the managers group.

You can use an Ansible playbook to apply additional password policy options to strengthen the password policy requirements for a specific IdM group. You can use the maxrepeat, maxsequence, dictcheck and usercheck password policy options for this purpose. The example describes how to set the following requirements for the managers group:

  • A users new password does not contain the users respective user name.
  • The password contains no more than two identical characters in succession.
  • Any monotonic character sequences in the passwords are not longer than 3 characters. This means that the system does not accept a password with a sequence such as 1234 or abcd.

Prerequisites

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package on the Ansible controller.
    • You have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server in the ~/MyPlaybooks/ directory.
    • You have stored your ipaadmin_password in the secret.yml Ansible vault.
  • The group for which you are ensuring the presence of a password policy exists in IdM.

Procedure

  1. Create your Ansible playbook file manager_pwpolicy_present.yml that defines the password policy whose presence you want to ensure. To simplify this step, copy and modify the following example: 

    ---
- name: Tests
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure presence of usercheck and maxrepeat pwpolicy for group managers
    ipapwpolicy:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: managers
      usercheck: True
      maxrepeat: 2
      maxsequence: 3
    Copy to Clipboard Toggle word wrap

  2. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory_/manager_pwpolicy_present.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. Add a test user named test_user: 

    $ ipa user-add test_user
First name: test
Last name: user
----------------------------
Added user "test_user"
----------------------------
    Copy to Clipboard Toggle word wrap

  2. Add the test user to the managers group:

    1. In the IdM Web UI, click Identity>Groups>User Groups.
    2. Click managers.
    3. Click Add.
    4. On the Add users into user group 'managers' page, check test_user.
    5. Click the > arrow to move the user to the Prospective column.
    6. Click Add.

  3. Reset the password for the test user:

    1. Go to Identity>Users.
    2. Click test_user.
    3. From the Actions menu, click Reset Password.
    4. Enter a temporary password for the user.

  4. Try to obtain a Kerberos ticket-granting ticket (TGT) for the test_user:

    1. On the command line, enter the following command: 

      $ kinit test_user
      Copy to Clipboard Toggle word wrap
    2. Enter the temporary password.

    3. The system informs you that you must change your password. Enter a password that contains the user name of test_user: 

      Password expired. You must change it now.
Enter new password:
Enter it again:
Password change rejected: Password not changed.
Unspecified password quality failure while trying to change password.
Please try again.
      Copy to Clipboard Toggle word wrap

    4. The system informs you that the entered password was rejected. Enter a password that contains three or more identical characters in succession: 

      Password change rejected: Password not changed.
Unspecified password quality failure while trying to change password.
Please try again.

Enter new password:
Enter it again:
      Copy to Clipboard Toggle word wrap

    5. The system informs you that the entered password was rejected. Enter a password that contains a monotonic character sequence longer than 3 characters. Examples of such sequences include 1234 and fedc: 

      Password change rejected: Password not changed.
Unspecified password quality failure while trying to change password.
Please try again.

Enter new password:
Enter it again:
      Copy to Clipboard Toggle word wrap

    6. The system informs you that the entered password was rejected. Enter a password that meets the criteria of the managers password policy: 

      Password change rejected: Password not changed.
Unspecified password quality failure while trying to change password.
Please try again.

Enter new password:
Enter it again:
      Copy to Clipboard Toggle word wrap

  5. Verify that you have obtained a TGT, which is only possible after having entered a valid password: 

    $ klist
Ticket cache: KCM:0:33945
Default principal: test_user@IDM.EXAMPLE.COM

Valid starting       Expires              Service principal
07/07/2021 12:44:44  07/08/2021 12:44:44  krbtgt@IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

You can use the Expiring Password Notification (EPN) tool, provided by the ipa-client-epn package, to build a list of Identity Management (IdM) users whose passwords are expiring in a configured amount of time. To install, configure, and use the EPN tool, refer to the relevant sections.

The Expiring Password Notification (EPN) tool is a standalone tool you can use to build a list of Identity Management (IdM) users whose passwords are expiring in a configured amount of time.

IdM administrators can use EPN to:

  • Display a list of affected users in JSON format, which is created when run in dry-run mode.
  • Calculate how many emails will be sent for a given day or date range.
  • Send password expiration email notifications to users.
  • Configure the ipa-epn.timer to run the EPN tool daily and send an email to users whose passwords are expiring within the defined future date ranges.
  • Customize the email notification to send to users.
Note

If a user account is disabled, no email notifications are sent if the password is going to expire.

Follow this procedure to install the Expiring Password Notification (EPN) tool.

Prerequisites

  • Install the EPN tool on either an Identity Management (IdM) replica or an IdM client with a local Postfix SMTP server configured as a smart host.

Procedure

  • Install the EPN tool: 

    # yum install ipa-client-epn
    Copy to Clipboard Toggle word wrap

You can use the Expiring Password Notification (EPN) tool to send emails to Identity Management (IdM) users whose passwords are expiring. You can choose one of the following methods:

  • Update the epn.conf configuration file and enable the ipa-epn.timer tool.
  • Update the epn.conf configuration file and run the EPN tool directly on the command line.
Note

The EPN tool is stateless. If the EPN tool fails to email any of the users whose passwords are expiring on a given day, the EPN tool does not save a list of those users.

Prerequisites

Procedure

  1. Open the epn.conf configuration file. 

    # vi /etc/ipa/epn.conf
    Copy to Clipboard Toggle word wrap

  2. Update the notify_ttls option as required. The default is to notify users whose passwords are expiring in 28, 14, 7, 3, and 1 day(s). 

    notify_ttls = 28, 14, 7, 3, 1
    Copy to Clipboard Toggle word wrap
    Note

    You must also activate the ipa-epn.timer tool to ensure that emails are sent.

  3. Configure your SMTP server and port: 

    smtp_server = localhost
smtp_port = 25
    Copy to Clipboard Toggle word wrap

  4. Specify the email address from which the email expiration notification is sent. Any unsuccessfully delivered emails are returned to this address. 

    mail_from = admin-email@example.com
    Copy to Clipboard Toggle word wrap

  5. Optional: If you want to use an encrypted channel of communication, specify the credentials to be used:

    • Specify the path to a single file in PEM format containing the certificate to be used by EPN to authenticate with the SMTP server: 

      smtp_client_cert = /etc/pki/tls/certs/client.pem
      Copy to Clipboard Toggle word wrap
      Note

      EPN is an SMTP client. The purpose of the certificate is client authentication, not secure SMTP delivery.

    • You can specify the path to a file that contains the private key. If not specified, the private key is taken from the certificate file. 

      smtp_client_key = /etc/pki/tls/certs/client.key
      Copy to Clipboard Toggle word wrap

    • If the private key is encrypted, specify the password for decrypting it. 

      smtp_client_key_pass = Secret123!
      Copy to Clipboard Toggle word wrap
  6. Save the /etc/ipa/epn.conf file.

  7. Run the EPN tool in dry-run mode to generate a list of the users to whom the password expiration email notification would be sent if you run the tool without the --dry-run option. 

    ipa-epn --dry-run
[
    {
     "uid": "user5",
     "cn": "user 5",
     "krbpasswordexpiration": "2020-04-17 15:51:53",
     "mail": "['user5@ipa.test']"
    }
]
[
    {
     "uid": "user6",
     "cn": "user 6",
     "krbpasswordexpiration": "2020-12-17 15:51:53",
     "mail": "['user5@ipa.test']"
     }
]
The IPA-EPN command was successful
    Copy to Clipboard Toggle word wrap
    Note

    If the list of users returned is very large and you run the tool without the --dry-run option, this might cause an issue with your email server.

  8. Run the EPN tool without the --dry-run option to send expiration emails to the list of all the users returned when you ran the EPN tool in dry-run mode: 

    ipa-epn
[
  {
     "uid": "user5",
     "cn": "user 5",
     "krbpasswordexpiration": "2020-10-01 15:51:53",
     "mail": "['user5@ipa.test']"
  }
]
[
  {
    "uid": "user6",
    "cn": "user 6",
    "krbpasswordexpiration": "2020-12-17 15:51:53",
    "mail": "['user5@ipa.test']"
  }
]
The IPA-EPN command was successful
    Copy to Clipboard Toggle word wrap

  9. You can add EPN to any monitoring system and invoke it with the --from-nbdays and --to-nbdays options to determine how many users passwords are going to expire within a specific time frame: 

    # ipa-epn --from-nbdays 8 --to-nbdays 12
    Copy to Clipboard Toggle word wrap
    Note

    If you invoke the EPN tool with the --from-nbdays and --to-nbdays options, it is automatically executed in dry-run mode.

Verification

  • Run the EPN tool and verify an email notification is sent.

Follow this procedure to use ipa-epn.timer to run the Expiring Password Notification (EPN) tool to send emails to users whose passwords are expiring. The ipa-epn.timer parses the epn.conf file and sends an email to users whose passwords are expiring within the defined future date ranges configured in that file.

Prerequisites

Procedure

  • Start the ipa-epn.timer: 

    systemctl start ipa-epn.timer
    Copy to Clipboard Toggle word wrap

Once you start the timer, by default, the EPN tool is run every day at 1 a.m.

Follow this procedure to customize the Expiring Password Notification (EPN) email message template.

Prerequisites

  • The ipa-client-epn package is installed.

Procedure

  1. Open the EPN message template: 

    # vi /etc/ipa/epn/expire_msg.template
    Copy to Clipboard Toggle word wrap

  2. Update the template text as required. 

    Hi {{ fullname }},

Your password will expire on {{ expiration }}.

Please change it as soon as possible.
    Copy to Clipboard Toggle word wrap

    You can use the following variables in the template.

    • User ID: uid
    • Full name: fullname
    • First name: first
    • Last name: last
    • Password expiration date: expiration
  3. Save the message template file.

Verification

  • Run the EPN tool and verify the email notification contains the updated text.

If an Identity Management (IdM) user want to override some of their user or group attributes stored in the IdM LDAP server, for example the login name, home directory, certificate used for authentication, or SSH keys, you as IdM administrator can redefine these values on specific IdM clients by using IdM ID views. For example, you can specify a different home directory for a user on the IdM client that the user most commonly uses for logging in to IdM.

Learn how to redefine a POSIX attribute value associated with an IdM user on a host enrolled into IdM as a client.

36.1. ID views
Copy link

An ID view in Identity Management (IdM) is an IdM client-side view specifying the following information:

  • New values for centrally defined POSIX user or group attributes
  • The client host or hosts on which the new values apply.

An ID view contains one or more overrides. An override is a specific replacement of a centrally defined POSIX attribute value.

You can only define an ID view for an IdM client centrally on IdM servers. You cannot configure client-side overrides for an IdM client locally.

For example, you can use ID views to achieve the following goals:

  • Define different attribute values for different environments. For example, you can allow the IdM administrator or another IdM user to have different home directories on different IdM clients: you can configure /home/encrypted/username to be this user’s home directory on one IdM client and /dropbox/username on another client. Using ID views in this situation is convenient as alternatively, for example, changing fallback_homedir, override_homedir or other home directory variables in the client’s /etc/sssd/sssd.conf file would affect all users. See Adding an ID view to override an IdM user home directory on an IdM client for an example procedure.
  • Replace a previously generated attribute value with a different value, such as overriding a user’s UID. This ability can be useful when you want to achieve a system-wide change that would otherwise be difficult to do on the LDAP side, for example make 1009 the UID of an IdM user. IdM ID ranges, which are used to generate an IdM user UID, never start as low as 1000 or even 10000. If a reason exists for an IdM user to impersonate a local user with UID 1009 on all IdM clients, you can use ID views to override the UID of this IdM user that was generated when the user was created in IdM.
Important

You can only apply ID views to IdM clients, not to IdM servers.

When you define an ID view, IdM places the desired override value in the IdM server’s System Security Services Daemon (SSSD) cache. The SSSD running on an IdM client then retrieves the override value from the server cache.

Applying an ID view can have a negative impact on System Security Services Daemon (SSSD) performance, because certain optimizations and ID views cannot run at the same time. For example, ID views prevent SSSD from optimizing the process of looking up groups on the server:

  • With ID views, SSSD must check every member on the returned list of group member names if the group name is overridden.
  • Without ID views, SSSD can only collect the user names from the member attribute of the group object.

This negative effect becomes most apparent when the SSSD cache is empty or after you clear the cache, which makes all entries invalid.

36.3. Attributes an ID view can override
Copy link

ID views consist of user and group ID overrides. The overrides define the new POSIX attribute values.

User and group ID overrides can define new values for the following POSIX attributes:

User attributes
  • Login name (uid)
  • GECOS entry (gecos)
  • UID number (uidNumber)
  • GID number (gidNumber)
  • Login shell (loginShell)
  • Home directory (homeDirectory)
  • SSH public keys (ipaSshPubkey)
  • Certificate (userCertificate)
Group attributes
  • Group name (cn)
  • Group GID number (gidNumber)

36.4. Getting help for ID view commands
Copy link

You can get help for commands involving Identity Management (IdM) ID views on the IdM command-line interface (CLI).

Prerequisites

  • You have obtained a Kerberos ticket for an IdM user.

Procedure

  • To display all commands used to manage ID views and overrides: 

    $ ipa help idviews
ID Views

Manage ID Views

IPA allows to override certain properties of users and groups[...]
[...]
Topic commands:
  idoverridegroup-add          Add a new Group ID override
  idoverridegroup-del          Delete a Group ID override
[...]
    Copy to Clipboard Toggle word wrap

  • To display detailed help for a particular command, add the --help option to the command: 

    $ ipa idview-add --help
Usage: ipa [global-options] idview-add NAME [options]

Add a new ID View.
Options:
  -h, --help      show this help message and exit
  --desc=STR      Description
[...]
    Copy to Clipboard Toggle word wrap

Follow this procedure to create an ID view for a specific IdM client that overrides a POSIX attribute value associated with a specific IdM user. The procedure uses the example of an ID view that enables an IdM user named idm_user to log in to an IdM client named host1 using the user_1234 login name.

Prerequisites

  • You are logged in as IdM administrator.

Procedure

  1. Create a new ID view. For example, to create an ID view named example_for_host1: 

    $ ipa idview-add example_for_host1
---------------------------
Added ID View "example_for_host1"
---------------------------
  ID View Name: example_for_host1
    Copy to Clipboard Toggle word wrap

  2. Add a user override to the example_for_host1 ID view. To override the user login:

    • Enter the ipa idoverrideuser-add command
    • Add the name of the ID view
    • Add the user name, also called the anchor

    • Add the --login option: 

      $ ipa idoverrideuser-add example_for_host1 idm_user --login=user_1234
-----------------------------
Added User ID override "idm_user"
-----------------------------
  Anchor to override: idm_user
  User login: user_1234
      Copy to Clipboard Toggle word wrap

      For a list of the available options, run ipa idoverrideuser-add --help.

      Note

      The ipa idoverrideuser-add --certificate command replaces all existing certificates for the account in the specified ID view. To append an additional certificate, use the ipa idoverrideuser-add-cert command instead: 

      $ ipa idoverrideuser-add-cert example_for_host1 user --certificate="MIIEATCC..."
      Copy to Clipboard Toggle word wrap
  3. Optional: Using the ipa idoverrideuser-mod command, you can specify new attribute values for an existing user override.

  4. Apply example_for_host1 to the host1.idm.example.com host: 

    $ ipa idview-apply example_for_host1 --hosts=host1.idm.example.com
-----------------------------
Applied ID View "example_for_host1"
-----------------------------
hosts: host1.idm.example.com
---------------------------------------------
Number of hosts the ID View was applied to: 1
---------------------------------------------
    Copy to Clipboard Toggle word wrap
    Note

    The ipa idview-apply command also accepts the --hostgroups option. The option applies the ID view to hosts that belong to the specified host group, but does not associate the ID view with the host group itself. Instead, the --hostgroups option expands the members of the specified host group and applies the --hosts option individually to every one of them.

    This means that if a host is added to the host group in the future, the ID view does not apply to the new host.

  5. To apply the new configuration to the host1.idm.example.com system immediately:

    1. SSH to the system as root: 

      $ ssh root@host1
Password:
      Copy to Clipboard Toggle word wrap

    2. Clear the SSSD cache: 

      root@host1 ~]# sss_cache -E
      Copy to Clipboard Toggle word wrap
    3. Restart the SSSD daemon: 
    root@host1 ~]# systemctl restart sssd
    Copy to Clipboard Toggle word wrap

Verification

  • If you have the credentials of user_1234, you can use them to log in to IdM on host1:

    1. SSH to host1 using user_1234 as the login name: 

      [root@r8server ~]# ssh user_1234@host1.idm.example.com
Password:

Last login: Sun Jun 21 22:34:25 2020 from 192.168.122.229
[user_1234@host1 ~]$
      Copy to Clipboard Toggle word wrap

    2. Display the working directory: 

      [user_1234@host1 ~]$ pwd
/home/idm_user/
      Copy to Clipboard Toggle word wrap

  • Alternatively, if you have root credentials on host1, you can use them to check the output of the id command for idm_user and user_1234: 

    [root@host1 ~]# id idm_user
uid=779800003(user_1234) gid=779800003(idm_user) groups=779800003(idm_user)
[root@host1 ~]# user_1234
uid=779800003(user_1234) gid=779800003(idm_user) groups=779800003(idm_user)
    Copy to Clipboard Toggle word wrap

36.6. Modifying an IdM ID view
Copy link

An ID view in Identity Management (IdM) overrides a POSIX attribute value associated with a specific IdM user. Follow this procedure to modify an existing ID view. Specifically, it describes how to modify an ID view to enable the user named idm_user to use the /home/user_1234/ directory as the user home directory instead of /home/idm_user/ on the host1.idm.example.com IdM client.

Prerequisites

  • You have root access to host1.idm.example.com.
  • You are logged in as a user with the required privileges, for example admin.
  • You have an ID view configured for idm_user that applies to the host1 IdM client.

Procedure

  1. As root, create the directory that you want idm_user to use on host1.idm.example.com as the user home directory: 

    [root@host1 /]# mkdir /home/user_1234/
    Copy to Clipboard Toggle word wrap

  2. Change the ownership of the directory: 

    [root@host1 /]# chown idm_user:idm_user /home/user_1234/
    Copy to Clipboard Toggle word wrap

  3. Display the ID view, including the hosts to which the ID view is currently applied. To display the ID view named example_for_host1: 

    $ ipa idview-show example_for_host1 --all
  dn: cn=example_for_host1,cn=views,cn=accounts,dc=idm,dc=example,dc=com
  ID View Name: example_for_host1
  User object override: idm_user
  Hosts the view applies to: host1.idm.example.com
  objectclass: ipaIDView, top, nsContainer
    Copy to Clipboard Toggle word wrap

    The output shows that the ID view currently applies to host1.idm.example.com.

  4. Modify the user override of the example_for_host1 ID view. To override the user home directory:

    • Enter the ipa idoverrideuser-add command
    • Add the name of the ID view
    • Add the user name, also called the anchor

    • Add the --homedir option: 

      $ ipa idoverrideuser-mod example_for_host1 idm_user --homedir=/home/user_1234
-----------------------------
Modified a User ID override "idm_user"
-----------------------------
  Anchor to override: idm_user
  User login: user_1234
  Home directory: /home/user_1234/
      Copy to Clipboard Toggle word wrap

    For a list of the available options, run ipa idoverrideuser-mod --help.

  5. To apply the new configuration to the host1.idm.example.com system immediately:

    1. SSH to the system as root: 

      $ ssh root@host1
Password:
      Copy to Clipboard Toggle word wrap

    2. Clear the SSSD cache: 

      root@host1 ~]# sss_cache -E
      Copy to Clipboard Toggle word wrap
    3. Restart the SSSD daemon: 
    root@host1 ~]# systemctl restart sssd
    Copy to Clipboard Toggle word wrap

Verification

  1. SSH to host1 as idm_user: 

    [root@r8server ~]# ssh idm_user@host1.idm.example.com
Password:

Last login: Sun Jun 21 22:34:25 2020 from 192.168.122.229
[user_1234@host1 ~]$
    Copy to Clipboard Toggle word wrap

  2. Print the working directory: 

    [user_1234@host1 ~]$ pwd
/home/user_1234/
    Copy to Clipboard Toggle word wrap

An ID view in Identity Management (IdM) overrides a POSIX attribute value associated with a specific IdM user. Follow this procedure to create an ID view that applies to idm_user on an IdM client named host1 to enable the user to use the /home/user_1234/ directory as the user home directory instead of /home/idm_user/.

Prerequisites

  • You have root access to host1.idm.example.com.
  • You are logged in as a user with the required privileges, for example admin.

Procedure

  1. As root, create the directory that you want idm_user to use on host1.idm.example.com as the user home directory: 

    [root@host1 /]# mkdir /home/user_1234/
    Copy to Clipboard Toggle word wrap

  2. Change the ownership of the directory: 

    [root@host1 /]# chown idm_user:idm_user /home/user_1234/
    Copy to Clipboard Toggle word wrap

  3. Create an ID view. For example, to create an ID view named example_for_host1: 

    $ ipa idview-add example_for_host1
---------------------------
Added ID View "example_for_host1"
---------------------------
  ID View Name: example_for_host1
    Copy to Clipboard Toggle word wrap

  4. Add a user override to the example_for_host1 ID view. To override the user home directory:

    • Enter the ipa idoverrideuser-add command
    • Add the name of the ID view
    • Add the user name, also called the anchor
    • Add the --homedir option: 
    $ ipa idoverrideuser-add example_for_host1 idm_user --homedir=/home/user_1234
-----------------------------
Added User ID override "idm_user"
-----------------------------
  Anchor to override: idm_user
  Home directory: /home/user_1234/
    Copy to Clipboard Toggle word wrap

  5. Apply example_for_host1 to the host1.idm.example.com host: 

    $ ipa idview-apply example_for_host1 --hosts=host1.idm.example.com
-----------------------------
Applied ID View "example_for_host1"
-----------------------------
hosts: host1.idm.example.com
---------------------------------------------
Number of hosts the ID View was applied to: 1
---------------------------------------------
    Copy to Clipboard Toggle word wrap
    Note

    The ipa idview-apply command also accepts the --hostgroups option. The option applies the ID view to hosts that belong to the specified host group, but does not associate the ID view with the host group itself. Instead, the --hostgroups option expands the members of the specified host group and applies the --hosts option individually to every one of them.

    This means that if a host is added to the host group in the future, the ID view does not apply to the new host.

  6. To apply the new configuration to the host1.idm.example.com system immediately:

    1. SSH to the system as root: 

      $ ssh root@host1
Password:
      Copy to Clipboard Toggle word wrap

    2. Clear the SSSD cache: 

      root@host1 ~]# sss_cache -E
      Copy to Clipboard Toggle word wrap
    3. Restart the SSSD daemon: 
    root@host1 ~]# systemctl restart sssd
    Copy to Clipboard Toggle word wrap

Verification

  1. SSH to host1 as idm_user: 

    [root@r8server ~]# ssh idm_user@host1.idm.example.com
Password:
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Sun Jun 21 22:34:25 2020 from 192.168.122.229
[idm_user@host1 /]$
    Copy to Clipboard Toggle word wrap

  2. Print the working directory: 

    [idm_user@host1 /]$ pwd
/home/user_1234/
    Copy to Clipboard Toggle word wrap

36.8. Applying an ID view to an IdM host group
Copy link

The ipa idview-apply command accepts the --hostgroups option. However, the option acts as a one-time operation that applies the ID view to hosts that currently belong to the specified host group, but does not dynamically associate the ID view with the host group itself. The --hostgroups option expands the members of the specified host group and applies the --hosts option individually to every one of them.

If you add a new host to the host group later, you must apply the ID view to the new host manually, using the ipa idview-apply command with the --hosts option.

Similarly, if you remove a host from a host group, the ID view is still assigned to the host after the removal. To unapply the ID view from the removed host, you must run the ipa idview-unapply id_view_name --hosts=name_of_the_removed_host command.

Follow this procedure to achieve the following goals:

  1. How to create a host group and add hosts to it.
  2. How to apply an ID view to the host group.
  3. How to add a new host to the host group and apply the ID view to the new host.

Prerequisites

Procedure

  1. Create a host group and add hosts to it:

    1. Create a host group. For example, to create a host group named baltimore: 

      [root@server ~]# ipa hostgroup-add --desc="Baltimore hosts" baltimore
---------------------------
Added hostgroup "baltimore"
---------------------------
Host-group: baltimore
Description: Baltimore hosts
      Copy to Clipboard Toggle word wrap

    2. Add hosts to the host group. For example, to add the host102 and host103 to the baltimore host group: 

      [root@server ~]# ipa hostgroup-add-member --hosts={host102,host103} baltimore
Host-group: baltimore
Description: Baltimore hosts
Member hosts: host102.idm.example.com, host103.idm.example.com
-------------------------
Number of members added 2
-------------------------
      Copy to Clipboard Toggle word wrap

  2. Apply an ID view to the hosts in the host group. For example, to apply the example_for_host1 ID view to the baltimore host group: 

    [root@server ~]# ipa idview-apply --hostgroups=baltimore
ID View Name: example_for_host1
-----------------------------------------
Applied ID View "example_for_host1"
-----------------------------------------
  hosts: host102.idm.example.com, host103.idm.example.com
---------------------------------------------
Number of hosts the ID View was applied to: 2
---------------------------------------------
    Copy to Clipboard Toggle word wrap

  3. Add a new host to the host group and apply the ID view to the new host:

    1. Add a new host to the host group. For example, to add the somehost.idm.example.com host to the baltimore host group: 

      [root@server ~]# ipa hostgroup-add-member --hosts=somehost.idm.example.com baltimore
  Host-group: baltimore
  Description: Baltimore hosts
  Member hosts:  host102.idm.example.com, host103.idm.example.com,somehost.idm.example.com
-------------------------
Number of members added 1
-------------------------
      Copy to Clipboard Toggle word wrap

    2. Optional: Display the ID view information. For example, to display the details about the example_for_host1 ID view: 

      [root@server ~]# ipa idview-show example_for_host1 --all
  dn: cn=example_for_host1,cn=views,cn=accounts,dc=idm,dc=example,dc=com
  ID View Name: example_for_host1
[...]
  Hosts the view applies to: host102.idm.example.com, host103.idm.example.com
  objectclass: ipaIDView, top, nsContainer
      Copy to Clipboard Toggle word wrap

      The output shows that the ID view is not applied to somehost.idm.example.com, the newly-added host in the baltimore host group.

    3. Apply the ID view to the new host. For example, to apply the example_for_host1 ID view to somehost.idm.example.com: 

      [root@server ~]# ipa idview-apply --host=somehost.idm.example.com
ID View Name: example_for_host1
-----------------------------------------
Applied ID View "example_for_host1"
-----------------------------------------
  hosts: somehost.idm.example.com
---------------------------------------------
Number of hosts the ID View was applied to: 1
---------------------------------------------
      Copy to Clipboard Toggle word wrap

Verification

  • Display the ID view information again: 

    [root@server ~]# ipa idview-show example_for_host1 --all
  dn: cn=example_for_host1,cn=views,cn=accounts,dc=idm,dc=example,dc=com
  ID View Name: example_for_host1
[...]
  Hosts the view applies to: host102.idm.example.com, host103.idm.example.com, somehost.idm.example.com
  objectclass: ipaIDView, top, nsContainer
    Copy to Clipboard Toggle word wrap

    The output shows that ID view is now applied to somehost.idm.example.com, the newly-added host in the baltimore host group.

Complete this procedure to use the idoverrideuser ansible-freeipa module to create an ID view for a specific Identity Management (IdM) client that overrides a POSIX attribute value associated with a specific IdM user. The procedure uses the example of an ID view that enables an IdM user named idm_user to log in to an IdM client named host1.idm.example.com by using the user_1234 login name. Additionally, the ID view modifies the home directory of idm_user so that after logging in to host1, the user home directory is /home/user_1234/.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • You have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server in the ~/MyPlaybooks/ directory.
    • You are using RHEL 8.10 or later.
    • You have stored your ipaadmin_password in the secret.yml Ansible vault.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Create your Ansible playbook file add-idoverrideuser-with-name-and-homedir.yml with the following content: 

    ---
- name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  gather_facts: false
  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml

  tasks:
  - name: Ensure idview_for_host1 is present
    idview:
      ipaadmin_password: ”{{ ipaadmin_password }}"
      name: idview_for_host1
  - name: Ensure idview_for_host1 is applied to host1.idm.example.com
    idview:
      ipaadmin_password: ”{{ ipaadmin_password }}"
      name: idview_for_host1
      host: host1.idm.example.com
      action: member
  - name: Ensure idm_user is present in idview_for_host1 with homedir /home/user_1234 and name user_1234
    ipaidoverrideuser:
      ipaadmin_password: ”{{ ipaadmin_password }}"
      idview: idview_for_host1
      anchor: idm_user
      name: user_1234
      homedir: /home/user_1234
    Copy to Clipboard Toggle word wrap

  2. Run the playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file:: 

    $ ansible-playbook --vault-password-file=password_file -v -i <path_to_inventory_directory>/inventory <path_to_playbooks_directory>/add-idoverrideuser-with-name-and-homedir.yml
    Copy to Clipboard Toggle word wrap

  3. Optional: If you have root credentials, you can apply the new configuration to the host1.idm.example.com system immediately:

    1. SSH to the system as root: 

      $ ssh root@host1
Password:
      Copy to Clipboard Toggle word wrap

    2. Clear the SSSD cache: 

      root@host1 ~]# sss_cache -E
      Copy to Clipboard Toggle word wrap

    3. Restart the SSSD daemon: 

      root@host1 ~]# systemctl restart sssd
      Copy to Clipboard Toggle word wrap

Verification

  1. SSH to host1 as idm_user: 

    [root@r8server ~]# ssh idm_user@host1.idm.example.com
Password:

Last login: Sun Jun 21 22:34:25 2020 from 192.168.122.229
[user_1234@host1 ~]$
    Copy to Clipboard Toggle word wrap

  2. Print the working directory: 

    [user_1234@host1 ~]$ pwd
/home/user_1234/
    Copy to Clipboard Toggle word wrap

Complete this procedure to use the idoverrideuser ansible-freeipa module to ensure that an IdM user can use a specific SSH key to log in to a specific IdM client. The procedure uses the example of an ID view that enables an IdM user named idm_user to log in to an IdM client named host1.idm.example.com with an SSH key.

Note

This ID view can be used to enhance a specific HBAC rule.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • You have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server in the ~/MyPlaybooks/ directory.
    • You are using RHEL 8.10 or later.
    • You have stored your ipaadmin_password in the secret.yml Ansible vault.
  • You have access to the idm_user’s SSH public key.
  • The idview_for_host1 ID view exists.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Create your Ansible playbook file ensure-idoverrideuser-can-login-with-sshkey.yml with the following content: 

    ---
- name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false
  gather_facts: false
  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml

  tasks:
  - name: Ensure test user idm_user is present in idview idview_for_host1 with sshpubkey
    ipaidoverrideuser:
      ipaadmin_password: ”{{ ipaadmin_password }}"
      idview: idview_for_host1
      anchor: idm_user
      sshpubkey:
      - ssh-rsa AAAAB3NzaC1yc2EAAADAQABAAABgQCqmVDpEX5gnSjKuv97Ay ...
  - name: Ensure idview_for_host1 is applied to host1.idm.example.com
    ipaidview:
      ipaadmin_password:  ”{{ ipaadmin_password }}"
      name: idview_for_host1
      host: host1.idm.example.com
      action: member
    Copy to Clipboard Toggle word wrap

  2. Run the playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i <path_to_inventory_directory>/inventory <path_to_playbooks_directory>/ensure-idoverrideuser-can-login-with-sshkey.yml
    Copy to Clipboard Toggle word wrap

  3. Optional: If you have root credentials, you can apply the new configuration to the host1.idm.example.com system immediately:

    1. SSH to the system as root: 

      $ ssh root@host1
Password:
      Copy to Clipboard Toggle word wrap

    2. Clear the SSSD cache: 

      root@host1 ~]# sss_cache -E
      Copy to Clipboard Toggle word wrap

    3. Restart the SSSD daemon: 

      root@host1 ~]# systemctl restart sssd
      Copy to Clipboard Toggle word wrap

Verification

  • Use the public key to SSH to host1: 

    [root@r8server ~]# ssh -i ~/.ssh/id_rsa.pub idm_user@host1.idm.example.com

Last login: Sun Jun 21 22:34:25 2023 from 192.168.122.229
[idm_user@host1 ~]$
    Copy to Clipboard Toggle word wrap

The output confirms that you have logged in successfully.

You can use the ansible-freeipa group and idoverrideuser modules to make Identity Management (IdM) or Active Directory (AD) users members of the local audio group on an IdM client. This grants the IdM or AD users privileged access to the sound card on the host.

The procedure uses the example of the Default Trust View ID view to which the aduser@addomain.com ID override is added in the first playbook task. In the next playbook task, an audio group is created in IdM with the GID of 63, which corresponds to the GID of local audio groups on RHEL hosts. At the same time, the aduser@addomain.com ID override is added to the IdM audio group as a member.

Prerequisites

  • You have root access to the IdM client on which you want to perform the first part of the procedure. In the example, this is client.idm.example.com.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package on the Ansible controller.
    • You are using RHEL 8.10 or later.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The AD forest is in trust with IdM. In the example, the name of the AD domain is addomain.com and the fully-qualified domain name (FQDN) of the AD user whose presence in the local audio group is being ensured is aduser@addomain.com.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. On client.idm.example.com, add [SUCCESS=merge] to the /etc/nsswitch.conf file: 

    [...]
# Allow initgroups to default to the setting for group.
initgroups: sss [SUCCESS=merge] files
    Copy to Clipboard Toggle word wrap

  2. Identify the GID of the local audio group: 

    $ getent group audio
---------------------
audio:x:63
    Copy to Clipboard Toggle word wrap

  3. On your Ansible control node, create an add-aduser-to-audio-group.yml playbook with a task to add the aduser@addomain.com user override to the Default Trust View: 

    ---
- name: Playbook to manage idoverrideuser
  hosts: ipaserver
  become: false

  tasks:
  - name: Add aduser@addomain.com user to the Default Trust View
    ipaidoverrideuser:
      ipaadmin_password: "{{ ipaadmin_password }}"
      idview: "Default Trust View"
      anchor: aduser@addomain.com
    Copy to Clipboard Toggle word wrap

  4. Use another playbook task in the same playbook to add the group audio to IdM with the GID of 63. Add the aduser idoverrideuser to the group: 

      - name: Add the audio group with the aduser member and GID of 63
    ipagroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: audio
      idoverrideuser:
      - aduser@addomain.com
      gidnumber: 63
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory add-aduser-to-audio-group.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. Log in to the IdM client as the AD user: 

    $ ssh aduser@addomain.com@client.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Verify the group membership of the AD user: 

    $ id aduser@addomain.com
uid=702801456(aduser@addomain.com) gid=63(audio) groups=63(audio)
    Copy to Clipboard Toggle word wrap

If you are working in a lab where you have our own computer but your /home/ directory is in a shared drive exported by a server, you can have two users:

  • One that is system-wide user, stored centrally in Identity Management (IdM).
  • One whose account is local, that is stored on the system in question.

If you need to have full access to your files whether you are logged in as an IdM user or as a local user, you can do so by giving both users the same UID.

Complete this procedure to use the ansible-freeipa idoverrideuser module to:

  • Apply an ID view to host01 named idview_for_host01.
  • Ensure, in idview_for_host01, the presence of a user ID override for idm_user with the UID of 20001.

Prerequisites

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package on the Ansible controller.
    • You are using RHEL 8.10 or later.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The idview_for_host1 ID view exists.

Procedure

  1. On your Ansible control node, create an ensure-idmuser-and-local-user-have-access-to-same-files.yml playbook with the following content: 

    ---
- name: Ensure both local user and IdM user have access to same files
  hosts: ipaserver
  become: false
  gather_facts: false

  tasks:
  - name: Ensure idview_for_host1 is applied to host1.idm.example.com
    ipaidview:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: idview_for_host01
      host: host1.idm.example.com
  - name: Ensure idmuser is present in idview_for_host01 with the UID of 20001
    ipaidoverrideuser:
      ipaadmin_password: "{{ ipaadmin_password }}"
      idview: idview_for_host01
      anchor: idm_user
      UID: 20001
    Copy to Clipboard Toggle word wrap
  2. Save the file.

  3. Run the playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory ensure-idmuser-and-local-user-have-access-to-same-files.yml
    Copy to Clipboard Toggle word wrap

If you want an Identity Management (IdM) user that normally logs in to IdM with a password to authenticate to a specific IdM client by using a smart card only, you can create an ID view that requires certification for the user on that client.

Complete this procedure to use the ansible-freeipa idoverrideuser module to:

  • Apply an ID view to host01 named idview_for_host01.
  • Ensure, in idview_for_host01, the presence of a user ID override for idm_user with two certificates.

Prerequisites

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package on the Ansible controller.
    • You are using RHEL 8.10 or later.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
    • The example assumes that cert1.b64 and cert2.b64 certificates are located in the same directory in which you are executing the playbook.
  • The idview_for_host01 ID view exists.

Procedure

  1. On your Ansible control node, create an ensure-idmuser-present-in-idview-with-certificates.yml playbook with the following content: 

    ---
- name: Ensure both local user and IdM user have access to same files
  hosts: ipaserver
  become: false
  gather_facts: false

  tasks:
  - name: Ensure idview_for_host1 is applied to host01.idm.example.com
    ipaidview:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: idview_for_host01
      host: host01.idm.example.com

  - name: Ensure an IdM user is present in ID view with two certificates
    ipaidoverrideuser:
      ipaadmin_password: "{{ ipaadmin_password }}"
      idview: idview_for_host01
      anchor: idm_user
      certificate:
      - "{{ lookup('file', 'cert1.b64', rstrip=False) }}"
      - "{{ lookup('file', 'cert2.b64', rstrip=False) }}"
    Copy to Clipboard Toggle word wrap

    The rstrip=False directive causes the white space not to be removed from the end of the looked-up file.

  2. Save the file.

  3. Run the playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory ensure-idmuser-present-in-idview-with-certificates.yml
    Copy to Clipboard Toggle word wrap

You can use the ansible-freeipa idview and idoverridegroup modules to make Identity Management (IdM) or Active Directory (AD) users members of the local audio group on an IdM client. This grants the IdM or AD users privileged access to the sound card on the host.

The procedure uses the example of the idview_for_host01 ID view to which the audio group ID override is added with the GID` of 63, which corresponds to the GID of local audio groups on RHEL hosts. The idview_for_host01 ID view is applied to an IdM client named host01.idm.example.com.

Prerequisites

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package on the Ansible controller.
    • You are using RHEL 8.10 or later.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.

Procedure

  1. Optional: Identify the GID of the local audio group on a RHEL host: 

    $ getent group audio
---------------------
audio:x:63
    Copy to Clipboard Toggle word wrap

  2. On your Ansible control node, create an give-idm-group-access-to-sound-card-on-idm-client.yml playbook with the following tasks: 

    ---
- name: Playbook to give IdM group access to sound card on IdM client
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure the audio group exists in IdM
    ipagroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: audio

  - name: Ensure idview_for_host01 exists and is applied to host01.idm.example.com
    ipaidview:
      ipaadmin_password:  ”{{ ipaadmin_password }}"
      name: idview_for_host01
      host: host01.idm.example.com

  - name: Add an override for the IdM audio group with GID 63 to idview_for_host01
    ipaidoverridegroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      idview: idview_for_host01
      anchor: audio
      GID: 63
    Copy to Clipboard Toggle word wrap
  3. Save the file.

  4. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory give-idm-group-access-to-sound-card-on-idm-client.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. On an IdM client, obtain IdM administrator’s credentials: 

    $ kinit admin
Password:
    Copy to Clipboard Toggle word wrap

  2. Create a test IdM user: 

    $ ipa user-add testuser --first test --last user --password
User login [tuser]:
Password:
Enter Password again to verify:
------------------
Added user "tuser"
------------------
    Copy to Clipboard Toggle word wrap

  3. Add the user to the IdM audio group: 

    $ ipa group-add-member --tuser audio
    Copy to Clipboard Toggle word wrap

  4. Log in to host01.idm.example.com as tuser: 

    $ ssh tuser@host01.idm.example.com
    Copy to Clipboard Toggle word wrap

  5. Verify the group membership of the user: 

    $ id tuser
uid=702801456(tuser) gid=63(audio) groups=63(audio)
    Copy to Clipboard Toggle word wrap

You can use ID views to set host specific UIDs and GIDs for existing hosts to prevent changing permissions for files and directories when migrating NIS domains into IdM.

Prerequisites

  • You authenticated yourself as an admin using the kinit admin command.

Procedure

  1. Add users and groups in the IdM domain.

    1. Create users using the ipa user-add command. For more information see: Adding users to IdM.
    2. Create groups using the ipa group-add command. For more information see: Adding groups to IdM.

  2. Override IDs IdM generated during the user creation:

    1. Create a new ID view using ipa idview-add command. For more information see: Getting help for ID view commands.
    2. Add ID overrides for the users and groups to the ID view using ipa idoverrideuser-add and idoverridegroup-add respectively.
  3. Assign the ID view to the specific hosts using ipa idview-apply command.
  4. Decommission the NIS domains.

Verification

  1. To check if all users and groups were added to the ID view correctly, use the ipa idview-show command. 

    $ ipa idview-show example-view
  ID View Name: example-view
  User object overrides: example-user1
  Group object overrides: example-group
    Copy to Clipboard Toggle word wrap

You can use ID views to specify new values for the POSIX attributes of your Active Directory (AD) users in an IdM-AD Trust environment.

By default, IdM applies the Default Trust View to all AD users. You can configure additional ID views on individual IdM clients to further adjust which POSIX attributes specific users receive.

37.1. How the Default Trust View works
Copy link

The Default Trust View is the default ID view that is always applied to AD users and groups in trust-based setups. It is created automatically when you establish the trust using the ipa-adtrust-install command and cannot be deleted.

Note

The Default Trust View only accepts overrides for AD users and groups, not for IdM users and groups.

Using the Default Trust View, you can define custom POSIX attributes for AD users and groups, thus overriding the values defined in AD.

Expand
Table 37.1. Applying the Default Trust View
 Values in ADDefault Trust ViewResult

Login

ad_user

ad_user

ad_user

UID

111

222

222

GID

111

(no value)

111

You can also configure additional ID Views to override the Default Trust View on IdM clients. IdM applies the values from the host-specific ID view on top of the Default Trust View:

  • If an attribute is defined in the host-specific ID view, IdM applies the value from this ID view.
  • If an attribute is not defined in the host-specific ID view, IdM applies the value from the Default Trust View.
Expand
Table 37.2. Applying a host-specific ID view on top of the Default Trust View
 Values in ADDefault Trust ViewHost-specific ID viewResult

Login

ad_user

ad_user

(no value)

ad_user

UID

111

222

333

333

GID

111

(no value)

333

333

Note

You can only apply host-specific ID views to override the Default Trust View on IdM clients. IdM servers and replicas always apply the values from the Default Trust View.

If you want to override a POSIX attribute for an Active Directory (AD) user throughout your entire IdM deployment, modify the entry for that user in the Default Trust View. This procedure sets the GID for the AD user ad_user@ad.example.com to 732000006.

Prerequisites

  • You have authenticated as an IdM administrator.
  • A group must exist with the GID or you must set the GID in an ID override for a group.

Procedure

  1. As an IdM administrator, create an ID override for the AD user in the Default Trust View that changes the GID number to 732000006: 

    # ipa idoverrideuser-add 'Default Trust View' ad_user@ad.example.com --gidnumber=732000006
    Copy to Clipboard Toggle word wrap

  2. Clear the entry for the ad_user@ad.example.com user from the SSSD cache on all IdM servers and clients. This removes stale data and allows the new override value to apply. 

    # sssctl cache-expire -u ad_user@ad.example.com
    Copy to Clipboard Toggle word wrap

Verification

  • Retrieve information for the ad_user@ad.example.com user to verify the GID reflects the updated value. 

    # id ad_user@ad.example.com
uid=702801456(ad_user@ad.example.com) gid=732000006(ad_admins)
groups=732000006(ad_admins),702800513(domain users@ad.example.com)
    Copy to Clipboard Toggle word wrap

You might want to override some POSIX attributes from the Default Trust View for an Active Directory (AD) user. For example, you might need to give an AD user a different GID on one particular IdM client. You can use an ID view to override a value from the Default Trust View for an AD user and apply it to a single host. This procedure explains how to set the GID for the ad_user@ad.example.com AD user on the host1.idm.example.com IdM client to 732001337.

Prerequisites

  • You have root access to the host1.idm.example.com IdM client.
  • You are logged in as a user with the required privileges, for example the admin user.

Procedure

  1. Create an ID view. For example, to create an ID view named example_for_host1: 

    $ ipa idview-add example_for_host1
---------------------------
Added ID View "example_for_host1"
---------------------------
  ID View Name: example_for_host1
    Copy to Clipboard Toggle word wrap

  2. Add a user override to the example_for_host1 ID view. To override the user’s GID:

    • Enter the ipa idoverrideuser-add command
    • Add the name of the ID view
    • Add the user name, also called the anchor
    • Add the --gidnumber= option: 
    $ ipa idoverrideuser-add example_for_host1 ad_user@ad.example.com --gidnumber=732001337
-----------------------------
Added User ID override "ad_user@ad.example.com"
-----------------------------
  Anchor to override: ad_user@ad.example.com
  GID: 732001337
    Copy to Clipboard Toggle word wrap

  3. Apply example_for_host1 to the host1.idm.example.com IdM client: 

    $ ipa idview-apply example_for_host1 --hosts=host1.idm.example.com
-----------------------------
Applied ID View "example_for_host1"
-----------------------------
hosts: host1.idm.example.com
---------------------------------------------
Number of hosts the ID View was applied to: 1
---------------------------------------------
    Copy to Clipboard Toggle word wrap
    Note

    The ipa idview-apply command also accepts the --hostgroups option. The option applies the ID view to hosts that belong to the specified host group, but does not associate the ID view with the host group itself. Instead, the --hostgroups option expands the members of the specified host group and applies the --hosts option individually to every one of them.

    This means that if a host is added to the host group in the future, the ID view does not apply to the new host.

  4. Clear the entry for the ad_user@ad.example.com user from the SSSD cache on the host1.idm.example.com IdM client. This removes stale data and allows the new override value to apply. 

    [root@host1 ~]# sssctl cache-expire -u ad_user@ad.example.com
    Copy to Clipboard Toggle word wrap

Verification

  1. SSH to host1 as ad_user@ad.example.com: 

    [root@r8server ~]# ssh ad_user@ad.example.com@host1.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Retrieve information for the ad_user@ad.example.com user to verify the GID reflects the updated value. 

    [ad_user@ad.example.com@host1 ~]$ id ad_user@ad.example.com
uid=702801456(ad_user@ad.example.com) gid=732001337(admins2)
groups=732001337(admins2),702800513(domain users@ad.example.com)
    Copy to Clipboard Toggle word wrap

37.4. Applying an ID view to an IdM host group
Copy link

The ipa idview-apply command accepts the --hostgroups option. However, the option acts as a one-time operation that applies the ID view to hosts that currently belong to the specified host group, but does not dynamically associate the ID view with the host group itself. The --hostgroups option expands the members of the specified host group and applies the --hosts option individually to every one of them.

If you add a new host to the host group later, you must apply the ID view to the new host manually, using the ipa idview-apply command with the --hosts option.

Similarly, if you remove a host from a host group, the ID view is still assigned to the host after the removal. To unapply the ID view from the removed host, you must run the ipa idview-unapply id_view_name --hosts=name_of_the_removed_host command.

Follow this procedure to achieve the following goals:

  1. How to create a host group and add hosts to it.
  2. How to apply an ID view to the host group.
  3. How to add a new host to the host group and apply the ID view to the new host.

Prerequisites

Procedure

  1. Create a host group and add hosts to it:

    1. Create a host group. For example, to create a host group named baltimore: 

      [root@server ~]# ipa hostgroup-add --desc="Baltimore hosts" baltimore
---------------------------
Added hostgroup "baltimore"
---------------------------
Host-group: baltimore
Description: Baltimore hosts
      Copy to Clipboard Toggle word wrap

    2. Add hosts to the host group. For example, to add the host102 and host103 to the baltimore host group: 

      [root@server ~]# ipa hostgroup-add-member --hosts={host102,host103} baltimore
Host-group: baltimore
Description: Baltimore hosts
Member hosts: host102.idm.example.com, host103.idm.example.com
-------------------------
Number of members added 2
-------------------------
      Copy to Clipboard Toggle word wrap

  2. Apply an ID view to the hosts in the host group. For example, to apply the example_for_host1 ID view to the baltimore host group: 

    [root@server ~]# ipa idview-apply --hostgroups=baltimore
ID View Name: example_for_host1
-----------------------------------------
Applied ID View "example_for_host1"
-----------------------------------------
  hosts: host102.idm.example.com, host103.idm.example.com
---------------------------------------------
Number of hosts the ID View was applied to: 2
---------------------------------------------
    Copy to Clipboard Toggle word wrap

  3. Add a new host to the host group and apply the ID view to the new host:

    1. Add a new host to the host group. For example, to add the somehost.idm.example.com host to the baltimore host group: 

      [root@server ~]# ipa hostgroup-add-member --hosts=somehost.idm.example.com baltimore
  Host-group: baltimore
  Description: Baltimore hosts
  Member hosts:  host102.idm.example.com, host103.idm.example.com,somehost.idm.example.com
-------------------------
Number of members added 1
-------------------------
      Copy to Clipboard Toggle word wrap

    2. Optional: Display the ID view information. For example, to display the details about the example_for_host1 ID view: 

      [root@server ~]# ipa idview-show example_for_host1 --all
  dn: cn=example_for_host1,cn=views,cn=accounts,dc=idm,dc=example,dc=com
  ID View Name: example_for_host1
[...]
  Hosts the view applies to: host102.idm.example.com, host103.idm.example.com
  objectclass: ipaIDView, top, nsContainer
      Copy to Clipboard Toggle word wrap

      The output shows that the ID view is not applied to somehost.idm.example.com, the newly-added host in the baltimore host group.

    3. Apply the ID view to the new host. For example, to apply the example_for_host1 ID view to somehost.idm.example.com: 

      [root@server ~]# ipa idview-apply --host=somehost.idm.example.com
ID View Name: example_for_host1
-----------------------------------------
Applied ID View "example_for_host1"
-----------------------------------------
  hosts: somehost.idm.example.com
---------------------------------------------
Number of hosts the ID View was applied to: 1
---------------------------------------------
      Copy to Clipboard Toggle word wrap

Verification

  • Display the ID view information again: 

    [root@server ~]# ipa idview-show example_for_host1 --all
  dn: cn=example_for_host1,cn=views,cn=accounts,dc=idm,dc=example,dc=com
  ID View Name: example_for_host1
[...]
  Hosts the view applies to: host102.idm.example.com, host103.idm.example.com, somehost.idm.example.com
  objectclass: ipaIDView, top, nsContainer
    Copy to Clipboard Toggle word wrap

    The output shows that ID view is now applied to somehost.idm.example.com, the newly-added host in the baltimore host group.

Chapter 38. Adjusting ID ranges manually
Copy link

An IdM server generates unique user ID (UID) and group ID (GID) numbers. By creating and assigning different ID ranges to replicas, it also ensures that they never generate the same ID numbers. By default, this process is automatic. However, you can manually adjust the IdM ID range during the IdM server installation, or manually define a replica’s DNA ID range.

38.1. ID ranges
Copy link

ID numbers are divided into ID ranges. Keeping separate numeric ranges for individual servers and replicas eliminates the chance that an ID number issued for an entry is already used by another entry on another server or replica.

Note that there are two distinct types of ID ranges:

  • The IdM ID range, which is assigned during the installation of the first server. This range cannot be modified after it is created. However, you can create a new IdM ID range in addition to the original one. For more information, see Automatic ID ranges assignment and Adding a new IdM ID range.

  • The Distributed Numeric Assignment (DNA) ID ranges, which can be modified by the user. These have to fit within an existing IdM ID range. For more information, see Assigning DNA ID ranges manually.

    Replicas can also have a next DNA ID range assigned. A replica uses its next range when it runs out of IDs in its current range. Next ranges are not assigned automatically when a replica is deleted and you must assign them manually.

The ranges are updated and shared between the server and replicas by the DNA plug-in, as part of the back end 389 Directory Server instance for the domain.

The DNA range definition is set by two attributes:

  • The server’s next available number: the low end of the DNA range
  • The range size: the number of ID’s in the DNA range

The initial bottom range is set during the plug-in instance configuration. After that, the plug-in updates the bottom value. Breaking the available numbers into ranges allows the servers to continually assign numbers without overlapping with each other.

38.2. Automatic ID ranges assignment
Copy link

IdM ID ranges

By default, a local domain IdM ID range (ipa-local) is automatically assigned during the IdM server installation. The ipa-server-install command randomly selects and assigns a range of 200,000 IDs from a total of 10,000 possible ranges. Selecting a random range in this way significantly reduces the probability of conflicting IDs in case you decide to merge two separate IdM domains in the future.

Note

Avoid modifying this IdM ID range after it is created. You can manually adjust the Distributed Numeric Assignment (DNA) ID ranges, using the commands described in Assigning DNA ID ranges manually. A DNA range matching the IdM ID range is automatically created during installation.

DNA ID ranges

If you have a single IdM server installed, it controls the whole DNA ID range. When you install a new replica and the replica requests its own DNA ID range, the initial ID range for the server splits and is distributed between the server and replica: the replica receives half of the remaining DNA ID range that is available on the initial server. The server and replica then use their respective portions of the original ID range for new user or group entries. Also, if the replica is close to depleting its allocated ID range and fewer than 100 IDs remain, the replica contacts the other available servers to request a new DNA ID range.

Important

When you install a replica, it does not immediately receive an ID range. A replica receives an ID range the first time the DNA plug-in is used, for example when you first add a user.

If the initial server stops functioning before the replica requests a DNA ID range from it, the replica is unable to contact the server to request the ID range. Attempting to add a new user on the replica then fails. In such situations, you can find out what ID range is assigned to the disabled server, and assign an ID range to the replica manually.

You can override the default behavior and set an IdM ID range manually instead of having it assigned randomly.

Important

Do not set ID ranges that include UID values of 1000 and lower; these values are reserved for system use. Also, do not set an ID range that would include the 0 value; the SSSD service does not handle the 0 ID value.

Procedure

  • You can define the IdM ID range manually during server installation by using the following two options with ipa-server-install:

    • --idstart gives the starting value for UID and GID numbers.
    • --idmax gives the maximum UID and GID number; by default, the value is the --idstart starting value plus 199,999.

Verification

  • To check if the ID range was assigned correctly, you can display the assigned IdM ID range by using the ipa idrange-find command: 

    # ipa idrange-find
---------------
1 range matched
---------------
  Range name: IDM.EXAMPLE.COM_id_range
  First Posix ID of the range: 882200000
  Number of IDs in the range: 200000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
    Copy to Clipboard Toggle word wrap

38.4. Adding a new IdM ID range
Copy link

In some cases, you may want to create a new IdM ID range in addition to the original one; for example, when a replica has run out of IDs and the original IdM ID range is depleted.

Important

Adding a new IdM ID range does not create new DNA ID ranges automatically. You must assign new DNA ID ranges to replicas manually as needed. For more information about how to do this, see assigning DNA ID ranges manually.

Procedure

  1. To create a new IdM ID range, use the ipa idrange-add command. You must specify the new range name, the first ID number of the range, the range size, and the first RID number of the primary and secondary RID range: 

    # ipa idrange-add IDM.EXAMPLE.COM_new_range --base-id 5000 --range-size 1000 --rid-base 300000 --secondary-rid-base 1300000

ipa: WARNING: Service dirsrv@IDM-EXAMPLE-COM.service requires restart on IPA server <all IPA servers> to apply configuration changes.
------------------------------------------
Added ID range "IDM.EXAMPLE.COM_new_range"
------------------------------------------
  Range name: IDM.EXAMPLE.COM_new_range
  First Posix ID of the range: 5000
  Number of IDs in the range: 1000
  First RID of the corresponding RID range: 300000
  First RID of the secondary RID range: 1300000
  Range type: local domain range
    Copy to Clipboard Toggle word wrap

  2. Restart the Directory Server service on all IdM servers in the deployment: 

    # systemctl restart dirsrv@IDM-EXAMPLE-COM.service
    Copy to Clipboard Toggle word wrap

    This ensures that when you create users with UIDs from the new range, they have security identifiers (SIDs) assigned.

  3. Optional: Update the ID range immediately:

    1. Clear the System Security Services Daemon (SSSD) cache: 

      # sss_cache -E
      Copy to Clipboard Toggle word wrap

    2. Restart the SSSD daemon: 

      # systemctl restart sssd
      Copy to Clipboard Toggle word wrap
      Note

      If you do not clear the SSSD cache and restart the service, SSSD only detects the new ID range when it updates the domain list and other configuration data stored on the IdM server.

Verification

  • You can check if the new range is set correctly by using the ipa idrange-find command: 

    # ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: IDM.EXAMPLE.COM_id_range
  First Posix ID of the range: 882200000
  Number of IDs in the range: 200000
  Range type: local domain range

  Range name: IDM.EXAMPLE.COM_new_range
  First Posix ID of the range: 5000
  Number of IDs in the range: 1000
  First RID of the corresponding RID range: 300000
  First RID of the secondary RID range: 1300000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
    Copy to Clipboard Toggle word wrap

An Identity Management (IdM) ID range is defined by several parameters:

  • The range name
  • The first POSIX ID of the range
  • The range size: the number of IDs in the range
  • The first relative identifier (RID) of the corresponding RID range
  • The first RID of the secondary RID range

You can view these values by using the ipa idrange-show command: 

$ ipa idrange-show IDM.EXAMPLE.COM_id_range
  Range name: IDM.EXAMPLE.COM_id_range
  First Posix ID of the range: 196600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1000000
  Range type: local domain range
Copy to Clipboard Toggle word wrap

Security identifiers

The data from the ID ranges of the local domain are used by the IdM server internally to assign unique security identifiers (SIDs) to IdM users and groups. The SIDs are stored in the user and group objects. A user’s SID consists of the following:

  • The domain SID
  • The user’s relative identifier (RID), which is a four-digit 32-bit value appended to the domain SID

For example, if the domain SID is S-1-5-21-123-456-789 and the RID of a user from this domain is 1008, then the user has the SID of S-1-5-21-123-456-789-1008.

Relative identifiers

The RID itself is computed in the following way:

Subtract the first POSIX ID of the range from the user’s POSIX UID, and add the first RID of the corresponding RID range to the result. For example, if the UID of idmuser is 196600008, the first POSIX ID is 196600000, and the first RID is 1000, then idmuser's RID is 1008.

Note

The algorithm computing the user’s RID checks if a given POSIX ID falls into the ID range allocated before it computes a corresponding RID. For example, if the first ID is 196600000 and the range size is 200000, then the POSIX ID of 1600000 is outside of the ID range and the algorithm does not compute a RID for it.

Secondary relative identifiers

In IdM, a POSIX UID can be identical to a POSIX GID. This means that if idmuser already exists with the UID of 196600008, you can still create a new idmgroup group with the GID of 196600008.

However, a SID can define only one object, a user or a group. The SID of S-1-5-21-123-456-789-1008 that has already been created for idmuser cannot be shared with idmgroup. An alternative SID must be generated for idmgroup.

IdM uses a secondary relative identifier, or secondary RID, to avoid conflicting SIDs. This secondary RID consists of the following:

  • The secondary RID base
  • A range size; by default identical with the base range size

In the example above, the secondary RID base is set to 1000000. To compute the RID for the newly created idmgroup: subtract the first POSIX ID of the range from the user’s POSIX UID, and add the first RID of the secondary RID range to the result. idmgroup is therefore assigned the RID of 1000008. Consequently, the SID of idmgroup is S-1-5-21-123-456-789-1000008.

IdM uses the secondary RID to compute a SID only if a user or a group object was previously created with a manually set POSIX ID. Otherwise, automatic assignment prevents assigning the same ID twice.

Kerberos in Identity Management (IdM) uses the Privilege Attribute Certificate (PAC) for authorization. For this to function correctly, users and groups must have a Security Identifier (SID) assigned. SIDs can only be generated for entities that are within a valid ipa-local ID range.

If users or groups are created outside of a defined ipa-local range, or if an existing range is misconfigured, the SID generation task can fail. This can prevent users from authenticating and obtaining Kerberos tickets.

You can use the ipa-idrange-fix command-line tool to analyze and repair these inconsistencies. The tool identifies users and groups outside of valid ranges, proposes the creation of new ranges to cover them, and applies the changes upon confirmation.

Prerequisites

  • You have root access to the IdM server where you will run the tool.

    Important

    Red Hat strongly recommends creating a full backup of the system before you apply any changes suggested by the ipa-idrange-fix tool.

  • The server is running RHEL 8.10 or newer.

Procedure

  1. Run ipa-idrange-fix to analyze the current ID ranges. You can customize this by using various options, such as: 

    # ipa-idrange-fix --rangegap 300000 --minrange 20 --ridoffset 200000
    Copy to Clipboard Toggle word wrap
    • --rangegap <value>: Specifies the maximum gap between IDs to be included in a single proposed range. The default is 200000.
    • --minrange <value>: Sets the minimum number of IDs required to form a valid new range. Any group of IDs smaller than this will be listed as outliers for manual resolution. The default is 10.

    • --ridoffset <value>: Sets an offset for new RID bases to allow for future expansion of existing ranges. The default is 100000.

      Note

      By default, the ipa-idrange-fix tool ignores users and groups with IDs below 1000, as these are typically reserved for system accounts. To include these entities in the analysis, which is not recommended, use the --allowunder1000 option.

  2. The tool displays proposed changes, such as creating new ID ranges. Review the proposed changes carefully.

    Note

    ipa-idrange-fix does not create new SIDs for users and groups who do not have them. To create missing SIDs, see Enabling Security Identifiers (SIDs) in IdM.

  3. Enter yes to apply the changes.

    Important

    Do not run ipa-idrange-fix with the --unattended option unless you are certain you want to automatically apply all proposed changes.

Verification

  1. Review the log file to see the applied changes: 

    # cat /var/log/ipa/ipa-idrange-fix.log
    Copy to Clipboard Toggle word wrap

  2. Use the ipa idrange-find --all command to verify that the new ID ranges have been created correctly: 

    # ipa idrange-find --all

----------------
2 ranges matched
----------------
dn: cn=IDM.EXAMPLE.COM_id_range,cn=ranges,cn=accounts,dc=example,dc=com
Range name: IDM.EXAMPLE.COM_id_range
First Posix ID of the range: 882200000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 1000000
Range type: local domain range
ipaUniqueID: 569bf864-9d45-11ea-bea3-525400f6f085
objectclass: ipaIdRange, top

dn: cn=IDM.EXAMPLE.COM_new_id_range,cn=ranges,cn=accounts,dc=example,dc=com
Range name: IDM.EXAMPLE.COM_new_id_range
First Posix ID of the range: 12000000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 10000
First RID of the secondary RID range: 20000000
Range type: local domain range
ipaUniqueID: 7a2b3c4d-e5f6-7890-a1b2-c3d4e5f67890
objectclass: ipaIdRange, top
----------------------------
Number of entries returned 2
----------------------------
    Copy to Clipboard Toggle word wrap

In some cases, you may want to create a new Identity Management (IdM) ID range in addition to the original one; for example, when a replica has run out of IDs and the original IdM ID range is depleted. The following example describes how to create a new IdM ID range by using an Ansible playbook.

Note

Adding a new IdM ID range does not create new DNA ID ranges automatically. You need to assign new DNA ID ranges manually as needed. For more information about how to do this, see Assigning DNA ID ranges manually.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Create the idrange-present.yml playbook with the following content: 

    ---
- name: Playbook to manage idrange
  hosts: ipaserver
  become: no

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure local idrange is present
    ipaidrange:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: new_id_range
      base_id: 12000000
      range_size: 200000
      rid_base: 1000000
      secondary_rid_base: 200000000
    Copy to Clipboard Toggle word wrap
  3. Save the file.

  4. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory idrange-present.yml
    Copy to Clipboard Toggle word wrap

  5. SSH to ipaserver and restart the Directory Server: 

    # systemctl restart dirsrv@IDM.EXAMPLE.COM.service
    Copy to Clipboard Toggle word wrap

    This ensures that when you create users with UIDs from the new range, they have security identifiers (SIDs) assigned.

  6. Optional: Update the ID range immediately:

    1. On ipaserver, clear the System Security Services Daemon (SSSD) cache: 

      # sss_cache -E
      Copy to Clipboard Toggle word wrap

    2. On ipaserver, restart the SSSD daemon: 

      # systemctl restart sssd
      Copy to Clipboard Toggle word wrap
      Note

      If you do not clear the SSSD cache and restart the service, SSSD only detects the new ID range when it updates the domain list and other configuration data stored on the IdM server.

Verification

  • You can check if the new range is set correctly by using the ipa idrange-find command: 
# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: IDM.EXAMPLE.COM_id_range
  First Posix ID of the range: 882200000
  Number of IDs in the range: 200000
  Range type: local domain range

  Range name: IDM.EXAMPLE.COM_new_id_range
  First Posix ID of the range: 12000000
  Number of IDs in the range: 200000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
Copy to Clipboard Toggle word wrap

If you have removed a trust between your IdM and Active Directory (AD) environments, you might want to remove the ID range associated with it.

Warning

IDs allocated to ID ranges associated with trusted domains might still be used for ownership of files and directories on systems enrolled into IdM.

If you remove the ID range that corresponds to an AD trust that you have removed, you will not be able to resolve the ownership of any files and directories owned by AD users.

Prerequisites

  • You have removed a trust to an AD environment.

Procedure

  1. Display all the ID ranges that are currently in use: 

    [root@server ~]# ipa idrange-find
    Copy to Clipboard Toggle word wrap
  2. Identify the name of the ID range associated with the trust you have removed. The first part of the name of the ID range is the name of the trust, for example AD.EXAMPLE.COM_id_range.

  3. Remove the range: 

    [root@server ~]# ipa idrange-del AD.EXAMPLE.COM_id_range
    Copy to Clipboard Toggle word wrap

  4. Restart the SSSD service to remove references to the ID range you have removed. 

    [root@server ~]# systemctl restart sssd
    Copy to Clipboard Toggle word wrap

38.9. Displaying currently assigned DNA ID ranges
Copy link

You can display both the currently active Distributed Numeric Assignment (DNA) ID range on a server, as well as its next DNA range if it has one assigned.

Procedure

  • To display which DNA ID ranges are configured for the servers in the topology, use the following commands:

    • ipa-replica-manage dnarange-show displays the current DNA ID range that is set on all servers or, if you specify a server, only on the specified server, for example: 

      # ipa-replica-manage dnarange-show
serverA.example.com: 1001-1500
serverB.example.com: 1501-2000
serverC.example.com: No range set

# ipa-replica-manage dnarange-show serverA.example.com
serverA.example.com: 1001-1500
      Copy to Clipboard Toggle word wrap

    • ipa-replica-manage dnanextrange-show displays the next DNA ID range currently set on all servers or, if you specify a server, only on the specified server, for example: 

      # ipa-replica-manage dnanextrange-show
serverA.example.com: 2001-2500
serverB.example.com: No on-deck range set
serverC.example.com: No on-deck range set

# ipa-replica-manage dnanextrange-show serverA.example.com
serverA.example.com: 2001-2500
      Copy to Clipboard Toggle word wrap

38.10. Manual ID range assignment
Copy link

In certain situations, it is necessary to manually assign a Distributed Numeric Assignment (DNA) ID range, for example when:

  • A replica has run out of IDs and the IdM ID range is depleted

    A replica has exhausted the DNA ID range that was assigned to it, and requesting additional IDs failed because no more free IDs are available in the IdM range.

    To solve this situation, extend the DNA ID range assigned to the replica. You can do this in two ways:

    • Shorten the DNA ID range assigned to a different replica, then assign the newly available values to the depleted replica.

    • Create a new IdM ID range, then set a new DNA ID range for the replica within this created IdM range.

      For information about how to create a new IdM ID range, see Adding a new IdM ID range.

  • A replica stopped functioning

    A replica’s DNA ID range is not automatically retrieved when the replica stops functioning and must be deleted, which means the DNA ID range previously assigned to the replica becomes unavailable. You want to recover the DNA ID range and make it available for other replicas.

    To do this, find out what the ID range values are, before manually assigning that range to a different server. Also, to avoid duplicate UIDs or GIDs, make sure that no ID value from the recovered range was previously assigned to a user or group; you can do this by examining the UIDs and GIDs of existing users and groups.

You can manually assign a DNA ID range to a replica using the commands in Assigning DNA ID ranges manually.

Note

If you assign a new DNA ID range, the UIDs of the already existing entries on the server or replica stay the same. This does not pose a problem because even if you change the current DNA ID range, IdM keeps a record of what ranges were assigned in the past.

38.11. Assigning DNA ID ranges manually
Copy link

In some cases, you may need to manually assign Distributed Numeric Assignment (DNA) ID ranges to existing replicas, for example to reassign a DNA ID range assigned to a non-functioning replica. For more information, see Manual ID range assignment.

When adjusting a DNA ID range manually, make sure that the newly adjusted range is included in the IdM ID range; you can check this using the ipa idrange-find command. Otherwise, the command fails.

Important

Be careful not to create overlapping ID ranges. If any of the ID ranges you assign to servers or replicas overlap, it could result in two different servers assigning the same ID value to different entries.

Prerequisites

Procedure

  • To define the current DNA ID range for a specified server, use ipa-replica-manage dnarange-set: 

    # ipa-replica-manage dnarange-set serverA.example.com 1250-1499
    Copy to Clipboard Toggle word wrap

  • To define the next DNA ID range for a specified server, use ipa-replica-manage dnanextrange-set: 

    # ipa-replica-manage dnanextrange-set serverB.example.com 1500-5000
    Copy to Clipboard Toggle word wrap

Verification

Chapter 39. Managing subID ranges manually
Copy link

In a containerized environment, sometimes an IdM user needs to assign subID ranges manually. The following instructions describe how to manage the subID ranges.

39.1. Generating subID ranges using IdM CLI
Copy link

As an Identity Management (IdM) administrator, you can generate a subID range and assign it to IdM users.

Prerequisites

  • The IdM users exist.
  • You have obtained an IdM admin ticket-granting ticket (TGT). See Using kinit to log in to IdM manually for more details.
  • You have root access to the IdM host where you are executing the procedure.

Procedure

  1. Optional: Check for existing subID ranges: 

    # ipa subid-find
    Copy to Clipboard Toggle word wrap

  2. If a subID range does not exist, select one of the following options:

    • Generate and assign a subID range to an IdM user: 

      # ipa subid-generate --owner=idmuser

Added subordinate id "359dfcef-6b76-4911-bd37-bb5b66b8c418"

  Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
  Description: auto-assigned subid
  Owner: idmuser
  SubUID range start: 2147483648
  SubUID range size: 65536
  SubGID range start: 2147483648
  SubGID range size: 65536
      Copy to Clipboard Toggle word wrap

    • Generate and assign subID ranges to all IdM users: 

      # /usr/libexec/ipa/ipa-subids --all-users

Found 2 user(s) without subordinate ids
  Processing user 'user4' (1/2)
  Processing user 'user5' (2/2)
Updated 2 user(s)
The ipa-subids command was successful
      Copy to Clipboard Toggle word wrap

  3. Optional: Assign subID ranges to new IdM users by default: 

    # ipa config-mod --user-default-subid=True
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that the user has a subID range assigned: 

    # ipa subid-find --owner=idmuser

1 subordinate id matched

  Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
  Owner: idmuser
  SubUID range start: 2147483648
  SubUID range size: 65536
  SubGID range start: 2147483648
  SubGID range size: 65536

Number of entries returned 1
    Copy to Clipboard Toggle word wrap

As an Identity Management (IdM) administrator, you can generate a subID range and assign it to a user in the IdM WebUI interface.

Prerequisites

Procedure

  1. In the IdM WebUI interface expand the Subordinate IDs tab and choose the Subordinate IDs option.
  2. When the Subordinate IDs interface appears, click the Add button in the upper-right corner of the interface. The Add subid window appears.
  3. In the Add subid window choose an owner, that is the user to whom you want to assign a subID range.
  4. Click the Add button.

Verification

  • View the table under the Subordinate IDs tab. A new record shows in the table. The owner is the user to whom you assigned the subID range.

As an Identity Management (IdM) user, you can search for IdM user subID ranges and view the related information.

Prerequisites

Procedure

  • To view the details about a subID range:

    • If you know the unique ID hash of the Identity Management (IdM) user that is the owner of the range: 

      $ ipa subid-show 359dfcef-6b76-4911-bd37-bb5b66b8c418

  Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
  Owner: idmuser
  SubUID range start: 2147483648
  SubUID range size: 65536
  SubGID range start: 2147483648
  SubGID range size: 65536
      Copy to Clipboard Toggle word wrap

    • If you know a specific subID from that range: 

      $ ipa subid-match --subuid=2147483670

1 subordinate id matched

  Unique ID: 359dfcef-6b76-4911-bd37-bb5b66b8c418
  Owner: uid=idmuser
  SubUID range start: 2147483648
  SubUID range size: 65536
  SubGID range start: 2147483648
  SubGID range size: 65536

Number of entries returned 1
      Copy to Clipboard Toggle word wrap

As a system administrator, you can use the command line to list the subID ranges of Identity Management (IdM) or local users.

Prerequisites

  • The idmuser user exists in IdM.
  • The shadow-utils-subid package is installed.
  • You can edit the /etc/nsswitch.conf file.

Procedure

  1. Open the /etc/nsswitch.conf file and configure the shadow-utils utility to use IdM subID ranges by setting the subid variable to the sss value: 

    [...]
subid: sss
    Copy to Clipboard Toggle word wrap
    Note

    You can provide only one value for the subid field. Setting the subid field to the file value or no value instead of sss configures the shadow-utils utility to use the subID ranges from the /etc/subuid and /etc/subgid files.

  2. List the subID range for an IdM user: 

    $ getsubids idmuser
0: idmuser 2147483648 65536
    Copy to Clipboard Toggle word wrap

    The first value, 2147483648, indicates the subID range start. The second value, 65536, indicates the size of the range.

You can maintain multiple Identity Management (IdM) servers and let them replicate each other for redundancy purposes to mitigate or prevent server loss. For example, if one server fails, the other servers keep providing services to the domain. You can also recover the lost server by creating a new replica based on one of the remaining servers.

Data stored on an IdM server is replicated based on replication agreements: when two servers have a replication agreement configured, they share their data. The data that is replicated is stored in the topology suffixes. When two replicas have a replication agreement between their suffixes, the suffixes form a topology segment.

This chapter describes how to use Ansible to manage IdM replication agreements, topology segments, and topology suffixes.

Data stored on an Identity Management (IdM) server is replicated based on replication agreements: when two servers have a replication agreement configured, they share their data. Replication agreements are always bilateral: the data is replicated from the first replica to the other one as well as from the other replica to the first one.

Follow this procedure to use an Ansible playbook to ensure that a replication agreement of the domain type exists between server.idm.example.com and replica.idm.example.com.

Prerequisites

  • Ensure that you understand the recommendations for designing your IdM topology listed in Guidelines for connecting IdM replicas in a topology.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Copy the add-topologysegment.yml Ansible playbook file provided by the ansible-freeipa package: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/topology/add-topologysegment.yml add-topologysegment-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the add-topologysegment-copy.yml file for editing.

  4. Adapt the file by setting the following variables in the ipatopologysegment task section:

    • Indicate that the value of the ipaadmin_password variable is defined in the secret.yml Ansible vault file.
    • Set the suffix variable to either domain or ca, depending on what type of segment you want to add.
    • Set the left variable to the name of the IdM server that you want to be the left node of the replication agreement.
    • Set the right variable to the name of the IdM server that you want to be the right node of the replication agreement.
    • Ensure that the state variable is set to present.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Playbook to handle topologysegment
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
- name: Add topology segment
    ipatopologysegment:
      ipaadmin_password: "{{ ipaadmin_password }}"
      suffix: domain
      left: server.idm.example.com
      right: replica.idm.example.com
      state: present
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory add-topologysegment-copy.yml
    Copy to Clipboard Toggle word wrap

Data stored on an Identity Management (IdM) server is replicated based on replication agreements: when two servers have a replication agreement configured, they share their data. Replication agreements are always bilateral: the data is replicated from the first replica to the other one as well as from the other replica to the first one.

Follow this procedure to ensure replication agreements exist between multiple pairs of replicas in IdM.

Prerequisites

  • Ensure that you understand the recommendations for designing your IdM topology listed in Connecting the replicas in a topology.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Copy the add-topologysegments.yml Ansible playbook file provided by the ansible-freeipa package: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/topology/add-topologysegments.yml add-topologysegments-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the add-topologysegments-copy.yml file for editing.

  4. Adapt the file by setting the following variables in the vars section:

    • Indicate that the value of the ipaadmin_password variable is defined in the secret.yml Ansible vault file.

    • For every topology segment, add a line in the ipatopology_segments section and set the following variables:

      • Set the suffix variable to either domain or ca, depending on what type of segment you want to add.
      • Set the left variable to the name of the IdM server that you want to be the left node of the replication agreement.
      • Set the right variable to the name of the IdM server that you want to be the right node of the replication agreement.

  5. In the tasks section of the add-topologysegments-copy.yml file, ensure that the state variable is set to present.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Add topology segments
  hosts: ipaserver
  gather_facts: false

  vars:
    ipaadmin_password: "{{ ipaadmin_password }}"
    ipatopology_segments:
    - {suffix: domain, left: replica1.idm.example.com , right: replica2.idm.example.com }
    - {suffix: domain, left: replica2.idm.example.com , right: replica3.idm.example.com }
    - {suffix: domain, left: replica3.idm.example.com , right: replica4.idm.example.com }
    - {suffix: domain+ca, left: replica4.idm.example.com , right: replica1.idm.example.com }

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Add topology segment
    ipatopologysegment:
      ipaadmin_password: "{{ ipaadmin_password }}"
      suffix: "{{ item.suffix }}"
      name: "{{ item.name | default(omit) }}"
      left: "{{ item.left }}"
      right: "{{ item.right }}"
      state: present
    loop: "{{ ipatopology_segments | default([]) }}"
    Copy to Clipboard Toggle word wrap
  6. Save the file.

  7. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory add-topologysegments-copy.yml
    Copy to Clipboard Toggle word wrap

Data stored on an Identity Management (IdM) server is replicated based on replication agreements: when two servers have a replication agreement configured, they share their data. Replication agreements are always bilateral: the data is replicated from the first replica to the other one as well as from the other replica to the first one.

Follow this procedure to verify that replication agreements exist between multiple pairs of replicas in IdM. In contrast to Using Ansible to ensure a replication agreement exists in IdM, this procedure does not modify the existing configuration.

Prerequisites

  • Ensure that you understand the recommendations for designing your Identity Management (IdM) topology listed in Connecting the replicas in a topology.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Copy the check-topologysegments.yml Ansible playbook file provided by the ansible-freeipa package: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/topology/check-topologysegments.yml check-topologysegments-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the check-topologysegments-copy.yml file for editing.

  4. Adapt the file by setting the following variables in the vars section:

    • Indicate that the value of the ipaadmin_password variable is defined in the secret.yml Ansible vault file.

    • For every topology segment, add a line in the ipatopology_segments section and set the following variables:

      • Set the suffix variable to either domain or ca, depending on the type of segment you are adding.
      • Set the left variable to the name of the IdM server that you want to be the left node of the replication agreement.
      • Set the right variable to the name of the IdM server that you want to be the right node of the replication agreement.

  5. In the tasks section of the check-topologysegments-copy.yml file, ensure that the state variable is set to present.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Add topology segments
  hosts: ipaserver
  gather_facts: false

  vars:
    ipaadmin_password: "{{ ipaadmin_password }}"
    ipatopology_segments:
    - {suffix: domain, left: replica1.idm.example.com, right: replica2.idm.example.com }
    - {suffix: domain, left: replica2.idm.example.com , right: replica3.idm.example.com }
    - {suffix: domain, left: replica3.idm.example.com , right: replica4.idm.example.com }
    - {suffix: domain+ca, left: replica4.idm.example.com , right: replica1.idm.example.com }

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Check topology segment
    ipatopologysegment:
      ipaadmin_password: "{{ ipaadmin_password }}"
      suffix: "{{ item.suffix }}"
      name: "{{ item.name | default(omit) }}"
      left: "{{ item.left }}"
      right: "{{ item.right }}"
      state: checked
    loop: "{{ ipatopology_segments | default([]) }}"
    Copy to Clipboard Toggle word wrap
  6. Save the file.

  7. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory check-topologysegments-copy.yml
    Copy to Clipboard Toggle word wrap

In the context of replication agreements in Identity Management (IdM), topology suffixes store the data that is replicated. IdM supports two types of topology suffixes: domain and ca. Each suffix represents a separate back end, a separate replication topology. When a replication agreement is configured, it joins two topology suffixes of the same type on two different servers.

The domain suffix contains all domain-related data, such as data about users, groups, and policies. The ca suffix contains data for the Certificate System component. It is only present on servers with a certificate authority (CA) installed.

Follow this procedure to use an Ansible playbook to ensure that a topology suffix exists in IdM. The example describes how to ensure that the domain suffix exists in IdM.

Prerequisites

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Copy the verify-topologysuffix.yml Ansible playbook file provided by the ansible-freeipa package: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/topology/ verify-topologysuffix.yml verify-topologysuffix-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the verify-topologysuffix-copy.yml Ansible playbook file for editing.

  4. Adapt the file by setting the following variables in the ipatopologysuffix section:

    • Indicate that the value of the ipaadmin_password variable is defined in the secret.yml Ansible vault file.
    • Set the suffix variable to domain. If you are verifying the presence of the ca suffix, set the variable to ca.
    • Ensure that the state variable is set to verified. No other option is possible.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Playbook to handle topologysuffix
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Verify topology suffix
    ipatopologysuffix:
      ipaadmin_password: "{{ ipaadmin_password }}"
      suffix: domain
      state: verified
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory verify-topologysuffix-copy.yml
    Copy to Clipboard Toggle word wrap

40.5. Using Ansible to reinitialize an IdM replica
Copy link

If a replica has been offline for a long period of time or its database has been corrupted, you can reinitialize it. Reinitialization refreshes the replica with an updated set of data. Reinitialization can, for example, be used if an authoritative restore from backup is required.

Note

In contrast to replication updates, during which replicas only send changed entries to each other, reinitialization refreshes the whole database.

The local host on which you run the command is the reinitialized replica. To specify the replica from which the data is obtained, use the direction option.

Follow this procedure to use an Ansible playbook to reinitialize the domain data on replica.idm.example.com from server.idm.example.com.

Prerequisites

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Copy the reinitialize-topologysegment.yml Ansible playbook file provided by the ansible-freeipa package: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/topology/reinitialize-topologysegment.yml reinitialize-topologysegment-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the reinitialize-topologysegment-copy.yml file for editing.

  4. Adapt the file by setting the following variables in the ipatopologysegment section:

    • Indicate that the value of the ipaadmin_password variable is defined in the secret.yml Ansible vault file.
    • Set the suffix variable to domain. If you are reinitializing the ca data, set the variable to ca.
    • Set the left variable to the left node of the replication agreement.
    • Set the right variable to the right node of the replication agreement.
    • Set the direction variable to the direction of the reinitializing data. The left-to-right direction means that data flows from the left node to the right node.

    • Ensure that the state variable is set to reinitialized.

      This is the modified Ansible playbook file for the current example: 

      ---
- name: Playbook to handle topologysegment
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Reinitialize topology segment
    ipatopologysegment:
      ipaadmin_password: "{{ ipaadmin_password }}"
      suffix: domain
      left: server.idm.example.com
      right: replica.idm.example.com
      direction: left-to-right
      state: reinitialized
      Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory reinitialize-topologysegment-copy.yml
    Copy to Clipboard Toggle word wrap

Data stored on an Identity Management (IdM) server is replicated based on replication agreements: when two servers have a replication agreement configured, they share their data. Replication agreements are always bilateral: the data is replicated from the first replica to the other one as well as from the other replica to the first one.

Follow this procedure to ensure a replication agreement between two replicas does not exist in IdM. The example describes how to ensure a replication agreement of the domain type does not exist between the replica01.idm.example.com and replica02.idm.example.com IdM servers.

Prerequisites

  • You understand the recommendations for designing your IdM topology listed in Connecting the replicas in a topology.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Copy the delete-topologysegment.yml Ansible playbook file provided by the ansible-freeipa package: 

    $ cp /usr/share/doc/ansible-freeipa/playbooks/topology/delete-topologysegment.yml delete-topologysegment-copy.yml
    Copy to Clipboard Toggle word wrap
  3. Open the delete-topologysegment-copy.yml file for editing.

  4. Adapt the file by setting the following variables in the ipatopologysegment task section:

    • Indicate that the value of the ipaadmin_password variable is defined in the secret.yml Ansible vault file.
    • Set the suffix variable to domain. Alternatively, if you are ensuring that the ca data are not replicated between the left and right nodes, set the variable to ca.
    • Set the left variable to the name of the IdM server that is the left node of the replication agreement.
    • Set the right variable to the name of the IdM server that is the right node of the replication agreement.
    • Ensure that the state variable is set to absent.

    This is the modified Ansible playbook file for the current example: 

    ---
- name: Playbook to handle topologysegment
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
- name: Delete topology segment
    ipatopologysegment:
      ipaadmin_password: "{{ ipaadmin_password }}"
      suffix: domain
      left: replica01.idm.example.com
      right: replica02.idm.example.com:
      state: absent
    Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory delete-topologysegment-copy.yml
    Copy to Clipboard Toggle word wrap

As a system administrator, you can configure Identity Management (IdM) to support the provisioning of users by an external solution for managing identities.

Rather than use the ipa utility, the administrator of the external provisioning system can access the IdM LDAP using the ldapmodify utility. The administrator can add individual stage users from the CLI using ldapmodify or using an LDIF file.

The assumption is that you, as an IdM administrator, fully trust your external provisioning system to only add validated users. However, at the same time you do not want to assign the administrators of the external provisioning system the IdM role of User Administrator to enable them to add new active users directly.

You can configure a script to automatically move the staged users created by the external provisioning system to active users automatically.

This procedure shows how to configure two IdM user accounts to be used by an external provisioning system. By adding the accounts to a group with an appropriate password policy, you enable the external provisioning system to manage user provisioning in IdM. In the following, the user account to be used by the external system to add stage users is named provisionator. The user account to be used to automatically activate the stage users is named activator.

Prerequisites

  • The host on which you perform the procedure is enrolled into IdM.

Procedure

  1. Log in as IdM administrator: 

    $ kinit admin
    Copy to Clipboard Toggle word wrap

  2. Create a user named provisionator with the privileges to add stage users.

    1. Add the provisionator user account: 

      $ ipa user-add provisionator --first=provisioning --last=account --password
      Copy to Clipboard Toggle word wrap

    2. Grant the provisionator user the required privileges.

      1. Create a custom role, System Provisioning, to manage adding stage users: 

        $ ipa role-add --desc "Responsible for provisioning stage users" "System Provisioning"
        Copy to Clipboard Toggle word wrap

      2. Add the Stage User Provisioning privilege to the role. This privilege provides the ability to add stage users: 

        $ ipa role-add-privilege "System Provisioning" --privileges="Stage User Provisioning"
        Copy to Clipboard Toggle word wrap

      3. Add the provisionator user to the role: 

        $ ipa role-add-member --users=provisionator "System Provisioning"
        Copy to Clipboard Toggle word wrap

      4. Verify that the provisionator exists in IdM: 

        $ ipa user-find provisionator --all --raw
--------------
1 user matched
--------------
  dn: uid=provisionator,cn=users,cn=accounts,dc=idm,dc=example,dc=com
  uid: provisionator
  [...]
        Copy to Clipboard Toggle word wrap

  3. Create a user, activator, with the privileges to manage user accounts.

    1. Add the activator user account: 

      $ ipa user-add activator --first=activation --last=account --password
      Copy to Clipboard Toggle word wrap

    2. Grant the activator user the required privileges by adding the user to the default User Administrator role: 

      $ ipa role-add-member --users=activator "User Administrator"
      Copy to Clipboard Toggle word wrap

  4. Create a user group for application accounts: 

    $ ipa group-add application-accounts
    Copy to Clipboard Toggle word wrap

  5. Update the password policy for the group. The following policy prevents password expiration and lockout for the account but compensates the potential risks by requiring complex passwords: 

    $ ipa pwpolicy-add application-accounts --maxlife=10000 --minlife=0 --history=0 --minclasses=4 --minlength=8 --priority=1 --maxfail=0 --failinterval=1 --lockouttime=0
    Copy to Clipboard Toggle word wrap

  6. Optional: Verify that the password policy exists in IdM: 

    $ ipa pwpolicy-show application-accounts
  Group: application-accounts
  Max lifetime (days): 10000
  Min lifetime (hours): 0
  History size: 0
[...]
    Copy to Clipboard Toggle word wrap

  7. Add the provisioning and activation accounts to the group for application accounts: 

    $ ipa group-add-member application-accounts --users={provisionator,activator}
    Copy to Clipboard Toggle word wrap

  8. Change the passwords for the user accounts: 

    $ kpasswd provisionator
$ kpasswd activator
    Copy to Clipboard Toggle word wrap

    Changing the passwords is necessary because new IdM users passwords expire immediately.

You can create a script to activate stage users. The system runs the script automatically at specified time intervals. This ensures that new user accounts are automatically activated and available for use shortly after they are created.

Important

It is assumed that the owner of the external provisioning system has already validated the users and that they do not require additional validation on the IdM side before the script adds them to IdM.

It is sufficient to enable the activation process on only one of your IdM servers.

Prerequisites

Procedure

  1. Generate a keytab file for the activation account: 

    # ipa-getkeytab -s server.idm.example.com -p "activator" -k /etc/krb5.ipa-activation.keytab
    Copy to Clipboard Toggle word wrap

    If you want to enable the activation process on more than one IdM server, generate the keytab file on one server only. Then copy the keytab file to the other servers.

  2. Create a script, /usr/local/sbin/ipa-activate-all, with the following contents to activate all users: 

    #!/bin/bash

kinit -k -i activator

ipa stageuser-find --all --raw | grep "  uid:" | cut -d ":" -f 2 | while read uid; do ipa stageuser-activate ${uid}; done
    Copy to Clipboard Toggle word wrap

  3. Edit the permissions and ownership of the ipa-activate-all script to make it executable: 

    # chmod 755 /usr/local/sbin/ipa-activate-all
# chown root:root /usr/local/sbin/ipa-activate-all
    Copy to Clipboard Toggle word wrap

  4. Create a systemd unit file, /etc/systemd/system/ipa-activate-all.service, with the following contents: 

    [Unit]
Description=Scan IdM every minute for any stage users that must be activated

[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/krb5.ipa-activation.keytab
Environment=KRB5CCNAME=FILE:/tmp/krb5cc_ipa-activate-all
ExecStart=/usr/local/sbin/ipa-activate-all
    Copy to Clipboard Toggle word wrap

  5. Create a systemd timer, /etc/systemd/system/ipa-activate-all.timer, with the following contents: 

    [Unit]
Description=Scan IdM every minute for any stage users that must be activated

[Timer]
OnBootSec=15min
OnUnitActiveSec=1min

[Install]
WantedBy=multi-user.target
    Copy to Clipboard Toggle word wrap

  6. Reload the new configuration: 

    # systemctl daemon-reload
    Copy to Clipboard Toggle word wrap

  7. Enable ipa-activate-all.timer: 

    # systemctl enable ipa-activate-all.timer
    Copy to Clipboard Toggle word wrap

  8. Start ipa-activate-all.timer: 

    # systemctl start ipa-activate-all.timer
    Copy to Clipboard Toggle word wrap

  9. Optional: Verify that the ipa-activate-all.timer daemon is running: 

    # systemctl status ipa-activate-all.timer
● ipa-activate-all.timer - Scan IdM every minute for any stage users that must be activated
   Loaded: loaded (/etc/systemd/system/ipa-activate-all.timer; enabled; vendor preset: disabled)
   Active: active (waiting) since Wed 2020-06-10 16:34:55 CEST; 15s ago
  Trigger: Wed 2020-06-10 16:35:55 CEST; 44s left

Jun 10 16:34:55 server.idm.example.com systemd[1]: Started Scan IdM every minute for any stage users that must be activated.
    Copy to Clipboard Toggle word wrap

Follow this procedure to access IdM LDAP and use an LDIF file to add stage users. While the example below shows adding one single user, multiple users can be added in one file in bulk mode.

Prerequisites

  • IdM administrator has created the provisionator account and a password for it. For details, see Preparing IdM accounts for automatic activation of stage user accounts.
  • You as the external administrator know the password of the provisionator account.
  • You can SSH to the IdM server from your LDAP server.

  • You are able to supply the minimal set of attributes that an IdM stage user must have to allow the correct processing of the user life cycle, namely:

    • The distinguished name (dn)
    • The common name (cn)
    • The last name (sn)
    • The uid

Procedure

  1. On the external server, create an LDIF file that contains information about the new user: 

    dn: uid=stageidmuser,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
changetype: add
objectClass: top
objectClass: inetorgperson
uid: stageidmuser
sn: surname
givenName: first_name
cn: full_name
    Copy to Clipboard Toggle word wrap

  2. Transfer the LDIF file from the external server to the IdM server: 

    $ scp add-stageidmuser.ldif provisionator@server.idm.example.com:/provisionator/
Password:
add-stageidmuser.ldif                                                                                          100%  364   217.6KB/s   00:00
    Copy to Clipboard Toggle word wrap

  3. Use the SSH protocol to connect to the IdM server as provisionator: 

    $ ssh provisionator@server.idm.example.com
Password:
[provisionator@server ~]$
    Copy to Clipboard Toggle word wrap

  4. On the IdM server, obtain the Kerberos ticket-granting ticket (TGT) for the provisionator account: 

    [provisionator@server ~]$ kinit provisionator
    Copy to Clipboard Toggle word wrap

  5. Enter the ldapadd command with the -f option and the name of the LDIF file. Specify the name of the IdM server and the port number: 

    ~]$ ldapadd -h server.idm.example.com -p 389 -f  add-stageidmuser.ldif
SASL/GSSAPI authentication started
SASL username: provisionator@IDM.EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
adding the entry "uid=stageidmuser,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com"
    Copy to Clipboard Toggle word wrap

Follow this procedure to access access Identity Management (IdM) LDAP and use the ldapmodify utility to add a stage user.

Prerequisites

  • The IdM administrator has created the provisionator account and a password for it. For details, see Preparing IdM accounts for automatic activation of stage user accounts.
  • You as the external administrator know the password of the provisionator account.
  • You can SSH to the IdM server from your LDAP server.

  • You are able to supply the minimal set of attributes that an IdM stage user must have to allow the correct processing of the user life cycle, namely:

    • The distinguished name (dn)
    • The common name (cn)
    • The last name (sn)
    • The uid

Procedure

  1. Use the SSH protocol to connect to the IdM server using your IdM identity and credentials: 

    $ ssh provisionator@server.idm.example.com
Password:
[provisionator@server ~]$
    Copy to Clipboard Toggle word wrap

  2. Obtain the TGT of the provisionator account, an IdM user with a role to add new stage users: 

    $ kinit provisionator
    Copy to Clipboard Toggle word wrap

  3. Enter the ldapmodify command and specify Generic Security Services API (GSSAPI) as the Simple Authentication and Security Layer (SASL) mechanism to use for authentication. Specify the name of the IdM server and the port: 

    # ldapmodify -h server.idm.example.com -p 389 -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: provisionator@IDM.EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
    Copy to Clipboard Toggle word wrap

  4. Enter the dn of the user you are adding: 

    dn: uid=stageuser,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
    Copy to Clipboard Toggle word wrap

  5. Enter add as the type of change you are performing: 

    changetype: add
    Copy to Clipboard Toggle word wrap

  6. Specify the LDAP object class categories required to allow the correct processing of the user life cycle: 

    objectClass: top
objectClass: inetorgperson
    Copy to Clipboard Toggle word wrap

    You can specify additional object classes.

  7. Enter the uid of the user: 

    uid: stageuser
    Copy to Clipboard Toggle word wrap

  8. Enter the cn of the user: 

    cn: Babs Jensen
    Copy to Clipboard Toggle word wrap

  9. Enter the last name of the user: 

    sn: Jensen
    Copy to Clipboard Toggle word wrap

  10. Press Enter again to confirm that this is the end of the entry: 

    [Enter]

adding new entry "uid=stageuser,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com"
    Copy to Clipboard Toggle word wrap
  11. Exit the connection using Ctrl + C.

Verification

Verify the contents of the stage entry to make sure your provisioning system added all required POSIX attributes and the stage entry is ready to be activated.

  • To display the new stage user’s LDAP attributes, enter the ipa stageuser-show --all --raw command: 

    $ ipa stageuser-show stageuser --all --raw
  dn: uid=stageuser,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
  uid: stageuser
  sn: Jensen
  cn: Babs Jensen
  has_password: FALSE
  has_keytab: FALSE
  nsaccountlock: TRUE
  objectClass: top
  objectClass: inetorgperson
  objectClass: organizationalPerson
  objectClass: person
    Copy to Clipboard Toggle word wrap

    Note that the user is explicitly disabled by the nsaccountlock attribute.

As an IdM administrators you can use the ipa commands to manage your directory content. Alternatively, you can use the ldapmodify command to achieve similar goals. You can use this command interactively and provide all the data directly in the command line. You also can provide data in the file in the LDAP Data Interchange Format (LDIF) to ldapmodify command.

The following templates can be used for various user management operations in IdM. The templates show which attributes you must modify using ldapmodify to achieve the following goals:

  • Adding a new stage user
  • Modifying a user’s attribute
  • Enabling a user
  • Disabling a user
  • Preserving a user

The templates are formatted in the LDAP Data Interchange Format (LDIF). LDIF is a standard plain text data interchange format for representing LDAP directory content and update requests.

Using the templates, you can configure the LDAP provider of your provisioning system to manage IdM user accounts.

For detailed example procedures, see the following sections:

Templates for adding a new stage user

  • A template for adding a user with UID and GID assigned automatically. The distinguished name (DN) of the created entry must start with uid=user_login: 

    dn: uid=user_login,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
changetype: add
objectClass: top
objectClass: inetorgperson
uid: user_login
sn: surname
givenName: first_name
cn: full_name
    Copy to Clipboard Toggle word wrap

  • A template for adding a user with UID and GID assigned statically: 

    dn: uid=user_login,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: posixaccount
uid: user_login
uidNumber: UID_number
gidNumber: GID_number
sn: surname
givenName: first_name
cn: full_name
homeDirectory: /home/user_login
    Copy to Clipboard Toggle word wrap

    You are not required to specify any IdM object classes when adding stage users. IdM adds these classes automatically after the users are activated.

Templates for modifying existing users

  • Modifying a user’s attribute: 

    dn: distinguished_name
changetype: modify
replace: attribute_to_modify
attribute_to_modify: new_value
    Copy to Clipboard Toggle word wrap

  • Disabling a user: 

    dn: distinguished_name
changetype: modify
replace: nsAccountLock
nsAccountLock: TRUE
    Copy to Clipboard Toggle word wrap

  • Enabling a user: 

    dn: distinguished_name
changetype: modify
replace: nsAccountLock
nsAccountLock: FALSE
    Copy to Clipboard Toggle word wrap

    Updating the nssAccountLock attribute has no effect on stage and preserved users. Even though the update operation completes successfully, the attribute value remains nssAccountLock: TRUE.

  • Preserving a user: 

    dn: distinguished_name
changetype: modrdn
newrdn: uid=user_login
deleteoldrdn: 0
newsuperior: cn=deleted users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
    Copy to Clipboard Toggle word wrap
Note

Before modifying a user, obtain the user’s distinguished name (DN) by searching using the user’s login. In the following example, the user_allowed_to_modify_user_entries user is a user allowed to modify user and group information, for example activator or IdM administrator. The password in the example is this user’s password: 

[...]
# ldapsearch -LLL -x -D "uid=user_allowed_to_modify_user_entries,cn=users,cn=accounts,dc=idm,dc=example,dc=com" -w "Secret123" -H ldap://r8server.idm.example.com -b "cn=users,cn=accounts,dc=idm,dc=example,dc=com" uid=test_user
dn: uid=test_user,cn=users,cn=accounts,dc=idm,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=example,dc=com
Copy to Clipboard Toggle word wrap

The following templates can be used for various user group management operations in IdM. The templates show which attributes you must modify using ldapmodify to achieve the following aims:

  • Creating a new group
  • Deleting an existing group
  • Adding a member to a group
  • Removing a member from a group

The templates are formatted in the LDAP Data Interchange Format (LDIF). LDIF is a standard plain text data interchange format for representing LDAP directory content and update requests.

Using the templates, you can configure the LDAP provider of your provisioning system to manage IdM group accounts.

Creating a new group

dn: cn=group_name,cn=groups,cn=accounts,dc=idm,dc=example,dc=com
changetype: add
objectClass: top
objectClass: ipaobject
objectClass: ipausergroup
objectClass: groupofnames
objectClass: nestedgroup
objectClass: posixgroup
uid: group_name
cn: group_name
gidNumber: GID_number
Copy to Clipboard Toggle word wrap

Modifying groups

  • Deleting an existing group: 

    dn: group_distinguished_name
changetype: delete
    Copy to Clipboard Toggle word wrap

  • Adding a member to a group: 

    dn: group_distinguished_name
changetype: modify
add: member
member: uid=user_login,cn=users,cn=accounts,dc=idm,dc=example,dc=com
    Copy to Clipboard Toggle word wrap

    Do not add stage or preserved users to groups. Even though the update operation completes successfully, the users will not be updated as members of the group. Only active users can belong to groups.

  • Removing a member from a group: 

    dn: distinguished_name
changetype: modify
delete: member
member: uid=user_login,cn=users,cn=accounts,dc=idm,dc=example,dc=com
    Copy to Clipboard Toggle word wrap
Note

Before modifying a group, obtain the group’s distinguished name (DN) by searching using the group’s name. 

# ldapsearch -YGSSAPI -H ldap://server.idm.example.com -b "cn=groups,cn=accounts,dc=idm,dc=example,dc=com" "cn=group_name"
dn: cn=group_name,cn=groups,cn=accounts,dc=idm,dc=example,dc=com
ipaNTSecurityIdentifier: S-1-5-21-1650388524-2605035987-2578146103-11017
cn: testgroup
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
ipaUniqueID: 569bf864-9d45-11ea-bea3-525400f6f085
gidNumber: 1997010017
Copy to Clipboard Toggle word wrap

42.3. Using ldapmodify command interactively
Copy link

You can modify Lightweight Directory Access Protocol (LDAP) entries in the interactive mode.

Procedure

  1. In a command line, enter the LDAP Data Interchange Format (LDIF) statement after the ldapmodify command.

    Example 42.1. Changing the telephone number for a testuser

    # ldapmodify -Y GSSAPI -H ldap://server.example.com
dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: telephoneNumber
telephonenumber: 88888888
    Copy to Clipboard Toggle word wrap

    Note that you need to obtain a Kerberos ticket for using -Y option.

  2. Press Ctlr+D to exit the interactive mode.

  3. Alternatively, provide an LDIF file after ldapmodify command:

    Example 42.2. The ldapmodify command reads modification data from an LDIF file

    # ldapmodify -Y GSSAPI -H ldap://server.example.com -f ~/example.ldif
    Copy to Clipboard Toggle word wrap

42.4. Preserving an IdM user with ldapmodify
Copy link

You can use ldapmodify to preserve an IdM user; that is, how to deactivate a user account after the employee has left the company.

Prerequisites

  • You can authenticate as an IdM user with a role to preserve users.

Procedure

  1. Log in as an IdM user with a role to preserve users: 

    $ kinit admin
    Copy to Clipboard Toggle word wrap

  2. Enter the ldapmodify command and specify the Generic Security Services API (GSSAPI) as the Simple Authentication and Security Layer (SASL) mechanism to be used for authentication: 

    # ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin@IDM.EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
    Copy to Clipboard Toggle word wrap

  3. Enter the dn of the user you want to preserve: 

    dn: uid=user1,cn=users,cn=accounts,dc=idm,dc=example,dc=com
    Copy to Clipboard Toggle word wrap

  4. Enter modrdn as the type of change you want to perform: 

    changetype: modrdn
    Copy to Clipboard Toggle word wrap

  5. Specify the newrdn for the user: 

    newrdn: uid=user1
    Copy to Clipboard Toggle word wrap

  6. Indicate that you want to preserve the user: 

    deleteoldrdn: 0
    Copy to Clipboard Toggle word wrap

  7. Specify the new superior DN: 

    newsuperior: cn=deleted users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
    Copy to Clipboard Toggle word wrap

    Preserving a user moves the entry to a new location in the directory information tree (DIT). For this reason, you must specify the DN of the new parent entry as the new superior DN.

  8. Press Enter again to confirm that this is the end of the entry: 

    [Enter]

modifying rdn of entry "uid=user1,cn=users,cn=accounts,dc=idm,dc=example,dc=com"
    Copy to Clipboard Toggle word wrap
  9. Exit the connection using Ctrl + C.

Verification

  • Verify that the user has been preserved by listing all preserved users: 

    $ ipa user-find --preserved=true
--------------
1 user matched
--------------
  User login: user1
  First name: First 1
  Last name: Last 1
  Home directory: /home/user1
  Login shell: /bin/sh
  Principal name: user1@IDM.EXAMPLE.COM
  Principal alias: user1@IDM.EXAMPLE.COM
  Email address: user1@idm.example.com
  UID: 1997010003
  GID: 1997010003
  Account disabled: True
  Preserved user: True
----------------------------
Number of entries returned 1
----------------------------
    Copy to Clipboard Toggle word wrap

Chapter 43. Managing Hosts in IdM CLI
Copy link

Learn about hosts and host entries in Identity Management (IdM), and the operations performed when managing hosts and host entries in IdM CLI.

43.1. Hosts in IdM
Copy link

Identity Management (IdM) manages these identities:

  • Users
  • Services
  • Hosts

A host represents a machine. As an IdM identity, a host has an entry in the IdM LDAP, that is the 389 Directory Server instance of the IdM server.

The host entry in IdM LDAP is used to establish relationships between other hosts and even services within the domain. These relationships are part of delegating authorization and control to hosts within the domain. Any host can be used in host-based access control (HBAC) rules.

IdM domain establishes a commonality between machines, with common identity information, common policies, and shared services. Any machine that belongs to a domain functions as a client of the domain, which means it uses the services that the domain provides. IdM domain provides three main services specifically for machines:

  • DNS
  • Kerberos
  • Certificate management

Hosts in IdM are closely connected with the services running on them:

  • Service entries are associated with a host.
  • A host stores both the host and the service Kerberos principals.

43.2. Host enrollment
Copy link

This section describes enrolling hosts as IdM clients and what happens during and after the enrollment. The section compares the enrollment of IdM hosts and IdM users. The section also outlines alternative types of authentication available to hosts.

Enrolling a host consists of:

  • Creating a host entry in IdM LDAP: possibly using the ipa host-add command in IdM CLI, or the equivalent IdM Web UI operation.
  • Configuring IdM services on the host, for example the System Security Services Daemon (SSSD), Kerberos, and certmonger, and joining the host to the IdM domain.

The two actions can be performed separately or together.

If performed separately, they allow for dividing the two tasks between two users with different levels of privilege. This is useful for bulk deployments.

The ipa-client-install command can perform the two actions together. The command creates a host entry in IdM LDAP if that entry does not exist yet, and configures both the Kerberos and SSSD services for the host. The command brings the host within the IdM domain and allows it to identify the IdM server it will connect to. If the host belongs to a DNS zone managed by IdM, ipa-client-install adds DNS records for the host too. The command must be run on the client.

43.3. User privileges required for host enrollment
Copy link

The host enrollment operation requires authentication to prevent an unprivileged user from adding unwanted machines to the IdM domain. The privileges required depend on several factors, for example:

  • If a host entry is created separately from running ipa-client-install
  • If a one-time password (OTP) is used for enrollment

User privileges for optionally manually creating a host entry in IdM LDAP

The user privilege required for creating a host entry in IdM LDAP using the ipa host-add CLI command or the IdM Web UI is Host Administrators. The Host Administrators privilege can be obtained through the IT Specialist role.

User privileges for joining the client to the IdM domain

Hosts are configured as IdM clients during the execution of the ipa-client-install command. The level of credentials required for executing the ipa-client-install command depends on which of the following enrolling scenarios you find yourself in:

  • The host entry in IdM LDAP does not exist. For this scenario, you need a full administrator’s credentials or the Host Administrators role. A full administrator is a member of the admins group. The Host Administrators role provides privileges to add hosts and enroll hosts. For details about this scenario, see Installing a client using user credentials: interactive installation.
  • The host entry in IdM LDAP exists. For this scenario, you need a limited administrator’s credentials to execute ipa-client-install successfully. The limited administrator in this case has the Enrollment Administrator role, which provides the Host Enrollment privilege. For details, Installing a client using user credentials: interactive installation.
  • The host entry in IdM LDAP exists, and an OTP has been generated for the host by a full or limited administrator. For this scenario, you can install an IdM client as an ordinary user if you run the ipa-client-install command with the --password option, supplying the correct OTP. For details, see Installing a client by using a one-time password: Interactive installation.

After enrollment, IdM hosts authenticate every new session to be able to access IdM resources. Machine authentication is required for the IdM server to trust the machine and to accept IdM connections from the client software installed on that machine. After authenticating the client, the IdM server can respond to its requests.

There are many similarities between users and hosts in IdM, some of which can be observed during the enrollment stage as well as those that concern authentication during the deployment stage.

  • The enrollment stage (User and host enrollment):

    • An administrator can create an LDAP entry for both a user and a host before the user or host actually join IdM: for the stage user, the command is ipa stageuser-add; for the host, the command is ipa host-add.
  • A file containing a key table or, abbreviated, keytab, a symmetric key resembling to some extent a user password, is created during the execution of the ipa-client-install command on the host, resulting in the host joining the IdM realm. Analogically, a user is asked to create a password when they activate their account, therefore joining the IdM realm.

  • While the user password is the default authentication method for a user, the keytab is the default authentication method for a host. The keytab is stored in a file on the host.

    Expand
    Table 43.1. User and host enrollment

    Action

    User

    Host

    Pre-enrollment

    $ ipa stageuser-add user_name [--password]

    $ ipa host-add host_name [--random]

    Activating the account

    $ ipa stageuser-activate user_name

    $ ipa-client install [--password] (must be run on the host itself)

  • When a user starts a new session, the user authenticates using a password; similarly, every time it is switched on, the host authenticates by presenting its keytab file. The System Security Services Daemon (SSSD) manages this process in the background.
  • If the authentication is successful, the user or host obtains a Kerberos ticket granting ticket (TGT).

  • The TGT is then used to obtain specific tickets for specific services.

    Expand
    Table 43.2. User and host session authentication
     

    User

    Host

    Default means of authentication

    Password

    Keytabs

    Starting a session (ordinary user)

    $ kinit user_name

    [switch on the host]

    The result of successful authentication

    TGT to be used to obtain access to specific services

    TGT to be used to obtain access to specific services

TGTs and other Kerberos tickets are generated as part of the Kerberos services and policies defined by the server. The initial granting of a Kerberos ticket, the renewing of the Kerberos credentials, and even the destroying of the Kerberos session are all handled automatically by the IdM services.

Alternative authentication options for IdM hosts

Apart from keytabs, IdM supports two other types of machine authentication:

  • SSH keys. The SSH public key for the host is created and uploaded to the host entry. From there, the System Security Services Daemon (SSSD) uses IdM as an identity provider and can work in conjunction with OpenSSH and other services to reference the public keys located centrally in IdM.
  • Machine certificates. In this case, the machine uses an SSL certificate that is issued by the IdM server’s certificate authority and then stored in IdM’s Directory Server. The certificate is then sent to the machine to present when it authenticates to the server. On the client, certificates are managed by a service called certmonger.

43.5. Host Operations
Copy link

The most common operations related to host enrollment and enablement, and the prerequisites, the context, and the consequences of performing those operations are outlined in the following sections.

Expand
Table 43.3. Host operations part 1
ActionWhat are the prerequisites of the action?When does it make sense to run the command?How is the action performed by a system administrator? What command(s) does he run?

Enrolling a client

see Preparing the system for Identity Management client installation in Installing Identity Management

When you want the host to join the IdM realm.

Enrolling machines as clients in the IdM domain is a two-part process. A host entry is created for the client (and stored in the 389 Directory Server instance) when the ipa host-add command is run, and then a keytab is created to provision the client. Both parts are performed automatically by the ipa-client-install command. It is also possible to perform those steps separately; this allows for administrators to prepare machines and IdM in advance of actually configuring the clients. This allows more flexible setup scenarios, including bulk deployments.

Disabling a client

The host must have an entry in IdM. The host needs to have an active keytab.

When you want to remove the host from the IdM realm temporarily, perhaps for maintenance purposes.

ipa host-disable host_name

Enabling a client

The host must have an entry in IdM.

When you want the temporarily disabled host to become active again.

ipa-getkeytab

Re-enrolling a client

The host must have en entry in IdM.

When the original host has been lost but you have installed a host with the same host name.

ipa-client-install --keytab or ipa-client-install --force-join

Un-enrolling a client

The host must have an entry in IdM.

When you want to remove the host from the IdM realm permanently.

ipa-client-install --uninstall

Expand
Table 43.4. Host operations part 2
ActionOn which machine can the administrator run the command(s)?What happens when the action is performed? What are the consequences for the host’s functioning in IdM? What limitations are introduced/removed?

Enrolling a client

In the case of a two-step enrollment: ipa host-add can be run on any IdM client; the second step of ipa-client-install must be run on the client itself

By default this configures SSSD to connect to an IdM server for authentication and authorization. Optionally one can instead configure the Pluggable Authentication Module (PAM) and the Name Switching Service (NSS) to work with an IdM server over Kerberos and LDAP.

Disabling a client

Any machine in IdM, even the host itself

The host’s Kerberos key and SSL certificate are invalidated, and all services running on the host are disabled.

Enabling a client

Any machine in IdM. If run on the disabled host, LDAP credentials need to be supplied.

The host’s Kerberos key and the SSL certificate are made valid again, and all IdM services running on the host are re-enabled.

Re-enrolling a client

The host to be re-enrolled. LDAP credentials need to be supplied.

A new Kerberos key is generated for the host, replacing the previous one.

Un-enrolling a client

The host to be un-enrolled.

The command unconfigures IdM and attempts to return the machine to its previous state. Part of this process is to unenroll the host from the IdM server. Unenrollment consists of disabling the principal key on the IdM server. The machine principal in /etc/krb5.keytab (host/<fqdn>@REALM) is used to authenticate to the IdM server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host-disable <fqdn>).

43.6. Host entry in IdM LDAP
Copy link

An Identity Management (IdM) host entry contains information about the host and what attributes it can contain.

An LDAP host entry contains all relevant information about the client within IdM:

  • Service entries associated with the host
  • The host and service principal
  • Access control rules
  • Machine information, such as its physical location and operating system
Note

Note that the IdM Web UI IdentityHosts tab does not show all the information about a particular host stored in the IdM LDAP.

Host entry configuration properties

A host entry can contain information about the host that is outside its system configuration, such as its physical location, MAC address, keys, and certificates.

This information can be set when the host entry is created if it is created manually. Alternatively, most of this information can be added to the host entry after the host is enrolled in the domain.

Expand
Table 43.5. Host Configuration Properties
UI FieldCommand-Line OptionDescription

Description

--desc=description

A description of the host.

Locality

--locality=locality

The geographic location of the host.

Location

--location=location

The physical location of the host, such as its data center rack.

Platform

--platform=string

The host hardware or architecture.

Operating system

--os=string

The operating system and version for the host.

MAC address

--macaddress=address

The MAC address for the host. This is a multi-valued attribute. The MAC address is used by the NIS plug-in to create a NIS ethers map for the host.

SSH public keys

--sshpubkey=string

The full SSH public key for the host. This is a multi-valued attribute, so multiple keys can be set.

Principal name (not editable)

--principalname=principal

The Kerberos principal name for the host. This defaults to the host name during the client installation, unless a different principal is explicitly set in the -p. This can be changed using the command-line tools, but cannot be changed in the UI.

Set One-Time Password

--password=string

This option sets a password for the host which can be used in bulk enrollment.

-

--random

This option generates a random password to be used in bulk enrollment.

-

--certificate=string

A certificate blob for the host.

-

--updatedns

This sets whether the host can dynamically update its DNS entries if its IP address changes.

43.7. Adding IdM host entries from IdM CLI
Copy link

Follow this procedure to add host entries in Identity Management (IdM) using the command line (CLI).

Host entries are created using the host-add command. This commands adds the host entry to the IdM Directory Server. Consult the ipa host manpage by typing ipa help host in your CLI to get the full list of options available with host-add.

There are a few different scenarios when adding a host to IdM:

  • At its most basic, specify only the client host name to add the client to the Kerberos realm and to create an entry in the IdM LDAP server: 

    $ ipa host-add client1.example.com
    Copy to Clipboard Toggle word wrap

  • If the IdM server is configured to manage DNS, add the host to the DNS resource records using the --ip-address option to create a host entry with static IP address. 

    $ ipa host-add --ip-address=192.168.166.31 client1.example.com
    Copy to Clipboard Toggle word wrap

  • If the host to be added does not have a static IP address or if the IP address is not known at the time the client is configured, use the --force option with the ipa host-add command to create a host entry with DHCP. 

    $ ipa host-add --force client1.example.com
    Copy to Clipboard Toggle word wrap

    For example, laptops may be preconfigured as IdM clients, but they do not have IP addresses at the time they are configured. Using --force essentially creates a placeholder entry in the IdM DNS service. When the DNS service dynamically updates its records, the host’s current IP address is detected and its DNS record is updated.

43.8. Deleting host entries from IdM CLI
Copy link

Use the host-del command to delete host records. If your IdM domain has integrated DNS, use the --updatedns option to remove the associated records of any kind for the host from the DNS: 

$ ipa host-del --updatedns client1.example.com
Copy to Clipboard Toggle word wrap

43.9. Disabling and Re-enabling Host Entries
Copy link

This section describes how to disable and re-enable hosts in Identity Management (IdM).

43.9.1. Disabling Hosts
Copy link

Complete this procedure to disable a host entry in IdM.

Domain services, hosts, and users can access an active host. There can be situations when it is necessary to remove an active host temporarily, for maintenance reasons, for example. Deleting the host in such situations is not desired as it removes the host entry and all the associated configuration permanently. Instead, choose the option of disabling the host.

Disabling a host prevents domain users from accessing it without permanently removing it from the domain.

Procedure

  • Disable a host using the host-disable command. Disabling a host kills the host’s current, active keytabs. For example: 

    $ kinit admin
$ ipa host-disable client.example.com
    Copy to Clipboard Toggle word wrap

As a result of disabling a host, the host becomes unavailable to all IdM users, hosts and services.

Important

Disabling a host entry not only disables that host. It disables every configured service on that host as well.

43.9.2. Re-enabling Hosts
Copy link

Follow this procedure to re-enable a disabled IdM host.

Disabling a host killed its active keytabs, which removed the host from the IdM domain without otherwise touching its configuration entry.

Procedure

  • To re-enable a host, use the ipa-getkeytab command, adding:

    • the -s option to specify which IdM server to request the keytab from
    • the -p option to specify the principal name
    • the -k option to specify the file to which to save the keytab.

For example, to request a new host keytab from server.example.com for client.example.com, and store the keytab in the /etc/krb5.keytab file: 

$  ipa-getkeytab -s server.example.com -p host/client.example.com -k /etc/krb5.keytab -D "cn=directory manager" -w password
Copy to Clipboard Toggle word wrap
Note

You can also use the administrator’s credentials, specifying -D "uid=admin,cn=users,cn=accounts,dc=example,dc=com". It is important that the credentials correspond to a user allowed to create the keytab for the host.

If the ipa-getkeytab command is run on an active IdM client or server, then it can be run without any LDAP credentials (-D and -w) if the user has a TGT obtained using, for example, kinit admin. To run the command directly on the disabled host, supply LDAP credentials to authenticate to the IdM server.

43.10. Delegating access to hosts and services
Copy link

By delegating access to hosts and services within an IdM domain, you can retrieve keytabs and certificates for another host or service.

Each host and service has a managedby entry that lists what hosts and services can manage it. By default, a host can manage itself and all of its services. You can configure a host to manage other hosts, or services on other hosts within the IdM domain.

Note

When you delegate authority of a host to another host through a managedby entry, it does not automatically grant management rights for all services on that host. You must perform each delegation independently.

Host and service delegation

Diagram illustrates an IdM domain with three hosts: Host 1

43.10.1. Delegating service management
Copy link

You can delegate permissions to a host to manage a service on another host within the domain.

When you delegate permissions to a host to manage another host, it does not automatically include permissions to manage its services. You must delegate service management independently.

Procedure

  1. Delegate the management of a service to a specific host by using the service-add-host command: 

    ipa service-add-host principal --hosts=<hostname>
    Copy to Clipboard Toggle word wrap

    You must specify the service principal using the principal argument and the hosts with control using the --hosts option.

    For example: 

    [root@server ~]# ipa service-add HTTP/web.example.com
[root@server ~]# ipa service-add-host HTTP/web.example.com --hosts=client1.example.com
    Copy to Clipboard Toggle word wrap

  2. Once the host is delegated authority, the host principal can be used to manage the service: 

    [root@client1 ~]# kinit -kt /etc/krb5.keytab host/client1.example.com
[root@client1 ~]# ipa-getkeytab -s server.example.com -k /tmp/test.keytab -p HTTP/web.example.com
Keytab successfully retrieved and stored in: /tmp/test.keytab
    Copy to Clipboard Toggle word wrap

  3. To generate a certificate for the delegated service, create a certificate request on the host with the delegated authority: 

    [root@client1]# kinit -kt /etc/krb5.keytab host/client1.example.com
[root@client1]# openssl req -newkey rsa:2048 -subj '/CN=web.example.com/O=EXAMPLE.COM' -keyout /etc/pki/tls/web.key -out /tmp/web.csr -nodes
Generating a 2048 bit RSA private key
.............................................................+++
............................................................................................+++
Writing new private key to '/etc/pki/tls/private/web.key'
    Copy to Clipboard Toggle word wrap

  4. Use the cert-request utility to submit the certificate request and load the certification information: 

    [root@client1]# ipa cert-request --principal=HTTP/web.example.com web.csr
Certificate: MIICETCCAXqgA...[snip]
Subject: CN=web.example.com,O=EXAMPLE.COM
Issuer: CN=EXAMPLE.COM Certificate Authority
Not Before: Tue Feb 08 18:51:51 2011 UTC
Not After: Mon Feb 08 18:51:51 2016 UTC
Serial number: 1005
    Copy to Clipboard Toggle word wrap

43.10.2. Delegating host management
Copy link

You can delegate authority for a host to manage another host by using the host-add-managedby utility. This creates a managedby entry. After the managedby entry is created, the managing host can retrieve a keytab for the host it manages.

Procedure

  1. Log in as the admin user: 

    [root@server ~]# kinit admin
    Copy to Clipboard Toggle word wrap

  2. Add the managedby entry. For example, this delegates authority over client2 to client1: 

    [root@server ~]# ipa host-add-managedby client2.example.com --hosts=client1.example.com
    Copy to Clipboard Toggle word wrap

  3. Obtain a ticket as the host client1: 

    [root@client1 ~]# kinit -kt /etc/krb5.keytab host/client1.example.com
    Copy to Clipboard Toggle word wrap

  4. Retrieve a keytab for client2: 

    [root@client1 ~]# ipa-getkeytab -s server.example.com -k /tmp/client2.keytab -p host/client2.example.com
Keytab successfully retrieved and stored in: /tmp/client2.keytab
    Copy to Clipboard Toggle word wrap

43.10.3. Accessing delegated services
Copy link

When a client has delegated authority, it can obtain a keytab for the principal on the local machine for both services and hosts.

With the kinit command, use the -k option to load a keytab and the -t option to specify the keytab. The principal format is <principal>/hostname@REALM. For a service, replace <principal> with the service name, for example HTTP. For a host, use host as the principal.

Procedure

  • To access a host: 

    [root@server ~]# kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

  • To access a service: 

    [root@server ~]# kinit -kt /etc/httpd/conf/krb5.keytab HTTP/ipa.example.com@EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

43.11. Additional resources
Copy link

Chapter 44. Adding host entries from IdM Web UI
Copy link

This chapter introduces hosts in Identity Management (IdM) and the operation of adding a host entry in the IdM Web UI.

44.1. Hosts in IdM
Copy link

Identity Management (IdM) manages these identities:

  • Users
  • Services
  • Hosts

A host represents a machine. As an IdM identity, a host has an entry in the IdM LDAP, that is the 389 Directory Server instance of the IdM server.

The host entry in IdM LDAP is used to establish relationships between other hosts and even services within the domain. These relationships are part of delegating authorization and control to hosts within the domain. Any host can be used in host-based access control (HBAC) rules.

IdM domain establishes a commonality between machines, with common identity information, common policies, and shared services. Any machine that belongs to a domain functions as a client of the domain, which means it uses the services that the domain provides. IdM domain provides three main services specifically for machines:

  • DNS
  • Kerberos
  • Certificate management

Hosts in IdM are closely connected with the services running on them:

  • Service entries are associated with a host.
  • A host stores both the host and the service Kerberos principals.

44.2. Host enrollment
Copy link

This section describes enrolling hosts as IdM clients and what happens during and after the enrollment. The section compares the enrollment of IdM hosts and IdM users. The section also outlines alternative types of authentication available to hosts.

Enrolling a host consists of:

  • Creating a host entry in IdM LDAP: possibly using the ipa host-add command in IdM CLI, or the equivalent IdM Web UI operation.
  • Configuring IdM services on the host, for example the System Security Services Daemon (SSSD), Kerberos, and certmonger, and joining the host to the IdM domain.

The two actions can be performed separately or together.

If performed separately, they allow for dividing the two tasks between two users with different levels of privilege. This is useful for bulk deployments.

The ipa-client-install command can perform the two actions together. The command creates a host entry in IdM LDAP if that entry does not exist yet, and configures both the Kerberos and SSSD services for the host. The command brings the host within the IdM domain and allows it to identify the IdM server it will connect to. If the host belongs to a DNS zone managed by IdM, ipa-client-install adds DNS records for the host too. The command must be run on the client.

44.3. User privileges required for host enrollment
Copy link

The host enrollment operation requires authentication to prevent an unprivileged user from adding unwanted machines to the IdM domain. The privileges required depend on several factors, for example:

  • If a host entry is created separately from running ipa-client-install
  • If a one-time password (OTP) is used for enrollment

User privileges for optionally manually creating a host entry in IdM LDAP

The user privilege required for creating a host entry in IdM LDAP using the ipa host-add CLI command or the IdM Web UI is Host Administrators. The Host Administrators privilege can be obtained through the IT Specialist role.

User privileges for joining the client to the IdM domain

Hosts are configured as IdM clients during the execution of the ipa-client-install command. The level of credentials required for executing the ipa-client-install command depends on which of the following enrolling scenarios you find yourself in:

  • The host entry in IdM LDAP does not exist. For this scenario, you need a full administrator’s credentials or the Host Administrators role. A full administrator is a member of the admins group. The Host Administrators role provides privileges to add hosts and enroll hosts. For details about this scenario, see Installing a client using user credentials: interactive installation.
  • The host entry in IdM LDAP exists. For this scenario, you need a limited administrator’s credentials to execute ipa-client-install successfully. The limited administrator in this case has the Enrollment Administrator role, which provides the Host Enrollment privilege. For details, Installing a client using user credentials: interactive installation.
  • The host entry in IdM LDAP exists, and an OTP has been generated for the host by a full or limited administrator. For this scenario, you can install an IdM client as an ordinary user if you run the ipa-client-install command with the --password option, supplying the correct OTP. For details, see Installing a client by using a one-time password: Interactive installation.

After enrollment, IdM hosts authenticate every new session to be able to access IdM resources. Machine authentication is required for the IdM server to trust the machine and to accept IdM connections from the client software installed on that machine. After authenticating the client, the IdM server can respond to its requests.

There are many similarities between users and hosts in IdM, some of which can be observed during the enrollment stage as well as those that concern authentication during the deployment stage.

  • The enrollment stage (User and host enrollment):

    • An administrator can create an LDAP entry for both a user and a host before the user or host actually join IdM: for the stage user, the command is ipa stageuser-add; for the host, the command is ipa host-add.
  • A file containing a key table or, abbreviated, keytab, a symmetric key resembling to some extent a user password, is created during the execution of the ipa-client-install command on the host, resulting in the host joining the IdM realm. Analogically, a user is asked to create a password when they activate their account, therefore joining the IdM realm.

  • While the user password is the default authentication method for a user, the keytab is the default authentication method for a host. The keytab is stored in a file on the host.

    Expand
    Table 44.1. User and host enrollment

    Action

    User

    Host

    Pre-enrollment

    $ ipa stageuser-add user_name [--password]

    $ ipa host-add host_name [--random]

    Activating the account

    $ ipa stageuser-activate user_name

    $ ipa-client install [--password] (must be run on the host itself)

  • When a user starts a new session, the user authenticates using a password; similarly, every time it is switched on, the host authenticates by presenting its keytab file. The System Security Services Daemon (SSSD) manages this process in the background.
  • If the authentication is successful, the user or host obtains a Kerberos ticket granting ticket (TGT).

  • The TGT is then used to obtain specific tickets for specific services.

    Expand
    Table 44.2. User and host session authentication
     

    User

    Host

    Default means of authentication

    Password

    Keytabs

    Starting a session (ordinary user)

    $ kinit user_name

    [switch on the host]

    The result of successful authentication

    TGT to be used to obtain access to specific services

    TGT to be used to obtain access to specific services

TGTs and other Kerberos tickets are generated as part of the Kerberos services and policies defined by the server. The initial granting of a Kerberos ticket, the renewing of the Kerberos credentials, and even the destroying of the Kerberos session are all handled automatically by the IdM services.

Alternative authentication options for IdM hosts

Apart from keytabs, IdM supports two other types of machine authentication:

  • SSH keys. The SSH public key for the host is created and uploaded to the host entry. From there, the System Security Services Daemon (SSSD) uses IdM as an identity provider and can work in conjunction with OpenSSH and other services to reference the public keys located centrally in IdM.
  • Machine certificates. In this case, the machine uses an SSL certificate that is issued by the IdM server’s certificate authority and then stored in IdM’s Directory Server. The certificate is then sent to the machine to present when it authenticates to the server. On the client, certificates are managed by a service called certmonger.

44.5. Host entry in IdM LDAP
Copy link

An Identity Management (IdM) host entry contains information about the host and what attributes it can contain.

An LDAP host entry contains all relevant information about the client within IdM:

  • Service entries associated with the host
  • The host and service principal
  • Access control rules
  • Machine information, such as its physical location and operating system
Note

Note that the IdM Web UI IdentityHosts tab does not show all the information about a particular host stored in the IdM LDAP.

Host entry configuration properties

A host entry can contain information about the host that is outside its system configuration, such as its physical location, MAC address, keys, and certificates.

This information can be set when the host entry is created if it is created manually. Alternatively, most of this information can be added to the host entry after the host is enrolled in the domain.

Expand
Table 44.3. Host Configuration Properties
UI FieldCommand-Line OptionDescription

Description

--desc=description

A description of the host.

Locality

--locality=locality

The geographic location of the host.

Location

--location=location

The physical location of the host, such as its data center rack.

Platform

--platform=string

The host hardware or architecture.

Operating system

--os=string

The operating system and version for the host.

MAC address

--macaddress=address

The MAC address for the host. This is a multi-valued attribute. The MAC address is used by the NIS plug-in to create a NIS ethers map for the host.

SSH public keys

--sshpubkey=string

The full SSH public key for the host. This is a multi-valued attribute, so multiple keys can be set.

Principal name (not editable)

--principalname=principal

The Kerberos principal name for the host. This defaults to the host name during the client installation, unless a different principal is explicitly set in the -p. This can be changed using the command-line tools, but cannot be changed in the UI.

Set One-Time Password

--password=string

This option sets a password for the host which can be used in bulk enrollment.

-

--random

This option generates a random password to be used in bulk enrollment.

-

--certificate=string

A certificate blob for the host.

-

--updatedns

This sets whether the host can dynamically update its DNS entries if its IP address changes.

44.6. Adding host entries from the Web UI
Copy link

  1. Open the Identity tab, and select the Hosts subtab.
  2. Click Add at the top of the hosts list.

  3. Enter the machine name and select the domain from the configured zones in the drop-down list. If the host has already been assigned a static IP address, then include that with the host entry so that the DNS entry is fully created.

    The Class field has no specific purpose at the moment.

    Figure 44.1. Add Host Wizard

    Screenshot of the Add Host Wizard with the following fields populated: Host name - DNS Zone - IP Address
    View larger image
    Screenshot of the Add Host Wizard with the following fields populated: Host name - DNS Zone - IP Address

    DNS zones can be created in IdM. If the IdM server does not manage the DNS server, the zone can be entered manually in the menu area, like a regular text field.

    Note

    Select the Force checkbox if you want to skip checking whether the host is resolvable via DNS.

  4. Click the Add and Edit button to go directly to the expanded entry page and enter more attribute information. Information about the host hardware and physical location can be included with the host entry.

Ansible is an automation tool used to configure systems, deploy software, and perform rolling updates. Ansible includes support for Identity Management (IdM), and you can use Ansible modules to automate host management.

Follow this procedure to ensure the presence of host entries in Identity Management (IdM) using Ansible playbooks. The host entries are only defined by their fully-qualified domain names (FQDNs).

Specifying the FQDN name of the host is enough if at least one of the following conditions applies:

  • The IdM server is not configured to manage DNS.
  • The host does not have a static IP address or the IP address is not known at the time the host is configured. Adding a host defined only by an FQDN essentially creates a placeholder entry in the IdM DNS service. For example, laptops may be preconfigured as IdM clients, but they do not have IP addresses at the time they are configured. When the DNS service dynamically updates its records, the host’s current IP address is detected and its DNS record is updated.
Note

Without Ansible, host entries are created in IdM using the ipa host-add command. The result of adding a host to IdM is the state of the host being present in IdM. Because of the Ansible reliance on idempotence, to add a host to IdM using Ansible, you must create a playbook in which you define the state of the host as present: state: present.

Prerequisites

  • You know the IdM administrator password.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the FQDN of the host whose presence in IdM you want to ensure. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/host/add-host.yml file: 

    ---
- name: Host present
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Host host01.idm.example.com present
    ipahost:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: host01.idm.example.com
      state: present
      force: true
    Copy to Clipboard Toggle word wrap

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-host-is-present.yml
    Copy to Clipboard Toggle word wrap
Note

The procedure results in a host entry in the IdM LDAP server being created but not in enrolling the host into the IdM Kerberos realm. For that, you must deploy the host as an IdM client. For details, see Installing an Identity Management client using an Ansible playbook.

Verification

  1. Log in to your IdM server as admin: 

    $ ssh admin@server.idm.example.com
Password:
    Copy to Clipboard Toggle word wrap

  2. Enter the ipa host-show command and specify the name of the host: 

    $ ipa host-show host01.idm.example.com
  Host name: host01.idm.example.com
  Principal name: host/host01.idm.example.com@IDM.EXAMPLE.COM
  Principal alias: host/host01.idm.example.com@IDM.EXAMPLE.COM
  Password: False
  Keytab: False
  Managed by: host01.idm.example.com
    Copy to Clipboard Toggle word wrap

The output confirms that host01.idm.example.com exists in IdM.

Follow this procedure to ensure the presence of host entries in Identity Management (IdM) using Ansible playbooks. The host entries are defined by their fully-qualified domain names (FQDNs) and their IP addresses.

Note

Without Ansible, host entries are created in IdM using the ipa host-add command. The result of adding a host to IdM is the state of the host being present in IdM. Because of the Ansible reliance on idempotence, to add a host to IdM using Ansible, you must create a playbook in which you define the state of the host as present: state: present.

Prerequisites

  • You know the IdM administrator password.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the fully-qualified domain name (FQDN) of the host whose presence in IdM you want to ensure. In addition, if the IdM server is configured to manage DNS and you know the IP address of the host, specify a value for the ip_address parameter. The IP address is necessary for the host to exist in the DNS resource records. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/host/host-present.yml file. You can also include other, additional information: 

    ---
- name: Host present
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure host01.idm.example.com is present
    ipahost:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: host01.idm.example.com
      description: Example host
      ip_address: 192.168.0.123
      locality: Lab
      ns_host_location: Lab
      ns_os_version: RHEL 7
      ns_hardware_platform: Lenovo T61
      mac_address:
      - "08:00:27:E3:B1:2D"
      - "52:54:00:BD:97:1E"
      state: present
    Copy to Clipboard Toggle word wrap

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-host-is-present.yml
    Copy to Clipboard Toggle word wrap
Note

The procedure results in a host entry in the IdM LDAP server being created but not in enrolling the host into the IdM Kerberos realm. For that, you must deploy the host as an IdM client. For details, see Installing an Identity Management client using an Ansible playbook.

Verification

  1. Log in to your IdM server as admin: 

    $ ssh admin@server.idm.example.com
Password:
    Copy to Clipboard Toggle word wrap

  2. Enter the ipa host-show command and specify the name of the host: 

    $ ipa host-show host01.idm.example.com
  Host name: host01.idm.example.com
  Description: Example host
  Locality: Lab
  Location: Lab
  Platform: Lenovo T61
  Operating system: RHEL 7
  Principal name: host/host01.idm.example.com@IDM.EXAMPLE.COM
  Principal alias: host/host01.idm.example.com@IDM.EXAMPLE.COM
  MAC address: 08:00:27:E3:B1:2D, 52:54:00:BD:97:1E
  Password: False
  Keytab: False
  Managed by: host01.idm.example.com
    Copy to Clipboard Toggle word wrap

The output confirms host01.idm.example.com exists in IdM.

The ipahost module allows the system administrator to ensure the presence or absence of multiple host entries in IdM using just one Ansible task. Follow this procedure to ensure the presence of multiple host entries that are only defined by their fully-qualified domain names (FQDNs). Running the Ansible playbook generates random passwords for the hosts.

Note

Without Ansible, host entries are created in IdM using the ipa host-add command. The result of adding a host to IdM is the state of the host being present in IdM. Because of the Ansible reliance on idempotence, to add a host to IdM using Ansible, you must create a playbook in which you define the state of the host as present: state: present.

Prerequisites

  • You know the IdM administrator password.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the fully-qualified domain name (FQDN) of the hosts whose presence in IdM you want to ensure. To make the Ansible playbook generate a random password for each host even when the host already exists in IdM and update_password is limited to on_create, add the random: true and force: true options. To simplify this step, you can copy and modify the example from the /usr/share/doc/ansible-freeipa/README-host.md Markdown file: 

    ---
- name: Ensure hosts with random password
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Hosts host01.idm.example.com and host02.idm.example.com present with random passwords
    ipahost:
      ipaadmin_password: "{{ ipaadmin_password }}"
      hosts:
      - name: host01.idm.example.com
        random: true
        force: true
      - name: host02.idm.example.com
        random: true
        force: true
    register: ipahost
    Copy to Clipboard Toggle word wrap

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-hosts-are-present.yml
[...]
TASK [Hosts host01.idm.example.com and host02.idm.example.com present with random passwords]
changed: [r8server.idm.example.com] => {"changed": true, "host": {"host01.idm.example.com": {"randompassword": "0HoIRvjUdH0Ycbf6uYdWTxH"}, "host02.idm.example.com": {"randompassword": "5VdLgrf3wvojmACdHC3uA3s"}}}
    Copy to Clipboard Toggle word wrap
Note

Verification

  1. Log in to your IdM server as admin: 

    $ ssh admin@server.idm.example.com
Password:
    Copy to Clipboard Toggle word wrap

  2. Enter the ipa host-show command and specify the name of one of the hosts: 

    $ ipa host-show host01.idm.example.com
  Host name: host01.idm.example.com
  Password: True
  Keytab: False
  Managed by: host01.idm.example.com
    Copy to Clipboard Toggle word wrap

The output confirms host01.idm.example.com exists in IdM with a random password.

Follow this procedure to ensure the presence of a host entry in Identity Management (IdM) using Ansible playbooks. The host entry is defined by its fully-qualified domain name (FQDN) and its multiple IP addresses.

Note

In contrast to the ipa host utility, the Ansible ipahost module can ensure the presence or absence of several IPv4 and IPv6 addresses for a host. The ipa host-mod command cannot handle IP addresses.

Prerequisites

  • You know the IdM administrator password.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file. Specify, as the name of the ipahost variable, the fully-qualified domain name (FQDN) of the host whose presence in IdM you want to ensure. Specify each of the multiple IPv4 and IPv6 ip_address values on a separate line by using the ip_address syntax. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/host/host-member-ipaddresses-present.yml file. You can also include additional information: 

    ---
- name: Host member IP addresses present
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure host101.example.com IP addresses present
    ipahost:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: host01.idm.example.com
      ip_address:
      - 192.168.0.123
      - fe80::20c:29ff:fe02:a1b3
      - 192.168.0.124
      - fe80::20c:29ff:fe02:a1b4
      force: true
    Copy to Clipboard Toggle word wrap

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-host-with-multiple-IP-addreses-is-present.yml
    Copy to Clipboard Toggle word wrap
Note

The procedure creates a host entry in the IdM LDAP server but does not enroll the host into the IdM Kerberos realm. For that, you must deploy the host as an IdM client. For details, see Installing an Identity Management client using an Ansible playbook.

Verification

  1. Log in to your IdM server as admin: 

    $ ssh admin@server.idm.example.com
Password:
    Copy to Clipboard Toggle word wrap

  2. Enter the ipa host-show command and specify the name of the host: 

    $ ipa host-show host01.idm.example.com
  Principal name: host/host01.idm.example.com@IDM.EXAMPLE.COM
  Principal alias: host/host01.idm.example.com@IDM.EXAMPLE.COM
  Password: False
  Keytab: False
  Managed by: host01.idm.example.com
    Copy to Clipboard Toggle word wrap

    The output confirms that host01.idm.example.com exists in IdM.

  3. To verify that the multiple IP addresses of the host exist in the IdM DNS records, enter the ipa dnsrecord-show command and specify the following information:

    • The name of the IdM domain

    • The name of the host 

      $ ipa dnsrecord-show idm.example.com host01
[...]
  Record name: host01
  A record: 192.168.0.123, 192.168.0.124
  AAAA record: fe80::20c:29ff:fe02:a1b3, fe80::20c:29ff:fe02:a1b4
      Copy to Clipboard Toggle word wrap

      The output confirms that all the IPv4 and IPv6 addresses specified in the playbook are correctly associated with the host01.idm.example.com host entry.

Follow this procedure to ensure the absence of host entries in Identity Management (IdM) using Ansible playbooks.

Prerequisites

  • IdM administrator credentials

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the fully-qualified domain name (FQDN) of the host whose absence from IdM you want to ensure. If your IdM domain has integrated DNS, use the updatedns: true option to remove the associated records of any kind for the host from the DNS.

    To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/host/delete-host.yml file: 

    ---
- name: Host absent
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Host host01.idm.example.com absent
    ipahost:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: host01.idm.example.com
      updatedns: true
      state: absent
    Copy to Clipboard Toggle word wrap

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-host-absent.yml
    Copy to Clipboard Toggle word wrap
Note

The procedure results in:

  • The host not being present in the IdM Kerberos realm.
  • The host entry not being present in the IdM LDAP server.

To remove the specific IdM configuration of system services, such as System Security Services Daemon (SSSD), from the client host itself, you must run the ipa-client-install --uninstall command on the client. For details, see Uninstalling an IdM client.

Verification

  1. Log into ipaserver as admin: 

    $ ssh admin@server.idm.example.com
Password:
[admin@server /]$
    Copy to Clipboard Toggle word wrap

  2. Display information about host01.idm.example.com: 

    $ ipa host-show host01.idm.example.com
ipa: ERROR: host01.idm.example.com: host not found
    Copy to Clipboard Toggle word wrap

    The output confirms that the host does not exist in IdM.

Learn more about how to manage host groups and their members on the command line (CLI) by using the following operations:

  • Viewing host groups and their members
  • Creating host groups
  • Deleting host groups
  • Adding host group members
  • Removing host group members
  • Adding host group member managers
  • Removing host group member managers

46.1. Host groups in IdM
Copy link

IdM host groups can be used to centralize control over important management tasks, particularly access control.

Definition of host groups

A host group is an entity that contains a set of IdM hosts with common access control rules and other characteristics. For example, you can define host groups based on company departments, physical locations, or access control requirements.

A host group in IdM can include:

  • IdM servers and clients
  • Other IdM host groups

Host groups created by default

By default, the IdM server creates the host group ipaservers for all IdM server hosts.

Direct and indirect group members

Group attributes in IdM apply to both direct and indirect members: when host group B is a member of host group A, all members of host group B are considered indirect members of host group A.

46.2. Viewing IdM host groups using the CLI
Copy link

Follow this procedure to view IdM host groups using the command line (CLI).

Prerequisites

Procedure

  1. Find all host groups using the ipa hostgroup-find command. 

    $ ipa hostgroup-find
-------------------
1 hostgroup matched
-------------------
  Host-group: ipaservers
  Description: IPA server hosts
----------------------------
Number of entries returned 1
----------------------------
    Copy to Clipboard Toggle word wrap

  2. To display all attributes of a host group, add the --all option. For example: 

    $ ipa hostgroup-find --all
-------------------
1 hostgroup matched
-------------------
  dn: cn=ipaservers,cn=hostgroups,cn=accounts,dc=idm,dc=local
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: xxx.xxx.xxx.xxx
  ipauniqueid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  objectclass: top, groupOfNames, nestedGroup, ipaobject, ipahostgroup
----------------------------
Number of entries returned 1
----------------------------
    Copy to Clipboard Toggle word wrap

46.3. Creating IdM host groups using the CLI
Copy link

Follow this procedure to create IdM host groups using the command line (CLI).

Prerequisites

Procedure

  • Add a host group using the ipa hostgroup-add command.

    For example, to create an IdM host group named group_name and give it a description: 

    $ ipa hostgroup-add --desc 'My new host group' group_name
---------------------
Added hostgroup "group_name"
---------------------
  Host-group: group_name
  Description: My new host group
---------------------
    Copy to Clipboard Toggle word wrap

46.4. Deleting IdM host groups using the CLI
Copy link

Follow this procedure to delete IdM host groups using the command line (CLI).

Prerequisites

Procedure

  • Delete a host group using the ipa hostgroup-del command.

    For example, to delete the IdM host group named group_name: 

    $ ipa hostgroup-del group_name
--------------------------
Deleted hostgroup "group_name"
--------------------------
    Copy to Clipboard Toggle word wrap
Note

Removing a group does not delete the group members from IdM.

46.5. Adding IdM host group members using the CLI
Copy link

You can add hosts as well as host groups as members to an IdM host group using a single command.

Prerequisites

  • Administrator privileges for managing IdM or User Administrator role.
  • An active Kerberos ticket. For details, see Using kinit to log in to IdM manually.
  • Optional: Use the ipa hostgroup-find command to find hosts and host groups.

Procedure

  • To add a member to a host group, use the ipa hostgroup-add-member command and provide the relevant information. You can specify the type of member to add using these options:

    • Use the --hosts option to add one or more hosts to an IdM host group.

      For example, to add the host named example_member to the group named group_name: 

      $ ipa hostgroup-add-member group_name --hosts example_member
Host-group: group_name
Description: My host group
Member hosts: example_member
-------------------------
Number of members added 1
-------------------------
      Copy to Clipboard Toggle word wrap

    • Use the --hostgroups option to add one or more host groups to an IdM host group.

      For example, to add the host group named nested_group to the group named group_name: 

      $ ipa hostgroup-add-member group_name --hostgroups nested_group
Host-group: group_name
Description: My host group
Member host-groups: nested_group
-------------------------
Number of members added 1
-------------------------
      Copy to Clipboard Toggle word wrap

    • You can add multiple hosts and multiple host groups to an IdM host group in one single command using the following syntax: 

      $ ipa hostgroup-add-member group_name --hosts={host1,host2} --hostgroups={group1,group2}
      Copy to Clipboard Toggle word wrap
Important

When adding a host group as a member of another host group, do not create recursive groups. For example, if Group A is a member of Group B, do not add Group B as a member of Group A. Recursive groups can cause unpredictable behavior.

You can remove hosts as well as host groups from an IdM host group using a single command.

Prerequisites

  • Administrator privileges for managing IdM or User Administrator role.
  • An active Kerberos ticket. For details, see Using kinit to log in to IdM manually.
  • Optional. Use the ipa hostgroup-find command to confirm that the group includes the member you want to remove.

Procedure

  • To remove a host group member, use the ipa hostgroup-remove-member command and provide the relevant information. You can specify the type of member to remove using these options:

    • Use the --hosts option to remove one or more hosts from an IdM host group.

      For example, to remove the host named example_member from the group named group_name: 

      $ ipa hostgroup-remove-member group_name --hosts example_member
Host-group: group_name
Description: My host group
-------------------------
Number of members removed 1
-------------------------
      Copy to Clipboard Toggle word wrap

    • Use the --hostgroups option to remove one or more host groups from an IdM host group.

      For example, to remove the host group named nested_group from the group named group_name: 

      $ ipa hostgroup-remove-member group_name --hostgroups example_member
Host-group: group_name
Description: My host group
-------------------------
Number of members removed 1
-------------------------
      Copy to Clipboard Toggle word wrap
      Note

      Removing a group does not delete the group members from IdM.

    • You can remove multiple hosts and multiple host groups from an IdM host group in one single command using the following syntax:

      $ ipa hostgroup-remove-member group_name --hosts={host1,host2} --hostgroups={group1,group2}
      Copy to Clipboard Toggle word wrap

You can add hosts as well as host groups as member managers to an IdM host group using a single command. Member managers can add hosts or host groups to IdM host groups but cannot change the attributes of a host group.

Prerequisites

  • Administrator privileges for managing IdM or User Administrator role.
  • An active Kerberos ticket. For details, see Using kinit to log in to IdM manually.
  • You must have the name of the host or host group you are adding as member managers and the name of the host group you want them to manage.

Procedure

  1. Optional: Use the ipa hostgroup-find command to find hosts and host groups.

  2. To add a member manager to a host group, use the ipa hostgroup-add-member-manager.

    For example, to add the user named example_member as a member manager to the group named group_name: 

    $ ipa hostgroup-add-member-manager group_name --user example_member
Host-group: group_name
Member hosts: server.idm.example.com
Member host-groups: project_admins
Member of netgroups: group_name
Membership managed by users: example_member
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap

  3. Use the --groups option to add one or more host groups as a member manager to an IdM host group.

    For example, to add the host group named admin_group as a member manager to the group named group_name: 

    $ ipa hostgroup-add-member-manager group_name --groups admin_group
Host-group: group_name
Member hosts: server.idm.example.com
Member host-groups: project_admins
Member of netgroups: group_name
Membership managed by groups: admin_group
Membership managed by users: example_member
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap
Note

After you add a member manager to a host group, the update may take some time to spread to all clients in your Identity Management environment.

Verification

  • Using the ipa group-show command to verify the host user and host group were added as member managers. 

    $ ipa hostgroup-show group_name
Host-group: group_name
Member hosts: server.idm.example.com
Member host-groups: project_admins
Membership managed by groups: admin_group
Membership managed by users: example_member
    Copy to Clipboard Toggle word wrap

You can remove hosts as well as host groups as member managers from an IdM host group using a single command. Member managers can remove hosts group member managers from IdM host groups but cannot change the attributes of a host group.

Prerequisites

  • Administrator privileges for managing IdM or User Administrator role.
  • An active Kerberos ticket. For details, see Using kinit to log in to IdM manually.
  • You must have the name of the existing member manager host group you are removing and the name of the host group they are managing.

Procedure

  1. Optional: Use the ipa hostgroup-find command to find hosts and host groups.

  2. To remove a member manager from a host group, use the ipa hostgroup-remove-member-manager command.

    For example, to remove the user named example_member as a member manager from the group named group_name: 

    $ ipa hostgroup-remove-member-manager group_name --user example_member
Host-group: group_name
Member hosts: server.idm.example.com
Member host-groups: project_admins
Member of netgroups: group_name
Membership managed by groups: nested_group
---------------------------
Number of members removed 1
---------------------------
    Copy to Clipboard Toggle word wrap

  3. Use the --groups option to remove one or more host groups as a member manager from an IdM host group.

    For example, to remove the host group named nested_group as a member manager from the group named group_name: 

    $ ipa hostgroup-remove-member-manager group_name --groups nested_group
Host-group: group_name
Member hosts: server.idm.example.com
Member host-groups: project_admins
Member of netgroups: group_name
---------------------------
Number of members removed 1
---------------------------
    Copy to Clipboard Toggle word wrap
Note

After you remove a member manager from a host group, the update may take some time to spread to all clients in your Identity Management environment.

Verification

  • Use the ipa group-show command to verify that the host user and host group were removed as member managers. 

    $ ipa hostgroup-show group_name
Host-group: group_name
Member hosts: server.idm.example.com
Member host-groups: project_admins
    Copy to Clipboard Toggle word wrap

Learn more about how to manage host groups and their members in the Web interface (Web UI) by using the following operations:

  • Viewing host groups and their members
  • Creating host groups
  • Deleting host groups
  • Adding host group members
  • Removing host group members
  • Adding host group member managers
  • Removing host group member managers

47.1. Host groups in IdM
Copy link

IdM host groups can be used to centralize control over important management tasks, particularly access control.

Definition of host groups

A host group is an entity that contains a set of IdM hosts with common access control rules and other characteristics. For example, you can define host groups based on company departments, physical locations, or access control requirements.

A host group in IdM can include:

  • IdM servers and clients
  • Other IdM host groups

Host groups created by default

By default, the IdM server creates the host group ipaservers for all IdM server hosts.

Direct and indirect group members

Group attributes in IdM apply to both direct and indirect members: when host group B is a member of host group A, all members of host group B are considered indirect members of host group A.

47.2. Viewing host groups in the IdM Web UI
Copy link

Follow this procedure to view IdM host groups using the Web interface (Web UI).

Prerequisites

Procedure

  1. Click Identity>Groups, and select the Host Groups tab. The Host Groups page lists the existing host groups and their descriptions. You can also search for a specific host group.
  2. Click on a group in the list to display the hosts that belong to this group. You can limit results to direct or indirect members.
  3. Select the Host Groups tab to display the host groups that belong to this group (nested host groups). You can limit results to direct or indirect members.

47.3. Creating host groups in the IdM Web UI
Copy link

Follow this procedure to create IdM host groups using the Web interface (Web UI).

Prerequisites

Procedure

  1. Click Identity → Groups, and select the Host Groups tab.
  2. Click Add. The Add host group dialog appears.
  3. Provide the information about the group: name (required) and description (optional).
  4. Click Add to confirm.

47.4. Deleting host groups in the IdM Web UI
Copy link

Follow this procedure to delete IdM host groups using the Web interface (Web UI).

Prerequisites

Procedure

  1. Click Identity>Groups and select the Host Groups tab.
  2. Select the IdM host group to remove, and click Delete. A confirmation dialog appears.
  3. Click Delete to confirm
Note

Removing a host group does not delete the group members from IdM.

47.5. Adding host group members in the IdM Web UI
Copy link

Follow this procedure to add host group members in IdM using the web interface (Web UI).

Prerequisites

Procedure

  1. Click Identity → Groups and select the Host Groups tab.
  2. Click the name of the group to which you want to add members.
  3. Click the tab Hosts or Host groups depending on the type of members you want to add. The corresponding dialog appears.
  4. Select the hosts or host groups to add, and click the > arrow button to move them to the Prospective column.
  5. Click Add to confirm.

Follow this procedure to remove host group members in IdM using the web interface (Web UI).

Prerequisites

Procedure

  1. Click Identity → Groups and select the Host Groups tab.
  2. Click the name of the group from which you want to remove members.
  3. Click the tab Hosts or Host groups depending on the type of members you want to remove.
  4. Select the checkbox next to the member you want to remove.
  5. Click Delete. A confirmation dialog appears.
  6. Click Delete to confirm. The selected members are deleted.

Follow this procedure to add users or user groups as host group member managers in IdM using the web interface (Web UI). Member managers can add hosts group member managers to IdM host groups but cannot change the attributes of a host group.

Prerequisites

  • Administrator privileges for managing IdM or User Administrator role.
  • You are logged-in to the IdM Web UI. For details, see Accessing the IdM Web UI in a web browser.
  • You must have the name of the host group you are adding as member managers and the name of the host group you want them to manage.

Procedure

  1. Click Identity>Groups and select the Host Groups tab.
  2. Click the name of the group to which you want to add member managers.
  3. Click the member managers tab User Groups or Users depending on the type of member managers you want to add. The corresponding dialog appears.
  4. Click Add.
  5. Select the users or user groups to add, and click the > arrow button to move them to the Prospective column.
  6. Click Add to confirm.
Note

After you add a member manager to a host group, the update may take some time to spread to all clients in your Identity Management environment.

Verification

  • On the Host Group dialog, verify the user group or user has been added to the member managers list of groups or users.

    membermanager added
    View larger image
    membermanager added

Follow this procedure to remove users or user groups as host group member managers in IdM using the web interface (Web UI). Member managers can remove hosts group member managers from IdM host groups but cannot change the attributes of a host group.

Prerequisites

  • Administrator privileges for managing IdM or User Administrator role.
  • You are logged-in to the IdM Web UI. For details, see Accessing the IdM Web UI in a web browser.
  • You must have the name of the existing member manager host group you are removing and the name of the host group they are managing.

Procedure

  1. Click Identity>Groups and select the Host Groups tab.
  2. Click the name of the group from which you want to remove member managers.
  3. Click the member managers tab User Groups or Users depending on the type of member managers you want to remove. The corresponding dialog appears.
  4. Select the user or user groups to remove and click Delete.
  5. Click Delete to confirm.
Note

After you remove a member manager from a host group, the update may take some time to spread to all clients in your Identity Management environment.

Verification

  • On the Host Group dialog, verify the user group or user has been removed from the member managers list of groups or users.

    remove membermanager verification
    View larger image
    remove membermanager verification

Learn more about host groups in Identity Management (IdM) and using Ansible to perform operations involving host groups in Identity Management (IdM).

48.1. Host groups in IdM
Copy link

IdM host groups can be used to centralize control over important management tasks, particularly access control.

Definition of host groups

A host group is an entity that contains a set of IdM hosts with common access control rules and other characteristics. For example, you can define host groups based on company departments, physical locations, or access control requirements.

A host group in IdM can include:

  • IdM servers and clients
  • Other IdM host groups

Host groups created by default

By default, the IdM server creates the host group ipaservers for all IdM server hosts.

Direct and indirect group members

Group attributes in IdM apply to both direct and indirect members: when host group B is a member of host group A, all members of host group B are considered indirect members of host group A.

Follow this procedure to ensure the presence of host groups in Identity Management (IdM) using Ansible playbooks.

Note

Without Ansible, host group entries are created in IdM using the ipa hostgroup-add command. The result of adding a host group to IdM is the state of the host group being present in IdM. Because of the Ansible reliance on idempotence, to add a host group to IdM using Ansible, you must create a playbook in which you define the state of the host group as present: state: present.

Prerequisites

  • You know the IdM administrator password.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it with the list of IdM servers to target: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the necessary host group information. For example, to ensure the presence of a host group named databases, specify name: databases in the - ipahostgroup task. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/user/ensure-hostgroup-is-present.yml file. 

    ---
- name: Playbook to handle hostgroups
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  # Ensure host-group databases is present
  - ipahostgroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: databases
      state: present
    Copy to Clipboard Toggle word wrap

    In the playbook, state: present signifies a request to add the host group to IdM unless it already exists there.

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-hostgroup-is-present.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. Log into ipaserver as admin: 

    $ ssh admin@server.idm.example.com
Password:
[admin@server /]$
    Copy to Clipboard Toggle word wrap

  2. Request a Kerberos ticket for admin: 

    $ kinit admin
Password for admin@IDM.EXAMPLE.COM:
    Copy to Clipboard Toggle word wrap

  3. Display information about the host group whose presence in IdM you wanted to ensure: 

    $ ipa hostgroup-show databases
  Host-group: databases
    Copy to Clipboard Toggle word wrap

    The databases host group exists in IdM.

Follow this procedure to ensure the presence of hosts in host groups in Identity Management (IdM) using Ansible playbooks.

Prerequisites

  • You know the IdM administrator password.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The hosts you want to reference in your Ansible playbook exist in IdM. For details, see Ensuring the presence of an IdM host entry using Ansible playbooks.
  • The host groups you reference from the Ansible playbook file have been added to IdM. For details, see Ensuring the presence of IdM host groups using Ansible playbooks.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it with the list of IdM servers to target: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the necessary host information. Specify the name of the host group using the name parameter of the ipahostgroup variable. Specify the name of the host with the host parameter of the ipahostgroup variable. To simplify this step, you can copy and modify the examples in the /usr/share/doc/ansible-freeipa/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml file: 

    ---
- name: Playbook to handle hostgroups
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  # Ensure host-group databases is present
  - ipahostgroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: databases
      host:
      - db.idm.example.com
      action: member
    Copy to Clipboard Toggle word wrap

    This playbook adds the db.idm.example.com host to the databases host group. The action: member line indicates that when the playbook is run, no attempt is made to add the databases group itself. Instead, only an attempt is made to add db.idm.example.com to databases.

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-hosts-or-hostgroups-are-present-in-hostgroup.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. Log into ipaserver as admin: 

    $ ssh admin@server.idm.example.com
Password:
[admin@server /]$
    Copy to Clipboard Toggle word wrap

  2. Request a Kerberos ticket for admin: 

    $ kinit admin
Password for admin@IDM.EXAMPLE.COM:
    Copy to Clipboard Toggle word wrap

  3. Display information about a host group to see which hosts are present in it: 

    $ ipa hostgroup-show databases
  Host-group: databases
  Member hosts: db.idm.example.com
    Copy to Clipboard Toggle word wrap

    The db.idm.example.com host is present as a member of the databases host group.

Follow this procedure to ensure the presence of nested host groups in Identity Management (IdM) host groups using Ansible playbooks.

Prerequisites

  • You know the IdM administrator password.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The host groups you reference from the Ansible playbook file exist in IdM. For details, see Ensuring the presence of IdM host groups using Ansible playbooks.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it with the list of IdM servers to target: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the necessary host group information. To ensure that a nested host group A exists in a host group B: in the Ansible playbook, specify, among the - ipahostgroup variables, the name of the host group B using the name variable. Specify the name of the nested hostgroup A with the hostgroup variable. To simplify this step, you can copy and modify the examples in the /usr/share/doc/ansible-freeipa/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml file: 

    ---
- name: Playbook to handle hostgroups
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  # Ensure hosts and hostgroups are present in existing databases hostgroup
  - ipahostgroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: databases
      hostgroup:
      - mysql-server
      - oracle-server
      action: member
    Copy to Clipboard Toggle word wrap

    This Ansible playbook ensures the presence of the myqsl-server and oracle-server host groups in the databases host group. The action: member line indicates that when the playbook is run, no attempt is made to add the databases group itself to IdM.

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-hosts-or-hostgroups-are-present-in-hostgroup.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. Log into ipaserver as admin: 

    $ ssh admin@server.idm.example.com
Password:
[admin@server /]$
    Copy to Clipboard Toggle word wrap

  2. Request a Kerberos ticket for admin: 

    $ kinit admin
Password for admin@IDM.EXAMPLE.COM:
    Copy to Clipboard Toggle word wrap

  3. Display information about the host group in which nested host groups are present: 

    $ ipa hostgroup-show databases
  Host-group: databases
  Member hosts: db.idm.example.com
  Member host-groups: mysql-server, oracle-server
    Copy to Clipboard Toggle word wrap

    The mysql-server and oracle-server host groups exist in the databases host group.

The following procedure describes ensuring the presence of member managers in IdM hosts and host groups using an Ansible playbook.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • You must have the name of the host or host group you are adding as member managers and the name of the host group you want them to manage.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the necessary host and host group member management information: 

    ---

- name: Playbook to handle host group membership management
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure member manager user example_member is present for group_name
      ipahostgroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: group_name
        membermanager_user: example_member

  - name: Ensure member manager group project_admins is present for group_name
      ipahostgroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: group_name
        membermanager_group: project_admins
    Copy to Clipboard Toggle word wrap

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/add-member-managers-host-groups.yml
    Copy to Clipboard Toggle word wrap

Verification

You can verify if the group_name group contains example_member and project_admins as member managers by using the ipa group-show command:

  1. Log into ipaserver as administrator: 

    $ ssh admin@server.idm.example.com
Password:
[admin@server /]$
    Copy to Clipboard Toggle word wrap

  2. Display information about testhostgroup: 

    ipaserver]$ ipa hostgroup-show group_name
  Host-group: group_name
  Member hosts: server.idm.example.com
  Member host-groups: testhostgroup2
  Membership managed by groups: project_admins
  Membership managed by users: example_member
    Copy to Clipboard Toggle word wrap

Follow this procedure to ensure the absence of hosts from host groups in Identity Management (IdM) using Ansible playbooks.

Prerequisites

  • You know the IdM administrator password.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The hosts you want to reference in your Ansible playbook exist in IdM. For details, see Ensuring the presence of an IdM host entry using Ansible playbooks.
  • The host groups you reference from the Ansible playbook file exist in IdM. For details, see Ensuring the presence of IdM host groups using Ansible playbooks.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it with the list of IdM servers to target: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the necessary host and host group information. Specify the name of the host group using the name parameter of the ipahostgroup variable. Specify the name of the host whose absence from the host group you want to ensure using the host parameter of the ipahostgroup variable. To simplify this step, you can copy and modify the examples in the /usr/share/doc/ansible-freeipa/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml file: 

    ---
- name: Playbook to handle hostgroups
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  # Ensure host-group databases is absent
  - ipahostgroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: databases
      host:
      - db.idm.example.com
      action: member
      state: absent
    Copy to Clipboard Toggle word wrap

    This playbook ensures the absence of the db.idm.example.com host from the databases host group. The action: member line indicates that when the playbook is run, no attempt is made to remove the databases group itself.

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-hosts-or-hostgroups-are-absent-in-hostgroup.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. Log into ipaserver as admin: 

    $ ssh admin@server.idm.example.com
Password:
[admin@server /]$
    Copy to Clipboard Toggle word wrap

  2. Request a Kerberos ticket for admin: 

    $ kinit admin
Password for admin@IDM.EXAMPLE.COM:
    Copy to Clipboard Toggle word wrap

  3. Display information about the host group and the hosts it contains: 

    $ ipa hostgroup-show databases
  Host-group: databases
  Member host-groups: mysql-server, oracle-server
    Copy to Clipboard Toggle word wrap

    The db.idm.example.com host does not exist in the databases host group.

Follow this procedure to ensure the absence of nested host groups from outer host groups in Identity Management (IdM) using Ansible playbooks.

Prerequisites

  • You know the IdM administrator password.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • The host groups you reference from the Ansible playbook file exist in IdM. For details, see Ensuring the presence of IdM host groups using Ansible playbooks.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it with the list of IdM servers to target: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the necessary host group information. Specify, among the - ipahostgroup variables, the name of the outer host group using the name variable. Specify the name of the nested hostgroup with the hostgroup variable. To simplify this step, you can copy and modify the examples in the /usr/share/doc/ansible-freeipa/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml file: 

    ---
- name: Playbook to handle hostgroups
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  # Ensure hosts and hostgroups are absent in existing databases hostgroup
  - ipahostgroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: databases
      hostgroup:
      - mysql-server
      - oracle-server
      action: member
      state: absent
    Copy to Clipboard Toggle word wrap

    This playbook makes sure that the mysql-server and oracle-server host groups are absent from the databases host group. The action: member line indicates that when the playbook is run, no attempt is made to ensure the databases group itself is deleted from IdM.

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-hosts-or-hostgroups-are-absent-in-hostgroup.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. Log into ipaserver as admin: 

    $ ssh admin@server.idm.example.com
Password:
[admin@server /]$
    Copy to Clipboard Toggle word wrap

  2. Request a Kerberos ticket for admin: 

    $ kinit admin
Password for admin@IDM.EXAMPLE.COM:
    Copy to Clipboard Toggle word wrap

  3. Display information about the host group from which nested host groups should be absent: 

    $ ipa hostgroup-show databases
  Host-group: databases
    Copy to Clipboard Toggle word wrap

    The output confirms that the mysql-server and oracle-server nested host groups are absent from the outer databases host group.

Follow this procedure to ensure the absence of host groups in Identity Management (IdM) using Ansible playbooks.

Note

Without Ansible, host group entries are removed from IdM using the ipa hostgroup-del command. The result of removing a host group from IdM is the state of the host group being absent from IdM. Because of the Ansible reliance on idempotence, to remove a host group from IdM using Ansible, you must create a playbook in which you define the state of the host group as absent: state: absent.

Prerequisites

  • You know the IdM administrator password.

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it with the list of IdM servers to target: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the necessary host group information. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/user/ensure-hostgroup-is-absent.yml file. 

    ---
- name: Playbook to handle hostgroups
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - Ensure host-group databases is absent
    ipahostgroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: databases
      state: absent
    Copy to Clipboard Toggle word wrap

    This playbook ensures the absence of the databases host group from IdM. The state: absent means a request to delete the host group from IdM unless it is already deleted.

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-hostgroup-is-absent.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. Log into ipaserver as admin: 

    $ ssh admin@server.idm.example.com
Password:
[admin@server /]$
    Copy to Clipboard Toggle word wrap

  2. Request a Kerberos ticket for admin: 

    $ kinit admin
Password for admin@IDM.EXAMPLE.COM:
    Copy to Clipboard Toggle word wrap

  3. Display information about the host group whose absence you ensured: 

    $ ipa hostgroup-show databases
ipa: ERROR: databases: host group not found
    Copy to Clipboard Toggle word wrap

    The databases host group does not exist in IdM.

The following procedure describes ensuring the absence of member managers in IdM hosts and host groups using an Ansible playbook.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
  • You must have the name of the user or user group you are removing as member managers and the name of the host group they are managing.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create an Ansible playbook file with the necessary host and host group member management information: 

    ---

- name: Playbook to handle host group membership management
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure member manager host and host group members are absent for group_name
    ipahostgroup:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: group_name
      membermanager_user: example_member
      membermanager_group: project_admins
      action: member
      state: absent
    Copy to Clipboard Toggle word wrap

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-member-managers-host-groups-are-absent.yml
    Copy to Clipboard Toggle word wrap

Verification

You can verify if the group_name group does not contain example_member or project_admins as member managers by using the ipa group-show command:

  1. Log into ipaserver as administrator: 

    $ ssh admin@server.idm.example.com
Password:
[admin@server /]$
    Copy to Clipboard Toggle word wrap

  2. Display information about testhostgroup: 

    ipaserver]$ ipa hostgroup-show group_name
  Host-group: group_name
  Member hosts: server.idm.example.com
  Member host-groups: testhostgroup2
    Copy to Clipboard Toggle word wrap

When you create a new user, host, or service, a Kerberos principal in the following format is automatically added:

  • user_name@REALM
  • host/host_name@REALM
  • service_name/host_name@REALM

Administrators can enable users, hosts, or services to authenticate against Kerberos applications using an alias. This is beneficial in the following scenarios:

  • The user name changed and the user wants to log in using both the previous and new user name.
  • The user needs to log in using the email address even if the IdM Kerberos realm differs from the email domain.

Note that if you rename a user, the object keeps the aliases and the previous canonical principal name.

49.1. Adding a Kerberos principal alias
Copy link

You can associate alias names with existing Kerberos principals in an Identity Management (IdM) environment. This enhances security and simplifies authentication processes within the IdM domain.

Procedure

  • To add the alias name useralias to the account user, enter: 

    # ipa user-add-principal <user> <useralias>
--------------------------------
Added new aliases to user "user"
--------------------------------
         User login: user
    Principal alias: user@IDM.EXAMPLE.COM, useralias@IDM.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

    To add an alias to a host or service, use the ipa host-add-principal or ipa service-add-principal command respectively instead.

    If you use an alias name to authenticate, use the -C option with the kinit command: 

    # kinit -C <useralias>
Password for <user>@IDM.EXAMPLE.COM:
    Copy to Clipboard Toggle word wrap

49.2. Removing a Kerberos principal alias
Copy link

You can remove alias names associated with Kerberos principals in their Identity Management (IdM) environment.

Procedure

  • To remove the alias useralias from the account user, enter: 

    # ipa user-remove-principal <user> <useralias>
--------------------------------
Removed aliases from user "user"
--------------------------------
  User login: user
  Principal alias: user@IDM.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

    To remove an alias from a host or service, use the ipa host-remove-principal or ipa service-remove-principal command respectively instead.

    Note that you cannot remove the canonical principal name: 

    # ipa user-show <user>
  User login: user
  ...
  Principal name: user@IDM.EXAMPLE.COM
  ...

# ipa user-remove-principal user user
ipa: ERROR: invalid 'krbprincipalname': at least one value equal to the canonical principal name must be present
    Copy to Clipboard Toggle word wrap

49.3. Adding a Kerberos enterprise principal alias
Copy link

You can associate enterprise principal alias names with existing Kerberos enterprise principals in an Identity Management (IdM) environment. Enterprise principal aliases can use any domain suffix except for user principal name (UPN) suffixes, NetBIOS names, or domain names of trusted Active Directory forest domains.

Procedure

  • To add the enterprise principal alias user@example.com to the user account: 

    # ipa user-add-principal <user> <user\\@example.com>
--------------------------------
Added new aliases to user "user"
--------------------------------
         User login: user
    Principal alias: user@IDM.EXAMPLE.COM, user\@example.com@IDM.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

    To add an enterprise alias to a host or service, use the ipa host-add-principal or ipa service-add-principal command respectively instead.

    Note

    When adding or removing enterprise principal aliases, escape the @ symbol using two backslashes (\\). Otherwise, the shell interprets the @ symbol as part of the Kerberos realm name and leads to the following error: 

    ipa: ERROR: The realm for the principal does not match the realm for this IPA server.
    Copy to Clipboard Toggle word wrap

    If you use an enterprise principal name to authenticate, use the -E option with the kinit command: 

    # kinit -E <user@example.com>
Password for user\@example.com@IDM.EXAMPLE.COM:
    Copy to Clipboard Toggle word wrap

You can remove enterprise principal alias names associated with Kerberos enterprise principals in their Identity Management (IdM) environment.

Procedure

  • To remove the enterprise principal alias user@example.com from the account user, enter: 

    # ipa user-remove-principal <user> <user\\@example.com>
--------------------------------
Removed aliases from user "user"
--------------------------------
  User login: user
  Principal alias: user@IDM.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

    To remove an alias from a host or service, use the ipa host-remove-principal or ipa service-remove-principal command respectively instead.

    Note

    When adding or removing enterprise principal aliases, escape the @ symbol using two backslashes (\\). Otherwise, the shell interprets the @ symbol as part of the Kerberos realm name and leads to the following error: 

    ipa: ERROR: The realm for the principal does not match the realm for this IPA server
    Copy to Clipboard Toggle word wrap

Chapter 50. Managing Kerberos flags
Copy link

Kerberos flags are crucial for specifying authentication mechanisms, authorization levels, and security protocols within a Kerberos-enabled network environment. With Kerberos flags, you can ensure secure access control, protect against unauthorized access, and improve interoperability between different Kerberos implementations.

50.1. Kerberos flags for services and hosts
Copy link

You can use various Kerberos flags to define specific aspects of the Kerberos ticket behavior. You can add these flags to service and host Kerberos principals.

Principals in Identity Management (IdM) accept the following Kerberos flags:

  • OK_AS_DELEGATE

    Use this flag to specify Kerberos tickets trusted for delegation.

    Active directory (AD) clients check the OK_AS_DELEGATE flag on the Kerberos ticket to determine whether a user credentials can be forwarded or delegated to a specific server. AD forwards the ticket-granting ticket (TGT) only to services or hosts with OK_AS_DELEGATE configured. With this flag, system security services daemon (SSSD) can add the AD user TGT to the default Kerberos credentials cache on the IdM client machine.

  • REQUIRES_PRE_AUTH

    Use this flag to specify that only pre-authenticated tickets are allowed to authenticate to a principal.

    With the REQUIRES_PRE_AUTH flag set, the key distribution center (KDC) requires additional authentication: the KDC issues the TGT for the principal with REQUIRES_PRE_AUTH only if the TGT has been pre-authenticated.

    You can clear REQUIRES_PRE_AUTH to disable pre-authentication for selected services or hosts. This lowers the load on the KDC, however slightly increases the possibility of a brute-force attack on a long-term key to succeed.

  • OK_TO_AUTH_AS_DELEGATE

    Use the OK_TO_AUTH_AS_DELEGATE flag to specify that the service is allowed to obtain a Kerberos ticket on behalf of a user. Note, that for obtaining other tickets on behalf of the user, the service needs the OK_AS_DELEGATE flag and a corresponding policy decision allowed on the key distribution center side.

50.2. Setting Kerberos flags from the Web UI
Copy link

You can set a Kerberos flags by using the IdM Web UI. The following procedure sets the Kerberos flag to a principal.

Procedure

  1. Select IdentityServices in the menu.

    List of services

  2. Click on the service to which you want to add the flags.

  3. Check the option that you want to set:

    • To set the OK_AS_DELEGATE flag, check Trusted for delegation.
    • To set the REQUIRES_PRE_AUTH flag, check Requires pre-authentication.
    • To set the OK_TO_AUTH_AS_DELEGATE flag, check Trusted to authenticate as user.

You can add or remove a Kerberos flag by using the command line. The ipa service-mod command uses the following command options for the flags:

  • --ok-as-delegate for OK_AS_DELEGATE
  • --requires-pre-auth for REQUIRES_PRE_AUTH
  • --ok-to-auth-as-delegate for OK_TO_AUTH_AS_DELEGATE

By setting an option value to 1, you enable a flag for a principle. By setting an option value to 0, you disable the flag.

The following procedure enables and disables the OK_AS_DELEGATE flag for the service/ipa.example.com@example.com principal.

Procedure

  • To add the OK_AS_DELEGATE flag for the service/ipa.example.com@example.com principle, run: 

    $ ipa service-mod service/ipa.example.com@EXAMPLE.COM --ok-as-delegate=1
    Copy to Clipboard Toggle word wrap

  • To remove the OK_AS_DELEGATE flag from the service/ipa.example.com@example.com principle, run: 

    $ ipa service-mod service/ipa.example.com@EXAMPLE.COM --ok-as-delegate=0
    Copy to Clipboard Toggle word wrap

You can display Kerberos flag setting by using the command line. The following procedure displays the OK_AS_DELEGATE flag for the demo/ipa.example.com@EXAMPLE.COM principal.

Procedure

To find out if OK_AS_DELEGATE is set for a principal:

  1. Run the kvno utility: 

    $ kvno demo/ipa.example.com@EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

  2. To display the flag setting, run the klist -f command. The 0 character means that the OK_AS_DELEGATE flag is disabled: 

    $ klist -f
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting		Expires			Service principal
02/19/2024 09:59:02	02/20/2024 08:21:33	demo/ipa/example.com@EXAMPLE.COM
    Flags: FATO
    Copy to Clipboard Toggle word wrap

You can use Identity Management (IdM) with Privilege Attribute Certificate (PAC) information by default since RHEL 8.5. You can also enable Security Identifiers (SIDs) in IdM deployments that were installed before RHEL 8.5.

To increase security, RHEL Identity Management (IdM) now issues Kerberos tickets with Privilege Attribute Certificate (PAC) information by default in new deployments. A PAC has rich information about a Kerberos principal, including its Security Identifier (SID), group memberships, and home directory information.

SIDs, which Microsoft Active Directory (AD) uses by default, are globally unique identifiers that are never reused. SIDs express multiple namespaces: each domain has a SID, which is a prefix in the SID of each object.

Starting from RHEL 8.5, when you install an IdM server or replica, the installation script generates SIDs for users and groups by default. This allows IdM to work with PAC data. If you installed IdM before RHEL 8.5, and you have not configured a trust with an AD domain, you may not have generated SIDs for your IdM objects. For more information about generating SIDs for your IdM objects, see Enabling Security Identifiers (SIDs) in IdM.

By evaluating PAC information in Kerberos tickets, you can control resource access with much greater detail. For example, the Administrator account in one domain has a uniquely different SID than the Administrator account in any other domain. In an IdM environment with a trust to an AD domain, you can set access controls based on globally unique SIDs rather than simple user names or UIDs that might repeat in different locations, such as every Linux root account having a UID of 0.

51.2. Enabling Security Identifiers (SIDs) in IdM
Copy link

If you installed IdM before RHEL 8.5, and you have not configured a trust with an AD domain, you might not have generated Security Identifiers (SIDs) for your IdM objects. This is because, before, the only way to generate SIDs was to run the ipa-adtrust-install command to add the Trust Controller role to an IdM server.

As of RHEL 8.6, Kerberos in IdM requires that your IdM objects have SIDs, which are necessary for security based on Privilege Access Certificate (PAC) information.

Prerequisites

  • You installed IdM before RHEL 8.5.
  • You have not run the ipa-sidgen task, which is part of configuring a trust with an Active Directory domain.
  • You can authenticate as the IdM admin account.

Procedure

  • Enable SID usage and trigger the SIDgen task to generate SIDs for existing users and groups. This task might be resource-intensive: 

    [root@server ~]# ipa config-mod --enable-sid --add-sids
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that the IdM admin user account entry has an ipantsecurityidentifier attribute with a SID that ends with -500, the SID reserved for the domain administrator: 

    [root@server ~]# ipa user-show admin --all | grep ipantsecurityidentifier
  ipantsecurityidentifier: S-1-5-21-2633809701-976279387-419745629-500
    Copy to Clipboard Toggle word wrap

Chapter 52. Managing Kerberos ticket policies
Copy link

Kerberos ticket policies in Identity Management (IdM) set restrictions on Kerberos ticket access, duration, and renewal. You can configure Kerberos ticket policies for the Key Distribution Center (KDC) running on your IdM server.

52.1. The role of the IdM KDC
Copy link

Identity Management’s authentication mechanisms use the Kerberos infrastructure established by the Key Distribution Center (KDC). The KDC is the trusted authority that stores credential information and ensures the authenticity of data originating from entities within the IdM network.

Each IdM user, service, and host acts as a Kerberos client and is identified by a unique Kerberos principal:

  • For users: identifier@REALM, such as admin@EXAMPLE.COM
  • For services: service/fully-qualified-hostname@REALM, such as http/server.example.com@EXAMPLE.COM
  • For hosts: host/fully-qualified-hostname@REALM, such as host/client.example.com@EXAMPLE.COM

The following image is a simplification of the communication between a Kerberos client, the KDC, and a Kerberized application that the client wants to communicate with.

Kerberos KDC flow of communication
View larger image
Kerberos KDC flow of communication
  1. A Kerberos client identifies itself to the KDC by authenticating as a Kerberos principal. For example, an IdM user performs kinit username and provides their password.
  2. The KDC checks for the principal in its database, authenticates the client, and evaluates Kerberos ticket policies to determine whether to grant the request.
  3. The KDC issues the client a ticket-granting ticket (TGT) with a lifecycle and authentication indicators according to the appropriate ticket policy.
  4. With the TGT, the client requests a service ticket from the KDC to communicate with a Kerberized service on a target host.
  5. The KDC checks if the client’s TGT is still valid, and evaluates the service ticket request against ticket policies.
  6. The KDC issues the client a service ticket.
  7. With the service ticket, the client can initiate encrypted communication with the service on the target host.

52.2. IdM Kerberos ticket policy types
Copy link

IdM Kerberos ticket policies implement the following ticket policy types:

Connection policy

To protect Kerberized services with different levels of security, you can define connection policies to enforce rules based on which pre-authentication mechanism a client used to retrieve a ticket-granting ticket (TGT).

For example, you can require smart card authentication to connect to client1.example.com, and require two-factor authentication to access the testservice application on client2.example.com.

To enforce connection policies, associate authentication indicators with services. Only clients that have the required authentication indicators in their service ticket requests are able to access those services. For more information, see Kerberos authentication indicators.

Ticket lifecycle policy

Each Kerberos ticket has a lifetime and a potential renewal age: you can renew a ticket before it reaches its maximum lifetime, but not after it exceeds its maximum renewal age.

The default global ticket lifetime is one day (86400 seconds) and the default global maximum renewal age is one week (604800 seconds). To adjust these global values, see Configuring the global ticket lifecycle policy.

You can also define your own ticket lifecycle policies:

52.3. Kerberos authentication indicators
Copy link

The Kerberos Key Distribution Center (KDC) attaches authentication indicators to a ticket-granting ticket (TGT) based on which pre-authentication mechanism the client used to prove its identity:

otp
two-factor authentication (password + One-Time Password)
radius
RADIUS authentication (commonly for 802.1x authentication)
pkinit
PKINIT, smart card, or certificate authentication
hardened
hardened passwords (SPAKE or FAST)[1]

The KDC then attaches the authentication indicators from the TGT to any service ticket requests that stem from it. The KDC enforces policies such as service access control, maximum ticket lifetime, and maximum renewable age based on the authentication indicators.

Authentication indicators and IdM services

If you associate a service or a host with an authentication indicator, only clients that used the corresponding authentication mechanism to obtain a TGT will be able to access it. The KDC, not the application or service, checks for authentication indicators in service ticket requests, and grants or denies requests based on Kerberos connection policies.

If a service or a host has no authentication indicators assigned to it, it will accept tickets authenticated by any mechanism.


[1] A hardened password is protected against brute-force password dictionary attacks by using Single-Party Public-Key Authenticated Key Exchange (SPAKE) pre-authentication and/or Flexible Authentication via Secure Tunneling (FAST) armoring.

The authentication mechanisms supported by Identity Management (IdM) vary in their authentication strength. For example, obtaining the initial Kerberos ticket-granting ticket (TGT) using a one-time password (OTP) in combination with a standard password is considered more secure than authentication using only a standard password.

By associating authentication indicators with a particular IdM service, you can, as an IdM administrator, configure the service so that only users who used those specific pre-authentication mechanisms to obtain their initial ticket-granting ticket (TGT) will be able to access the service.

In this way, you can configure different IdM services so that:

  • Only users who used a stronger authentication method to obtain their initial TGT, such as a one-time password (OTP), can access services critical to security, such as a VPN.
  • Users who used simpler authentication methods to obtain their initial TGT, such as a password, can only access non-critical services, such as local logins.

Figure 52.1. Example of authenticating using different technologies

auth indicators
View larger image
auth indicators

This procedure describes creating an IdM service and configuring it to require particular Kerberos authentication indicators from incoming service ticket requests.

Adding an IdM service entry to IdM for a service running on an IdM host creates a corresponding Kerberos principal, and allows the service to request an SSL certificate, a Kerberos keytab, or both.

The following procedure describes creating an IdM service entry and generating an associated Kerberos keytab for encrypting communication with that service.

Prerequisites

  • Your service can store a Kerberos principal, an SSL certificate, or both.

Procedure

  1. Add an IdM service with the ipa service-add command to create a Kerberos principal associated with it. For example, to create the IdM service entry for the testservice application that runs on host client.example.com: 

    [root@client ~]# ipa service-add testservice/client.example.com
-------------------------------------------------------------
Modified service "testservice/client.example.com@EXAMPLE.COM"
-------------------------------------------------------------
  Principal name: testservice/client.example.com@EXAMPLE.COM
  Principal alias: testservice/client.example.com@EXAMPLE.COM
  Managed by: client.example.com
    Copy to Clipboard Toggle word wrap

  2. Generate and store a Kerberos keytab for the service on the client. 

    [root@client ~]# ipa-getkeytab -k /etc/testservice.keytab -p testservice/client.example.com
Keytab successfully retrieved and stored in: /etc/testservice.keytab
    Copy to Clipboard Toggle word wrap

Verification

  1. Display information about an IdM service with the ipa service-show command. 

    [root@server ~]# ipa service-show testservice/client.example.com
  Principal name: testservice/client.example.com@EXAMPLE.COM
  Principal alias: testservice/client.example.com@EXAMPLE.COM
  Keytab: True
  Managed by: client.example.com
    Copy to Clipboard Toggle word wrap

  2. Display the contents of the service’s Kerberos keytab with the klist command. 

    [root@server etc]# klist -ekt /etc/testservice.keytab
Keytab name: FILE:/etc/testservice.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 04/01/2020 17:52:55 testservice/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 04/01/2020 17:52:55 testservice/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 04/01/2020 17:52:55 testservice/client.example.com@EXAMPLE.COM (camellia128-cts-cmac)
   2 04/01/2020 17:52:55 testservice/client.example.com@EXAMPLE.COM (camellia256-cts-cmac)
    Copy to Clipboard Toggle word wrap

As an Identity Management (IdM) administrator, you can configure a host or a service to require that a service ticket presented by the client application contains a specific authentication indicator. For example, you can ensure that only users who used a valid IdM two-factor authentication token with their password when obtaining a Kerberos ticket-granting ticket (TGT) will be able to access that host or service.

Follow this procedure to configure a service to require particular Kerberos authentication indicators from incoming service ticket requests.

Prerequisites

Warning

Do not assign authentication indicators to internal IdM services. The following IdM services cannot perform the interactive authentication steps required by PKINIT and multi-factor authentication methods: 

host/server.example.com@EXAMPLE.COM
HTTP/server.example.com@EXAMPLE.COM
ldap/server.example.com@EXAMPLE.COM
DNS/server.example.com@EXAMPLE.COM
cifs/server.example.com@EXAMPLE.COM
Copy to Clipboard Toggle word wrap

Procedure

  • Use the ipa service-mod command to specify one or more required authentication indicators for a service, identified with the --auth-ind argument.

    Expand
    Authentication method--auth-ind value

    Two-factor authentication

    otp

    RADIUS authentication

    radius

    PKINIT, smart card, or certificate authentication

    pkinit

    Hardened passwords (SPAKE or FAST)

    hardened

    For example, to require that a user was authenticated with smart card or OTP authentication to retrieve a service ticket for the testservice principal on host client.example.com: 

    [root@server ~]# ipa service-mod testservice/client.example.com@EXAMPLE.COM --auth-ind otp --auth-ind pkinit
-------------------------------------------------------------
Modified service "testservice/client.example.com@EXAMPLE.COM"
-------------------------------------------------------------
  Principal name: testservice/client.example.com@EXAMPLE.COM
  Principal alias: testservice/client.example.com@EXAMPLE.COM
  Authentication Indicators: otp, pkinit
  Managed by: client.example.com
    Copy to Clipboard Toggle word wrap

  • To remove all authentication indicators from a service, provide an empty list of indicators: 

    [root@server ~]# ipa service-mod testservice/client.example.com@EXAMPLE.COM --auth-ind ''
------------------------------------------------------
Modified service "testservice/client.example.com@EXAMPLE.COM"
------------------------------------------------------
  Principal name: testservice/client.example.com@EXAMPLE.COM
  Principal alias: testservice/client.example.com@EXAMPLE.COM
  Managed by: client.example.com
    Copy to Clipboard Toggle word wrap

Verification

  • Display information about an IdM service, including the authentication indicators it requires, with the ipa service-show command. 

    [root@server ~]# ipa service-show testservice/client.example.com
  Principal name: testservice/client.example.com@EXAMPLE.COM
  Principal alias: testservice/client.example.com@EXAMPLE.COM
  Authentication Indicators: otp, pkinit
  Keytab: True
  Managed by: client.example.com
    Copy to Clipboard Toggle word wrap

As an Identity Management (IdM) administrator, you can configure a host or a service to require a service ticket presented by the client application to contain a specific authentication indicator. For example, you can ensure that only users who used a valid IdM two-factor authentication token with their password when obtaining a Kerberos ticket-granting ticket (TGT) will be able to access that host or service.

Follow this procedure to use the IdM Web UI to configure a host or service to require particular Kerberos authentication indicators from incoming ticket requests.

Prerequisites

  • You have logged in to the IdM Web UI as an administrative user.

Procedure

  1. Select IdentityHosts or IdentityServices.
  2. Click the name of the required host or service.

  3. Under Authentication indicators, select the required authentication method.

    • For example, selecting OTP ensures that only users who used a valid IdM two-factor authentication token with their password when obtaining a Kerberos TGT will be able to access the host or service.
    • If you select both OTP and RADIUS, then both users that used a valid IdM two-factor authentication token with their password when obtaining a Kerberos TGT and users that used the RADIUS server for obtaining their Kerberos TGT will be allowed access.
  4. Click Save at the top of the page.

The following procedure describes retrieving a Kerberos service ticket for an IdM service. You can use this procedure to test Kerberos ticket policies, such as enforcing that certain Kerberos authentication indicators are present in a ticket-granting ticket (TGT).

Prerequisites

Procedure

  • Use the kvno command with the -S option to retrieve a service ticket, and specify the name of the IdM service and the fully-qualified domain name of the host that manages it. 

    [root@server ~]# kvno -S testservice client.example.com
testservice/client.example.com@EXAMPLE.COM: kvno = 1
    Copy to Clipboard Toggle word wrap
Note

If you need to access an IdM service and your current ticket-granting ticket (TGT) does not possess the required Kerberos authentication indicators associated with it, clear your current Kerberos credentials cache with the kdestroy command and retrieve a new TGT: 

[root@server ~]# kdestroy
Copy to Clipboard Toggle word wrap

For example, if you initially retrieved a TGT by authenticating with a password, and you need to access an IdM service that has the pkinit authentication indicator associated with it, destroy your current credentials cache and re-authenticate with a smart card. See Kerberos authentication indicators.

Verification

  • Use the klist command to verify that the service ticket is in the default Kerberos credentials cache. 

    [root@server etc]# klist_
Ticket cache: KCM:1000
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
04/01/2020 12:52:42  04/02/2020 12:52:39  krbtgt/EXAMPLE.COM@EXAMPLE.COM
04/01/2020 12:54:07 04/02/2020 12:52:39 testservice/client.example.com@EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

The global ticket policy applies to all service tickets and to users that do not have any per-user ticket policies defined.

The following procedure describes adjusting the maximum ticket lifetime and maximum ticket renewal age for the global Kerberos ticket policy using the ipa krbtpolicy-mod command.

While using the ipa krbtpolicy-mod command, specify at least one of the following arguments:

  • --maxlife for the maximum ticket lifetime in seconds
  • --maxrenew for the maximum renewable age in seconds

Procedure

  1. To modify the global ticket policy: 

    [root@server ~]# ipa krbtpolicy-mod --maxlife=$((8*60*60)) --maxrenew=$((24*60*60))
  Max life: 28800
  Max renew: 86400
    Copy to Clipboard Toggle word wrap

    In this example, the maximum lifetime is set to eight hours (8 * 60 minutes * 60 seconds) and the maximum renewal age is set to one day (24 * 60 minutes * 60 seconds).

  2. Optional: To reset the global Kerberos ticket policy to the default installation values: 

    [root@server ~]# ipa krbtpolicy-reset
  Max life: 86400
  Max renew: 604800
    Copy to Clipboard Toggle word wrap

Verification

  • Display the global ticket policy: 

    [root@server ~]# ipa krbtpolicy-show
  Max life: 28800
  Max renew: 86640
    Copy to Clipboard Toggle word wrap

Follow this procedure to adjust the global maximum ticket lifetime and maximum renewable age for each authentication indicator. These settings apply to users that do not have per-user ticket policies defined.

Use the ipa krbtpolicy-mod command to specify the global maximum lifetime or maximum renewable age for Kerberos tickets depending on the authentication indicators attached to them.

Procedure

  • For example, to set the global two-factor ticket lifetime and renewal age values to one week, and the global smart card ticket lifetime and renewal age values to two weeks: 

    [root@server ~]# ipa krbtpolicy-mod --otp-maxlife=604800 --otp-maxrenew=604800 --pkinit-maxlife=172800 --pkinit-maxrenew=172800
    Copy to Clipboard Toggle word wrap

Verification

  • Display the global ticket policy: 

    [root@server ~]# ipa krbtpolicy-show
  Max life: 86400
  OTP max life: 604800
  PKINIT max life: 172800
  Max renew: 604800
  OTP max renew: 604800
  PKINIT max renew: 172800
    Copy to Clipboard Toggle word wrap

    Notice that the OTP and PKINIT values are different from the global default Max life and Max renew values.

You can define a unique Kerberos ticket policy that only applies to a single user. These per-user settings override the global ticket policy, for all authentication indicators.

Use the ipa krbtpolicy-mod username command, and specify at least one of the following arguments:

  • --maxlife for the maximum ticket lifetime in seconds
  • --maxrenew for the maximum renewable age in seconds

Procedure

  1. For example, to set the IdM admin user’s maximum ticket lifetime to two days and maximum renewal age to two weeks: 

    [root@server ~]# ipa krbtpolicy-mod admin --maxlife=172800 --maxrenew=1209600
  Max life: 172800
  Max renew: 1209600
    Copy to Clipboard Toggle word wrap

  2. Optional: To reset the ticket policy for a user: 

    [root@server ~]# ipa krbtpolicy-reset admin
    Copy to Clipboard Toggle word wrap

Verification

  • Display the effective Kerberos ticket policy that applies to a user: 

    [root@server ~]# ipa krbtpolicy-show admin
  Max life: 172800
  Max renew: 1209600
    Copy to Clipboard Toggle word wrap

As an administrator, you can define Kerberos ticket policies for a user that differ per authentication indicator. For example, you can configure a policy to allow the IdM admin user to renew a ticket for two days if it was obtained with OTP authentication, and a week if it was obtained with smart card authentication.

These per-authentication indicator settings will override the user’s default ticket policy, the global default ticket policy, and any global authentication indicator ticket policy.

Use the ipa krbtpolicy-mod username command to set custom maximum lifetime and maximum renewable age values for a user’s Kerberos tickets depending on the authentication indicators attached to them.

Procedure

  1. For example, to allow the IdM admin user to renew a Kerberos ticket for two days if it was obtained with One-Time Password authentication, set the --otp-maxrenew option: 

    [root@server ~]# ipa krbtpolicy-mod admin --otp-maxrenew=$((2*24*60*60))
  OTP max renew: 172800
    Copy to Clipboard Toggle word wrap

  2. Optional: To reset the ticket policy for a user: 

    [root@server ~]# ipa krbtpolicy-reset username
    Copy to Clipboard Toggle word wrap

Verification

  • Display the effective Kerberos ticket policy that applies to a user: 

    [root@server ~]# ipa krbtpolicy-show admin
  Max life: 28800
  Max renew: 86640
    Copy to Clipboard Toggle word wrap

Specify values for authentication indicators with the following arguments.

Expand
Table 52.1. Authentication indicator options for the krbtpolicy-mod command
Authentication indicatorArgument for maximum lifetimeArgument for maximum renewal age

otp

--otp-maxlife

--otp-maxrenew

radius

--radius-maxlife

--radius-maxrenew

pkinit

--pkinit-maxlife

--pkinit-maxrenew

hardened

--hardened-maxlife

--hardened-maxrenew

Chapter 53. Kerberos PKINIT authentication in IdM
Copy link

Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) is a preauthentication mechanism for Kerberos. The Identity Management (IdM) server includes a mechanism for Kerberos PKINIT authentication.

53.1. Default PKINIT configuration
Copy link

The default PKINIT configuration on your IdM servers depends on the certificate authority (CA) configuration.

Expand
Table 53.1. Default PKINIT configuration in IdM
CA configurationPKINIT configuration

Without a CA, no external PKINIT certificate provided

Local PKINIT: IdM only uses PKINIT for internal purposes on servers.

Without a CA, external PKINIT certificate provided to IdM

IdM configures PKINIT by using the external Kerberos key distribution center (KDC) certificate and CA certificate.

With an Integrated CA

IdM configures PKINIT by using the certificate signed by the IdM CA.

53.2. Displaying the current PKINIT configuration
Copy link

IdM provides multiple commands you can use to query the PKINIT configuration in your domain.

Procedure

  • To determine the PKINIT status in your domain, use the ipa pkinit-status command: 

    $ ipa pkinit-status
  Server name: server1.example.com
  PKINIT status: enabled
  [...output truncated...]
  Server name: server2.example.com
  PKINIT status: disabled
  [...output truncated...]
    Copy to Clipboard Toggle word wrap

    The command displays the PKINIT configuration status as enabled or disabled:

    • enabled: PKINIT is configured using a certificate signed by the integrated IdM CA or an external PKINIT certificate.
    • disabled: IdM only uses PKINIT for internal purposes on IdM servers.

  • To list the IdM servers with active Kerberos key distribution centers (KDCs) that support PKINIT for IdM clients, use the ipa config-show command on any server: 

    $ ipa config-show
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  [...output truncated...]
  IPA masters capable of PKINIT: server1.example.com
  [...output truncated...]
    Copy to Clipboard Toggle word wrap

53.3. Configuring PKINIT in IdM
Copy link

If your IdM servers are running with PKINIT disabled, use these steps to enable it. For example, a server is running with PKINIT disabled if you passed the --no-pkinit option with the ipa-server-install or ipa-replica-install utilities.

Prerequisites

  • Ensure that all IdM servers with a certificate authority (CA) installed are running on the same domain level.

Procedure

  1. Check if PKINIT is enabled on the server: 

    # kinit admin

Password for admin@IDM.EXAMPLE.COM:
# ipa pkinit-status --server=server.idm.example.com
1 server matched
----------------
Server name: server.idm.example.com
PKINIT status:enabled
----------------------------
Number of entries returned 1
----------------------------
    Copy to Clipboard Toggle word wrap

    If PKINIT is disabled, you will see the following output: 

    # ipa pkinit-status --server server.idm.example.com
-----------------
0 servers matched
-----------------
----------------------------
Number of entries returned 0
----------------------------
    Copy to Clipboard Toggle word wrap

    You can also use the command to find all the servers where PKINIT is enabled if you omit the --server <server_fqdn> parameter.

  2. If you are using IdM without CA:

    1. On the IdM server, install the CA certificate that signed the Kerberos key distribution center (KDC) certificate: 

      # ipa-cacert-manage install -t CT,C,C ca.pem
      Copy to Clipboard Toggle word wrap

    2. To update all IPA hosts, repeat the ipa-certupdate command on all replicas and clients: 

      # ipa-certupdate
      Copy to Clipboard Toggle word wrap

    3. Check if the CA certificate has already been added using the ipa-cacert-manage list command. For example: 

      # ipa-cacert-manage list
CN=CA,O=Example Organization
The ipa-cacert-manage command was successful
      Copy to Clipboard Toggle word wrap

    4. Use the ipa-server-certinstall utility to install an external KDC certificate. The KDC certificate must meet the following conditions:

      • It is issued with the common name CN=fully_qualified_domain_name,certificate_subject_base.
      • It includes the Kerberos principal krbtgt/REALM_NAME@REALM_NAME.

      • It contains the Object Identifier (OID) for KDC authentication: 1.3.6.1.5.2.3.5. 

        # ipa-server-certinstall --kdc kdc.pem kdc.key

# systemctl restart krb5kdc.service
        Copy to Clipboard Toggle word wrap

    5. See your PKINIT status: 

      # ipa pkinit-status
  Server name: server1.example.com
  PKINIT status: enabled
  [...output truncated...]
  Server name: server2.example.com
  PKINIT status: disabled
  [...output truncated...]
      Copy to Clipboard Toggle word wrap

  3. If you are using IdM with a CA certificate, enable PKINIT as follows: 

    # ipa-pkinit-manage enable
  Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
  Done configuring Kerberos KDC (krb5kdc).
  The ipa-pkinit-manage command was successful
    Copy to Clipboard Toggle word wrap

    If you are using an IdM CA, the command requests a PKINIT KDC certificate from the CA.

Chapter 54. Maintaining IdM Kerberos keytab files
Copy link

Learn more about what Kerberos keytab files are and how Identity Management (IdM) uses them to allow services to authenticate securely with Kerberos.

You can use this information to understand why you should protect these sensitive files, and to troubleshoot communication issues between IdM services.

A Kerberos keytab is a file containing Kerberos principals and their corresponding encryption keys. Hosts, services, users, and scripts can use keytabs to authenticate to the Kerberos Key Distribution Center (KDC) securely, without requiring human interaction.

Every IdM service on an IdM server has a unique Kerberos principal stored in the Kerberos database. For example, if IdM servers east.idm.example.com and west.idm.example.com provide DNS services, IdM creates 2 unique DNS Kerberos principals to identify these services, which follow the naming convention <service>/host.domain.com@REALM.COM:

  • DNS/east.idm.example.com@IDM.EXAMPLE.COM
  • DNS/west.idm.example.com@IDM.EXAMPLE.COM

IdM creates a keytab on the server for each of these services to store a local copy of the Kerberos keys, along with their Key Version Numbers (KVNO). For example, the default keytab file /etc/krb5.keytab stores the host principal, which represents that machine in the Kerberos realm and is used for login authentication. The KDC generates encryption keys for the different encryption algorithms it supports, such as aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96.

You can display the contents of a keytab file with the klist command: 

[root@idmserver ~]# klist -ekt /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 02/24/2022 20:28:09 host/idmserver.idm.example.com@IDM.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 02/24/2022 20:28:09 host/idmserver.idm.example.com@IDM.EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 02/24/2022 20:28:09 host/idmserver.idm.example.com@IDM.EXAMPLE.COM (camellia128-cts-cmac)
   2 02/24/2022 20:28:09 host/idmserver.idm.example.com@IDM.EXAMPLE.COM (camellia256-cts-cmac)
Copy to Clipboard Toggle word wrap

When you change a Kerberos password, IdM automatically generates a new corresponding Kerberos key and increments its Key Version Number (KVNO). If a Kerberos keytab is not updated with the new key and KVNO, any services that depend on that keytab to retrieve a valid key might not be able to authenticate to the Kerberos Key Distribution Center (KDC).

If one of your IdM services cannot communicate with another service, use the following procedure to verify that your Kerberos keytab files are in sync with the keys stored in the IdM database. If they are out of sync, retrieve a Kerberos keytab with an updated key and KVNO. This example compares and retrieves an updated DNS principal for an IdM server.

Prerequisites

  • You must authenticate as the IdM admin account to retrieve keytab files
  • You must authenticate as the root account to modify keytab files owned by other users

Procedure

  1. Display the KVNO of the principals in the keytab you are verifying. In the following example, the /etc/named.keytab file has the key for the DNS/server1.idm.example.com@EXAMPLE.COM principal with a KVNO of 2. 

    [root@server1 ~]# klist -ekt /etc/named.keytab
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/26/2021 13:51:11 DNS/server1.idm.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 11/26/2021 13:51:11 DNS/server1.idm.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 11/26/2021 13:51:11 DNS/server1.idm.example.com@EXAMPLE.COM (camellia128-cts-cmac)
   2 11/26/2021 13:51:11 DNS/server1.idm.example.com@EXAMPLE.COM (camellia256-cts-cmac)
    Copy to Clipboard Toggle word wrap

  2. Display the KVNO of the principal stored in the IdM database. In this example, the KVNO of the key in the IdM database does not match the KVNO in the keytab. 

    [root@server1 ~]# kvno DNS/server1.idm.example.com@EXAMPLE.COM
DNS/server1.idm.example.com@EXAMPLE.COM: kvno = 3
    Copy to Clipboard Toggle word wrap

  3. Authenticate as the IdM admin account. 

    [root@server1 ~]# kinit admin
Password for admin@IDM.EXAMPLE.COM:
    Copy to Clipboard Toggle word wrap

  4. Retrieve an updated Kerberos key for the principal and store it in its keytab. Perform this step as the root user so you can modify the /etc/named.keytab file, which is owned by the named user. 

    [root@server1 ~]# ipa-getkeytab -s server1.idm.example.com -p DNS/server1.idm.example.com -k /etc/named.keytab
    Copy to Clipboard Toggle word wrap

Verification

  1. Display the updated KVNO of the principal in the keytab. 

    [root@server1 ~]# klist -ekt /etc/named.keytab
Keytab name: FILE:/etc/named.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 08/17/2022 14:42:11 DNS/server1.idm.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 08/17/2022 14:42:11 DNS/server1.idm.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   4 08/17/2022 14:42:11 DNS/server1.idm.example.com@EXAMPLE.COM (camellia128-cts-cmac)
   4 08/17/2022 14:42:11 DNS/server1.idm.example.com@EXAMPLE.COM (camellia256-cts-cmac)
    Copy to Clipboard Toggle word wrap

  2. Display the KVNO of the principal stored in the IdM database and ensure it matches the KVNO from the keytab. 

    [root@server1 ~]# kvno DNS/server1.idm.example.com@EXAMPLE.COM
DNS/server1.idm.example.com@EXAMPLE.COM: kvno = 4
    Copy to Clipboard Toggle word wrap

The following table displays the location, contents, and purpose of the IdM Kerberos keytab files.

Expand
Table 54.1. Table
Keytab locationContentsPurpose

/etc/krb5.keytab

host principal

Verifying user credentials when logging in, used by NFS if there is no nfs principal

/etc/dirsrv/ds.keytab

ldap principal

Authenticating users to the IdM database, securely replicating database contents between IdM replicas

/var/lib/ipa/gssproxy/http.keytab

HTTP principal

Authenticating to the Apache server

/etc/named.keytab

DNS principal

Securely updating DNS records

/etc/ipa/dnssec/ipa-dnskeysyncd.keytab

ipa-dnskeysyncd principal

Keeping OpenDNSSEC synchronized with LDAP

/etc/pki/pki-tomcat/dogtag.keytab

dogtag principal

Communicating with the Certificate Authority (CA)

/etc/samba/samba.keytab

cifs and host principals

Communicating with the Samba service

/var/lib/sss/keytabs/ad-domain.com.keytab

Active Directory (AD) domain controller (DCs) principals in the form HOSTNAME$@AD-DOMAIN.COM

Communicating with AD DCs through an IdM-AD Trust

As an Identity Management (IdM) administrator, you can view the encryption type of your IdM master key, which is the key that the IdM Kerberos Distribution Center (KDC) uses to encrypt all other principals when storing them at rest. Knowing the encryption type helps you determine your deployment’s compatibility with FIPS standards.

As of RHEL 8.7, the encryption type is aes256-cts-hmac-sha384-192. This encryption type is compatible with the default RHEL 9 FIPS cryptographic policy aiming to comply with FIPS 140-3.

The encryption types used on previous RHEL versions are not compatible with RHEL 9 systems that adhere to FIPS 140-3 standards. To make RHEL 9 systems compatible with a RHEL 8 FIPS 140-2 deployment, see the AD Domain Users unable to login in to the FIPS-compliant environment KCS solution.

Prerequisites

  • You have root access to any of the RHEL 8 replicas in the IdM deployment.

Procedure

  • On the replica, view the encryption type on the command line: 

    # kadmin.local getprinc K/M | grep -E '^Key:'
Key: vno 1, aes256-cts-hmac-sha1-96
    Copy to Clipboard Toggle word wrap

    The aes256-cts-hmac-sha1-96 key in the output indicates that the IdM deployment was installed on a server that was running RHEL 8.6 or earlier. The presence of a aes256-cts-hmac-sha384-192 key in the output would indicate that the IdM deployment was installed on a server that was running RHEL 8.7 or later.

Chapter 55. Using the KDC Proxy in IdM
Copy link

Some administrators might choose to make the default Kerberos ports inaccessible in their deployment. To allow users, hosts, and services to obtain Kerberos credentials, you can use the HTTPS service as a proxy that communicates with Kerberos via the HTTPS port 443.

In Identity Management (IdM), the Kerberos Key Distribution Center Proxy (KKDCP) provides this functionality.

On an IdM server, KKDCP is enabled by default and available at https://server.idm.example.com/KdcProxy. On an IdM client, you must change its Kerberos configuration to access the KKDCP.

55.1. Configuring an IdM client to use KKDCP
Copy link

As an Identity Management (IdM) system administrator, you can configure an IdM client to use the Kerberos Key Distribution Center Proxy (KKDCP) on an IdM server. This is useful if the default Kerberos ports are not accessible on the IdM server and the HTTPS port 443 is the only way of accessing the Kerberos service.

Prerequisites

  • You have root access to the IdM client.

Procedure

  1. Open the /etc/krb5.conf file for editing.

  2. In the [realms] section, enter the URL of the KKDCP for the kdc, admin_server, and kpasswd_server options: 

    [realms]
EXAMPLE.COM = {
  kdc = https://kdc.example.com/KdcProxy
  admin_server = https://kdc.example.com/KdcProxy
  kpasswd_server = https://kdc.example.com/KdcProxy
  default_domain = example.com
}
    Copy to Clipboard Toggle word wrap

    For redundancy, you can add the parameters kdc, admin_server, and kpasswd_server multiple times to indicate different KKDCP servers.

  3. Restart the sssd service to make the changes take effect: 

    ~]# systemctl restart sssd
    Copy to Clipboard Toggle word wrap

On an Identity Management (IdM) server, the Kerberos Key Distribution Center Proxy (KKDCP) is automatically enabled each time the Apache web server starts if the attribute and value pair ipaConfigString=kdcProxyEnabled exists in the directory. In this situation, the symbolic link /etc/httpd/conf.d/ipa-kdc-proxy.conf is created.

You can verify if the KKDCP is enabled on the IdM server, even as an unprivileged user.

Procedure

  • Check that the symbolic link exists: 
$ ls -l /etc/httpd/conf.d/ipa-kdc-proxy.conf
lrwxrwxrwx. 1 root root 36 Jun 21  2020 /etc/httpd/conf.d/ipa-kdc-proxy.conf -> /etc/ipa/kdcproxy/ipa-kdc-proxy.conf
Copy to Clipboard Toggle word wrap

The output confirms that KKDCP is enabled.

55.3. Disabling KKDCP on an IdM server
Copy link

As an Identity Management (IdM) system administrator, you can disable the Kerberos Key Distribution Center Proxy (KKDCP) on an IdM server.

Prerequisites

  • You have root access to the IdM server.

Procedure

  1. Remove the ipaConfigString=kdcProxyEnabled attribute and value pair from the directory: 

    # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
Update complete
The ipa-ldap-updater command was successful
    Copy to Clipboard Toggle word wrap

  2. Restart the httpd service: 

    # systemctl restart httpd.service
    Copy to Clipboard Toggle word wrap

KKDCP is now disabled on the current IdM server.

Verification

  • Verify that the symbolic link does not exist: 

    $ ls -l /etc/httpd/conf.d/ipa-kdc-proxy.conf
ls: cannot access '/etc/httpd/conf.d/ipa-kdc-proxy.conf': No such file or directory
    Copy to Clipboard Toggle word wrap

55.4. Re-enabling KKDCP on an IdM server
Copy link

On an IdM server, the Kerberos Key Distribution Center Proxy (KKDCP) is enabled by default and available at https://server.idm.example.com/KdcProxy.

If KKDCP has been disabled on a server, you can re-enable it.

Prerequisites

  • You have root access to the IdM server.

Procedure

  1. Add the ipaConfigString=kdcProxyEnabled attribute and value pair to the directory: 

    # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
Update complete
The ipa-ldap-updater command was successful
    Copy to Clipboard Toggle word wrap

  2. Restart the httpd service: 

    # systemctl restart httpd.service
    Copy to Clipboard Toggle word wrap

KKDCP is now enabled on the current IdM server.

Verification

  • Verify that the symbolic link exists: 

    $ ls -l /etc/httpd/conf.d/ipa-kdc-proxy.conf
lrwxrwxrwx. 1 root root 36 Jun 21  2020 /etc/httpd/conf.d/ipa-kdc-proxy.conf -> /etc/ipa/kdcproxy/ipa-kdc-proxy.conf
    Copy to Clipboard Toggle word wrap

55.5. Configuring the KKDCP server I
Copy link

With the following configuration, you can enable TCP to be used as the transport protocol between the IdM KKDCP and the Active Directory (AD) realm, where multiple Kerberos servers are used.

Prerequisites

  • You have root access.

Procedure

  1. Set the use_dns parameter in the [global] section of the /etc/ipa/kdcproxy/kdcproxy.conf file to false. 

    [global]
use_dns = false
    Copy to Clipboard Toggle word wrap

  2. Put the proxied realm information into the /etc/ipa/kdcproxy/kdcproxy.conf file. For example, for the [AD.EXAMPLE.COM] realm with proxy list the realm configuration parameters as follows: 

    [AD.EXAMPLE.COM]
kerberos = kerberos+tcp://1.2.3.4:88 kerberos+tcp://5.6.7.8:88
kpasswd = kpasswd+tcp://1.2.3.4:464 kpasswd+tcp://5.6.7.8:464
    Copy to Clipboard Toggle word wrap
    Important

    The realm configuration parameters must list multiple servers separated by a space, as opposed to /etc/krb5.conf and kdc.conf, in which certain options may be specified multiple times.

  3. Restart Identity Management (IdM) services: 

    # ipactl restart
    Copy to Clipboard Toggle word wrap

55.6. Configuring the KKDCP server II
Copy link

The following server configuration relies on the DNS service records to find Active Directory (AD) servers to communicate with.

Prerequisites

  • You have root access.

Procedure

  1. In the /etc/ipa/kdcproxy/kdcproxy.conf file, the [global] section, set the use_dns parameter to true. 

    [global]
configs = mit
use_dns = true
    Copy to Clipboard Toggle word wrap

    The configs parameter allows you to load other configuration modules. In this case, the configuration is read from the MIT libkrb5 library.

  2. Optional: In case you do not want to use DNS service records, add explicit AD servers to the [realms] section of the /etc/krb5.conf file. If the realm with proxy is, for example, AD.EXAMPLE.COM, you add: 

    [realms]
AD.EXAMPLE.COM = {
    kdc = ad-server.ad.example.com
    kpasswd_server = ad-server.ad.example.com
}
    Copy to Clipboard Toggle word wrap

  3. Restart Identity Management (IdM) services: 

    # ipactl restart
    Copy to Clipboard Toggle word wrap

Learn more about granting sudo access to users in Identity Management.

56.1. Sudo access on an IdM client
Copy link

System administrators can grant sudo access to allow non-root users to execute administrative commands that are normally reserved for the root user. Consequently, when users need to perform an administrative command normally reserved for the root user, they precede that command with sudo. After entering their password, the command is executed as if they were the root user. To execute a sudo command as another user or group, such as a database service account, you can configure a RunAs alias for a sudo rule.

If a Red Hat Enterprise Linux (RHEL) 8 host is enrolled as an Identity Management (IdM) client, you can specify sudo rules defining which IdM users can perform which commands on the host in the following ways:

  • Locally in the /etc/sudoers file
  • Centrally in IdM

You can create a central sudo rule for an IdM client using the command line (CLI) and the IdM Web UI.

In RHEL 8.4 and later, you can also configure password-less authentication for sudo using the Generic Security Service Application Programming Interface (GSSAPI), the native way for UNIX-based operating systems to access and authenticate Kerberos services. You can use the pam_sss_gss.so Pluggable Authentication Module (PAM) to invoke GSSAPI authentication via the SSSD service, allowing users to authenticate to the sudo command with a valid Kerberos ticket.

In Identity Management (IdM), you can grant sudo access for a specific command to an IdM user account on a specific IdM host. First, add a sudo command and then create a sudo rule for one or more commands.

For example, complete this procedure to create the idm_user_reboot sudo rule to grant the idm_user account the permission to run the /usr/sbin/reboot command on the idmclient machine.

Prerequisites

  • You are logged in as IdM administrator.
  • You have created a user account for idm_user in IdM and unlocked the account by creating a password for the user. For details on adding a new IdM user using the CLI, see Adding users using the command line.
  • No local idm_user account is present on the idmclient host. The idm_user user is not listed in the local /etc/passwd file.

Procedure

  1. Retrieve a Kerberos ticket as the IdM admin. 

    [root@idmclient ~]# kinit admin
    Copy to Clipboard Toggle word wrap

  2. Add the /usr/sbin/reboot command to the IdM database of sudo commands: 

    [root@idmclient ~]# ipa sudocmd-add /usr/sbin/reboot
-------------------------------------
Added Sudo Command "/usr/sbin/reboot"
-------------------------------------
  Sudo Command: /usr/sbin/reboot
    Copy to Clipboard Toggle word wrap

  3. Create a sudo rule named idm_user_reboot: 

    [root@idmclient ~]# ipa sudorule-add idm_user_reboot
---------------------------------
Added Sudo Rule "idm_user_reboot"
---------------------------------
  Rule name: idm_user_reboot
  Enabled: TRUE
    Copy to Clipboard Toggle word wrap

  4. Add the /usr/sbin/reboot command to the idm_user_reboot rule: 

    [root@idmclient ~]# ipa sudorule-add-allow-command idm_user_reboot --sudocmds '/usr/sbin/reboot'
  Rule name: idm_user_reboot
  Enabled: TRUE
  Sudo Allow Commands: /usr/sbin/reboot
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap

  5. Apply the idm_user_reboot rule to the IdM idmclient host: 

    [root@idmclient ~]# ipa sudorule-add-host idm_user_reboot --hosts idmclient.idm.example.com
Rule name: idm_user_reboot
Enabled: TRUE
Hosts: idmclient.idm.example.com
Sudo Allow Commands: /usr/sbin/reboot
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap

  6. Add the idm_user account to the idm_user_reboot rule: 

    [root@idmclient ~]# ipa sudorule-add-user idm_user_reboot --users idm_user
Rule name: idm_user_reboot
Enabled: TRUE
Users: idm_user
Hosts: idmclient.idm.example.com
Sudo Allow Commands: /usr/sbin/reboot
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap

  7. Optional: Define the validity of the idm_user_reboot rule:

    1. To define the time at which a sudo rule starts to be valid, use the ipa sudorule-mod sudo_rule_name command with the --setattr sudonotbefore=DATE option. The DATE value must follow the yyyymmddHHMMSSZ format, with seconds specified explicitly. For example, to set the start of the validity of the idm_user_reboot rule to 31 December 2025 12:34:00, enter: 

      [root@idmclient ~]# ipa sudorule-mod idm_user_reboot --setattr sudonotbefore=20251231123400Z
      Copy to Clipboard Toggle word wrap

    2. To define the time at which a sudo rule stops being valid, use the --setattr sudonotafter=DATE option. For example, to set the end of the idm_user_reboot rule validity to 31 December 2026 12:34:00, enter: 

      [root@idmclient ~]# ipa sudorule-mod idm_user_reboot --setattr sudonotafter=20261231123400Z
      Copy to Clipboard Toggle word wrap
Note

Propagating the changes from the server to the client can take a few minutes.

Verification

  1. Log in to the idmclient host as the idm_user account.

  2. Display which sudo rules the idm_user account is allowed to perform. 

    [idm_user@idmclient ~]$ sudo -l
Matching Defaults entries for idm_user on idmclient:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY KRB5CCNAME",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User idm_user may run the following commands on idmclient:
    (root) /usr/sbin/reboot
    Copy to Clipboard Toggle word wrap

  3. Reboot the machine using sudo. Enter the password for idm_user when prompted: 

    [idm_user@idmclient ~]$ sudo /usr/sbin/reboot
[sudo] password for idm_user:
    Copy to Clipboard Toggle word wrap

Identity Management (IdM) system administrators can use IdM user groups to set access permissions, host-based access control, sudo rules, and other controls on IdM users. IdM user groups grant and restrict access to IdM domain resources.

You can add both Active Directory (AD) users and AD groups to IdM user groups. To do that:

  1. Add the AD users or groups to a non-POSIX external IdM group.
  2. Add the non-POSIX external IdM group to an IdM POSIX group.

You can then manage the privileges of the AD users by managing the privileges of the POSIX group. For example, you can grant sudo access for a specific command to an IdM POSIX user group on a specific IdM host.

It is also possible to add AD user groups as members to IdM external groups. This might make it easier to define policies for Windows users, by keeping the user and group management within the single AD realm.

Important

Do not use ID overrides of AD users for SUDO rules in IdM. ID overrides of AD users represent only POSIX attributes of AD users, not AD users themselves.

You can add ID overrides as group members. However, you can only use this functionality to manage IdM resources in the IdM API. The possibility to add ID overrides as group members is not extended to POSIX environments and you therefore cannot use it for membership in sudo or host-based access control (HBAC) rules.

Follow this procedure to create the ad_users_reboot sudo rule to grant the administrator@ad-domain.com AD user the permission to run the /usr/sbin/reboot command on the idmclient IdM host, which is normally reserved for the root user. administrator@ad-domain.com is a member of the ad_users_external non-POSIX group, which is, in turn, a member of the ad_users POSIX group.

Prerequisites

  • You have obtained the IdM admin Kerberos ticket-granting ticket (TGT).
  • A cross-forest trust exists between the IdM domain and the ad-domain.com AD domain.
  • No local administrator account is present on the idmclient host: the administrator user is not listed in the local /etc/passwd file.

Procedure

  1. Create the ad_users group that contains the ad_users_external group with the administrator@ad-domain member:

    1. Optional: Create or select a corresponding group in the AD domain to use to manage AD users in the IdM realm. You can use multiple AD groups and add them to different groups on the IdM side.

    2. Create the ad_users_external group and indicate that it contains members from outside the IdM domain by adding the --external option: 

      [root@ipaserver ~]# ipa group-add --desc='AD users external map' ad_users_external --external
-------------------------------
Added group "ad_users_external"
-------------------------------
  Group name: ad_users_external
  Description: AD users external map
      Copy to Clipboard Toggle word wrap
      Note

      Ensure that the external group that you specify here is an AD security group with a global or universal group scope as defined in the Active Directory security groups document. For example, the Domain users or Domain admins AD security groups cannot be used because their group scope is domain local.

    3. Create the ad_users group: 

      [root@ipaserver ~]# ipa group-add --desc='AD users' ad_users
----------------------
Added group "ad_users"
----------------------
  Group name: ad_users
  Description: AD users
  GID: 129600004
      Copy to Clipboard Toggle word wrap

    4. Add the administrator@ad-domain.com AD user to ad_users_external as an external member: 

      [root@ipaserver ~]# ipa group-add-member ad_users_external --external "administrator@ad-domain.com"
 [member user]:
 [member group]:
  Group name: ad_users_external
  Description: AD users external map
  External member: S-1-5-21-3655990580-1375374850-1633065477-513
-------------------------
Number of members added 1
-------------------------
      Copy to Clipboard Toggle word wrap

      The AD user must be identified by a fully-qualified name, such as DOMAIN\user_name or user_name@DOMAIN. The AD identity is then mapped to the AD SID for the user. The same applies to adding AD groups.

    5. Add ad_users_external to ad_users as a member: 

      [root@ipaserver ~]# ipa group-add-member ad_users --groups ad_users_external
  Group name: ad_users
  Description: AD users
  GID: 129600004
  Member groups: ad_users_external
-------------------------
Number of members added 1
-------------------------
      Copy to Clipboard Toggle word wrap

  2. Grant the members of ad_users the permission to run /usr/sbin/reboot on the idmclient host:

    1. Add the /usr/sbin/reboot command to the IdM database of sudo commands: 

      [root@idmclient ~]# ipa sudocmd-add /usr/sbin/reboot
-------------------------------------
Added Sudo Command "/usr/sbin/reboot"
-------------------------------------
  Sudo Command: /usr/sbin/reboot
      Copy to Clipboard Toggle word wrap

    2. Create a sudo rule named ad_users_reboot: 

      [root@idmclient ~]# ipa sudorule-add ad_users_reboot
---------------------------------
Added Sudo Rule "ad_users_reboot"
---------------------------------
  Rule name: ad_users_reboot
  Enabled: True
      Copy to Clipboard Toggle word wrap

    3. Add the /usr/sbin/reboot command to the ad_users_reboot rule: 

      [root@idmclient ~]# ipa sudorule-add-allow-command ad_users_reboot --sudocmds '/usr/sbin/reboot'
  Rule name: ad_users_reboot
  Enabled: True
  Sudo Allow Commands: /usr/sbin/reboot
-------------------------
Number of members added 1
-------------------------
      Copy to Clipboard Toggle word wrap

    4. Apply the ad_users_reboot rule to the IdM idmclient host: 

      [root@idmclient ~]# ipa sudorule-add-host ad_users_reboot --hosts idmclient.idm.example.com
Rule name: ad_users_reboot
Enabled: True
Hosts: idmclient.idm.example.com
Sudo Allow Commands: /usr/sbin/reboot
-------------------------
Number of members added 1
-------------------------
      Copy to Clipboard Toggle word wrap

    5. Add the ad_users group to the ad_users_reboot rule: 

      [root@idmclient ~]# ipa sudorule-add-user ad_users_reboot --groups ad_users
Rule name: ad_users_reboot
Enabled: TRUE
User Groups: ad_users
Hosts: idmclient.idm.example.com
Sudo Allow Commands: /usr/sbin/reboot
-------------------------
Number of members added 1
-------------------------
      Copy to Clipboard Toggle word wrap
Note

Propagating the changes from the server to the client can take a few minutes.

Verification

  1. Log in to the idmclient host as administrator@ad-domain.com, an indirect member of the ad_users group: 

    $ ssh administrator@ad-domain.com@ipaclient
Password:
    Copy to Clipboard Toggle word wrap

  2. Optional: Display the sudo commands that administrator@ad-domain.com is allowed to execute: 

    [administrator@ad-domain.com@idmclient ~]$ sudo -l
Matching Defaults entries for administrator@ad-domain.com on idmclient:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY KRB5CCNAME",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User administrator@ad-domain.com may run the following commands on idmclient:
    (root) /usr/sbin/reboot
    Copy to Clipboard Toggle word wrap

  3. Reboot the machine using sudo. Enter the password for administrator@ad-domain.com when prompted: 

    [administrator@ad-domain.com@idmclient ~]$ sudo /usr/sbin/reboot
[sudo] password for administrator@ad-domain.com:
    Copy to Clipboard Toggle word wrap

In Identity Management (IdM), you can grant sudo access for a specific command to an IdM user account on a specific IdM host. First, add a sudo command and then create a sudo rule for one or more commands.

Complete this procedure to create the idm_user_reboot sudo rule to grant the idm_user account the permission to run the /usr/sbin/reboot command on the idmclient machine.

Prerequisites

  • You are logged in as IdM administrator.
  • You have created a user account for idm_user in IdM and unlocked the account by creating a password for the user. For details on adding a new IdM user using the command line, see Adding users using the command line.
  • No local idm_user account is present on the idmclient host. The idm_user user is not listed in the local /etc/passwd file.

Procedure

  1. Add the /usr/sbin/reboot command to the IdM database of sudo commands:

    1. Navigate to Policy>Sudo>Sudo Commands.
    2. Click Add in the upper right corner to open the Add sudo command dialog box.
    3. Enter the command you want the user to be able to perform using sudo: /usr/sbin/reboot.
    4. Click Add.

  2. Use the new sudo command entry to create a sudo rule to allow idm_user to reboot the idmclient machine:

    1. Navigate to Policy>Sudo>Sudo rules.
    2. Click Add in the upper right corner to open the Add sudo rule dialog box.
    3. Enter the name of the sudo rule: idm_user_reboot.
    4. Click Add and Edit.

    5. Specify the user:

      1. In the Who section, check the Specified Users and Groups radio button.
      2. In the Users section, click Add to open the Add users into sudo rule "idm_user_reboot" dialog box.
      3. In the Available column, check the idm_user checkbox, and click the arrow to move it to the Prospective column.
      4. Click Add.

    6. Specify the host:

      1. In the Access this host section, check the Specified Hosts and Groups radio button.
      2. In the Hosts section, click Add to open the Add hosts into sudo rule "idm_user_reboot" dialog box.
      3. In Available column, check the idmclient.idm.example.com checkbox, and click the arrow to move it to the Prospective column.
      4. Click Add.

    7. Specify the commands:

      1. In the Run Commands section, check the Specified Commands and Groups radio button.
      2. In the Sudo Allow Commands section, click Add to open the Add allow sudo commands into sudo rule "idm_user_reboot" dialog box.
      3. In the Available column, check the /usr/sbin/reboot checkbox, and click the arrow to move it to the Prospective column.
      4. Click Add to return to the idm_sudo_reboot page.
    8. Click Save in the top left corner.

The new rule is enabled by default.

Note

Propagating the changes from the server to the client can take a few minutes.

Verification

  1. Log in to idmclient as idm_user.

  2. Reboot the machine using sudo. Enter the password for idm_user when prompted: 

    $ sudo /usr/sbin/reboot
[sudo] password for idm_user:
    Copy to Clipboard Toggle word wrap

If the sudo rule is configured correctly, the machine reboots.

In IdM, you can configure a sudo rule with a RunAs alias to run a sudo command as another user or group. For example, you might have an IdM client that hosts a database application, and you need to run commands as the local service account that corresponds to that application.

Use this example to create a sudo rule on the command line called run_third-party-app_report to allow the idm_user account to run the /opt/third-party-app/bin/report command as the thirdpartyapp service account on the idmclient host.

Prerequisites

  • You are logged in as IdM administrator.
  • You have created a user account for idm_user in IdM and unlocked the account by creating a password for the user. For details on adding a new IdM user using the CLI, see Adding users using the command line.
  • No local idm_user account is present on the idmclient host. The idm_user user is not listed in the local /etc/passwd file.
  • You have a custom application named third-party-app installed on the idmclient host.
  • The report command for the third-party-app application is installed in the /opt/third-party-app/bin/report directory.
  • You have created a local service account named thirdpartyapp to execute commands for the third-party-app application.

Procedure

  1. Retrieve a Kerberos ticket as the IdM admin. 

    [root@idmclient ~]# kinit admin
    Copy to Clipboard Toggle word wrap

  2. Add the /opt/third-party-app/bin/report command to the IdM database of sudo commands: 

    [root@idmclient ~]# ipa sudocmd-add /opt/third-party-app/bin/report
----------------------------------------------------
Added Sudo Command "/opt/third-party-app/bin/report"
----------------------------------------------------
  Sudo Command: /opt/third-party-app/bin/report
    Copy to Clipboard Toggle word wrap

  3. Create a sudo rule named run_third-party-app_report: 

    [root@idmclient ~]# ipa sudorule-add run_third-party-app_report
--------------------------------------------
Added Sudo Rule "run_third-party-app_report"
--------------------------------------------
  Rule name: run_third-party-app_report
  Enabled: TRUE
    Copy to Clipboard Toggle word wrap

  4. Use the --users=<user> option to specify the RunAs user for the sudorule-add-runasuser command: 

    [root@idmclient ~]# ipa sudorule-add-runasuser run_third-party-app_report --users=thirdpartyapp
  Rule name: run_third-party-app_report
  Enabled: TRUE
  RunAs External User: thirdpartyapp
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap

    The user (or group specified with the --groups=* option) can be external to IdM, such as a local service account or an Active Directory user. Do not add a % prefix for group names.

  5. Add the /opt/third-party-app/bin/report command to the run_third-party-app_report rule: 

    [root@idmclient ~]# ipa sudorule-add-allow-command run_third-party-app_report --sudocmds '/opt/third-party-app/bin/report'
Rule name: run_third-party-app_report
Enabled: TRUE
Sudo Allow Commands: /opt/third-party-app/bin/report
RunAs External User: thirdpartyapp
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap

  6. Apply the run_third-party-app_report rule to the IdM idmclient host: 

    [root@idmclient ~]# ipa sudorule-add-host run_third-party-app_report --hosts idmclient.idm.example.com
Rule name: run_third-party-app_report
Enabled: TRUE
Hosts: idmclient.idm.example.com
Sudo Allow Commands: /opt/third-party-app/bin/report
RunAs External User: thirdpartyapp
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap

  7. Add the idm_user account to the run_third-party-app_report rule: 

    [root@idmclient ~]# ipa sudorule-add-user run_third-party-app_report --users idm_user
Rule name: run_third-party-app_report
Enabled: TRUE
Users: idm_user
Hosts: idmclient.idm.example.com
Sudo Allow Commands: /opt/third-party-app/bin/report
RunAs External User: thirdpartyapp
-------------------------
Number of members added 1
    Copy to Clipboard Toggle word wrap
Note

Propagating the changes from the server to the client can take a few minutes.

Verification

  1. Log in to the idmclient host as the idm_user account.

  2. Test the new sudo rule:

    1. Display which sudo rules the idm_user account is allowed to perform. 

      [idm_user@idmclient ~]$ sudo -l
Matching Defaults entries for idm_user@idm.example.com on idmclient:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY KRB5CCNAME",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User idm_user@idm.example.com may run the following commands on idmclient:
    (thirdpartyapp) /opt/third-party-app/bin/report
      Copy to Clipboard Toggle word wrap

    2. Run the report command as the thirdpartyapp service account. 

      [idm_user@idmclient ~]$ sudo -u thirdpartyapp /opt/third-party-app/bin/report
[sudo] password for idm_user@idm.example.com:
Executing report...
Report successful.
      Copy to Clipboard Toggle word wrap

In IdM, you can configure a sudo rule with a RunAs alias to run a sudo command as another user or group. For example, you might have an IdM client that hosts a database application, and you need to run commands as the local service account that corresponds to that application.

Use this example to create a sudo rule in the IdM WebUI called run_third-party-app_report to allow the idm_user account to run the /opt/third-party-app/bin/report command as the thirdpartyapp service account on the idmclient host.

Prerequisites

  • You are logged in as IdM administrator.
  • You have created a user account for idm_user in IdM and unlocked the account by creating a password for the user. For details on adding a new IdM user using the CLI, see Adding users using the command line.
  • No local idm_user account is present on the idmclient host. The idm_user user is not listed in the local /etc/passwd file.
  • You have a custom application named third-party-app installed on the idmclient host.
  • The report command for the third-party-app application is installed in the /opt/third-party-app/bin/report directory.
  • You have created a local service account named thirdpartyapp to execute commands for the third-party-app application.

Procedure

  1. Add the /opt/third-party-app/bin/report command to the IdM database of sudo commands:

    1. Navigate to Policy>Sudo>Sudo Commands.
    2. Click Add in the upper right corner to open the Add sudo command dialog box.
    3. Enter the command: /opt/third-party-app/bin/report.
    4. Click Add.

  2. Use the new sudo command entry to create the new sudo rule:

    1. Navigate to PolicySudoSudo rules.
    2. Click Add in the upper right corner to open the Add sudo rule dialog box.
    3. Enter the name of the sudo rule: run_third-party-app_report.
    4. Click Add and Edit.

    5. Specify the user:

      1. In the Who section, check the Specified Users and Groups radio button.
      2. In the User section, click Add to open the Add users into sudo rule "run_third-party-app_report" dialog box.
      3. In the Available column, check the idm_user checkbox, and move it to the Prospective column.
      4. Click Add.

    6. Specify the host:

      1. In the Access this host section, check the Specified Hosts and Groups radio button.
      2. In the Hosts section, click Add to open the Add hosts into sudo rule "run_third-party-app_report" dialog box.
      3. In the Available column, check the idmclient.idm.example.com checkbox, and move it to the Prospective column.
      4. Click Add.

    7. Specify the commands:

      1. In the Run Commands section, check the Specified Commands and Groups radio button.
      2. In the Sudo Allow Commands section, click Add to open the Add allow sudo commands into sudo rule "run_third-party-app_report" dialog box.
      3. In the Available column, check the /opt/third-party-app/bin/report checkbox, and move it to the Prospective column.
      4. Click Add to return to the run_third-party-app_report page.

    8. Specify the RunAs user:

      1. In the As Whom section, check the Specified Users and Groups radio button.
      2. In the RunAs Users section, click Add to open the Add RunAs users into sudo rule "run_third-party-app_report" dialog box.
      3. Enter the thirdpartyapp service account in the External box and move it to the Prospective column.
      4. Click Add to return to the run_third-party-app_report page.
    9. Click Save in the top left corner.

The new rule is enabled by default.

Note

Propagating the changes from the server to the client can take a few minutes.

Verification

  1. Log in to the idmclient host as the idm_user account.

  2. Test the new sudo rule:

    1. Display which sudo rules the idm_user account is allowed to perform. 

      [idm_user@idmclient ~]$ sudo -l
Matching Defaults entries for idm_user@idm.example.com on idmclient:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY KRB5CCNAME",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User idm_user@idm.example.com may run the following commands on idmclient:
    (thirdpartyapp) /opt/third-party-app/bin/report
      Copy to Clipboard Toggle word wrap

    2. Run the report command as the thirdpartyapp service account. 

      [idm_user@idmclient ~]$ sudo -u thirdpartyapp /opt/third-party-app/bin/report
[sudo] password for idm_user@idm.example.com:
Executing report...
Report successful.
      Copy to Clipboard Toggle word wrap

Enable Generic Security Service Application Program Interface (GSSAPI) authentication on an IdM client for the sudo and sudo -i commands via the pam_sss_gss.so PAM module. With this configuration, IdM users can authenticate to the sudo command with their Kerberos ticket.

Prerequisites

  • You have created a sudo rule for an IdM user that applies to an IdM host. For this example, you have created the idm_user_reboot sudo rule to grant the idm_user account the permission to run the /usr/sbin/reboot command on the idmclient host.
  • The idmclient host is running RHEL 8.4 or later.
  • You need root privileges to modify the /etc/sssd/sssd.conf file and PAM files in the /etc/pam.d/ directory.

Procedure

  1. Open the /etc/sssd/sssd.conf configuration file.

  2. Add the following entry to the [domain/<domain_name>] section. 

    [domain/<domain_name>]
pam_gssapi_services = sudo, sudo-i
    Copy to Clipboard Toggle word wrap
  3. Save and close the /etc/sssd/sssd.conf file.

  4. Restart the SSSD service to load the configuration changes. 

    [root@idmclient ~]# systemctl restart sssd
    Copy to Clipboard Toggle word wrap

  5. On RHEL 8.8 or later:

    1. Optional: Determine if you have selected the sssd authselect profile: 

      # authselect current
Profile ID: sssd
      Copy to Clipboard Toggle word wrap

    2. If the sssd authselect profile is selected, enable GSSAPI authentication: 

      # authselect enable-feature with-gssapi
      Copy to Clipboard Toggle word wrap

    3. If the sssd authselect profile is not selected, select it and enable GSSAPI authentication: 

      # authselect select sssd with-gssapi
      Copy to Clipboard Toggle word wrap

  6. On RHEL 8.7 or earlier:

    1. Open the /etc/pam.d/sudo PAM configuration file.

    2. Add the following entry as the first line of the auth section in the /etc/pam.d/sudo file. 

      #%PAM-1.0
auth sufficient pam_sss_gss.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
      Copy to Clipboard Toggle word wrap
    3. Save and close the /etc/pam.d/sudo file.

Verification

  1. Log into the host as the idm_user account. 

    [root@idm-client ~]# ssh -l idm_user@idm.example.com localhost
idm_user@idm.example.com's password:
    Copy to Clipboard Toggle word wrap

  2. Verify that you have a ticket-granting ticket as the idm_user account. 

    [idmuser@idmclient ~]$ klist
Ticket cache: KCM:1366201107
Default principal: idm_user@IDM.EXAMPLE.COM

Valid starting       Expires              Service principal
01/08/2021 09:11:48  01/08/2021 19:11:48  krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
	renew until 01/15/2021 09:11:44
    Copy to Clipboard Toggle word wrap

  3. Optional: If you do not have Kerberos credentials for the idm_user account, delete your current Kerberos credentials and request the correct ones. 

    [idm_user@idmclient ~]$ kdestroy -A

[idm_user@idmclient ~]$ kinit idm_user@IDM.EXAMPLE.COM
Password for idm_user@idm.example.com:
    Copy to Clipboard Toggle word wrap

  4. Reboot the machine using sudo, without specifying a password. 

    [idm_user@idmclient ~]$ sudo /usr/sbin/reboot
    Copy to Clipboard Toggle word wrap

You can enable Generic Security Service Application Program Interface (GSSAPI) authentication on an Identity Management (IdM) client for PAM-enabled services such as sudo and sudo -i via the pam_sss_gss.so PAM module. Additionally, you can enable only users who have logged in with a smart card to authenticate to those services with their Kerberos ticket.

Note

You can use this procedure as a template to configure GSSAPI authentication with SSSD for other PAM-aware services, and further restrict access to only those users that have a specific authentication indicator attached to their Kerberos ticket.

However, using authentication indicators to restrict access has currently two limitations:

  • Only deployments based on MIT Kerberos support authentication indicators. These deployments include, for example, RHEL IdM, FreeIPA in Fedora, and Samba AD DC in Fedora.
  • Authentication indicators are removed from Kerberos tickets at the realm boundary.

Therefore, if you, for example, want to restrict sudo access by using pam_gssapi_indicators_map = sudo:pkinit, you can only apply this restriction to users stored in IdM LDAP. Tickets issued to users stored elsewhere, such as those stored in Active Directory, currently cannot satisfy the pam_gssapi_indicators_map = sudo:pkinit condition.

Prerequisites

  • You have created a sudo rule for an IdM user that applies to an IdM host. For this example, you have created the idm_user_reboot sudo rule to grant the idm_user account the permission to run the /usr/sbin/reboot command on the idmclient host.
  • You have configured smart card authentication for the idmclient host.
  • The idmclient host is running RHEL 8.4 or later.
  • You need root privileges to modify the /etc/sssd/sssd.conf file and PAM files in the /etc/pam.d/ directory.

Procedure

  1. Open the /etc/sssd/sssd.conf configuration file.

  2. Add the following entries to the [domain/<idm_domain_name>] section. 

    [domain/<idm_domain_name>]
pam_gssapi_services = sudo, sudo-i
pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
    Copy to Clipboard Toggle word wrap
  3. Save and close the /etc/sssd/sssd.conf file.

  4. Restart the SSSD service to load the configuration changes. 

    [root@idmclient ~]# systemctl restart sssd
    Copy to Clipboard Toggle word wrap

  5. On RHEL 8.8 or later:

    1. Determine if you have selected the sssd authselect profile: 

      # authselect current
Profile ID: sssd
      Copy to Clipboard Toggle word wrap

    2. Optional: Select the sssd authselect profile: 

      # authselect select sssd
      Copy to Clipboard Toggle word wrap

    3. Enable GSSAPI authentication: 

      # authselect enable-feature with-gssapi
      Copy to Clipboard Toggle word wrap

    4. Configure the system to authenticate only users with smart cards: 

      # authselect with-smartcard-required
      Copy to Clipboard Toggle word wrap

  6. On RHEL 8.7 or earlier:

    1. Open the /etc/pam.d/sudo PAM configuration file.

    2. Add the following entry as the first line of the auth section in the /etc/pam.d/sudo file. 

      #%PAM-1.0
auth sufficient pam_sss_gss.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
      Copy to Clipboard Toggle word wrap
    3. Save and close the /etc/pam.d/sudo file.
    4. Open the /etc/pam.d/sudo-i PAM configuration file.

    5. Add the following entry as the first line of the auth section in the /etc/pam.d/sudo-i file. 

      #%PAM-1.0
auth sufficient pam_sss_gss.so
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    include      sudo
      Copy to Clipboard Toggle word wrap
    6. Save and close the /etc/pam.d/sudo-i file.

Verification

  1. Log into the host as the idm_user account and authenticate with a smart card. 

    [root@idmclient ~]# ssh -l idm_user@idm.example.com localhost
PIN for smart_card
    Copy to Clipboard Toggle word wrap

  2. Verify that you have a ticket-granting ticket as the smart card user. 

    [idm_user@idmclient ~]$ klist
Ticket cache: KEYRING:persistent:1358900015:krb_cache_TObtNMd
Default principal: idm_user@IDM.EXAMPLE.COM

Valid starting       Expires              Service principal
02/15/2021 16:29:48  02/16/2021 02:29:48  krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
	renew until 02/22/2021 16:29:44
    Copy to Clipboard Toggle word wrap

  3. Display which sudo rules the idm_user account is allowed to perform. 

    [idm_user@idmclient ~]$ sudo -l
Matching Defaults entries for idmuser on idmclient:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY KRB5CCNAME",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User idm_user may run the following commands on idmclient:
    (root) /usr/sbin/reboot
    Copy to Clipboard Toggle word wrap

  4. Reboot the machine using sudo, without specifying a password. 

    [idm_user@idmclient ~]$ sudo /usr/sbin/reboot
    Copy to Clipboard Toggle word wrap

You can use the following options for the /etc/sssd/sssd.conf configuration file to adjust the GSSAPI configuration within the SSSD service.

pam_gssapi_services
GSSAPI authentication with SSSD is disabled by default. You can use this option to specify a comma-separated list of PAM services that are allowed to try GSSAPI authentication using the pam_sss_gss.so PAM module. To explicitly disable GSSAPI authentication, set this option to -.
pam_gssapi_indicators_map

This option only applies to Identity Management (IdM) domains. Use this option to list Kerberos authentication indicators that are required to grant PAM access to a service. Pairs must be in the format <PAM_service>:_<required_authentication_indicator>_.

Valid authentication indicators are:

  • otp for two-factor authentication
  • radius for RADIUS authentication
  • pkinit for PKINIT, smart card, or certificate authentication
  • hardened for hardened passwords
pam_gssapi_check_upn
This option is enabled and set to true by default. If this option is enabled, the SSSD service requires that the user name matches the Kerberos credentials. If false, the pam_sss_gss.so PAM module authenticates every user that is able to obtain the required service ticket.

Examples

The following options enable Kerberos authentication for the sudo and sudo-i services, requires that sudo users authenticated with a one-time password, and user names must match the Kerberos principal. Because these settings are in the [pam] section, they apply to all domains: 

[pam]
pam_gssapi_services = sudo, sudo-i
pam_gssapi_indicators_map = sudo:otp
pam_gssapi_check_upn = true
Copy to Clipboard Toggle word wrap

You can also set these options in individual [domain] sections to overwrite any global values in the [pam] section. The following options apply different GSSAPI settings to each domain:

For the idm.example.com domain
  • Enable GSSAPI authentication for the sudo and sudo -i services.
  • Require certificate or smart card authentication authenticators for the sudo command.
  • Require one-time password authentication authenticators for the sudo -i command.
  • Enforce matching user names and Kerberos principals.
For the ad.example.com domain
  • Enable GSSAPI authentication only for the sudo service.
  • Do not enforce matching user names and principals. 
[domain/idm.example.com]
pam_gssapi_services = sudo, sudo-i
pam_gssapi_indicators_map = sudo:pkinit, sudo-i:otp
pam_gssapi_check_upn = true
...

[domain/ad.example.com]
pam_gssapi_services = sudo
pam_gssapi_check_upn = false
...
Copy to Clipboard Toggle word wrap

If you are unable to authenticate to the sudo service with a Kerberos ticket from IdM, use the following scenarios to troubleshoot your configuration.

Prerequisites

Procedure

  • If you see the following error, the Kerberos service might not able to resolve the correct realm for the service ticket based on the host name: 

    Server not found in Kerberos database
    Copy to Clipboard Toggle word wrap

    In this situation, add the hostname directly to [domain_realm] section in the /etc/krb5.conf Kerberos configuration file: 

    [idm-user@idm-client ~]$ cat /etc/krb5.conf
...

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 server.example.com = EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

  • If you see the following error, you do not have any Kerberos credentials: 

    No Kerberos credentials available
    Copy to Clipboard Toggle word wrap

    In this situation, retrieve Kerberos credentials with the kinit utility or authenticate with SSSD: 

    [idm-user@idm-client ~]$ kinit idm-user@IDM.EXAMPLE.COM
Password for idm-user@idm.example.com:
    Copy to Clipboard Toggle word wrap

  • If you see either of the following errors in the /var/log/sssd/sssd_pam.log log file, the Kerberos credentials do not match the username of the user currently logged in: 

    User with UPN [<UPN>] was not found.

UPN [<UPN>] does not match target user [<username>].
    Copy to Clipboard Toggle word wrap

    In this situation, verify that you authenticated with SSSD, or consider disabling the pam_gssapi_check_upn option in the /etc/sssd/sssd.conf file: 

    [idm-user@idm-client ~]$ cat /etc/sssd/sssd.conf
...

pam_gssapi_check_upn = false
    Copy to Clipboard Toggle word wrap

  • For additional troubleshooting, you can enable debugging output for the pam_sss_gss.so PAM module.

    • Add the debug option at the end of all pam_sss_gss.so entries in PAM files, such as /etc/pam.d/sudo and /etc/pam.d/sudo-i: 

      [root@idm-client ~]# cat /etc/pam.d/sudo
#%PAM-1.0
auth       sufficient   pam_sss_gss.so   debug
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
      Copy to Clipboard Toggle word wrap 
      [root@idm-client ~]# cat /etc/pam.d/sudo-i
#%PAM-1.0
auth       sufficient   pam_sss_gss.so   debug
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    include      sudo
      Copy to Clipboard Toggle word wrap

    • Try to authenticate with the pam_sss_gss.so module and review the console output. In this example, the user did not have any Kerberos credentials. 

      [idm-user@idm-client ~]$ sudo ls -l /etc/sssd/sssd.conf
pam_sss_gss: Initializing GSSAPI authentication with SSSD
pam_sss_gss: Switching euid from 0 to 1366201107
pam_sss_gss: Trying to establish security context
pam_sss_gss: SSSD User name: idm-user@idm.example.com
pam_sss_gss: User domain: idm.example.com
pam_sss_gss: User principal:
pam_sss_gss: Target name: host@idm.example.com
pam_sss_gss: Using ccache: KCM:
pam_sss_gss: Acquiring credentials, principal name will be derived
pam_sss_gss: Unable to read credentials from [KCM:] [maj:0xd0000, min:0x96c73ac3]
pam_sss_gss: GSSAPI: Unspecified GSS failure.  Minor code may provide more information
pam_sss_gss: GSSAPI: No credentials cache found
pam_sss_gss: Switching euid from 1366200907 to 0
pam_sss_gss: System error [5]: Input/output error
      Copy to Clipboard Toggle word wrap

In Identity Management (IdM), you can ensure sudo access to a specific command is granted to an IdM user account on a specific IdM host.

Complete this procedure to ensure a sudo rule named idm_user_reboot exists. The rule grants idm_user the permission to run the /usr/sbin/reboot command on the idmclient machine.

Prerequisites

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaservers in it: 

    [ipaservers]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Add one or more sudo commands:

    1. Create an ensure-reboot-sudocmd-is-present.yml Ansible playbook that ensures the presence of the /usr/sbin/reboot command in the IdM database of sudo commands. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/sudocmd/ensure-sudocmd-is-present.yml file: 

      ---
- name: Playbook to manage sudo command
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  # Ensure sudo command is present
  - ipasudocmd:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: /usr/sbin/reboot
      state: present
      Copy to Clipboard Toggle word wrap

    2. Run the playbook: 

      $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-reboot-sudocmd-is-present.yml
      Copy to Clipboard Toggle word wrap

  3. Create a sudo rule that references the commands:

    1. Create an ensure-sudorule-for-idmuser-on-idmclient-is-present.yml Ansible playbook that uses the sudo command entry to ensure the presence of a sudo rule. The sudo rule allows idm_user to reboot the idmclient machine. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/sudorule/ensure-sudorule-is-present.yml file: 

      ---
- name: Tests
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  # Ensure a sudorule is present granting idm_user the permission to run /usr/sbin/reboot on idmclient
  - ipasudorule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: idm_user_reboot
      description: A test sudo rule.
      allow_sudocmd: /usr/sbin/reboot
      host: idmclient.idm.example.com
      user: idm_user
      state: present
      Copy to Clipboard Toggle word wrap

    2. Run the playbook: 

      $ ansible-playbook -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-sudorule-for-idmuser-on-idmclient-is-present.yml
      Copy to Clipboard Toggle word wrap

Verification

Test that the sudo rule whose presence you have ensured on the IdM server works on idmclient by verifying that idm_user can reboot idmclient using sudo. Note that it can take a few minutes for the changes made on the server to take effect on the client.

  1. Log in to idmclient as idm_user.

  2. Reboot the machine using sudo. Enter the password for idm_user when prompted: 

    $ sudo /usr/sbin/reboot
[sudo] password for idm_user:
    Copy to Clipboard Toggle word wrap

If sudo is configured correctly, the machine reboots.

You can use host-based access control (HBAC) rules to manage access control in your Identity Management (IdM) domain. HBAC rules define which users or user groups can access specified hosts or host groups by using which services or services in a service group. For example, you can use HBAC rules to achieve the following goals:

  • Limit access to a specified system in your domain to members of a specific user group.
  • Allow only a specific service to be used to access the systems in your domain.

By default, IdM is configured with a default HBAC rule named allow_all, which allows universal access to every host for every user via every relevant service in the entire IdM domain.

You can fine-tune access to different hosts by replacing the default allow_all rule with your own set of HBAC rules. For centralized and simplified access control management, you can apply HBAC rules to user groups, host groups, or service groups instead of individual users, hosts, or services.

To configure your domain for host-based access control, complete the following steps:

  1. Create HBAC rules in the IdM WebUI.
  2. Test the new HBAC rules.
  3. Disable the default allow_all HBAC rule].
Note

Do not disable the allow_all rule before creating your custom HBAC rules as if you do so, no users will be able to access any hosts.

57.1.1. Creating HBAC rules in the IdM WebUI
Copy link

To configure your domain for host-based access control using the IdM WebUI, follow the steps below. For the purposes of this example, the procedure shows you how to grant a single user, sysadmin access to all systems in the domain using any service.

Note

IdM stores the primary group of a user as a numerical value of the gidNumber attribute instead of a link to an IdM group object. For this reason, an HBAC rule can only reference a user’s supplementary groups and not its primary group.

Prerequisites

  • User sysadmin exists in IdM.

Procedure

  1. Select Policy>Host-Based Access Control>HBAC Rules.
  2. Click Add to start adding a new rule.
  3. Enter a name for the rule, and click Add and Edit to open the HBAC rule configuration page.
  4. In the Who area, select Specified Users and Groups. Then click Add to add the users or groups.
  5. Select the sysadmin user from the list of the Available users and click > to move to the list of Prospective users and click Add.
  6. In the Accessing area, select Any Host to apply the HBAC rule to all hosts.

  7. In the Via Service area, select Any Service to apply the HBAC rule to all services.

    Note

    Only the most common services and service groups are configured for HBAC rules by default.

    • To display the list of services that are currently available, select Policy>Host-Based Access Control>HBAC Services.
    • To display the list of service groups that are currently available, select Policy>Host-Based Access Control>HBAC Service Groups.

    To add more services and service groups, see Adding HBAC Service Entries for Custom HBAC Services and Adding HBAC Service Groups.

  8. To save any changes you make on the HBAC rule configuration page, click Save at the top of the page.

57.1.2. Testing HBAC rules in the IdM WebUI
Copy link

IdM allows you to test your HBAC configuration in various situations using simulated scenarios. Performing these simulated tests, you can discover misconfiguration problems or security risks before deploying HBAC rules in production.

Important

Always test custom HBAC rules before you start using them in production.

Note that IdM does not test the effect of HBAC rules on trusted Active Directory (AD) users. Because the IdM LDAP directory does not store the AD data, IdM cannot resolve group membership of AD users when simulating HBAC scenarios.

Procedure

  1. Select Policy>Host-Based Access Control>HBAC Test.
  2. On the Who window, specify the user under whose identity you want to perform the test, and click Next.
  3. On the Accessing window, specify the host that the user will attempt to access, and click Next.
  4. On the Via Service window, specify the service that the user will attempt to use, and click Next.

  5. On the Rules window, select the HBAC rules you want to test, and click Next. If you do not select any rule, all rules are tested.

    Select Include Enabled to run the test on all rules whose status is Enabled. Select Include Disabled to run the test on all rules whose status is Disabled. To view and change the status of HBAC rules, select Policy>Host-Based Access Control>HBAC Rules.

    Important

    If the test runs on multiple rules, it passes successfully if at least one of the selected rules allows access.

  6. On the Run Test window, click Run Test.

  7. Review the test results:

    • If you see ACCESS DENIED, the user is not granted access in the test.
    • If you see ACCESS GRANTED, the user is able to access the host successfully.

    By default, IdM lists all the tested HBAC rules when displaying the test results.

    • Select Matched to display the rules that allowed successful access.
    • Select Unmatched to display the rules that prevented access.

57.1.3. Disabling HBAC rules in the IdM WebUI
Copy link

You can disable an HBAC rule but it only deactivates the rule and does not delete it. If you disable an HBAC rule, you can re-enable it later.

Note

Disabling HBAC rules is useful when you are configuring custom HBAC rules for the first time. To ensure that your new configuration is not overridden by the default allow_all HBAC rule, you must disable allow_all.

Procedure

  1. Select Policy>Host-Based Access Control>HBAC Rules.
  2. Select the HBAC rule you want to disable.
  3. Click Disable.
  4. Click OK to confirm you want to disable the selected HBAC rule.

To configure your domain for host-based access control, complete the following steps:

  1. Create HBAC rules in the IdM CLI.
  2. Test the new HBAC rules.
  3. Disable the default allow_all HBAC rule.
Note

Do not disable the allow_all rule before creating your custom HBAC rules. If you disable it before creating your custom rules, access to all hosts for all users will be denied.

57.2.1. Creating HBAC rules in the IdM CLI
Copy link

To configure your domain for host-based access control using the IdM CLI, follow the steps below. For the purposes of this example, the procedure shows you how to grant a single user, sysadmin, access to all systems in the domain using any service.

Note

IdM stores the primary group of a user as a numerical value of the gidNumber attribute instead of a link to an IdM group object. For this reason, an HBAC rule can only reference a user’s supplementary groups and not its primary group.

Prerequisites

  • User sysadmin exists in IdM.

Procedure

  1. Use the ipa hbacrule-add command to add the rule. 

    $ ipa hbacrule-add
Rule name: rule_name
---------------------------
Added HBAC rule "rule_name"
---------------------------
  Rule name: rule_name
  Enabled: TRUE
    Copy to Clipboard Toggle word wrap

  2. To apply the HBAC rule to the sysadmin user only, use the ipa hbacrule-add-user command. 

    $ ipa hbacrule-add-user --users=sysadmin
Rule name: rule_name
  Rule name: rule_name
  Enabled: True
  Users: sysadmin
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap
    Note

    To apply a HBAC rule to all users, use the ipa hbacrule-mod command and specify the all user category --usercat=all. Note that if the HBAC rule is associated with individual users or groups, ipa hbacrule-mod --usercat=all fails. In this situation, remove the users and groups using the ipa hbacrule-remove-user command.

  3. Specify the target hosts. To apply the HBAC rule to all hosts, use the ipa hbacrule-mod command and specify the all host category: 

    $ ipa hbacrule-mod rule_name --hostcat=all
------------------------------
Modified HBAC rule "rule_name"
------------------------------
  Rule name: rule_name
  Host category: all
  Enabled: TRUE
  Users: sysadmin
    Copy to Clipboard Toggle word wrap
    Note

    If the HBAC rule is associated with individual hosts or groups, ipa hbacrule-mod --hostcat=all fails. In this situation, remove the hosts and groups using the ipa hbacrule-remove-host command.

  4. Specify the target HBAC services. To apply the HBAC rule to all services, use the ipa hbacrule-mod command and specify the all service category: 

    $ ipa hbacrule-mod rule_name --servicecat=all
------------------------------
Modified HBAC rule "rule_name"
------------------------------
  Rule name: rule_name
  Host category: all
  Service category: all
  Enabled: True
  Users: sysadmin
    Copy to Clipboard Toggle word wrap
Note

If the HBAC rule is associated with individual services or groups, ipa hbacrule-mod --servicecat=all fails. In this situation, remove the services and groups using the ipa hbacrule-remove-service command.

Verification

  • Verify that the HBAC rule has been added correctly.

    1. Use the ipa hbacrule-find command to verify that the HBAC rule exists in IdM.
    2. Use the ipa hbacrule-show command to verify the properties of the HBAC rule.

57.2.2. Testing HBAC rules in the IdM CLI
Copy link

IdM allows you to test your HBAC configuration in various situations using simulated scenarios. Performing these simulated tests, you can discover misconfiguration problems or security risks before deploying HBAC rules in production.

Important

Always test custom HBAC rules before you start using them in production.

Note that IdM does not test the effect of HBAC rules on trusted Active Directory (AD) users. Because the IdM LDAP directory does not store the AD data, IdM cannot resolve group membership of AD users when simulating HBAC scenarios.

Procedure

  • Use the ipa hbactest command to test your HBAC rule. You have the option to test a single HBAC rule or multiple HBAC rules.

    • To test a single HBAC rule: 

      $ ipa hbactest --user=sysadmin --host=server.idm.example.com --service=sudo --rules=rule_name
---------------------
Access granted: True
---------------------
  Matched rules: rule_name
      Copy to Clipboard Toggle word wrap

    • To test multiple HBAC rules:

      1. Add a second rule only allowing the sysadmin to use ssh on all hosts: 

        $ ipa hbacrule-add --hostcat=all rule2_name
$ ipa hbacrule-add-user --users sysadmin rule2_name
$ ipa hbacrule-add-service --hbacsvcs=sshd rule2_name
  Rule name: rule2_name
  Host category: all
  Enabled: True
  Users: admin
  HBAC Services: sshd
-------------------------
Number of members added 1
-------------------------
        Copy to Clipboard Toggle word wrap

      2. Test multiple HBAC rules by running the following command: 

        $ ipa hbactest --user=sysadmin --host=server.idm.example.com --service=sudo --rules=rule_name --rules=rule2_name
--------------------
Access granted: True
--------------------
  Matched rules: rule_name
  Not matched rules: rule2_name
        Copy to Clipboard Toggle word wrap

        In the output, Matched rules list the rules that allowed successful access while Not matched rules list the rules that prevented access. Note that if you do not specify the --rules option, all rules are applied. Using --rules is useful to independently test each rule.

57.2.3. Disabling HBAC rules in the IdM CLI
Copy link

You can disable an HBAC rule but it only deactivates the rule and does not delete it. If you disable an HBAC rule, you can re-enable it later.

Note

Disabling HBAC rules is useful when you are configuring custom HBAC rules for the first time. To ensure that your new configuration is not overridden by the default allow_all HBAC rule, you must disable allow_all.

Procedure

  • Use the ipa hbacrule-disable command. For example, to disable the allow_all rule: 

    $ ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------
    Copy to Clipboard Toggle word wrap

The most common services and service groups are configured for HBAC rules by default, but you can also configure any other pluggable authentication module (PAM) service as an HBAC service. This allows you to define custom PAM services in an HBAC rule. These PAM services files are in the etc/pam.d directory on RHEL systems.

Note

Adding a service as an HBAC service is not the same as adding a service to the domain. Adding a service to the domain makes it available to other resources in the domain, but it does not allow you to use the service in HBAC rules.

To add a custom HBAC service entry, follow the steps described below.

Procedure

  1. Select Policy>Host-Based Access Control>HBAC Services.
  2. Click Add to add an HBAC service entry.
  3. Enter a name for the service, and click Add.

To add a custom HBAC service entry, follow the steps described below.

Procedure

  • Use the ipa hbacsvc-add command. For example, to add an entry for the tftp service: 

    $ ipa hbacsvc-add tftp
-------------------------
Added HBAC service "tftp"
-------------------------
  Service name: tftp
    Copy to Clipboard Toggle word wrap

57.4. Adding HBAC service groups
Copy link

HBAC service groups can simplify HBAC rules management. For example, instead of adding individual services to an HBAC rule, you can add a whole service group.

To add an HBAC service group in the IdM WebUI, follow the steps outlined below.

Procedure

  1. Select Policy>Host-Based Access Control>HBAC Service Groups.
  2. Click Add to add an HBAC service group.
  3. Enter a name for the service group, and click Edit.
  4. On the service group configuration page, click Add to add an HBAC service as a member of the group.

57.4.2. Adding HBAC service groups in the IdM CLI
Copy link

To add an HBAC service group in the IdM CLI, follow the steps outlined below.

Procedure

  1. Use the ipa hbacsvcgroup-add command in your terminal to add an HBAC service group. For example, to add a group named login: 

    $ ipa hbacsvcgroup-add
Service group name: login
--------------------------------
Added HBAC service group "login"
--------------------------------
  Service group name: login
    Copy to Clipboard Toggle word wrap

  2. Use the ipa hbacsvcgroup-add-member command to add an HBAC service as a member of the group. For example, to add the sshd service to the login group: 

    $ ipa hbacsvcgroup-add-member
Service group name: login
[member HBAC service]: sshd
  Service group name: login
  Member HBAC service: sshd
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap

Ansible is an automation tool used to configure systems, deploy software, and perform rolling updates. It includes support for Identity Management (IdM).

Learn more about Identity Management (IdM) host-based access policies and how to define them using Ansible.

58.1. Host-based access control rules in IdM
Copy link

Host-based access control (HBAC) rules define which users or user groups can access which hosts or host groups by using which services or services in a service group. As a system administrator, you can use HBAC rules to achieve the following goals:

  • Limit access to a specified system in your domain to members of a specific user group.
  • Allow only a specific service to be used to access systems in your domain.

By default, IdM is configured with a default HBAC rule named allow_all, which means universal access to every host for every user via every relevant service in the entire IdM domain.

You can fine-tune access to different hosts by replacing the default allow_all rule with your own set of HBAC rules. For centralized and simplified access control management, you can apply HBAC rules to user groups, host groups, or service groups instead of individual users, hosts, or services.

Follow this procedure to ensure the presence of a host-based access control (HBAC) rule in Identity Management (IdM) using an Ansible playbook.

Prerequisites

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com
    Copy to Clipboard Toggle word wrap

  2. Create your Ansible playbook file that defines the HBAC policy whose presence you want to ensure. To simplify this step, you can copy and modify the example in the /usr/share/doc/ansible-freeipa/playbooks/hbacrule/ensure-hbacrule-allhosts-present.yml file: 

    ---
- name: Playbook to handle hbacrules
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  # Ensure idm_user can access client.idm.example.com via the sshd service
  - ipahbacrule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: login
      user: idm_user
      host: client.idm.example.com
      hbacsvc:
      - sshd
      state: present
    Copy to Clipboard Toggle word wrap

  3. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i path_to_inventory_directory/inventory.file path_to_playbooks_directory/ensure-new-hbacrule-present.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. Log in to the IdM Web UI as administrator.
  2. Navigate to PolicyHost-Based-Access-ControlHBAC Test.
  3. In the Who tab, select idm_user.
  4. In the Accessing tab, select client.idm.example.com.
  5. In the Via service tab, select sshd.
  6. In the Rules tab, select login.
  7. In the Run test tab, click the Run test button. If you see ACCESS GRANTED, the HBAC rule is implemented successfully.

Chapter 59. Managing replication topology
Copy link

You can manage replication between servers in an Identity Management (IdM) domain. When you create a replica, Identity Management (IdM) creates a replication agreement between the initial server and the replica. The data that is replicated is then stored in topology suffixes and when two replicas have a replication agreement between their suffixes, the suffixes form a topology segment.

59.1. Replication agreements between IdM replicas
Copy link

When an administrator creates a replica based on an existing server, Identity Management (IdM) creates a replication agreement between the initial server and the replica. The replication agreement ensures that the data and configuration is continuously replicated between the two servers.

IdM uses multiple read/write replica replication. In this configuration, all replicas joined in a replication agreement receive and provide updates, and are therefore considered suppliers and consumers. Replication agreements are always bilateral.

Figure 59.1. Server and replica agreements

An image of two servers with two sets of replication agreements between them: a data replication agreement that pertains to their Directory Server database and a certificate replication agreement that pertains to their Certificate System data
View larger image
An image of two servers with two sets of replication agreements between them: a data replication agreement that pertains to their Directory Server database and a certificate replication agreement that pertains to their Certificate System data

IdM uses two types of replication agreements:

  • Domain replication agreements replicate the identity information.
  • Certificate replication agreements replicate the certificate information.

Both replication channels are independent. Two servers can have one or both types of replication agreements configured between them. For example, when server A and server B have only domain replication agreement configured, only identity information is replicated between them, not the certificate information.

59.2. Topology suffixes
Copy link

Topology suffixes store the data that is replicated. IdM supports two types of topology suffixes: domain and ca. Each suffix represents a separate server, a separate replication topology.

When a replication agreement is configured, it joins two topology suffixes of the same type on two different servers.

The domain suffix: dc=example,dc=com

The domain suffix contains all domain-related data.

When two replicas have a replication agreement between their domain suffixes, they share directory data, such as users, groups, and policies.

The ca suffix: o=ipaca

The ca suffix contains data for the Certificate System component. It is only present on servers with a certificate authority (CA) installed.

When two replicas have a replication agreement between their ca suffixes, they share certificate data.

Figure 59.2. Topology suffixes

topology suffix
View larger image
topology suffix

An initial topology replication agreement is set up between two servers by the ipa-replica-install script when installing a new replica.

59.3. Topology segments
Copy link

When two replicas have a replication agreement between their suffixes, the suffixes form a topology segment. Each topology segment consists of a left node and a right node. The nodes represent the servers joined in the replication agreement.

Topology segments in IdM are always bidirectional. Each segment represents two replication agreements: from server A to server B, and from server B to server A. The data is therefore replicated in both directions.

Figure 59.3. Topology segments

topology segment
View larger image
topology segment

Using the Web UI, you can view, manipulate, and transform the representation of the replication topology. The topology graph in the web UI shows the relationships between the servers in the domain. You can move individual topology nodes by holding and dragging the mouse.

Interpreting the topology graph

Servers joined in a domain replication agreement are connected by an orange arrow. Servers joined in a CA replication agreement are connected by a blue arrow.

Topology graph example: recommended topology

The recommended topology example below shows one of the possible recommended topologies for four servers: each server is connected to at least two other servers, and more than one server is a CA server.

Figure 59.4. Recommended topology example

mng top rec
View larger image
mng top rec
Topology graph example: discouraged topology

In the discouraged topology example below, server1 is a single point of failure. All the other servers have replication agreements with this server, but not with any of the other servers. Therefore, if server1 fails, all the other servers will become isolated.

Avoid creating topologies like this.

Figure 59.5. Discouraged topology example: Single Point of Failure

mng top single
View larger image
mng top single

Prerequisites

  • You are logged in as an IdM administrator.

Procedure

  1. Select IPA ServerTopologyTopology Graph.

  2. Make changes to the topology:

    • You can move the topology graph nodes using the left mouse button:

      customize graph 1
      View larger image
      customize graph 1

    • You can zoom in and zoom out the topology graph using the mouse wheel:

      customize graph 2
      View larger image
      customize graph 2

    • You can move the canvas of the topology graph by holding the left mouse button:

      customize graph 3
      View larger image
      customize graph 3
  3. If you make any changes to the topology that are not immediately reflected in the graph, click Refresh.

59.5. Viewing topology suffixes using the CLI
Copy link

In a replication agreement, topology suffixes store the data that is replicated. You can view topology suffixes using the CLI.

Procedure

  • Enter the ipa topologysuffix-find command to display a list of topology suffixes: 

    $ ipa topologysuffix-find
---------------------------
2 topology suffixes matched
---------------------------
  Suffix name: ca
  Managed LDAP suffix DN: o=ipaca

  Suffix name: domain
  Managed LDAP suffix DN: dc=example,dc=com
----------------------------
Number of entries returned 2
----------------------------
    Copy to Clipboard Toggle word wrap

59.6. Viewing topology segments using the CLI
Copy link

In a replication agreement, when two replicas have a replication agreement between their suffixes, the suffixes form a topology segments. You can view topology segments using the CLI.

Procedure

  1. Enter the ipa topologysegment-find command to show the current topology segments configured for the domain or CA suffixes. For example, for the domain suffix: 

    $ ipa topologysegment-find
Suffix name: domain
-----------------
1 segment matched
-----------------
  Segment name: server1.example.com-to-server2.example.com
  Left node: server1.example.com
  Right node: server2.example.com
  Connectivity: both
----------------------------
Number of entries returned 1
----------------------------
    Copy to Clipboard Toggle word wrap

    In this example, domain-related data is only replicated between two servers: server1.example.com and server2.example.com.

  2. Optional: To display details for a particular segment only, enter the ipa topologysegment-show command: 

    $ ipa topologysegment-show
Suffix name: domain
Segment name: server1.example.com-to-server2.example.com
  Segment name: server1.example.com-to-server2.example.com
  Left node: server1.example.com
  Right node: server2.example.com
  Connectivity: both
    Copy to Clipboard Toggle word wrap

Using the Identity Management (IdM) Web UI, you can choose two servers and create a new replication agreement between them.

Prerequisites

  • You are logged in as an IdM administrator.

Procedure

  1. In the topology graph, hover your mouse over one of the server nodes.

    Figure 59.6. Domain or CA options

    mng top domain ca
    View larger image
    mng top domain ca
  2. Click on the domain or the ca part of the circle depending on what type of topology segment you want to create.

  3. A new arrow representing the new replication agreement appears under your mouse pointer. Move your mouse to the other server node, and click on it.

    Figure 59.7. Creating a new segment

    mng top drag
    View larger image
    mng top drag
  4. In the Add topology segment window, click Add to confirm the properties of the new segment.

The new topology segment between the two servers joins them in a replication agreement. The topology graph now shows the updated replication topology:

Figure 59.8. New segment created

mng top three
View larger image
mng top three

Using the Identity Management (IdM) Web UI, you can remove a replication agreement from servers.

Prerequisites

  • You are logged in as an IdM administrator.

Procedure

  1. Click on an arrow representing the replication agreement you want to remove. This highlights the arrow.

    Figure 59.9. Topology segment highlighted

    mng top highlight
    View larger image
    mng top highlight
  2. Click Delete.

  3. In the Confirmation window, click OK.

    IdM removes the topology segment between the two servers, which deletes their replication agreement. The topology graph now shows the updated replication topology:

    Figure 59.10. Topology segment deleted

    mng top delete segment
    View larger image
    mng top delete segment

You can configure replication agreements between two servers using the ipa topologysegment-add command.

Prerequisites

  • You have the IdM administrator credentials.

Procedure

  • Create a topology segment for the two servers. When prompted, provide:

    • The required topology suffix: domain or ca
    • The left node and the right node, representing the two servers

    • Optional: A custom name for the segment

      For example: 

      $ ipa topologysegment-add
Suffix name: domain
Left node: server1.example.com
Right node: server2.example.com
Segment name [server1.example.com-to-server2.example.com]: new_segment
---------------------------
Added segment "new_segment"
---------------------------
  Segment name: new_segment
  Left node: server1.example.com
  Right node: server2.example.com
  Connectivity: both
      Copy to Clipboard Toggle word wrap

      Adding the new segment joins the servers in a replication agreement.

Verification

  • Verify that the new segment is configured: 

    $ ipa topologysegment-show
Suffix name: domain
Segment name: new_segment
  Segment name: new_segment
  Left node: server1.example.com
  Right node: server2.example.com
  Connectivity: both
    Copy to Clipboard Toggle word wrap

You can terminate replication agreements from command line using the ipa topology segment-del command.

Prerequisites

  • You have the IdM administrator credentials.

Procedure

  1. Optional: If you do not know the name of the specific replication segment that you want to remove, display all segments available. Use the ipa topologysegment-find command. When prompted, provide the required topology suffix: domain or ca. For example: 

    $ ipa topologysegment-find
Suffix name: domain
------------------
8 segments matched
------------------
  Segment name: new_segment
  Left node: server1.example.com
  Right node: server2.example.com
  Connectivity: both

...

----------------------------
Number of entries returned 8
----------------------------
    Copy to Clipboard Toggle word wrap

    Locate the required segment in the output.

  2. Remove the topology segment joining the two servers: 

    $ ipa topologysegment-del
Suffix name: domain
Segment name: new_segment
-----------------------------
Deleted segment "new_segment"
-----------------------------
    Copy to Clipboard Toggle word wrap

    Deleting the segment removes the replication agreement.

Verification

  • Verify that the segment is no longer listed: 

    $ ipa topologysegment-find
Suffix name: domain
------------------
7 segments matched
------------------
  Segment name: server2.example.com-to-server3.example.com
  Left node: server2.example.com
  Right node: server3.example.com
  Connectivity: both

...

----------------------------
Number of entries returned 7
----------------------------
    Copy to Clipboard Toggle word wrap

You can use Identity Management (IdM) web interface to remove a server from the topology. This action does not uninstall the server components from the host.

Prerequisites

  • You are logged in as an IdM administrator.
  • The server you want to remove is not the only server connecting other servers with the rest of the topology; this would cause the other servers to become isolated, which is not allowed.
  • The server you want to remove is not your last CA or DNS server.
Warning

Removing a server is an irreversible action. If you remove a server, the only way to introduce it back into the topology is to install a new replica on the machine.

Procedure

  1. Select IPA ServerTopologyIPA Servers.

  2. Click on the name of the server you want to delete.

    Figure 59.11. Selecting a server

    mng top delete
    View larger image
    mng top delete
  3. Click Delete Server.

Additional resources

59.12. Removing server from topology using the CLI
Copy link

You can use the command line to remove an Identity Management (IdM) server from the topology.

Prerequisites

  • You have the IdM administrator credentials.
  • The server you want to remove is not the only server connecting other servers with the rest of the topology; this would cause the other servers to become isolated, which is not allowed.
  • The server you want to remove is not your last CA or DNS server.
Important

Removing a server is an irreversible action. If you remove a server, the only way to introduce it back into the topology is to install a new replica on the machine.

Procedure

To remove server1.example.com:

  1. On another server, run the ipa server-del command to remove server1.example.com. The command removes all topology segments pointing to the server: 

    [user@server2 ~]$ ipa server-del
Server name: server1.example.com
Removing server1.example.com from replication topology, please wait...
----------------------------------------------------------
Deleted IPA server "server1.example.com"
----------------------------------------------------------
    Copy to Clipboard Toggle word wrap

  2. Optional: On server1.example.com, run the ipa server-install --uninstall command to uninstall the server components from the machine. 

    [root@server1 ~]# ipa server-install --uninstall
    Copy to Clipboard Toggle word wrap

59.13. Removing obsolete RUV records
Copy link

If you remove a server from the IdM topology without properly removing its replication agreements, obsolete replica update vector (RUV) records will remain on one or more remaining servers in the topology. This can happen, for example, due to automation. These servers will then expect to receive updates from the now removed server. In this case, you need to clean the obsolete RUV records from the remaining servers.

Prerequisites

  • You have the IdM administrator credentials.
  • You know which replicas are corrupted or have been improperly removed.

Procedure

  1. List the details about RUVs using the ipa-replica-manage list-ruv command. The command displays the replica IDs: 

    $ ipa-replica-manage list-ruv

server1.example.com:389: 6
server2.example.com:389: 5
server3.example.com:389: 4
server4.example.com:389: 12
    Copy to Clipboard Toggle word wrap
    Important

    The ipa-replica-manage list-ruv command lists ALL replicas in the topology, not only the malfunctioning or improperly removed ones.

  2. Remove obsolete RUVs associated with a specified replica using the ipa-replica-manage clean-ruv command. Repeat the command for every replica ID with obsolete RUVs. For example, if you know server1.example.com and server2.example.com are the malfunctioning or improperly removed replicas: 

    ipa-replica-manage clean-ruv 6
ipa-replica-manage clean-ruv 5
    Copy to Clipboard Toggle word wrap
Warning

Proceed with extreme caution when using ipa-replica-manage clean-ruv. Running the command against a valid replica ID will corrupt all the data associated with that replica in the replication database.

If this happens, re-initialize the replica from another replica using $ ipa-replica-manage re-initialize --from server1.example.com.

Verification

  1. Run ipa-replica-manage list-ruv again. If the command no longer displays any corrupt RUVs, the records have been successfully cleaned.

  2. If the command still displays corrupt RUVs, clear them manually using this task: 

    dn: cn=clean replica_ID, cn=cleanallruv, cn=tasks, cn=config
objectclass: extensibleObject
replica-base-dn: dc=example,dc=com
replica-id: replica_ID
replica-force-cleaning: no
cn: clean replica_ID
    Copy to Clipboard Toggle word wrap

Based on the services installed on an IdM server, it can perform various server roles. For example:

  • CA server
  • DNS server
  • Key recovery authority (KRA) server.

Procedure

  • For a complete list of the supported server roles, see IPA ServerTopologyServer Roles.

    Note
    • Role status absent means that no server in the topology is performing the role.
    • Role status enabled means that one or more servers in the topology are performing the role.

    Figure 59.12. Server roles in the web UI

    server role absent
    View larger image
    server role absent

Based on the services installed on an IdM server, it can perform various server roles. For example:

  • CA server
  • DNS server
  • Key recovery authority (KRA) server.

Procedure

  • To display all CA servers in the topology and the current CA renewal server: 

    $ ipa config-show
  ...
  IPA masters: server1.example.com, server2.example.com, server3.example.com
  IPA CA servers: server1.example.com, server2.example.com
  IPA CA renewal master: server1.example.com
    Copy to Clipboard Toggle word wrap

  • Alternatively, to display a list of roles enabled on a particular server, for example server.example.com: 

    $ ipa server-show
Server name: server.example.com
  ...
  Enabled server roles: CA server, DNS server, KRA server
    Copy to Clipboard Toggle word wrap

  • Alternatively, use the ipa server-find --servrole command to search for all servers with a particular server role enabled. For example, to search for all CA servers: 

    $ ipa server-find --servrole "CA server"
---------------------
2 IPA servers matched
---------------------
  Server name: server1.example.com
  ...

  Server name: server2.example.com
  ...
----------------------------
Number of entries returned 2
----------------------------
    Copy to Clipboard Toggle word wrap

If your IdM deployment uses an embedded certificate authority (CA), one of the IdM CA servers acts as the CA renewal server, a server that manages the renewal of CA subsystem certificates. One of the IdM CA servers also acts as the IdM CRL publisher server, a server that generates certificate revocation lists.

By default, the CA renewal server and CRL publisher server roles are installed on the first server on which the system administrator installed the CA role using the ipa-server-install or ipa-ca-install command. You can, however, transfer either of the two roles to any other IdM server on which the CA role is enabled.

Prerequisites

  • You have the IdM administrator credentials.

Procedure

59.17. Demoting or promoting hidden replicas
Copy link

After a replica has been installed, you can configure whether the replica is hidden or visible.

For details about hidden replicas, see The hidden replica mode.

Prerequisites

  • Ensure that the replica is not the DNSSEC key master. If it is, move the service to another replica before making this replica hidden.
  • Ensure that the replica is not a CA renewal server. If it is, move the service to another replica before making this replica hidden. For details, see Changing and resetting IdM CA renewal server.

Procedure

  • To hide a replica: 

    # ipa server-state replica.idm.example.com --state=hidden
    Copy to Clipboard Toggle word wrap

  • To make a replica visible again: 

    # ipa server-state replica.idm.example.com --state=enabled
    Copy to Clipboard Toggle word wrap

  • To view a list of all the hidden replicas in your topology: 

    # ipa config-show
    Copy to Clipboard Toggle word wrap

    If all of your replicas are enabled, the command output does not mention hidden replicas.

X.509 public key certificates are used to authenticate users, hosts and services in Identity Management (IdM). In addition to authentication, X.509 certificates also enable digital signing and encryption to provide privacy, integrity and non-repudiation.

A certificate contains the following information:

  • The subject that the certificate authenticates.
  • The issuer, that is the CA that has signed the certificate.
  • The start and end date of the validity of the certificate.
  • The valid uses of the certificate.
  • The public key of the subject.

A message encrypted by the public key can only be decrypted by a corresponding private key. While a certificate and the public key it includes can be made publicly available, the user, host or service must keep their private key secret.

60.1. Certificate authorities in IdM
Copy link

Certificate authorities operate in a hierarchy of trust. In an IdM environment with an internal Certificate Authority (CA), all the IdM hosts, users and services trust certificates that have been signed by the CA. Apart from this root CA, IdM supports sub-CAs to which the root CA has granted the ability to sign certificates in their turn. Frequently, the certificates that such sub-CAs are able to sign are certificates of a specific kind, for example VPN certificates. Finally, IdM supports using external CAs. The table below presents the specifics of using the individual types of CA in IdM.

Expand
Table 60.1. Comparison of using integrated and external CAs in IdM
Name of CADescriptionUseUseful links

The ipa CA

An integrated CA based on the Dogtag upstream project

Integrated CAs can create, revoke, and issue certificates for users, hosts, and services.

Using the ipa CA to request a new user certificate and exporting it to the client

IdM sub-CAs

An integrated CA that is subordinate to the ipa CA

IdM sub-CAs are CAs to which the ipa CA has granted the ability to sign certificates. Frequently, these certificates are of a specific kind, for example VPN certificates.

Restricting an application to trust only a subset of certificates

External CAs

An external CA is a CA other than the integrated IdM CA or its sub-CAs.

Using IdM tools, you add certificates issued by these CAs to users, services, or hosts as well as remove them.

Managing externally signed certificates for IdM users, hosts, and services

From the certificate point of view, there is no difference between being signed by a self-signed IdM CA and being signed externally.

The role of the CA includes the following purposes:

  • It issues digital certificates.
  • By signing a certificate, it certifies that the subject named in the certificate owns a public key. The subject can be a user, host or service.
  • It can revoke certificates, and provides revocation status via Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP).

60.2. Comparison of certificates and Kerberos
Copy link

Certificates perform a similar function to that performed by Kerberos tickets. Kerberos is a computer network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. The following table shows a comparison of Kerberos and X.509 certificates:

Expand
Table 60.2. Comparison of certificates and Kerberos

Characteristic

Kerberos

X.509

Authentication

Yes

Yes

Privacy

Optional

Yes

Integrity

Optional

Yes

Type of cryptography involved

Symmetrical

Asymmetrical

Default validity

Short (1 day)

Long(2 years)

By default, Kerberos in Identity Management only ensures the identity of the communicating parties.

The advantages of using certificates to authenticate users in IdM include the following points:

  • A PIN that protects the private key on a smart card is typically less complex and easier to remember than a regular password.
  • Depending on the device, a private key stored on a smart card cannot be exported. This provides additional security.
  • Smart cards can make logout automatic: IdM can be configured to log out users when they remove the smart card from the reader.
  • Stealing the private key requires actual physical access to a smart card, making smart cards secure against hacking attacks.
  • Smart card authentication is an example of two-factor authentication: it requires both something you have (the card) and something you know (the PIN).
  • Smart cards are more flexible than passwords because they provide the keys that can be used for other purposes, such as encrypting email.
  • Using smart cards use on shared machines that are IdM clients does not typically pose additional configuration problems for system administrators. In fact, smart card authentication is an ideal choice for shared machines.

The disadvantages of using certificates to authenticate users in IdM include the following points:

  • Users might lose or forget to bring their smart card or certificate and be effectively locked out.
  • Mistyping a PIN multiple times might result in a card becoming locked.
  • There is generally an intermediate step between request and authorization by some sort of security officer or approver. In IdM, the security officer or administrator must run the ipa cert-request command.
  • Smart cards and readers tend to be vendor and driver specific: although a lot of readers can be used for different cards, a smart card of a specific vendor might not work in the reader of another vendor or in the type of a reader for which it was not designed.
  • Certificates and smart cards have a steep learning curve for administrators.

This user story describes how to make sure that you as an IdM system administrator are using the correct format of a certificate with specific IdM commands. This is useful, for example, in the following situations:

61.1. Certificate formats and encodings in IdM
Copy link

Certificate authentication including smart card authentication in IdM proceeds by comparing the certificate that the user presents with the certificate, or certificate data, that are stored in the user’s IdM profile.

System configuration

What is stored in the IdM profile is only the certificate, not the corresponding private key. During authentication, the user must also show that he is in possession of the corresponding private key. The user does that by either presenting a PKCS #12 file that contains both the certificate and the private key or by presenting two files: one that contains the certificate and the other containing the private key.

Therefore, processes such as loading a certificate into a user profile only accept certificate files that do not contain the private key.

Similarly, when a system administrator provides you with an external CA certificate, he will provide only the public data: the certificate without the private key. The ipa-advise utility for configuring the IdM server or the IdM client for smart card authentication expects the input file to contain the certificate of the external CA but not the private key.

Certificate encodings

There are two common certificate encodings: Privacy-enhanced Electronic Mail (PEM) and Distinguished Encoding Rules (DER). The base64 format is almost identical to the PEM format but it does not contain the -----BEGIN CERTIFICATE-----/-----END CERTIFICATE----- header and footer.

A certificate that has been encoded using DER is a binary X509 digital certificate file. As a binary file, the certificate is not human-readable. DER files sometimes use the .der filename extension, but files with the .crt and .cer filename extensions also sometimes contain DER certificates. DER files containing keys can be named .key.

A certificate that has been encoded using PEM Base64 is a human-readable file. The file contains ASCII (Base64) armored data prefixed with a “-----BEGIN …” line. PEM files sometimes use the .pem filename extension, but files with the .crt and .cer filename extensions also sometimes contain PEM certificates. PEM files containing keys can be named .key.

Different ipa commands have different limitations regarding the types of certificates that they accept. For example, the ipa user-add-cert command only accepts certificates encoded in the base64 format but ipa-server-certinstall accepts PEM, DER, PKCS #7, PKCS #8 and PKCS #12 certificates.

Expand
Table 61.1. Certificate encodings
Encoding formatHuman-readableCommon filename extensionsSample IdM commands accepting the encoding format

PEM/base64

Yes

.pem, .crt, .cer

ipa user-add-cert, ipa-server-certinstall, …​

DER

No

.der, .crt, .cer

ipa-server-certinstall, …​

Certificate-related commands and formats in IdM lists further ipa commands with the certificate formats that the commands accept.

User authentication

When using the web UI to access IdM, the user proves that he is in possession of the private key corresponding to the certificate by having both stored in the browser’s database.

When using the CLI to access IdM, the user proves that he is in possession of the private key corresponding to the certificate by one of the following methods:

  • The user adds, as the value of the X509_user_identity parameter of the kinit -X command, the path to the smart card module that is connected to the smart card that contains both the certificate and the key: 

    $ kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so' idm_user
    Copy to Clipboard Toggle word wrap

  • The user adds two files as the values of the X509_user_identity parameter of the kinit -X command, one containing the certificate and the other the private key: 

    $ kinit -X X509_user_identity='FILE:`/path/to/cert.pem,/path/to/cert.key`' idm_user
    Copy to Clipboard Toggle word wrap

Useful certificate commands

To view the certificate data, such as the subject and the issuer: 

$ openssl x509 -noout -text -in ca.pem
Copy to Clipboard Toggle word wrap

To compare in which lines two certificates differ: 

$ diff cert1.crt cert2.crt
Copy to Clipboard Toggle word wrap

To compare in which lines two certificates differ with the output displayed in two columns: 

$ diff cert1.crt cert2.crt -y
Copy to Clipboard Toggle word wrap

This section describes how to make sure that an external certificate is correctly encoded and formatted before adding it to a user entry.

61.2.1. Prerequisites
Copy link

  • If your certificate was issued by an Active Directory certificate authority and uses the PEM encoding, make sure that the PEM file has been converted into the UNIX format. To convert a file, use the dos2unix utility provided by the eponymous package.

The IdM CLI only accepts a PEM certificate from which the first and last lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) have been removed.

Follow this procedure to convert an external certificate to PEM format and add it to an IdM user account using the IdM CLI.

Procedure

  1. Convert the certificate to the PEM format:

    • If your certificate is in the DER format: 

      $ openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
      Copy to Clipboard Toggle word wrap

    • If your file is in the PKCS #12 format, whose common filename extensions are .pfx and .p12, and contains a certificate, a private key, and possibly other data, extract the certificate using the openssl pkcs12 utility. When prompted, enter the password protecting the private key stored in the file: 

      $ openssl pkcs12 -in cert_and_key.p12 -clcerts -nokeys -out cert.pem
Enter Import Password:
      Copy to Clipboard Toggle word wrap

  2. Obtain the administrator’s credentials: 

    $ kinit admin
    Copy to Clipboard Toggle word wrap

  3. Add the certificate to the user account using the IdM CLI following one of the following methods:

    • Remove the first and last lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) of the PEM file using the sed utility before adding the string to the ipa user-add-cert command: 

      $ ipa user-add-cert some_user --certificate="$(sed -e '/BEGIN CERTIFICATE/d;/END CERTIFICATE/d' cert.pem)"
      Copy to Clipboard Toggle word wrap

    • Copy and paste the contents of the certificate file without the first and last lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) into the ipa user-add-cert command: 

      $ ipa user-add-cert some_user --certificate=MIIDlzCCAn+gAwIBAgIBATANBgkqhki...
      Copy to Clipboard Toggle word wrap
      Note

      You cannot pass a PEM file containing the certificate as input to the ipa user-add-cert command directly, without first removing the first and last lines (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----): 

      $ ipa user-add-cert some_user --cert=some_user_cert.pem
      Copy to Clipboard Toggle word wrap

      This command results in the "ipa: ERROR: Base64 decoding failed: Incorrect padding" error message.

  4. To check if the certificate was accepted by the system: 

    [idm_user@r8server]$ ipa user-show some_user
    Copy to Clipboard Toggle word wrap

Follow this procedure to convert an external certificate to PEM format and add it to an IdM user account in the IdM web UI.

Procedure

  1. Using the CLI, convert the certificate to the PEM format:

    • If your certificate is in the DER format: 

      $ openssl x509 -in cert.crt -inform der -outform pem -out cert.pem
      Copy to Clipboard Toggle word wrap

    • If your file is in the PKCS #12 format, whose common filename extensions are .pfx and .p12, and contains a certificate, a private key, and possibly other data, extract the certificate using the openssl pkcs12 utility. When prompted, enter the password protecting the private key stored in the file: 

      $ openssl pkcs12 -in cert_and_key.p12 -clcerts -nokeys -out cert.pem
Enter Import Password:
      Copy to Clipboard Toggle word wrap
  2. Open the certificate in an editor and copy the contents. You can include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" header and footer lines but you do not have to, as both the PEM and base64 formats are accepted by the IdM web UI.
  3. In the IdM web UI, log in as security officer.
  4. Go to IdentityUserssome_user.
  5. Click Add next to Certificates.
  6. Paste the PEM-formatted contents of the certificate into the window that opens.
  7. Click Add.

If the certificate was accepted by the system, you can see it listed among the Certificates in the user profile.

Before importing a user certificate into the browser, make sure that the certificate and the corresponding private key are in a PKCS #12 format. There are two common situations requiring extra preparatory work:

Afterwards, to import both the CA certificate in the PEM format and the user certificate in the PKCS #12 format into the browser, follow the procedures in Configuring a browser to enable certificate authentication and Authenticating to the Identity Management Web UI with a Certificate as an Identity Management User.

Procedure

  1. Use the pk12util command to export the certificate from the NSS database to the PKCS12 format. For example, to export the certificate with the some_user nickname from the NSS database stored in the ~/certdb directory into the ~/some_user.p12 file: 

    $ pk12util -d ~/certdb -o ~/some_user.p12 -n some_user
Enter Password or Pin for "NSS Certificate DB":
Enter password for PKCS12 file:
Re-enter password:
pk12util: PKCS12 EXPORT SUCCESSFUL
    Copy to Clipboard Toggle word wrap

  2. Set appropriate permissions for the .p12 file: 

    # chmod 600 ~/some_user.p12
    Copy to Clipboard Toggle word wrap

    Because the PKCS #12 file also contains the private key, it must be protected to prevent other users from using the file. Otherwise, they would be able to impersonate the user.

Follow this procedure to combine a certificate and the corresponding key stored in separate PEM files into a PKCS #12 file.

Procedure

  • To combine a certificate stored in certfile.cer and a key stored in certfile.key into a certfile.p12 file that contains both the certificate and the key: 

    $ openssl pkcs12 -export -in certfile.cer -inkey certfile.key -out certfile.p12
    Copy to Clipboard Toggle word wrap

The following table displays certificate-related commands in IdM with acceptable formats.

Expand
Table 61.2. IdM certificate commands and formats
CommandAcceptable formatsNotes

ipa user-add-cert some_user --certificate

base64 PEM certificate

 

ipa-server-certinstall

PEM and DER certificate; PKCS#7 certificate chain; PKCS#8 and raw private key; PKCS#12 certificate and private key

 

ipa-cacert-manage install

DER; PEM; PKCS#7

 

ipa-cacert-manage renew --external-cert-file

PEM and DER certificate; PKCS#7 certificate chain

 

ipa-ca-install --external-cert-file

PEM and DER certificate; PKCS#7 certificate chain

 

ipa cert-show <cert serial> --certificate-out /path/to/file.pem

N/A

Creates the PEM-encoded file.pem file with the certificate having the <cert_serial> serial number.

ipa cert-show <cert serial> --certificate-out /path/to/file.pem

N/A

Creates the PEM-encoded file.pem file with the certificate having the <cert_serial> serial number. If the --chain option is used, the PEM file contains the certificate including the certificate chain.

ipa cert-request --certificate-out=FILE /path/to/req.csr

N/A

Creates the req.csr file in the PEM format with the new certificate.

ipa cert-request --certificate-out=FILE /path/to/req.csr

N/A

Creates the req.csr file in the PEM format with the new certificate. If the --chain option is used, the PEM file contains the certificate including the certificate chain.

This chapter covers managing certificates in Identity Management (IdM) using the integrated CA, the ipa CA, and its sub-CAs.

Follow this procedure to use the Identity Management (IdM) Web UI to request a new certificate for any IdM entity from the integrated IdM certificate authorities (CAs): the ipa CA or any of its sub-CAs.

IdM entities include:

  • Users
  • Hosts
  • Services
Important

Services typically run on dedicated service nodes on which the private keys are stored. Copying a service’s private key to the IdM server is considered insecure. Therefore, when requesting a certificate for a service, create the certificate signing request (CSR) on the service node.

Prerequisites

  • Your IdM deployment contains an integrated CA.
  • You are logged into the IdM Web UI as the IdM administrator.

Procedure

  1. Under the Identity tab, select the Users, Hosts, or Services subtab.

  2. Click the name of the user, host, or service to open its configuration page.

    Figure 62.1. List of Hosts

    A screenshot of the
    View larger image
    A screenshot of the
  3. Click ActionsNew Certificate.
  4. Optional: Select the issuing CA and profile ID.
  5. Follow the instructions for using the certutil command-line (CLI) utility on the screen.
  6. Click Issue.

You can use the certutil utility to request a certificate for an Identity Management (IdM) user, host or service in standard IdM situations. To ensure that a host or service Kerberos alias can use a certificate, use the openssl utility to request a certificate instead.

Follow this procedure to request a certificate for an IdM user, host, or service from ipa, the IdM certificate authority (CA), using certutil.

Important

Services typically run on dedicated service nodes on which the private keys are stored. Copying a service’s private key to the IdM server is considered insecure. Therefore, when requesting a certificate for a service, create the certificate signing request (CSR) on the service node.

Prerequisites

  • Your IdM deployment contains an integrated CA.
  • You are logged into the IdM command-line interface (CLI) as the IdM administrator.

Procedure

  1. Create a temporary directory for the certificate database: 

    # mkdir ~/certdb/
    Copy to Clipboard Toggle word wrap

  2. Create a new temporary certificate database, for example: 

    # certutil -N -d ~/certdb/
    Copy to Clipboard Toggle word wrap

  3. Create the CSR and redirect the output to a file. For example, to create a CSR for a 4096 bit certificate and to set the subject to CN=server.example.com,O=EXAMPLE.COM: 

    # certutil -R -d ~/certdb/ -a -g 4096 -s "CN=server.example.com,O=EXAMPLE.COM" -8 server.example.com > certificate_request.csr
    Copy to Clipboard Toggle word wrap

  4. Submit the certificate request file to the CA running on the IdM server. Specify the Kerberos principal to associate with the newly-issued certificate: 

    # ipa cert-request certificate_request.csr --principal=host/server.example.com
    Copy to Clipboard Toggle word wrap

    The ipa cert-request command in IdM uses the following defaults:

    • The caIPAserviceCert certificate profile

      To select a custom profile, use the --profile-id option.

    • The integrated IdM root CA, ipa

      To select a sub-CA, use the --ca option.

You can use the openssl utility to request a certificate for an Identity Management (IdM) host or service if you want to ensure that the Kerberos alias of the host or service can use the certificate. In standard situations, consider requesting a new certificate using the certutil utility instead.

Follow this procedure to request a certificate for an IdM host, or service from ipa, the IdM certificate authority, using openssl.

Important

Services typically run on dedicated service nodes on which the private keys are stored. Copying a service’s private key to the IdM server is considered insecure. Therefore, when requesting a certificate for a service, create the certificate signing request (CSR) on the service node.

Prerequisites

  • Your IdM deployment contains an integrated CA.
  • You are logged into the IdM command-line interface (CLI) as the IdM administrator.

Procedure

  1. Create one or more aliases for your Kerberos principal test/server.example.com. For example, test1/server.example.com and test2/server.example.com.

  2. In the CSR, add a subjectAltName for dnsName (server.example.com) and otherName (test2/server.example.com). To do this, configure the openssl.conf file to include the following line specifying the UPN otherName and subjectAltName: 

    otherName=1.3.6.1.4.1.311.20.2.3;UTF8:test2/server.example.com@EXAMPLE.COM
DNS.1 = server.example.com
    Copy to Clipboard Toggle word wrap

  3. Create a certificate request using openssl: 

    openssl req -new -newkey rsa:2048 -keyout test2service.key -sha256 -nodes -out certificate_request.csr -config openssl.conf
    Copy to Clipboard Toggle word wrap

  4. Submit the certificate request file to the CA running on the IdM server. Specify the Kerberos principal to associate with the newly-issued certificate: 

    # ipa cert-request certificate_request.csr --principal=host/server.example.com
    Copy to Clipboard Toggle word wrap

    The ipa cert-request command in IdM uses the following defaults:

    • The caIPAserviceCert certificate profile

      To select a custom profile, use the --profile-id option.

    • The integrated IdM root CA, ipa

      To select a sub-CA, use the --ca option.

You can use the ansible-freeipa ipacert module to request, revoke, and retrieve SSL certificates for Identity Management (IdM) users, hosts and services. You can also restore a certificate that has been put on hold.

You can use the ansible-freeipa ipacert module to request SSL certificates for Identity Management (IdM) users, hosts and services. They can then use these certificates to authenticate to IdM.

Complete this procedure to request a certificate for an HTTP server from an IdM certificate authority (CA) using an Ansible playbook.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • You have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server in the ~/MyPlaybooks/ directory.
    • You have stored your ipaadmin_password in the secret.yml Ansible vault.
  • Your IdM deployment has an integrated CA.

Procedure

  1. Generate a certificate-signing request (CSR) for your user, host or service. For example, to use the openssl utility to generate a CSR for the HTTP service running on client.idm.example.com, enter: 

    # openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout new.key -out new.csr -subj '/CN=client.idm.example.com,O=IDM.EXAMPLE.COM'
    Copy to Clipboard Toggle word wrap

    As a result, the CSR is stored in new.csr.

  2. Create your Ansible playbook file request-certificate.yml with the following content: 

    ---
- name: Playbook to request a certificate
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml

  tasks:
  - name: Request a certificate for a web server
    ipacert:
      ipaadmin_password: "{{ ipaadmin_password }}"
      state: requested
      csr: |
        -----BEGIN CERTIFICATE REQUEST-----
        MIGYMEwCAQAwGTEXMBUGA1UEAwwOZnJlZWlwYSBydWxlcyEwKjAFBgMrZXADIQBs
        HlqIr4b/XNK+K8QLJKIzfvuNK0buBhLz3LAzY7QDEqAAMAUGAytlcANBAF4oSCbA
        5aIPukCidnZJdr491G4LBE+URecYXsPknwYb+V+ONnf5ycZHyaFv+jkUBFGFeDgU
        SYaXm/gF8cDYjQI=
        -----END CERTIFICATE REQUEST-----
      principal: HTTP/client.idm.example.com
    register: cert
    Copy to Clipboard Toggle word wrap

    Replace the certificate request with the CSR from new.csr.

  3. Request the certificate: 

    $ ansible-playbook --vault-password-file=password_file -v -i <path_to_inventory_directory>/hosts <path_to_playbooks_directory>/request-certificate.yml
    Copy to Clipboard Toggle word wrap

You can use the ansible-freeipa ipacert module to revoke SSL certificates used by Identity Management (IdM) users, hosts and services to authenticate to IdM.

Complete this procedure to revoke a certificate for an HTTP server using an Ansible playbook. The reason for revoking the certificate is “keyCompromise”.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • You have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server in the ~/MyPlaybooks/ directory.
    • You have stored your ipaadmin_password in the secret.yml Ansible vault.
    • You have obtained the serial number of the certificate, for example by entering the openssl x509 -noout -text -in <path_to_certificate> command. In this example, the serial number of the certificate is 123456789.
  • Your IdM deployment has an integrated CA.

Procedure

  1. Create your Ansible playbook file revoke-certificate.yml with the following content: 

    ---
- name: Playbook to revoke a certificate
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml

  tasks:
  - name: Revoke a certificate for a web server
    ipacert:
      ipaadmin_password: "{{ ipaadmin_password }}"
      serial_number: 123456789
      revocation_reason: "keyCompromise"
      state: revoked
    Copy to Clipboard Toggle word wrap

  2. Revoke the certificate: 

    $ ansible-playbook --vault-password-file=password_file -v -i <path_to_inventory_directory>/hosts <path_to_playbooks_directory>/revoke-certificate.yml
    Copy to Clipboard Toggle word wrap

You can use the ansible-freeipa ipacert module to restore a revoked SSL certificate previously used by an Identity Management (IdM) user, host or a service to authenticate to IdM.

Note

You can only restore a certificate that was put on hold. You may have put it on hold because, for example, you were not sure if the private key had been lost. However, now you have recovered the key and as you are certain that no-one has accessed it in the meantime, you want to reinstate the certificate.

Complete this procedure to use an Ansible playbook to release a certificate for a service enrolled into IdM from hold. This example describes how to release a certificate for an HTTP service from hold.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.13 or later.
    • You have installed the ansible-freeipa package.
    • You have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server in the ~/MyPlaybooks/ directory.
    • You have stored your ipaadmin_password in the secret.yml Ansible vault.
  • Your IdM deployment has an integrated CA.
  • You have obtained the serial number of the certificate, for example by entering the openssl x509 -noout -text -in path/to/certificate command. In this example, the certificate serial number is 123456789.

Procedure

  1. Create your Ansible playbook file restore-certificate.yml with the following content: 

    ---
- name: Playbook to restore a certificate
  hosts: ipaserver
  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml

  tasks:
  - name: Restore a certificate for a web service
    ipacert:
      ipaadmin_password: "{{ ipaadmin_password }}"
      serial_number: 123456789
      state: released
    Copy to Clipboard Toggle word wrap

  2. Run the playbook: 

    $ ansible-playbook --vault-password-file=password_file -v -i <path_to_inventory_directory>/hosts <path_to_playbooks_directory>/restore-certificate.yml
    Copy to Clipboard Toggle word wrap

You can use the ansible-freeipa ipacert module to retrieve an SSL certificate issued for an Identity&n