Chapter 20. Modifying user and group attributes in IdM


In Identity Management (IdM), information is stored as LDAP attributes. When you create a user entry in IdM, the entry is automatically assigned certain LDAP object classes. These object classes define what attributes are available to the user entry. For more information about the default user object classes and how they are organized, see the table below.

Table 20.1. Default IdM user object classes

Object classes                                                         Description
ipaobject, ipasshuser                                                  IdM object classes
person, organizationalperson, inetorgperson, inetuser, posixAccount    Person object classes
krbprincipalaux, krbticketpolicyaux                                    Kerberos object classes
mepOriginEntry                                                         Managed entries (template) object classes

As an administrator, you can modify the list of user object classes as well as the format of the attributes. For example, you can specify how many characters are allowed in a user name.

The way that user and group object classes and attributes are organized in IdM is called the IdM user and group schema.

20.1. The default IdM user attributes

A user entry contains attributes. The values of certain attributes are set automatically, based on defaults, unless you set a specific value yourself. For other attributes, you have to set the values manually. Certain attributes, such as First name, require a value, whereas others, such as Street address, do not. As an administrator, you can configure the values generated or used by the default attributes. For more information, see the Default IdM user attributes table below.

Table 20.2. Default IdM user attributes

Web UI field              Command-line option   Required, optional, or default?
User login                username              Required
First name                --first               Required
Last name                 --last                Required
Full name                 --cn                  Optional
Display name              --displayname         Optional
Initials                  --initials            Default
Home directory            --homedir             Default
GECOS field               --gecos               Default
Shell                     --shell               Default
Kerberos principal        --principal           Default
Email address             --email               Optional
Password                  --password            Optional. Note that the script prompts for a new password, rather than accepting a value with the argument.
User ID number            --uid                 Default
Group ID number           --gidnumber           Default
Street address            --street              Optional
City                      --city                Optional
State/Province            --state               Optional
Zip code                  --postalcode          Optional
Telephone number          --phone               Optional
Mobile telephone number   --mobile              Optional
Pager number              --pager               Optional
Fax number                --fax                 Optional
Organizational unit       --orgunit             Optional
Job title                 --title               Optional
Manager                   --manager             Optional
Car license               --carlicense          Optional
(none)                    --noprivate           Optional
SSH Keys                  --sshpubkey           Optional
Additional attributes     --addattr             Optional
Department Number         --departmentnumber    Optional
Employee Number           --employeenumber      Optional
Employee Type             --employeetype        Optional
Preferred Language        --preferredlanguage   Optional

You can also add any attributes available in the Default IdM user object classes, even if no Web UI or command-line argument for that attribute exists.

20.2. Considerations in changing the default user and group schema

User and group accounts are created with a predefined set of LDAP object classes applied to them. While the standard IdM-specific LDAP object classes and attributes cover most deployment scenarios, you can create custom object classes with custom attributes for user and group entries.

When you modify object classes, IdM provides the following validation:

  • All of the object classes and their specified attributes must be known to the LDAP server.
  • All default attributes that are configured for the entry must be supported by the configured object classes.

However, the IdM schema validation has limitations. The IdM server does not check that the defined user or group object classes contain all of the required object classes for IdM entries. For example, all IdM entries require the ipaobject object class. However, if the user or group schema is changed, the server does not check if this object class is included. If the object class is accidentally deleted and you then try to add a new user, the attempt fails.

Also, all object class changes are atomic, not incremental. You must define the entire list of default object classes every time a change occurs. For example, you may decide to create a custom object class to store employee information such as birthdays and employment start dates. In this scenario, you cannot simply add the custom object class to the list. Instead, you must set the entire list of current default object classes plus the new object class. If you do not include the existing default object classes when you update the configuration, the current settings are overwritten. This causes serious performance problems.

Note

After you modify the list of default object classes, new user and group entries will contain the custom object classes but the old entries are not modified.

20.3. Modifying user object classes in the IdM Web UI

This procedure describes how you can use the IdM Web UI to modify object classes for future Identity Management (IdM) user entries. As a result, these entries will have different attributes than the current user entries do.

Prerequisites

  • You are logged in as the IdM administrator.

Procedure

  1. Open the IPA Server tab.
  2. Select the Configuration subtab.
  3. Scroll to the User Options area.

    User options in IPA Server configuration

  4. Keep all the object classes listed in the Default IdM user object classes table.

    Important

    If any object classes required by IdM are not included, then subsequent attempts to add a user entry will fail with object class violations.

  5. At the bottom of the users area, click Add for a new field to appear.

    Changing default user object classes

  6. Enter the name of the user object class you want to add.
  7. Click Save at the top of the Configuration page.

20.4. Modifying user object classes in the IdM CLI

This procedure describes how you can use the Identity Management (IdM) CLI to modify user object classes for future IdM user entries. As a result, these entries will have different attributes than the current user entries do.

Prerequisites

  • You have enabled the brace expansion feature:

    # set -o braceexpand
  • You are logged in as the IdM administrator.

Procedure

  • Use the ipa config-mod command to modify the current schema. For example, to add top and mailRecipient object classes to the future user entries:

    [bjensen@server ~]$ ipa config-mod --userobjectclasses={person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,ipasshuser,mepOriginEntry,top,mailRecipient}

    The command adds all ten user object classes that are native to IdM as well as the two new ones, top and mailRecipient.

    Important

    The information passed with the config-mod command overwrites the previous values. If any user object classes required by IdM are not included, then subsequent attempts to add a user entry will fail with object class violations.

    Note

    Alternatively, you can add a user object class by using the ipa config-mod --addattr ipauserobjectclasses=<user object class> command. In this way, you do not risk forgetting a native IdM class in the list. For example, to add the mailRecipient user object class without overwriting the current configuration, enter ipa config-mod --addattr ipauserobjectclasses=mailRecipient. Analogously, to remove only the mailRecipient object class, enter ipa config-mod --delattr ipauserobjectclasses=mailRecipient.

20.5. Modifying group object classes in the IdM Web UI

Identity Management (IdM) has the following default group object classes:

  • top
  • groupofnames
  • nestedgroup
  • ipausergroup
  • ipaobject

This procedure describes how you can use the IdM Web UI to add additional group object classes for future Identity Management (IdM) user group entries. As a result, these entries will have different attributes than the current group entries do.

Prerequisites

  • You are logged in as the IdM administrator.

Procedure

  1. Open the IPA Server tab.
  2. Select the Configuration subtab.
  3. Locate the Group Options area.
  4. Keep the default IdM group object classes.

    Important

    If any group object classes required by IdM are not included, then subsequent attempts to add a group entry will fail with object class violations.

  5. Click Add for a new field to appear.

    Group options in IPA Server configuration

  6. Enter the name of the group object class you want to add.
  7. Click Save at the top of the Configuration page.

20.6. Modifying group object classes in the IdM CLI

Identity Management (IdM) has the following default group object classes:

  • top
  • groupofnames
  • nestedgroup
  • ipausergroup
  • ipaobject

This procedure describes how you can use the IdM CLI to add additional group object classes for future Identity Management (IdM) user group entries. As a result, these entries will have different attributes than the current group entries do.

Prerequisites

  • You have enabled the brace expansion feature:

    # set -o braceexpand
  • You are logged in as the IdM administrator.

Procedure

  • Use the ipa config-mod command to modify the current schema. For example, to add the ipasshuser and employeegroup object classes to future group entries:

    [bjensen@server ~]$ ipa config-mod --groupobjectclasses={top,groupofnames,nestedgroup,ipausergroup,ipaobject,ipasshuser,employeegroup}

    The command adds all the default group object classes as well as the two new ones, ipasshuser and employeegroup.

    Important

    If any group object classes required by IdM are not included, then subsequent attempts to add a group entry will fail with object class violations.

    Note

    Instead of the brace-expanded, comma-separated list with no spaces that is used in the example above, you can pass the --groupobjectclasses argument repeatedly, once per object class.
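Because ipa config-mod replaces the whole object class list (see sections 20.2, 20.4 and 20.6), a hand-typed list that omits one native class silently breaks every later user-add or group-add. The POSIX shell script below is an added example, not part of the Red Hat documentation or of the ipa tool itself: it compares a proposed --userobjectclasses or --groupobjectclasses list against the native classes listed on this page (Table 20.1 for users, the default group list in section 20.5) and prints the ipa config-mod command only when nothing required is missing. The required lists, the function names and the choice to print the command rather than execute it are assumptions of the example; take the authoritative list for your own deployment from ipa config-show.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): refuse to build an
# "ipa config-mod --userobjectclasses=..." or "--groupobjectclasses=..."
# command line that would drop an object class IdM requires.

# Native classes as listed on this page (Table 20.1 and section 20.5).
# Assumption of the example: verify against "ipa config-show --all".
REQUIRED_USER_CLASSES="person organizationalperson inetorgperson inetuser posixaccount krbprincipalaux krbticketpolicyaux ipaobject ipasshuser mepOriginEntry"
REQUIRED_GROUP_CLASSES="top groupofnames nestedgroup ipausergroup ipaobject"

# LDAP object class names are case-insensitive, so compare in lower case.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# missing_classes REQUIRED PROPOSED
# REQUIRED is space-separated, PROPOSED is the comma-separated list you
# intend to pass to ipa config-mod. Prints every required class that is
# absent, one per line; returns 0 when nothing is missing, 1 otherwise.
missing_classes() {
    required=$1
    proposed=$(lc "$2" | tr ',' ' ')
    status=0
    for req in $required; do
        found=0
        for p in $proposed; do
            [ "$(lc "$req")" = "$p" ] && found=1 && break
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$req"
            status=1
        fi
    done
    return $status
}

# build_config_mod KIND PROPOSED
# KIND is "user" or "group". Prints the ipa config-mod command line that
# would apply PROPOSED as the complete new list, but only if the check
# passes. Nothing is executed here; the caller reviews and runs it.
build_config_mod() {
    kind=$1
    proposed=$2
    case $kind in
        user)  required=$REQUIRED_USER_CLASSES;  opt=--userobjectclasses ;;
        group) required=$REQUIRED_GROUP_CLASSES; opt=--groupobjectclasses ;;
        *) echo "unknown kind: $kind" >&2; return 2 ;;
    esac
    if missing=$(missing_classes "$required" "$proposed"); then
        printf 'ipa config-mod %s={%s}\n' "$opt" "$proposed"
        return 0
    fi
    echo "refusing: list drops required $kind object classes: $(printf '%s' "$missing" | tr '\n' ' ')" >&2
    return 1
}

# Stand-alone demonstration: the group example from section 20.6.
build_config_mod group "top,groupofnames,nestedgroup,ipausergroup,ipaobject,ipasshuser,employeegroup"
```

The check is deliberately conservative: it only confirms that nothing native was dropped, not that the added classes exist in the server schema, which IdM validates itself when the command runs. For single additions or removals, the --addattr and --delattr forms shown in section 20.4 remain the safer option because they never touch the rest of the list.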

20.7. Default user and group attributes in IdM

Identity Management (IdM) uses a template when it creates new entries.

The template for users is more specific than the template for groups. IdM uses default values for several core attributes for IdM user accounts. These defaults can define actual values for user account attributes, such as the home directory location, or they can define the formats of attribute values, such as the user name length. The template also defines the object classes assigned to users.

For groups, the template only defines the assigned object classes.

In the IdM LDAP directory, these default definitions are all contained in a single configuration entry for the IdM server, cn=ipaconfig,cn=etc,dc=example,dc=com.

You can modify the configuration of default user parameters in IdM by using the ipa config-mod command. The table below summarizes some of the key parameters, the command-line options that you can use with ipa config-mod to modify them, and the parameter descriptions.

Table 20.3. Default user parameters

Web UI field                      Command-line option     Description
Maximum user name length          --maxusername           Sets the maximum number of characters for user names. Default: 32.
Root for home directories         --homedirectory         Sets the default directory for user home directories. Default: /home.
Default shell                     --defaultshell          Sets the default shell for users. Default: /bin/sh.
Default user group                --defaultgroup          Sets the default group for newly created accounts. Default: ipausers.
Default e-mail domain             --emaildomain           Sets the email domain for creating addresses based on user accounts. Default: server domain.
Search time limit                 --searchtimelimit       Sets the maximum time in seconds for a search before returning results.
Search size limit                 --searchrecordslimit    Sets the maximum number of records to return in a search.
User search fields                --usersearch            Defines searchable fields in user entries. Setting too many attributes impacts server performance.
Group search fields               --groupsearch           Defines searchable fields in group entries.
Certificate subject base          (none)                  Sets the base DN for creating subject DNs for client certificates during setup.
Default user object classes       --userobjectclasses     Defines object classes for creating user accounts. Must provide a complete list as it overwrites the existing one.
Default group object classes      --groupobjectclasses    Defines object classes for creating group accounts. Must provide a complete list.
Password expiration notification  --pwdexpnotify          Defines the number of days before a password expires for sending a notification.
Password plug-in features         (none)                  Sets the format of allowable passwords for users.

20.8. Viewing and modifying user and group configuration in the IdM Web UI

You can view and modify the configuration of the default user and group attributes in the Identity Management (IdM) Web UI.

Prerequisites

  • You are logged in as IdM admin.

Procedure

  1. Open the IPA Server tab.
  2. Select the Configuration subtab.
  3. The User Options section has multiple fields you can review and edit.

    User attributes

  4. For example, to change the default shell for future IdM users from /bin/sh to /bin/bash, locate the Default shell field, and replace /bin/sh with /bin/bash.
  5. In the Group Options section, you can only review and edit the Group search fields field.

    Group attributes

  6. Click the Save button at the top of the screen.

    The newly saved configuration will be applied to future IdM user and group accounts. The current accounts remain unchanged.

20.9. Viewing and modifying user and group configuration in the IdM CLI

You can view and modify the configuration of the current or default user and group attributes in the Identity Management (IdM) CLI.

Prerequisites

  • You have the IdM admin credentials.

Procedure

  • The ipa config-show command displays the most common attribute settings. Use the --all option for a complete list:

    [bjensen@server ~]$ ipa config-show --all
    dn: cn=ipaConfig,cn=etc,dc=example,dc=com
    Maximum username length: 32
    Home directory base: /home
    Default shell: /bin/sh
    Default users group: ipausers
    Default e-mail domain: example.com
    Search time limit: 2
    Search size limit: 100
    User search fields: uid,givenname,sn,telephonenumber,ou,title
    Group search fields: cn,description
    Enable migration mode: FALSE
    Certificate Subject base: O=EXAMPLE.COM
    Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
    Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser
    Password Expiration Notification (days): 4
    Password plugin features: AllowNThash
    SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
    Default SELinux user: unconfined_u:s0-s0:c0.c1023
    Default PAC types: MS-PAC, nfs:NONE
    cn: ipaConfig
    objectclass: nsContainer, top, ipaGuiConfig, ipaConfigObject
  • Use the ipa config-mod command to modify an attribute. For example, to change the default shell for future IdM users from /bin/sh to /bin/bash, enter:

    [bjensen@server ~]$ ipa config-mod --defaultshell "/bin/bash"

    For more ipa config-mod options, see the Default user parameters table.

    The new configuration will be applied to future IdM user and group accounts. The current accounts remain unchanged.
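The config-show listing above is plain "Label: value" text, which makes it easy to audit for drift. The following POSIX shell script is an added example, not part of the Red Hat documentation or of the ipa tool: it parses that format, compares the scalar defaults from Table 20.3 against a baseline, and confirms that every default user and group object class from the listing is still present. The sample output is constructed from the listing on this page so the script runs offline; the baseline values, required class lists and function names are assumptions of the example. Against a live server, feed the real output in with ipa config-show --all | audit_config.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): audit the output of
# "ipa config-show --all" for drift from a baseline.

# Constructed sample, copied from the listing on this page.
SAMPLE_CONFIG_SHOW='dn: cn=ipaConfig,cn=etc,dc=example,dc=com
Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: example.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser
Password Expiration Notification (days): 4'

# Baseline for scalar settings (the defaults in Table 20.3). Assumption of
# the example: replace with the values your deployment intends.
BASELINE='Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Search time limit: 2
Search size limit: 100'

# Object classes every entry must keep, taken from the config-show listing on
# this page (users) and section 20.5 (groups). Table 20.1 also lists
# mepOriginEntry for users; use your own server's list as the authority.
REQUIRED_USER_CLASSES="top person organizationalperson inetorgperson inetuser posixaccount krbprincipalaux krbticketpolicyaux ipaobject ipasshuser"
REQUIRED_GROUP_CLASSES="top groupofnames nestedgroup ipausergroup ipaobject"

# config_value LABEL   (config-show text on stdin)
# Prints the value of the first "LABEL: value" line.
config_value() {
    sed -n "s/^$1: //p" | head -n 1
}

# has_class "a, b, c" NAME   -- case-insensitive membership test.
has_class() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr -d ' ' | tr ',' '\n' \
        | grep -qx "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# audit_config   (config-show text on stdin)
# Prints one "FINDING: ..." line per deviation; the return code is the number
# of findings, so 0 means the configuration matches the baseline.
audit_config() {
    text=$(cat)
    findings=0

    # Scalar settings: every baseline line must match exactly.
    while IFS= read -r line; do
        label=${line%%: *}
        expected=${line#*: }
        actual=$(printf '%s\n' "$text" | config_value "$label")
        if [ "$actual" != "$expected" ]; then
            echo "FINDING: $label is '$actual', baseline is '$expected'"
            findings=$((findings + 1))
        fi
    done <<EOF
$BASELINE
EOF

    # Object class lists: a required class dropped by an overwriting
    # ipa config-mod breaks every later user-add or group-add.
    user_classes=$(printf '%s\n' "$text" | config_value 'Default user objectclasses')
    for cls in $REQUIRED_USER_CLASSES; do
        has_class "$user_classes" "$cls" || {
            echo "FINDING: default user object classes lack $cls"
            findings=$((findings + 1))
        }
    done
    group_classes=$(printf '%s\n' "$text" | config_value 'Default group objectclasses')
    for cls in $REQUIRED_GROUP_CLASSES; do
        has_class "$group_classes" "$cls" || {
            echo "FINDING: default group object classes lack $cls"
            findings=$((findings + 1))
        }
    done
    return $findings
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_CONFIG_SHOW" | audit_config && echo "no drift from baseline"
```

Running this from a scheduled job on an IdM server (or from any enrolled client with admin credentials) turns the "current accounts remain unchanged" caveat into something observable: a change to the defaults shows up as a finding before the first new account is created with the altered template.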

20.10. Additional resources
