Chapter 20. Modifying user and group attributes in IdM
In Identity Management (IdM), information is stored as LDAP attributes. When you create a user entry in IdM, the entry is automatically assigned certain LDAP object classes. These object classes define which attributes the user entry can carry. The default user object classes, and how they are grouped, are listed in the table below.
Object classes | Description |
---|---|
ipaobject, ipasshuser | IdM object classes |
person, organizationalperson, inetorgperson, inetuser, posixAccount | Person object classes |
krbprincipalaux, krbticketpolicyaux | Kerberos object classes |
mepOriginEntry | Managed entries (template) object classes |
As an administrator, you can modify the list of user object classes as well as the format of the attributes. For example, you can specify how many characters are allowed in a user name.
The way that user and group object classes and attributes are organized in IdM is called the IdM user and group schema.
20.1. The default IdM user attributes
A user entry contains attributes. The values of certain attributes are set automatically, based on defaults, unless you set a specific value yourself. For other attributes, you have to set the values manually. Certain attributes, such as First name, require a value, whereas others, such as Street address, do not. As an administrator, you can configure the values generated or used by the default attributes. For more information, see the Default IdM user attributes table below.
Web UI field | Command-line option | Required, optional, or default? |
---|---|---|
User login | username | Required |
First name | --first | Required |
Last name | --last | Required |
Full name | --cn | Optional |
Display name | --displayname | Optional |
Initials | --initials | Default |
Home directory | --homedir | Default |
GECOS field | --gecos | Default |
Shell | --shell | Default |
Kerberos principal | --principal | Default |
Email address | | Optional |
Password | --password | Optional. Note that the script prompts for a new password, rather than accepting a value with the argument. |
User ID number | --uid | Default |
Group ID number | --gidnumber | Default |
Street address | --street | Optional |
City | --city | Optional |
State/Province | --state | Optional |
Zip code | --postalcode | Optional |
Telephone number | --phone | Optional |
Mobile telephone number | --mobile | Optional |
Pager number | --pager | Optional |
Fax number | --fax | Optional |
Organizational unit | --orgunit | Optional |
Job title | --title | Optional |
Manager | --manager | Optional |
Car license | --carlicense | Optional |
 | --noprivate | Optional. Do not create a private group for the user. |
SSH Keys | --sshpubkey | Optional |
Additional attributes | --addattr | Optional |
Department Number | --departmentnumber | Optional |
Employee Number | --employeenumber | Optional |
Employee Type | --employeetype | Optional |
Preferred Language | --preferredlanguage | Optional |
You can also add any attributes available in the Default IdM user object classes, even if no Web UI or command-line argument for that attribute exists.
20.2. Considerations in changing the default user and group schema
User and group accounts are created with a predefined set of LDAP object classes applied to them. While the standard IdM-specific LDAP object classes and attributes cover most deployment scenarios, you can create custom object classes with custom attributes for user and group entries.
When you modify object classes, IdM provides the following validation:
- All of the object classes and their specified attributes must be known to the LDAP server.
- All default attributes that are configured for the entry must be supported by the configured object classes.
However, the IdM schema validation has limitations. The IdM server does not check that the defined user or group object classes contain all of the object classes that IdM entries require. For example, all IdM entries require the ipaobject object class, but if the user or group schema is changed, the server does not check whether this object class is still included. If the object class is accidentally removed and you then try to add a new user, the attempt fails with an object class violation.
Also, all object class changes are atomic, not incremental. You must define the entire list of default object classes every time you change it. For example, you may decide to create a custom object class to store employee information such as birthdays and employment start dates. In this scenario, you cannot simply add the custom object class to the list. Instead, you must set the entire list of current default object classes plus the new object class. If you leave an existing default object class out of the list when you update the configuration, the current setting is overwritten and that class is dropped; subsequent attempts to add users or groups then fail with object class violations.
After you modify the list of default object classes, new user and group entries will contain the custom object classes but the old entries are not modified.
20.3. Modifying user object classes in the IdM Web UI
This procedure describes how you can use the IdM Web UI to modify object classes for future Identity Management (IdM) user entries. As a result, these entries will have different attributes than the current user entries do.
Prerequisites
- You are logged in as the IdM administrator.
Procedure
1. Open the IPA Server tab.
2. Select the Configuration subtab.
3. Scroll to the User Options area. Keep all the object classes listed in the Default IdM user object classes table.
   Important: If any object classes required by IdM are not included, then subsequent attempts to add a user entry will fail with object class violations.
4. At the bottom of the User Options area, click Add for a new field to appear.
5. Enter the name of the user object class you want to add.
6. Click Save at the top of the Configuration page.
20.4. Modifying user object classes in the IdM CLI
This procedure describes how you can use the Identity Management (IdM) CLI to modify user object classes for future IdM user entries. As a result, these entries will have different attributes than the current user entries do.
Prerequisites
- You have enabled the brace expansion feature in your shell (it is on by default in interactive bash):
  # set -o braceexpand
- You are logged in as the IdM administrator.
Procedure
1. Use the ipa config-mod command to modify the current schema. For example, to add the top and mailRecipient object classes to future user entries:
   [bjensen@server ~]$ ipa config-mod --userobjectclasses={person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,ipasshuser,mepOriginEntry,top,mailRecipient}
   The command adds all ten user object classes that are native to IdM as well as the two new ones, top and mailRecipient. The shell's brace expansion turns the single --userobjectclasses={...} word into one --userobjectclasses=<class> option per class, which is why brace expansion is a prerequisite; the list inside the braces must not contain spaces.
   Important: The information passed with the config-mod command overwrites the previous values. If any user object classes required by IdM are not included, then subsequent attempts to add a user entry will fail with object class violations.
   Note: Alternatively, you can add a user object class by using the ipa config-mod --addattr ipauserobjectclasses=<user object class> command. In this way, you do not risk forgetting a native IdM class in the list. For example, to add the mailRecipient user object class without overwriting the current configuration, enter ipa config-mod --addattr ipauserobjectclasses=mailRecipient. Analogously, to remove only the mailRecipient object class, enter ipa config-mod --delattr ipauserobjectclasses=mailRecipient.
20.5. Modifying group object classes in the IdM Web UI
Identity Management (IdM) has the following default group object classes:
- top
- groupofnames
- nestedgroup
- ipausergroup
- ipaobject
This procedure describes how you can use the IdM Web UI to add group object classes for future Identity Management (IdM) user group entries. As a result, these entries will have different attributes than the current group entries do.
Prerequisites
- You are logged in as the IdM administrator.
Procedure
1. Open the IPA Server tab.
2. Select the Configuration subtab.
3. Locate the Group Options area. Keep the default IdM group object classes.
   Important: If any group object classes required by IdM are not included, then subsequent attempts to add a group entry will fail with object class violations.
4. Click Add for a new field to appear.
5. Enter the name of the group object class you want to add.
6. Click Save at the top of the Configuration page.
20.6. Modifying group object classes in the IdM CLI
Identity Management (IdM) has the following default group object classes:
- top
- groupofnames
- nestedgroup
- ipausergroup
- ipaobject
This procedure describes how you can use the IdM CLI to add group object classes for future Identity Management (IdM) user group entries. As a result, these entries will have different attributes than the current group entries do.
Prerequisites
- You have enabled the brace expansion feature in your shell (it is on by default in interactive bash):
  # set -o braceexpand
- You are logged in as the IdM administrator.
Procedure
1. Use the ipa config-mod command to modify the current schema. For example, to add the ipasshuser and employeegroup object classes to future group entries:
   [bjensen@server ~]$ ipa config-mod --groupobjectclasses={top,groupofnames,nestedgroup,ipausergroup,ipaobject,ipasshuser,employeegroup}
   The command adds all the default group object classes as well as the two new ones, ipasshuser and employeegroup. Here employeegroup stands for a custom class that you have already added to the directory schema; config-mod rejects object classes that the LDAP server does not know.
   Important: The list passed with config-mod overwrites the previous values. If any group object classes required by IdM are not included, then subsequent attempts to add a group entry will fail with object class violations.
   Note: Instead of the comma-separated list inside curly braces with no spaces allowed that is used in the example above, you can use the --groupobjectclasses argument repeatedly, once per class. To add a single class without replacing the list, use ipa config-mod --addattr ipagroupobjectclasses=<group object class>, the group counterpart of the --addattr form shown for user object classes.
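The overwrite caveat in sections 20.2, 20.4 and 20.6 can be checked before the list is submitted. The following shell script is an added example, not part of the IdM documentation or of the ipa tool: it reads config-show output (a constructed sample in the shape shown later in this chapter is embedded), refuses a full replacement list that would drop any currently configured class, and otherwise prints the equivalent ipa config-mod command with the option repeated once per class. The function names and the sample output are assumptions made for the example; the ipa command is printed, never executed, so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the IdM documentation: a preflight check for the
# atomic overwrite described in sections 20.2, 20.4 and 20.6. Before running
# "ipa config-mod --userobjectclasses=..." or "--groupobjectclasses=..." with
# a full replacement list, compare that list against what is configured now
# and refuse if any currently configured class would be dropped. The ipa
# command is only printed, never executed.

# Constructed sample of "ipa config-show" output, in the shape the real
# command prints. In production, feed the real output instead:
#   ipa config-show | check_replacement user "$FULL_LIST"
SAMPLE_CONFIG_SHOW='  Maximum username length: 32
  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
  Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser'

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Currently configured classes of one kind ("user" or "group"), read from
# config-show text on stdin, one per line and lower-cased: LDAP object class
# names are case-insensitive, so "posixAccount" and "posixaccount" must match.
current_classes() {
    sed -n "s/^ *Default $1 objectclasses: *//p" | tr ',' '\n' | tr -d ' ' | tr '[:upper:]' '[:lower:]'
}

# Names in the newline-separated list $2 that do not occur in list $1.
missing_from() {
    for want in $2; do
        found=0
        for have in $1; do
            [ "$have" = "$want" ] && found=1
        done
        [ "$found" -eq 1 ] || printf '%s\n' "$want"
    done
}

# Render the replacement as one ipa config-mod invocation that repeats the
# option once per class, so it does not depend on brace expansion being on.
render_config_mod() {   # $1 = user|group, $2 = newline-separated classes
    cmd="ipa config-mod"
    for oc in $2; do
        cmd="$cmd --${1}objectclasses=$oc"
    done
    printf '%s\n' "$cmd"
}

# check_replacement KIND "full,comma,separated,list"   (config-show on stdin)
# Prints the command to run, or returns 1 naming the classes the new list
# would silently drop from the current configuration. The case you typed is
# preserved in the printed command; only the comparison is lower-cased.
check_replacement() {
    kind=$1
    proposed=$(printf '%s' "$2" | tr ',' '\n' | tr -d ' ')
    current=$(current_classes "$kind")
    dropped=$(missing_from "$(lower "$proposed")" "$current")
    if [ -n "$dropped" ]; then
        printf 'refusing: new %s list drops: %s\n' "$kind" \
            "$(printf '%s' "$dropped" | tr '\n' ' ')" >&2
        return 1
    fi
    render_config_mod "$kind" "$proposed"
}

# Demonstration: the complete list plus mailRecipient is accepted; the same
# list with ipaobject forgotten is rejected.
printf '%s\n' "$SAMPLE_CONFIG_SHOW" | check_replacement user \
    'top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,ipasshuser,mailRecipient'
printf '%s\n' "$SAMPLE_CONFIG_SHOW" | check_replacement user \
    'top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipasshuser,mailRecipient' \
    || echo "(rejected as expected)"
```

Against a live server, run ipa config-show | check_replacement user "$FULL_LIST" (or group) and execute the printed command only when the check passes. The check compares against the current configuration rather than a hard-coded list of required classes, so it also protects custom classes that an earlier change added.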
20.7. Default user and group attributes in IdM
Identity Management (IdM) uses a template when it creates new entries.
The template for users is more specific than the template for groups. IdM uses default values for several core attributes for IdM user accounts. These defaults can define actual values for user account attributes, such as the home directory location, or they can define the formats of attribute values, such as the user name length. The template also defines the object classes assigned to users.
For groups, the template only defines the assigned object classes.
In the IdM LDAP directory, these default definitions are all contained in a single configuration entry for the IdM server, cn=ipaconfig,cn=etc,dc=example,dc=com.
You can modify the configuration of default user parameters in IdM by using the ipa config-mod command. The table below summarizes some of the key parameters, the command-line options that you can use with ipa config-mod to modify them, and the parameter descriptions.
Web UI field | Command-line option | Description |
---|---|---|
Maximum user name length | --maxusername | Sets the maximum number of characters for user names. Default: 32. |
Root for home directories | --homedirectory | Sets the default directory for user home directories. Default: /home. |
Default shell | --defaultshell | Sets the default shell for users. Default: /bin/sh. |
Default user group | --defaultgroup | Sets the default group for newly created accounts. Default: ipausers. |
Default e-mail domain | --emaildomain | Sets the email domain for creating addresses based on user accounts. Default: server domain. |
Search time limit | --searchtimelimit | Sets the maximum time in seconds for a search before returning results. |
Search size limit | --searchrecordslimit | Sets the maximum number of records to return in a search. |
User search fields | --usersearch | Defines searchable fields in user entries; making too many attributes searchable degrades server performance. |
Group search fields | --groupsearch | Defines searchable fields in group entries. |
Certificate subject base | | Sets the base DN for creating subject DNs for client certificates. It is set during server setup and is not changed with ipa config-mod. |
Default user object classes | --userobjectclasses | Defines object classes for creating user accounts. You must provide the complete list, because it overwrites the existing one. |
Default group object classes | --groupobjectclasses | Defines object classes for creating group accounts. You must provide the complete list, because it overwrites the existing one. |
Password expiration notification | --pwdexpnotify | Defines the number of days before a password expires at which a notification is sent. |
Password plug-in features | | Sets the format of allowable passwords for users. |
20.8. Viewing and modifying user and group configuration in the IdM Web UI
You can view and modify the configuration of the default user and group attributes in the Identity Management (IdM) Web UI.
Prerequisites
- You are logged in as IdM admin.
Procedure
1. Open the IPA Server tab.
2. Select the Configuration subtab. The User Options section has multiple fields you can review and edit.
3. For example, to change the default shell for future IdM users from /bin/sh to /bin/bash, locate the Default shell field, and replace /bin/sh with /bin/bash. In the Group Options section, you can review and edit the Group search fields field.
4. Click the Save button at the top of the screen.
The newly saved configuration will be applied to future IdM user and group accounts. The current accounts remain unchanged.
20.9. Viewing and modifying user and group configuration in the IdM CLI
You can view and modify the configuration of the current or default user and group attributes in the Identity Management (IdM) CLI.
Prerequisites
-
- You have the IdM admin credentials.
Procedure
1. The ipa config-show command displays the most common attribute settings. Use the --all option for a complete list:
   [bjensen@server ~]$ ipa config-show --all
   dn: cn=ipaConfig,cn=etc,dc=example,dc=com
   Maximum username length: 32
   Home directory base: /home
   Default shell: /bin/sh
   Default users group: ipausers
   Default e-mail domain: example.com
   Search time limit: 2
   Search size limit: 100
   User search fields: uid,givenname,sn,telephonenumber,ou,title
   Group search fields: cn,description
   Enable migration mode: FALSE
   Certificate Subject base: O=EXAMPLE.COM
   Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
   Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser
   Password Expiration Notification (days): 4
   Password plugin features: AllowNThash
   SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
   Default SELinux user: unconfined_u:s0-s0:c0.c1023
   Default PAC types: MS-PAC, nfs:NONE
   cn: ipaConfig
   objectclass: nsContainer, top, ipaGuiConfig, ipaConfigObject
2. Use the ipa config-mod command to modify an attribute. For example, to change the default shell for future IdM users from /bin/sh to /bin/bash, enter:
   [bjensen@server ~]$ ipa config-mod --defaultshell "/bin/bash"
   For more ipa config-mod options, see the Default user parameters table.
The new configuration will be applied to future IdM user and group accounts. The current accounts remain unchanged.
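Because cn=ipaConfig supplies the defaults for every account created afterwards, it deserves the same drift checks as any other privileged configuration. The following shell script is an added example, not part of the IdM documentation: it parses ipa config-show --all output in the format shown above (a constructed sample with a changed default shell and a raised search size limit is embedded) and reports every setting that differs from a baseline. The baseline values, the sample and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the IdM documentation: audit the live user and group
# template (the cn=ipaConfig entry printed by "ipa config-show --all") against
# the values you expect, so a changed default shell, a raised search limit or
# an altered object class list is reported by name instead of being noticed
# only when the next user is created.

# Constructed sample in the shape of the config-show output shown above; the
# default shell and the search size limit deliberately differ from the baseline.
# In production: ipa config-show --all | audit_config
SAMPLE_CONFIG='  dn: cn=ipaConfig,cn=etc,dc=example,dc=com
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Search time limit: 2
  Search size limit: 500
  Enable migration mode: FALSE
  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
  Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser
  Password plugin features: AllowNThash'

# Expected values, one "Label=value" per line. This baseline is an assumption
# made for the example; record your own from a known-good server.
BASELINE='Maximum username length=32
Home directory base=/home
Default shell=/bin/sh
Default users group=ipausers
Search size limit=100
Enable migration mode=FALSE
Default user objectclasses=top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser
Password plugin features=AllowNThash'

# Value of one labelled setting from config-show text on stdin; empty if absent.
setting() {
    sed -n "s/^ *$1: *//p" | head -n 1
}

# One line per baseline entry whose live value differs or is missing.
config_drift() {            # stdin = config-show output
    cfg=$(cat)
    printf '%s\n' "$BASELINE" | while IFS='=' read -r label expected; do
        actual=$(printf '%s\n' "$cfg" | setting "$label")
        [ "$actual" = "$expected" ] ||
            printf '%s: expected "%s", found "%s"\n' "$label" "$expected" "${actual:-<unset>}"
    done
}

# Exit status 0 when the template matches the baseline, 1 with the drift
# listed on stdout otherwise, so it can gate a change window or feed a monitor.
audit_config() {
    drift=$(config_drift)
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

printf '%s\n' "$SAMPLE_CONFIG" | audit_config || echo "template drifted from baseline"
```

The labels are matched literally against the left-hand side of each config-show line, so the baseline must use the same spelling as the output of the IdM version you run; the object class lists are compared as whole strings, which also catches a reordering.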