
Chapter 3. Introduction to the IdM command-line utilities


You can use the CLI to automate administrative tasks, such as creating users and managing certificates. Learn more about the basics of using the Identity Management (IdM) command-line utilities.

3.1. Prerequisites

  • An installed and accessible Identity Management (IdM) server. For more information, see Installing Identity Management.
  • To use the IPA command-line interface, authenticate to IdM with a valid Kerberos ticket.

3.2. What is the IPA command-line interface

Manage your Identity Management (IdM) environment by using the IPA command-line interface (CLI). The CLI provides a comprehensive set of subcommands to automate the management of users and hosts, security policies, and certificates.

You can use the IPA CLI to perform the following actions:

  • Add, manage, or remove users, groups, hosts and other objects in the network.
  • Manage certificates.
  • Search the directory to find specific entries and view their details.
  • Display and list objects.
  • Set access rights.
  • Access help to find the correct command syntax and options.

3.3. What is the IPA help

Access the built-in Identity Management (IdM) documentation for command syntax, usage examples, and available subcommands. The IPA command-line interface (CLI) generates available help topics from loaded IdM plugin modules.

The ipa help utility follows a specific structure for queries:

$ ipa help [TOPIC | COMMAND | topics | commands]
  • [] — Brackets mean that all parameters are optional and you can write just ipa help and the command will be executed.
  • | — The pipe character means or. Therefore, you can specify a TOPIC, a COMMAND, or topics, or commands, with the basic ipa help command:

    • topics — You can run the command ipa help topics to display a list of topics that are covered by the IPA help, such as user, cert, server and many others.
    • TOPIC — The TOPIC with capital letters is a variable. Therefore, you can specify a particular topic, for example, ipa help user.
    • commands — You can enter the command ipa help commands to display a list of commands which are covered by the IPA help, for example, user-add, ca-enable, server-show and many others.
    • COMMAND — The COMMAND with capital letters is a variable. Therefore, you can specify a particular command, for example, ipa help user-add.

When you enter the ipa help command without options, the system displays information about basic help usage and the most common command examples.

3.4. Using IPA help topics

You can use the ipa help topics command to discover available plugins and to view specific command examples for objects such as users, hosts, or certificates.

Procedure

  1. Open a terminal and connect to the IdM server.
  2. To display a list of topics covered by help, run the ipa help topics command:

    $ ipa help topics
  3. To view documentation for a specific category, run the ipa help <topic_name> command. Replace the <topic_name> placeholder with a category listed in the previous step. For example:

    $ ipa help user
  4. Optional: To view long help output one screen at a time, pipe the command to the less utility:

    $ ipa help user | less

    You can then scroll down and read the whole help.

    The IPA CLI displays a help page for the user topic. After reading the overview, you can see many examples with patterns for working with topic commands.

3.5. Using IPA help commands

You can use ipa help commands to list every action supported by the Identity Management (IdM) server. You can also display required arguments and optional parameters for specific commands.

Procedure

  1. Open a terminal and connect to the IdM server.
  2. To display a list of commands covered by help, run ipa help commands:

    $ ipa help commands
  3. To view documentation for a specific command, run the ipa help <command> command. Replace the <command> placeholder with a command listed in the previous step. For example:

    $ ipa help user-add

3.6. Structure of IPA commands

The IPA CLI uses a predictable structure that combines an object with a specific action. You can use this pattern to perform administrative tasks across different functional areas of IdM.

The IPA CLI distinguishes the following types of commands:

  • Built-in commands — Built-in commands available on every IdM server.
  • Plug-in provided commands — Extended functions provided by specific IdM modules.

For most IdM entries, the CLI follows a standard ipa <object>-<action> structure.

Common objects:

  • Users
  • Hosts
  • DNS records
  • Certificates
  • And more.

For most of these objects, the IPA CLI includes commands to:

  • Add (add)
  • Modify (mod)
  • Delete (del)
  • Search (find)
  • Display (show)

Commands have the following structure:

ipa user-add, ipa user-mod, ipa user-del, ipa user-find, ipa user-show

ipa host-add, ipa host-mod, ipa host-del, ipa host-find, ipa host-show

ipa dnsrecord-add, ipa dnsrecord-mod, ipa dnsrecord-del, ipa dnsrecord-find, ipa dnsrecord-show

You can create a user with the ipa user-add [options] command, where [options] are optional. If you run just the ipa user-add command, the script asks you for details one by one.

Note that the [options] --raw and --structured are mutually exclusive and should not be run together.

To change an existing object, you must specify which object to change. Therefore, the command also includes the object name: ipa user-mod <user_name>.

3.7. Using an IPA command to add a user account to IdM

Create new user entries in the Identity Management (IdM) database by using the IPA command-line interface (CLI).

Prerequisites

  • You have administrator privileges.

Procedure

  1. Open a terminal and connect to the IdM server.
  2. To add a user interactively, run the ipa user-add command:

    $ ipa user-add

    The command prompts you to provide basic data necessary for creating a user account.

  3. In the First name: field, enter the first name of the new user and press Enter.
  4. In the Last name: field, enter the last name of the new user and press Enter.
  5. In the User login [suggested user name]: field, enter the user name, or just press Enter to accept the suggested user name.

    The user name must be unique for the whole IdM database. If an error occurs because that user name already exists, repeat the process with the ipa user-add command and use a different, unique user name.

    After you add the user name, the user account is added to the IdM database and the IPA command-line interface (CLI) prints the following output:

    ----------------------
    Added user "euser"
    ----------------------
    User login: euser
    First name: Example
    Last name: User
    Full name: Example User
    Display name: Example User
    Initials: EU
    Home directory: /home/euser
    GECOS: Example User
    Login shell: /bin/sh
    Principal name: euser@IDM.EXAMPLE.COM
    Principal alias: euser@IDM.EXAMPLE.COM
    Email address: euser@idm.example.com
    UID: 427200006
    GID: 427200006
    Password: False
    Member of groups: ipausers
    Kerberos keys available: False
    Note

    By default, the account does not have a password. To add a password while creating a user account, use the ipa user-add command with the following syntax:

    $ ipa user-add --first=<user_name> --last=<user_surname> --password

    The IPA CLI then prompts you to add or confirm a user name and password.

    If the user has been created already, you can add the password with the ipa user-mod command.

3.8. Using an IPA command to modify a user account in IdM

Update existing user attributes and security settings in the Identity Management (IdM) database by using the command-line interface. You can use the ipa user-mod command to modify parameters such as contact information, login shells, or passwords for any existing user account.

Prerequisites

  • You have administrator privileges.

Procedure

  1. Open a terminal and connect to the IdM server.
  2. To update a user account, run the ipa user-mod <user_login> command and include the options for the attributes you want to change. Replace the <user_login> placeholder with the login name of the user:

    $ ipa user-mod <user_login> --password
  3. If you used the --password option, provide the new password at the prompt and press Enter.

    The IPA CLI prints output similar to the following example:

    ----------------------
    Modified user "euser"
    ----------------------
    User login: euser
    First name: Example
    Last name: User
    Home directory: /home/euser
    Principal name: euser@IDM.EXAMPLE.COM
    Principal alias: euser@IDM.EXAMPLE.COM
    Email address: euser@idm.example.com
    UID: 427200006
    GID: 427200006
    Password: True
    Member of groups: ipausers
    Kerberos keys available: True

    The user password is now set for the account and the user can log into IdM.

3.9. Multi-valued attributes in IdM

Understand the syntax and overwrite logic for attributes that support multiple values in Identity Management (IdM). When you manage objects with multi-valued attributes, such as permissions or group memberships, you must provide the complete list of values during updates to prevent unintended data loss.

IdM supports the following methods of supplying multi-valued lists:

  • Using the same command-line argument multiple times within the same command invocation:

    $ ipa permission-add --right=read --right=write --right=delete <object_name>
  • Alternatively, you can enclose the list in curly braces. The shell expands these into individual arguments before execution:

    $ ipa permission-add --right={read,write,delete} <object_name>

When you update such multi-valued attributes from the command line, IdM completely overwrites the previous list of values with a new list. Therefore, when updating a multi-valued attribute, you must specify the whole new list, not just a single value you want to add.

Examples of the overwrite logic

The following examples illustrate how the IdM database processes modifications to multi-valued attributes. During a modification, the absence of an existing value results in its removal from the record:

  • The ipa permission-mod command updates all previously added permissions:

    $ ipa permission-mod --right=read --right=write --right=delete <object_name>

    or

    $ ipa permission-mod --right={read,write,delete} <object_name>
  • The ipa permission-mod command deletes the --right=delete argument because it is not included in the command:

    $ ipa permission-mod --right=read --right=write <object_name>

    or

    $ ipa permission-mod --right={read,write} <object_name>
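
A read-modify-write helper for the overwrite behaviour described above, as an added example that is not part of the Red Hat documentation. The names full_right_args and stored_after_mod are hypothetical; stored_after_mod is only a local model of the overwrite rule, and the current rights are assumed to be passed in as a comma-separated string copied from the existing entry.

```shell
# Build the complete --right=... argument list for ipa permission-mod.
# $1: rights the permission currently grants, comma-separated (assumption:
#     copied by the operator from the existing entry).
# Remaining arguments: rights to add. Duplicates are dropped.
full_right_args() {
    current=$1; shift
    out=""
    seen=" "
    # Split the current list on commas, then append the requested additions.
    for r in $(printf '%s' "$current" | tr ',' ' ') "$@"; do
        case "$seen" in
            *" $r "*) continue ;;   # already in the list
        esac
        seen="$seen$r "
        out="${out:+$out }--right=$r"
    done
    printf '%s\n' "$out"
}

# Local model of the overwrite rule: after a modification the stored list
# is exactly the list supplied on the command line, nothing more.
stored_after_mod() {
    out=""
    for a in "$@"; do
        case "$a" in
            --right=*) out="${out:+$out,}${a#--right=}" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Constructed scenario: the permission grants read and write, and the
# administrator wants to add delete.
stored_after_mod --right=delete                               # delete
stored_after_mod $(full_right_args "read, write" delete)      # read,write,delete
```

Against a real server, the merged list would be passed on as `ipa permission-mod $(full_right_args "read, write" delete) <object_name>`.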

3.10. Special characters in the IdM CLI

Handle shell-sensitive characters correctly to ensure command-line arguments are processed as intended. You can use the backslash (\) escape character to prevent the shell from misinterpreting special symbols within Identity Management (IdM) commands.

For example, to escape an asterisk (*):

$ ipa certprofile-show certificate_profile --out=exported\*profile.cfg

Commands with unescaped special characters fail or produce unexpected results because the shell attempts to parse the characters as shell commands rather than literal text.
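
The following added example, which is not part of the Red Hat documentation, shows why an unescaped asterisk gives results that depend on the current directory. count_args is a hypothetical stand-in for the ipa command, and the files are constructed in a scratch directory.

```shell
# Stand-in for the ipa CLI: report how many arguments the shell passed.
count_args() { echo "$#"; }

glob_demo() {
    # Constructed scratch directory so the demo never touches real files.
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # No file name matches yet, so the shell passes the word unchanged.
        before=$(count_args --out=exported*profile.cfg)
        # Two constructed files whose names match the whole word,
        # including the leading "--out=".
        : > ./--out=exported1profile.cfg
        : > ./--out=exported2profile.cfg
        # The same command line is now expanded into two arguments.
        unescaped=$(count_args --out=exported*profile.cfg)
        # A backslash (as in the command above) or single quotes keep the
        # asterisk literal regardless of which files exist.
        escaped=$(count_args --out=exported\*profile.cfg)
        quoted=$(count_args '--out=exported*profile.cfg')
        echo "$before $unescaped $escaped $quoted"
    )
    rm -rf "$dir"
}

glob_demo   # prints: 1 2 1 1
```

The unescaped form only misbehaves when a matching file name exists, which is why such failures can appear on one host and not on another.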
