4.9. Viewing and modifying user and group configuration in the IdM CLI

Prerequisites

• You have the IdM admin credentials.

Procedure

• The ipa config-show command displays the most common attribute settings. Use the --all option for a complete list:

  [bjensen@server ~]$ ipa config-show --all
  dn: cn=ipaConfig,cn=etc,dc=example,dc=com
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: example.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=EXAMPLE.COM
  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
  Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  cn: ipaConfig
  objectclass: nsContainer, top, ipaGuiConfig, ipaConfigObject

• Use the ipa config-mod command to modify an attribute. For example, to change the default shell for future IdM users from /bin/sh to /bin/bash, enter:

  [bjensen@server ~]$ ipa config-mod --defaultshell "/bin/bash"

  For more ipa config-mod options, see the Default user parameters table.

  The new configuration will be applied to future IdM user and group accounts. The current accounts remain unchanged.