4.7. Default user and group attributes in IdM
Identity Management (IdM) uses a template when it creates new entries.
The template for users is more specific than the template for groups. IdM uses default values for several core attributes for IdM user accounts. These defaults can define actual values for user account attributes, such as the home directory location, or they can define the formats of attribute values, such as the user name length. The template also defines the object classes assigned to users.
For groups, the template only defines the assigned object classes.
In the IdM LDAP directory, these default definitions are all contained in a single configuration entry for the IdM server, cn=ipaconfig,cn=etc,dc=example,dc=com.
You can modify the configuration of default user parameters in IdM by using the ipa config-mod command. The table below summarizes some of the key parameters, the command-line options that you can use with ipa config-mod to modify them, and the parameter descriptions.
| Web UI field | Command-line option | Description |
|---|---|---|
| Maximum user name length | | Sets the maximum number of characters for user names. Default: 32. |
| Root for home directories | | Sets the default directory for user home directories. Default: |
| Default shell | | Sets the default shell for users. Default: |
| Default user group | | Sets the default group for newly created accounts. Default: |
| Default e-mail domain | | Sets the email domain for creating addresses based on user accounts. Default: server domain. |
| Search time limit | | Sets the maximum time in seconds for a search before returning results. |
| Search size limit | | Sets the maximum number of records to return in a search. |
| User search fields | | Defines searchable fields in user entries, impacting server performance if too many attributes are set. |
| Group search fields | | Defines searchable fields in group entries. |
| Certificate subject base | | Sets the base DN for creating subject DNs for client certificates during setup. |
| Default user object classes | | Defines object classes for creating user accounts. Must provide a complete list as it overwrites the existing one. |
| Default group object classes | | Defines object classes for creating group accounts. Must provide a complete list. |
| Password expiration notification | | Defines the number of days before a password expires for sending a notification. |
| Password plug-in features | | Sets the format of allowable passwords for users. |
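
Because the object class settings overwrite the existing list, a change should start from the values currently stored in the configuration entry. The following script is an added example, not part of the IdM documentation. It reads the entry as `attribute: value` lines and prints an `ipa config-mod` command that keeps every current class and appends one new class. The sample entry, the function names, and the class `exampleAuxClass` are constructed for illustration. `ipaUserObjectClasses` and `--userobjectclasses` are the attribute and option for the default user object classes.

```shell
#!/bin/sh
# Constructed sample of the cn=ipaconfig entry (not taken from a real server).
sample_ipaconfig() {
cat <<'EOF'
dn: cn=ipaconfig,cn=etc,dc=example,dc=com
ipaMaxUsernameLength: 32
ipaUserObjectClasses: top
ipaUserObjectClasses: person
ipaUserObjectClasses: posixaccount
ipaUserObjectClasses: ipaobject
ipaGroupObjectClasses: top
ipaGroupObjectClasses: posixgroup
EOF
}

# merged_classes ATTR NEW: read the entry on stdin and print every current
# value of ATTR followed by NEW, one per line, without duplicates
# (case-insensitive). Fails if ATTR has no current values.
merged_classes() {
    awk -v attr="$1" -v new="$2" '
        BEGIN { attr = tolower(attr) }
        {
            sep = index($0, ":")
            if (sep == 0) next
            key = substr($0, 1, sep - 1); val = substr($0, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) != attr || val == "" || (tolower(val) in seen)) next
            seen[tolower(val)] = 1; count++; print val
        }
        END {
            if (count == 0) exit 1
            if (!(tolower(new) in seen)) print new
        }'
}

# config_mod_command OPTION ATTR NEW: print (do not run) the ipa config-mod
# command, repeating OPTION once per class so the list is complete.
config_mod_command() {
    classes=$(merged_classes "$2" "$3") || {
        echo "no current values for $2; refusing to build a partial list" >&2
        return 1
    }
    cmd="ipa config-mod"
    for c in $classes; do cmd="$cmd $1=$c"; done
    printf '%s\n' "$cmd"
}

# Demo on the constructed sample; review the printed command before running it.
sample_ipaconfig | config_mod_command --userobjectclasses ipaUserObjectClasses exampleAuxClass
```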