User Management
User Management
Section titled “User Management”FreeIPA centralizes user and permission management. Users created on the server are immediately available on all joined clients.
Creating Users
Section titled “Creating Users”Standard User
Section titled “Standard User”ipa user-add testuser \ --first=Test \ --last=User \ --passwordThe --password flag prompts interactively. To set a password non-interactively, use --password='value' instead.
Full User Record
Section titled “Full User Record”ipa user-add devops01 \ --first=Devops \ --last=Admin \ --phone=+1-555-123-4567 \ --uid=2001 \ --gidnumber=2001 \ --login-shell=/bin/bash \ --homedir=/home/devops01 \ --passwordService Account (No Login)
Section titled “Service Account (No Login)”For daemon accounts like Slurm, Prometheus, or application services:
ipa user-add slurm \ --first=Slurm \ --last=Service \ --uid=202 \ --gidnumber=202 \ --noprivate \ --shell=/sbin/nologin \ --homedir=/var/lib/slurm| Flag | Purpose |
|---|---|
--noprivate | No private user group |
--shell=/sbin/nologin | Block interactive login |
--homedir | Place in service directory instead of /home |
Creating Groups
Section titled “Creating Groups”# Create a groupipa group-add engineers \ --gid=3000 \ --desc="Engineering team"
# Add membersipa group-add-member engineers --users=testuser,devops01Querying Users and Groups
Section titled “Querying Users and Groups”# Single user, full detailsipa user-find testuser --all
# All usersipa user-find
# Group membershipipa group-show engineersPassword Management
Section titled “Password Management”# Admin resets a user's passwordipa passwd testuser
# User changes their own passwordpasswdPassword Expiration Policy
Section titled “Password Expiration Policy”# View default policyipa pwpolicy-find
# Set expiration to 90 daysipa user-mod testuser --password-expiration=$(date -d '+90 days' +%Y%m%d%H%M%SZ)SSH Public Key Authentication
Section titled “SSH Public Key Authentication”Store SSH public keys in FreeIPA for passwordless login across all clients:
ipa user-mod testuser --sshpubkey="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... testuser@host"Verify on any client:
ssh testuser@client-1# No password requiredCombined with Kerberos, this gives you true passwordless authentication across your infrastructure.
Sudo Rules
Section titled “Sudo Rules”Grant sudo access through FreeIPA instead of editing /etc/sudoers on individual machines:
# Create a sudo ruleipa sudorule-add allow-all
# Allow all commands on all hostsipa sudorule-mod allow-all --cmdcat=allipa sudorule-mod allow-all --hostcat=all
# Add a user to the ruleipa sudorule-add-user allow-all --users=devops01Granular Command Access
Section titled “Granular Command Access”# Define specific allowed commandsipa sudocmd-add /usr/bin/systemctlipa sudocmd-add /usr/bin/journalctl
# Add them to a ruleipa sudorule-add-allow-command operator-access --sudocmds=/usr/bin/systemctlipa sudorule-add-allow-command operator-access --sudocmds=/usr/bin/journalctl
# Assign usersipa sudorule-add-user operator-access --users=testuser
# Verifyipa sudorule-show operator-accessDeleting Users
Section titled “Deleting Users”ipa user-del testuserNext Steps
Section titled “Next Steps”- Troubleshoot issues like login timeouts or missing users
- Quick command reference for day-to-day operations
Adapted from Dawn’s Blog : FreeIPA Complete Deployment Guide.