Web UI & Command Line
Modern web interface and powerful CLI for comprehensive identity management
Overview
FreeIPA provides multiple interfaces for managing your identity infrastructure: a modern web-based UI for interactive management, a comprehensive command-line interface for automation, and a REST API for programmatic access.
Web User Interface
Modern Dashboard
The FreeIPA web UI provides an intuitive, single-page application for managing all aspects of your identity infrastructure:
- Responsive Design: Works on desktop, tablet, and mobile devices
- Real-Time Updates: Changes reflected immediately
- Integrated Help: Context-sensitive documentation
- Keyboard Shortcuts: Power user efficiency
- Multi-Tab Support: Manage multiple entities simultaneously
Key Features
User Management
- Create, modify, and delete user accounts
- Reset passwords and unlock accounts
- Manage user groups and group membership
- Add SSH public keys and certificates
- Configure OTP tokens for two-factor authentication
- Set user-specific policies
Host and Service Management
- Enroll new hosts
- Manage host groups
- Create service principals
- Request and track certificates
- Configure host-based access control
Policy Administration
- Create and manage HBAC rules
- Configure sudo rules
- Set password policies
- Manage SELinux user mappings
- Define Kerberos policies
DNS Management
- Add and modify DNS zones
- Manage DNS records (A, AAAA, SRV, TXT, etc.)
- Enable DNSSEC
- Configure forwarders
- Create DNS views
Accessing the Web UI
```text
# Access via browser
https://ipa.example.com

# Login with Kerberos (SSO): a browser that already holds a ticket for the
# domain is logged in automatically

# Login with username/password: enter credentials on the login page
```
Self-Service Portal
Users can manage their own information:
- Change password
- Add SSH public keys
- Update contact information
- Manage OTP tokens
- View group memberships
- Access service tickets
Customization
Brand the web UI for your organization:
```bash
# Custom logo and colors: the web UI's static assets (images, CSS) ship under
# /usr/share/ipa/ui/
# Add custom CSS in /usr/share/ipa/ui/css/custom.css
```
Command-Line Interface (CLI)
IPA Command Structure
The IPA CLI follows a consistent pattern:
```text
ipa <object>-<action> [object-identifier] [options]
```
Examples:
```bash
# Create user
ipa user-add jsmith --first=John --last=Smith

# Find hosts
ipa host-find --hostname=web

# Modify group
ipa group-mod developers --desc="Development Team"

# Delete service
ipa service-del HTTP/old.example.com
```
Common Objects and Actions
User Management
```bash
# Add user
ipa user-add jsmith --first=John --last=Smith \
    --email=jsmith@example.com --shell=/bin/bash

# Modify user
ipa user-mod jsmith --title="Senior Developer"

# Disable user
ipa user-disable jsmith

# Enable user
ipa user-enable jsmith

# Delete user (preserve mode keeps the entry for later undelete)
ipa user-del jsmith --preserve

# Find users (quote the pattern so the shell does not expand the '*')
ipa user-find --mail='*@example.com'

# Show user details
ipa user-show jsmith --all
```
Group Management
```bash
# Create group
ipa group-add developers --desc="Development Team"

# Add members
ipa group-add-member developers \
    --users=jsmith,ajones --groups=interns

# Remove members
ipa group-remove-member developers --users=ajones

# Show group
ipa group-show developers
```
Host Management
```bash
# Add host
ipa host-add server01.example.com \
    --ip-address=192.168.1.101

# Create host group
ipa hostgroup-add web_servers \
    --desc="Web server hosts"

# Add hosts to group
ipa hostgroup-add-member web_servers \
    --hosts=web01.example.com,web02.example.com

# Show host
ipa host-show server01.example.com --all
```
Service Management
```bash
# Add service
ipa service-add HTTP/webapp.example.com

# Attach an existing certificate to the service (issuing a new one from the
# IPA CA is done with `ipa cert-request` instead)
ipa service-add-cert HTTP/webapp.example.com \
    --certificate="$(cat webapp.crt)"

# Show service
ipa service-show HTTP/webapp.example.com
```
Batch Operations
CSV Import
Create users from CSV file:
```bash
# users.csv format (first line is a header):
# username,firstname,lastname,email
# jsmith,John,Smith,jsmith@example.com

# Import script: skip the header line, and give ipa /dev/null as stdin so it
# can neither consume the rest of the CSV nor block on an interactive prompt
tail -n +2 users.csv | while IFS=, read -r user first last email; do
    ipa user-add "$user" \
        --first="$first" \
        --last="$last" \
        --email="$email" \
        --shell=/bin/bash < /dev/null
done
```
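The shell loop above trusts every field in the CSV. The following added example (not FreeIPA project code) does the same import from Python, but validates each row first, rejects duplicate logins within the file, and hands `ipa user-add` an argument list rather than a shell string, so a malformed or hostile cell can never be parsed as shell syntax. It assumes the four-column layout shown above with a header row; `SAMPLE_CSV` is constructed, and `UID_RE` is assumed to mirror the login-name pattern FreeIPA's user plugin enforces (check the pattern your version reports).

```python
"""Validate a users.csv file and build `ipa user-add` argument vectors."""
import csv
import io
import re
import subprocess

# Assumed to mirror the login-name pattern FreeIPA's user plugin enforces;
# verify against the error `ipa user-add` prints for a bad name on your version.
UID_RE = re.compile(r"^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample input: two good rows, a duplicate login and a broken row.
SAMPLE_CSV = """username,firstname,lastname,email
jsmith,John,Smith,jsmith@example.com
ajones,Alice,Jones,ajones@example.com
jsmith,Jon,Smith,jon.smith@example.com
bad user,Bad,,not-an-email
"""


def validate_row(row, seen):
    """Return the list of problems with one row (empty means the row is usable)."""
    problems = []
    uid = row.get("username", "")
    if not UID_RE.match(uid):
        problems.append(f"invalid username {uid!r}")
    elif uid.lower() in seen:
        problems.append(f"duplicate username {uid!r}")
    if not row.get("firstname") or not row.get("lastname"):
        problems.append("first and last name are required")
    if not EMAIL_RE.match(row.get("email") or ""):
        problems.append(f"invalid email {row.get('email')!r}")
    return problems


def build_user_add_argv(row, shell="/bin/bash"):
    """Argument vector for one user. It is passed to subprocess as a list and
    never joined into a shell command line, so CSV content is data only."""
    return [
        "ipa", "user-add", row["username"],
        f"--first={row['firstname']}",
        f"--last={row['lastname']}",
        f"--email={row['email']}",
        f"--shell={shell}",
    ]


def plan_import(csv_text):
    """Parse the CSV and split it into runnable commands and rejected rows."""
    commands, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        problems = validate_row(row, seen)
        if problems:
            rejected.append((row.get("username"), problems))
            continue
        seen.add(row["username"].lower())
        commands.append(build_user_add_argv(row))
    return commands, rejected


def run_import(csv_text, dry_run=True):
    """Execute the plan; with dry_run=True only report what would run."""
    commands, rejected = plan_import(csv_text)
    failures = []
    for argv in commands:
        if dry_run:
            print("would run:", " ".join(argv))
            continue
        # stdin from /dev/null so `ipa` never blocks on an interactive prompt
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                              capture_output=True, text=True)
        if proc.returncode != 0:  # e.g. the user already exists
            failures.append((argv[2], proc.stderr.strip()))
    return {"planned": len(commands), "rejected": rejected, "failed": failures}


if __name__ == "__main__":
    print(run_import(SAMPLE_CSV, dry_run=True))
```

Run it with `dry_run=False` on an enrolled client holding an admin ticket; rejected rows are reported before any command runs, so a bad file is caught without half-creating the batch.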
Bulk Operations
```bash
# Disable multiple users
for user in user1 user2 user3; do
    ipa user-disable "$user"
done

# Add several users to a group in one call (comma-separated list)
ipa group-add-member developers \
    --users=user1,user2,user3,user4
```
Output Formatting
JSON Output
```bash
# The ipa CLI has no JSON output option; --raw prints attribute names as
# stored in LDAP instead of display labels, which is easier to parse
ipa user-show jsmith --all --raw

# Machine-readable JSON comes from the JSON-RPC endpoint (see REST API below);
# parse it with jq
curl -s --cacert /etc/ipa/ca.crt \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    -H "referer: https://ipa.example.com/ipa" \
    --negotiate -u : \
    -d '{"method":"user_find","params":[[""],{"all":true}],"id":0}' \
    https://ipa.example.com/ipa/json | \
    jq '.result.result[] | {uid: .uid[0], mail: .mail[0]}'
```
Formatted Tables
```bash
# Show in table format (default)
ipa user-find

# Show specific fields
ipa user-find --all | \
    awk '/User login:/ {print $3}'
```
Automation and Scripting
Using in Scripts
```bash
#!/bin/bash
# Example: Create user with SSH key
set -euo pipefail

if [ $# -ne 2 ]; then
    echo "usage: $0 USERNAME 'ssh-ed25519 AAAA... comment'" >&2
    exit 2
fi
USERNAME="$1"
PUBKEY="$2"

# Create user
ipa user-add "$USERNAME" \
    --first="$USERNAME" \
    --last="User" \
    --shell=/bin/bash

# Add SSH key (--sshpubkey is a user-mod option; repeat it for several keys)
ipa user-mod "$USERNAME" --sshpubkey="$PUBKEY"

# Add to default group
ipa group-add-member users --users="$USERNAME"
```
Error Handling
```bash
# Check command success (ipa exits non-zero when the entry does not exist)
if ipa user-show "$USERNAME" &>/dev/null; then
    echo "User exists"
else
    echo "User not found"
fi

# Capture error codes: inside the block, $? still holds ipa's exit status
# (--first/--last given so a missing value cannot trigger an interactive prompt)
ipa user-add duplicate-user --first=Dup --last=User || {
    echo "Failed to create user: $?"
    exit 1
}
```
Python SDK
Using the API
```python
from ipalib import api
from ipalib.errors import DuplicateEntry

# Initialize API (the RPC client authenticates with the caller's Kerberos
# ticket, so run kinit first)
api.bootstrap(context='cli')
api.finalize()
api.Backend.rpcclient.connect()

# Create user
try:
    api.Command.user_add(
        'jsmith',
        givenname='John',
        sn='Smith',
        mail='jsmith@example.com'
    )
    print("User created successfully")
except DuplicateEntry:
    print("User already exists")

# Find users (attribute values come back as lists)
result = api.Command.user_find(
    mail='*@example.com'
)
for user in result['result']:
    print(f"Found user: {user['uid'][0]}")

# Disconnect
api.Backend.rpcclient.disconnect()
```
Advanced Automation
```python
#!/usr/bin/env python3
from ipalib import api
from ipalib.errors import PublicError


def create_user_with_groups(username, firstname, lastname, groups):
    """Create user and add to specified groups"""
    # bootstrap()/finalize() may run only once per process
    if not api.isdone('bootstrap'):
        api.bootstrap(context='cli')
        api.finalize()
    api.Backend.rpcclient.connect()
    try:
        # Create user
        api.Command.user_add(
            username,
            givenname=firstname,
            sn=lastname,
            mail=f"{username}@example.com"
        )
        # Add to groups
        for group in groups:
            api.Command.group_add_member(
                group,
                user=[username]
            )
        print(f"User {username} created and added to groups: {', '.join(groups)}")
    except PublicError as e:
        # errors reported by the server: DuplicateEntry, NotFound, ACIError, ...
        print(f"Error: {e}")
    finally:
        api.Backend.rpcclient.disconnect()


# Usage
create_user_with_groups('jsmith', 'John', 'Smith', ['developers', 'users'])
```
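The function above fails on its second run, because `user_add` raises `DuplicateEntry` for an existing user, and a repeated `group_add_member` reports "already a member" under `result['failed']` rather than raising. The following added example (not FreeIPA project code) makes the same provisioning idempotent: it reads the current entry with `user_show`, creates the user only when `NotFound` is raised, and joins only the groups missing from `memberof_group`, inspecting the `failed` structure that `group_add_member` returns. `InMemoryDirectory` is a constructed test double that mimics the result shapes of those three commands so the logic runs without a server; `ipalib_dispatcher` is the production wiring and is the only part that touches `ipalib`.

```python
"""Idempotent user provisioning on top of api.Command."""
try:
    from ipalib.errors import NotFound
except ImportError:  # off-box without ipalib: stand-in with the same keyword signature
    class NotFound(Exception):
        def __init__(self, **kw):
            super().__init__(kw.get("reason", "not found"))


def groups_to_join(user_entry, wanted):
    """Groups in `wanted` that the user is not yet a direct member of."""
    current = set(user_entry.get("memberof_group", []))
    return [g for g in wanted if g not in current]


def ensure_user(cmd, uid, givenname, sn, mail, groups):
    """cmd(name, *args, **opts) dispatches to api.Command[name](*args, **opts).
    Returns the list of changes made; an empty list means nothing was needed."""
    changes = []
    try:
        entry = cmd("user_show", uid)["result"]
    except NotFound:
        entry = cmd("user_add", uid, givenname=givenname, sn=sn, mail=mail)["result"]
        changes.append(f"added user {uid}")
    for group in groups_to_join(entry, groups):
        result = cmd("group_add_member", group, user=[uid])
        # group_add_member reports per-member problems under result['failed']
        # instead of raising, so the return value has to be inspected
        failed = result.get("failed", {}).get("member", {}).get("user", [])
        if failed:
            raise RuntimeError(f"could not add {uid} to {group}: {failed}")
        changes.append(f"added {uid} to {group}")
    return changes


def ipalib_dispatcher():
    """Production dispatcher; needs a Kerberos ticket like the snippets above."""
    from ipalib import api
    if not api.isdone("bootstrap"):
        api.bootstrap(context="cli")
        api.finalize()
    if not api.Backend.rpcclient.isconnected():
        api.Backend.rpcclient.connect()
    return lambda name, *args, **opts: api.Command[name](*args, **opts)


class InMemoryDirectory:
    """Constructed test double holding users and group membership in memory."""

    def __init__(self, groups=("developers", "ipausers")):
        self.users = {}
        self.groups = {g: set() for g in groups}

    def __call__(self, name, *args, **opts):
        return getattr(self, name)(*args, **opts)

    def user_show(self, uid, **opts):
        if uid not in self.users:
            raise NotFound(reason=f"{uid}: user not found")
        member_of = sorted(g for g, members in self.groups.items() if uid in members)
        return {"result": {"uid": [uid], **self.users[uid],
                           "memberof_group": member_of}}

    def user_add(self, uid, **attrs):
        self.users[uid] = {k: [v] for k, v in attrs.items()}
        return self.user_show(uid)

    def group_add_member(self, group, user=(), **opts):
        failed = [(u, "no such user") for u in user if u not in self.users]
        for u in user:
            if u in self.users:
                self.groups.setdefault(group, set()).add(u)
        return {"completed": len(user) - len(failed),
                "failed": {"member": {"user": failed, "group": []}}}


if __name__ == "__main__":
    directory = InMemoryDirectory()
    for _ in range(2):  # second pass is a no-op
        print(ensure_user(directory, "jsmith", "John", "Smith",
                          "jsmith@example.com", ["developers"]))
```

Against a live server, call `ensure_user(ipalib_dispatcher(), ...)`; because every run converges on the desired state, the same script can be scheduled from CI without special-casing the first run.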
REST API
JSON-RPC Interface
FreeIPA exposes a JSON-RPC API:
```bash
# Example API call; the referer header is mandatory (the server's CSRF check
# rejects requests without it). Verify the server certificate against the IPA
# CA that ipa-client-install installs rather than disabling verification with -k
curl --cacert /etc/ipa/ca.crt \
    -H "Content-Type: application/json" \
    -H "referer: https://ipa.example.com/ipa" \
    -H "Accept: application/json" \
    -X POST \
    --negotiate -u : \
    -d '{"method":"user_find","params":[[""],{"all":true}],"id":0}' \
    https://ipa.example.com/ipa/json
```
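The curl call above shows the request shape; the following added example (not FreeIPA project code) builds the same JSON-RPC body and headers from Python and parses the reply, including the `error` object the server returns in place of `result`. The `summarize_users` projection is the Python equivalent of the jq filter in the JSON Output section. It assumes the endpoint `https://ipa.example.com/ipa` used on this page and the CA bundle at `/etc/ipa/ca.crt`; `SAMPLE_RESPONSE` and `SAMPLE_ERROR` are constructed, not captured from a server, and `call_session` assumes an `ipa_session` cookie obtained from a prior login.

```python
"""Build FreeIPA JSON-RPC requests and parse the responses."""
import json
import ssl
import urllib.request

IPA_BASE = "https://ipa.example.com/ipa"   # from the page; adjust for your realm
CA_BUNDLE = "/etc/ipa/ca.crt"              # written by ipa-client-install


class IPAError(Exception):
    """Raised when the server returns a JSON-RPC error object."""
    def __init__(self, code, name, message):
        super().__init__(f"{name} ({code}): {message}")
        self.code, self.name = code, name


def build_request(method, args=(), options=None, req_id=0):
    """FreeIPA expects params as a two-element list: positional args, then options."""
    return {"method": method,
            "params": [list(args), dict(options or {})],
            "id": req_id}


def build_headers():
    # The server rejects calls whose Referer is not under the IPA base URL
    # (its CSRF check), so the header is mandatory, not cosmetic.
    return {"Content-Type": "application/json",
            "Accept": "application/json",
            "Referer": IPA_BASE}


def parse_response(body):
    """Return the list of entries from a *_find reply, or raise IPAError."""
    resp = json.loads(body) if isinstance(body, (str, bytes)) else body
    if resp.get("error"):
        err = resp["error"]
        raise IPAError(err.get("code"), err.get("name"), err.get("message"))
    return resp["result"]["result"]


def summarize_users(entries):
    """Same projection as the jq filter: uid and the first mail value (or None)."""
    return [{"uid": e["uid"][0], "mail": (e.get("mail") or [None])[0]}
            for e in entries]


def call_session(method, args=(), options=None, session_cookie=""):
    """POST to the session endpoint with an ipa_session cookie, verifying the
    server certificate against the IPA CA instead of curl's -k."""
    req = urllib.request.Request(
        IPA_BASE + "/session/json",
        data=json.dumps(build_request(method, args, options)).encode(),
        headers={**build_headers(), "Cookie": f"ipa_session={session_cookie}"},
        method="POST")
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_response(resp.read())


# Constructed reply in the shape user_find returns: entries sit under result.result
SAMPLE_RESPONSE = json.dumps({
    "result": {"result": [
        {"uid": ["jsmith"], "mail": ["jsmith@example.com"], "givenname": ["John"]},
        {"uid": ["ajones"], "givenname": ["Alice"]},
    ], "count": 2, "truncated": False, "summary": "2 users matched"},
    "error": None, "id": 0, "principal": "admin@EXAMPLE.COM", "version": "4.x",
})

# Constructed error reply: `error` is populated and `result` is null
SAMPLE_ERROR = json.dumps({
    "result": None,
    "error": {"code": 4001, "name": "NotFound", "message": "jdoe: user not found"},
    "id": 0, "principal": "admin@EXAMPLE.COM", "version": "4.x",
})


if __name__ == "__main__":
    print(summarize_users(parse_response(SAMPLE_RESPONSE)))
```

Note that a reply with HTTP status 200 can still carry an error: the server signals failures in the JSON body, which is why `parse_response` checks `error` before touching `result`.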
Authentication
- Kerberos: GSS-Negotiate authentication
- Session Cookie: Web UI session
- Password: Basic authentication
API Explorer
Access API documentation:
https://ipa.example.com/ipa/ui/apibrowser.html
Administrative Tools
ipa-server-install
Initial FreeIPA server setup:
```bash
# Passwords left off the command line are prompted for interactively, which
# keeps them out of shell history and process listings
ipa-server-install \
    --realm=EXAMPLE.COM \
    --domain=example.com \
    --ds-password=directory_manager_password \
    --admin-password=admin_password \
    --setup-dns \
    --forwarder=8.8.8.8 \
    --no-reverse
```
ipa-replica-install
Create FreeIPA replicas:
```bash
ipa-replica-install \
    --principal=admin \
    --admin-password=admin_password \
    --setup-dns \
    --forwarder=8.8.8.8
```
ipa-client-install
Enroll clients:
```bash
ipa-client-install \
    --domain=example.com \
    --realm=EXAMPLE.COM \
    --principal=admin \
    --password=admin_password \
    --mkhomedir
```
Backup and Restore
```bash
# Full backup (--online backs up the directory data without stopping services)
ipa-backup --data --logs --online

# Restore from backup (stops IPA services and prompts for the Directory
# Manager password)
ipa-restore /var/lib/ipa/backup/ipa-full-YYYY-MM-DD-HH-MM-SS
```
Mobile Access
Mobile-Friendly Web UI
The web interface adapts to mobile devices:
- Responsive layout
- Touch-friendly controls
- Simplified navigation
- Essential operations accessible
VPN Integration
Access web UI securely from remote locations:
- VPN with FreeIPA authentication
- Two-factor authentication required
- Geofencing policies
- Access logging
Use Cases
Interactive Administration
System administrators use the web UI for:
- Daily user management tasks
- Troubleshooting access issues
- Reviewing policies and rules
- Certificate management
- DNS administration
Automation and DevOps
DevOps teams use the CLI and API for:
- Automated user provisioning
- CI/CD integration
- Infrastructure as code
- Configuration management
- Monitoring integration
Self-Service
End users access the web UI for:
- Password changes
- SSH key management
- OTP token setup
- Profile updates
- Certificate requests
Best Practices
- Use CLI for Automation: Script repetitive tasks
- Web UI for Exploration: Learn the system interactively
- API for Integration: Connect FreeIPA to other systems
- RBAC: Grant minimal necessary permissions
- Audit Logs: Review administrative actions regularly
- SSL/TLS: Always use HTTPS for web UI access
- Strong Authentication: Require Kerberos or OTP for admins
- Session Timeouts: Configure appropriate timeouts
Keyboard Shortcuts
Web UI power user shortcuts:
- Ctrl+Alt+A: Focus search field
- Ctrl+Alt+N: Create new entity
- Ctrl+S: Save changes
- Esc: Cancel operation
- Tab: Navigate between fields
Accessibility
The web UI supports:
- Screen readers
- Keyboard navigation
- High contrast modes
- Configurable font sizes
- ARIA labels
Getting Started
First Login
```text
# Access web UI
# Navigate to: https://ipa.example.com

# Login as admin
Username: admin
Password: [admin password set during install]
```
Basic CLI Commands
```bash
# Show current user
ipa user-show admin

# List all users
ipa user-find

# Get help
ipa help user

# Show command options
ipa user-add --help
```
Explore the API
```python
# Interactive Python session
from ipalib import api
api.bootstrap(context='cli')
api.finalize()
api.Backend.rpcclient.connect()

# List available commands (api.Command is a namespace that iterates over names)
list(api.Command)

# Get help on a command
help(api.Command.user_add)
```