CLI Reference Documentation

Complete command-line interface reference for FreeIPA. Browse commands by topic, category, or search for specific functionality.

415+ commands
55 topics
user-management 21 commands

User Management

Manage user accounts including creation, modification, deletion, and lifecycle operations. IPA users are POSIX-compliant and support Kerberos authentication, certificate mapping, passkey authentication, SSH public keys, and organizational attributes. Features include account enable/disable, password reset, principal aliases, manager relationships, and account lockout management across replicated servers.

user-management 10 commands

Group Management

Manage user groups including POSIX and non-POSIX groups with support for nested membership. Groups can contain users, other groups, and Kerberos services. Features include external group membership for Active Directory trust integration, group membership managers for delegated administration, automatic GID assignment, and flexible membership management for organizing users and services.

dns 31 commands

DNS Management

Manage DNS zones and resource records with integrated DNSSEC support. Features include primary (master) and forward zones, comprehensive record type support (A, AAAA, MX, SRV, PTR, TXT, etc.), dynamic updates authenticated with Kerberos (GSS-TSIG), zone transfer access control lists, per-zone permissions for delegation, and interactive record management. Supports both IPv4 and IPv6, reverse zones, and DNS-based service discovery for IPA infrastructure.

directory 20 commands

Host Management

Manage host entries for enrolled machines and servers. Hosts store service principals, participate in host-based access control rules, and can be organized into host groups. Features include enrollment with one-time passwords, SSH public key management, certificate management, DNS integration, location attributes, and support for enrollment either by a full administrator or by a delegated account that holds only host enrollment privileges.

directory 9 commands

Host Group Management

Manage groups of hosts for policy application and delegated administration. Host groups enable centralized configuration of access control rules, sudo policies, and SELinux mappings. Supports nested host group membership, external members, and membership managers for fine-grained control over host organization and policy assignment.

directory 21 commands

Service Management

Manage Kerberos service principals for network services requiring authentication. Service entries store service credentials, support certificate-based authentication, and enable delegation scenarios. Features include service principal management, certificate operations, host and user delegation, and support for constrained delegation (S4U2Proxy) for application integration and single sign-on.

certificates 6 commands

Certificate Management

Manage X.509 certificates including issuance, renewal, revocation, and retrieval. Integrates with Dogtag Certificate Authority for certificate lifecycle management. Features include certificate requests with various profiles, certificate holds and releases, revocation with reason codes, certificate retrieval by serial number, and support for service and host certificates with automatic renewal via certmonger.

policy 21 commands

Sudo Rule Management

Manage sudo rules for privilege escalation control. Sudo rules define which users can execute which commands as other users on specified hosts. Features include RunAs user and group specifications, command and command group targeting, host and host group filtering, sudo options (NOPASSWD, etc.), order-based priority, and integration with SSSD for centralized sudo policy enforcement.

policy 13 commands

HBAC Rule Management

Manage host-based access control rules to restrict which users can access specific hosts and services. HBAC rules enforce fine-grained access policies based on user groups, host groups, and service groups; rules are allow-only, so access is granted when at least one enabled rule matches the user, target host, and service. Features include rule categories (all users/hosts/services or specific members), service targeting, external host support, source host members (deprecated and no longer evaluated by current clients), and testing capabilities to verify access decisions before deployment.

Password Management

Set and reset user passwords subject to the applicable password policy. Administrative resets mark the new password as expired so the user must change it at first use; self-service changes require the current password and, for accounts protected by an OTP token, the current one-time code as well.

directory 12 commands

Automember Rules

Manage automatic group membership assignment based on user and host attributes. Automember rules automatically add users to groups or hosts to host groups when they match defined criteria. Features include inclusive and exclusive rules, default groups, regular expression matching, and support for both user groups and host groups to streamline provisioning and reduce manual group management.

directory 16 commands

Automount Maps

Manage automount maps and keys for automatic filesystem mounting in NFS environments. Automount configuration enables centralized management of mount points, indirect and direct maps, and supports standard automounter syntax. Features include map and key lifecycle management, location-based map organization, and import/export capabilities for migration and backup.

certificates 7 commands

Certificate Authority

Manage certificate authorities within the integrated PKI subsystem. Supports lightweight sub-CAs for certificate isolation and policy enforcement. Features include CA creation and management, CA certificate retrieval, enabling and disabling CAs, and integration with certificate profiles and ACLs for fine-grained control over certificate issuance across organizational boundaries.

certificates 17 commands

CA ACL Rules

Manage certificate authority access control lists to restrict which certificate profiles can be used by which users, hosts, or services. CA ACLs enforce policy by controlling profile usage, target principals, and issuing CAs. Features include rule-based access control, profile and CA filtering, user and host category support, and enable/disable capabilities for flexible certificate issuance governance.

certificates 10 commands

Certificate Mapping

Manage certificate mapping rules for user authentication via certificates. Certificate mapping enables users to authenticate using X.509 certificates by defining how certificate attributes map to IPA user accounts. Features include mapping rules with priority, certificate matching data, domains for cross-realm support, and enable/disable controls for flexible certificate-based authentication policies.

certificates 5 commands

Certificate Profiles

Manage certificate profiles that define certificate properties, extensions, and constraints. Profiles control certificate content including validity period, key usage, extended key usage, subject alternative names, and other X.509 extensions. Features include profile import/export, modification of profile configuration, and integration with CA ACLs for controlling certificate issuance based on organizational requirements.

interface 2 commands

IPA Configuration

Manage global IPA server configuration settings affecting server behavior and policy defaults. Configuration includes search limits, default user and group settings, email domain, certificate subject base, username format, home directory templates, default shells, and migration mode controls. Features include comprehensive configuration display and modification for customizing IPA deployment behavior and organizational standards.

policy 5 commands

Delegation Rules

Manage delegation rules for allowing users to modify specific attributes of other users. Delegation rules provide granular control over attribute-level access without requiring full administrative privileges. Features include attribute specification, member user and group management, and support for self-service delegation enabling users to manage their own attributes or those of their direct reports.

infrastructure 2 commands

Domain Level

Manage IPA domain functional level for enabling version-specific features. Domain level controls feature availability across replicated servers, requiring all servers to meet minimum version requirements before level advancement. Features include level display, level raising for feature enablement, and enforcement of version compatibility for coordinated infrastructure upgrades.

policy 5 commands

HBAC Services

Manage HBAC service definitions for use in host-based access control rules. Services represent specific system services (SSH, su, sudo, etc.) that can be controlled via HBAC policies. Features include service creation with descriptions, service grouping for policy management, and integration with HBAC rules for granular service-level access control.

policy 7 commands

HBAC Service Groups

Manage groups of HBAC services for simplified policy management. Service groups enable collective assignment of multiple services to HBAC rules, reducing administrative overhead. Features include service addition and removal and centralized management of related service access policies. Service groups contain services only; they cannot be nested inside one another.

advanced 1 command

HBAC Rule Testing

Test host-based access control rules to verify access decisions before deployment. HBAC test simulates authentication attempts and evaluates whether access would be granted based on current HBAC rules. Features include testing specific user, source host, target host, and service combinations with detailed output showing matched rules, unmatched rules, and access decisions.
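The decision hbactest reports follows directly from the rule model above: a user, a target host, and a service are checked against every enabled rule, and access is granted if any rule matches. The block below is an added example, not FreeIPA code: an offline model of that evaluation over a constructed directory snapshot (users, nested groups, hosts, host groups and service groups are all sample data). It also shows why the built-in allow_all rule, which a fresh installation ships enabled, is disabled here as hardened deployments do.

```python
# Added example (not FreeIPA code): offline model of the decision `ipa hbactest`
# reports. All directory data below is constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    usercategory: Optional[str] = None      # "all" or None (explicit members only)
    hostcategory: Optional[str] = None
    servicecategory: Optional[str] = None
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    hostgroups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    servicegroups: Set[str] = field(default_factory=set)


# Constructed snapshot: direct memberships plus nesting (child group -> parent groups).
# Nesting matters: a rule naming "engineering" must also cover members of
# "developers", which is nested inside it. HBAC service groups do not nest.
USER_GROUPS: Dict[str, Set[str]] = {"alice": {"developers"}, "bob": {"contractors"}, "carol": {"admins"}}
GROUP_PARENTS: Dict[str, Set[str]] = {"developers": {"engineering"}}
HOST_GROUPS: Dict[str, Set[str]] = {"web1.example.test": {"webservers"}, "db1.example.test": {"dbservers"}}
HOSTGROUP_PARENTS: Dict[str, Set[str]] = {"webservers": {"production"}}
SERVICE_GROUPS: Dict[str, Set[str]] = {"sshd": {"remote-login"}, "login": {"remote-login"}}


def expand(direct, parents: Dict[str, Set[str]]) -> Set[str]:
    """Transitive closure of group membership through nested groups."""
    seen: Set[str] = set()
    stack = list(direct)
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(parents.get(g, ()))
    return seen


def rule_matches(rule: HbacRule, user: str, host: str, service: str) -> bool:
    """A rule matches only when all three dimensions match; disabled rules never match."""
    if not rule.enabled:
        return False
    user_ok = (rule.usercategory == "all" or user in rule.users
               or bool(expand(USER_GROUPS.get(user, set()), GROUP_PARENTS) & rule.groups))
    host_ok = (rule.hostcategory == "all" or host in rule.hosts
               or bool(expand(HOST_GROUPS.get(host, set()), HOSTGROUP_PARENTS) & rule.hostgroups))
    svc_ok = (rule.servicecategory == "all" or service in rule.services
              or bool(SERVICE_GROUPS.get(service, set()) & rule.servicegroups))
    return user_ok and host_ok and svc_ok


def hbactest(rules: List[HbacRule], user: str, host: str, service: str) -> dict:
    """Mirror the fields hbactest prints: access decision, matched and unmatched enabled rules."""
    matched = [r.name for r in rules if rule_matches(r, user, host, service)]
    unmatched = [r.name for r in rules if r.enabled and r.name not in matched]
    return {"access_granted": bool(matched), "matched": matched, "unmatched": unmatched}


# Sample policy: allow_all disabled, engineers may log in to production hosts, admins go anywhere.
SAMPLE_RULES = [
    HbacRule("allow_all", enabled=False, usercategory="all", hostcategory="all", servicecategory="all"),
    HbacRule("eng_ssh_prod", groups={"engineering"}, hostgroups={"production"}, servicegroups={"remote-login"}),
    HbacRule("admins_everywhere", groups={"admins"}, hostcategory="all", servicecategory="all"),
]

if __name__ == "__main__":
    for who, where, what in [("alice", "web1.example.test", "sshd"), ("alice", "db1.example.test", "sshd"),
                             ("bob", "web1.example.test", "sshd"), ("carol", "db1.example.test", "sudo")]:
        print(who, where, what, hbactest(SAMPLE_RULES, who, where, what))
```

Because evaluation is allow-only, there is no ordering or deny rule to reason about: removing a match (disabling a rule, or dropping a user from a nested group) is the only way to take access away, which is why hbactest is worth running for the exact user/host/service triple before and after every rule change.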

integration 5 commands

External Identity Provider

Configure external OAuth2 and OpenID Connect identity providers for federated authentication. External IdP integration enables users to authenticate using cloud identity providers like Google, GitHub, Azure AD, and Keycloak. Features include IdP registration with client credentials, authorization endpoint configuration, scope management, user ID attribute mapping, and integration with IPA user accounts for hybrid authentication scenarios.

integration 5 commands

ID Ranges

Manage UID and GID ranges for POSIX attribute assignment and trust domain integration. ID ranges define allocatable ranges for user and group identifiers, ensuring no conflicts between local users and trusted domain users. Features include range creation with base IDs and sizes, domain and range type specification (local, AD trust with SID), automatic range detection for trusted domains, and range modification for scaling deployments.
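Two things a practitioner wants to reason about before idrange-add or trust-add are whether a new range collides with existing ID or RID space and where a given Active Directory SID will land as a POSIX ID. The block below is an added example, not FreeIPA code: the ranges and SIDs are constructed sample data, the range attributes mirror the idrange options (base ID, size, RID base, secondary RID base, domain SID, range type), and the SID mapping uses the algorithmic scheme id = base_id + (rid - rid_base) that applies to ipa-ad-trust ranges.

```python
# Added example (not FreeIPA code): overlap checks and SID-to-POSIX-ID mapping
# for ID ranges. Ranges and SIDs below are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int
    size: int
    kind: str                                  # ipa-local | ipa-ad-trust | ipa-ad-trust-posix
    rid_base: Optional[int] = None
    secondary_rid_base: Optional[int] = None
    dom_sid: Optional[str] = None

    @property
    def last_id(self) -> int:
        return self.base_id + self.size - 1


def _overlap(a: int, a_size: int, b: int, b_size: int) -> bool:
    """Half-open interval overlap test for [a, a+a_size) and [b, b+b_size)."""
    return a < b + b_size and b < a + a_size


def problems_adding(existing: List[IdRange], new: IdRange) -> List[str]:
    """Reasons the server would reject the new range; an empty list means it is acceptable."""
    out: List[str] = []
    if new.kind == "ipa-ad-trust" and not (new.dom_sid and new.rid_base is not None):
        out.append("ipa-ad-trust range needs a domain SID and a RID base")
    if (new.kind == "ipa-local" and new.rid_base is not None and new.secondary_rid_base is not None
            and _overlap(new.rid_base, new.size, new.secondary_rid_base, new.size)):
        out.append("primary and secondary RID ranges overlap")
    for r in existing:
        if _overlap(r.base_id, r.size, new.base_id, new.size):
            out.append(f"ID range overlaps {r.name} ({r.base_id}-{r.last_id})")
        if r.kind == "ipa-local" and new.kind == "ipa-local":
            clash = any(
                mine is not None and theirs is not None and _overlap(mine, new.size, theirs, r.size)
                for mine in (new.rid_base, new.secondary_rid_base)
                for theirs in (r.rid_base, r.secondary_rid_base))
            if clash:
                out.append(f"RID range overlaps {r.name}")
    return out


def sid_to_id(sid: str, ranges: List[IdRange]) -> Optional[int]:
    """Map S-1-5-21-...-RID to a POSIX ID through the matching ipa-ad-trust range, else None."""
    dom, _, rid_s = sid.rpartition("-")
    rid = int(rid_s)
    for r in ranges:
        if (r.kind == "ipa-ad-trust" and r.dom_sid == dom and r.rid_base is not None
                and r.rid_base <= rid < r.rid_base + r.size):
            return r.base_id + (rid - r.rid_base)
    return None


# Constructed sample: the local range created at install time and one added by trust-add.
RANGES = [
    IdRange("EXAMPLE.TEST_id_range", 1_350_000_000, 200_000, "ipa-local",
            rid_base=1000, secondary_rid_base=100_000_000),
    IdRange("AD.EXAMPLE.TEST_id_range", 1_500_000_000, 200_000, "ipa-ad-trust",
            rid_base=0, dom_sid="S-1-5-21-1111111111-2222222222-3333333333"),
]

if __name__ == "__main__":
    candidate = IdRange("overlapping", 1_350_100_000, 1000, "ipa-local",
                        rid_base=300_000_000, secondary_rid_base=400_000_000)
    print(problems_adding(RANGES, candidate))
    print(sid_to_id("S-1-5-21-1111111111-2222222222-3333333333-1105", RANGES))
```

The second function makes the security consequence of range sizing visible: a trusted-domain RID beyond the configured size maps to nothing, so the user simply cannot be resolved, whereas an overlap between ranges would let two different principals share a UID, which is why the server refuses to create one.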

integration 0 commands

ID Views

Manage ID views for overriding user and group attributes on specific hosts. ID views enable per-host attribute customization including UID, GID, home directory, and shell without modifying the master user entry. Features include view creation, host application, user override management, anchor-based override assignment, and support for Default Trust View for managing AD user attributes across IPA infrastructure.

authentication 3 commands

Kerberos Ticket Policy

Manage Kerberos ticket lifetime and renewal limits. The global ticket policy sets the maximum ticket life and the maximum renewable age; per-user policies override it, and separate maximum lifetimes can be set per authentication indicator (for example tickets obtained with OTP, PKINIT or a hardened password), so that weaker forms of authentication yield shorter-lived tickets. Limits are enforced by the IPA KDC (MIT Kerberos) when tickets are issued and renewed.

infrastructure 5 commands

IPA Locations

Manage IPA locations for DNS-based service discovery and client affinity. Locations enable clients to discover nearby services automatically based on DNS SRV record priorities. Features include location creation and management, server-to-location assignment, automatic DNS SRV record updates, and integration with DNS for optimized service discovery and reduced cross-site authentication traffic.

integration 0 commands

Migration Tools

Tools and utilities for migrating from standalone LDAP or NIS to IPA. Migration support includes user and group data import, password migration modes, and migration planning assistance. Provides guidance for transitioning from traditional directory services to IPA's integrated identity management including considerations for DNS, automount, and client configuration.

interface 0 commands

Miscellaneous

Miscellaneous utility commands and helper functions. Provides various utility operations that don't fit into other command categories. Features include environment information, plugin enumeration, and other auxiliary functions for IPA administration and development.

directory 7 commands

Network Groups

Manage NIS netgroups for legacy UNIX authentication and authorization systems. Netgroups define sets of users, hosts, and domains for network-wide access control. Supports the standard triple notation (host, user, domain), nested netgroup membership, and integration with NIS compatibility mode for environments requiring traditional UNIX authentication mechanisms.

authentication 2 commands

OTP Configuration

Configure global one-time password authentication settings. OTP configuration defines the server-wide validation windows: the TOTP authentication window and synchronization window (in seconds) and the HOTP authentication window and synchronization window (in counter steps). Per-token parameters such as the hash algorithm (SHA1, SHA256, SHA384, SHA512), digit count, time step and counter are set on each token rather than here. Widening the authentication window tolerates more client clock drift but also enlarges the set of codes accepted at any moment, so keep it as small as your clients' clocks allow.

authentication 7 commands

OTP Tokens

Manage one-time password tokens for two-factor authentication. OTP tokens provide TOTP (time-based) and HOTP (counter-based) authentication for users. Features include token creation and import, QR code generation for mobile authenticator apps, token synchronization, enable/disable controls, token removal, and support for hardware tokens and software authenticators.
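The global windows above and the per-token parameters here interact at verification time, and the best way to see the trade-off is to run the arithmetic. The block below is an added example, not FreeIPA code (the real check lives in the IPA OTP daemon and directory plugin): it models TOTP and HOTP verification with the default window sizes, a clock offset relearned by token synchronization, a watermark that refuses to accept a step twice, and an HOTP counter that only moves forward. The secret, timestamps and the 3600 s client clock skew are constructed; how the window in seconds is rounded to time steps is an assumption of the model.

```python
# Added example (not FreeIPA code): offline model of OTP verification under the
# otpconfig windows. Secret, timestamps and clock skew are constructed sample data.
import hashlib
import hmac
import struct
from dataclasses import dataclass

ALGOS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256,
         "sha384": hashlib.sha384, "sha512": hashlib.sha512}   # the per-token algorithm choices


def hotp(key: bytes, counter: int, algo: str = "sha1", digits: int = 6) -> str:
    """RFC 4226 HOTP; TOTP is HOTP over a time-step counter (RFC 6238)."""
    mac = hmac.new(key, struct.pack(">Q", counter), ALGOS[algo]).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


@dataclass
class OtpConfig:              # default values of the global otpconfig entry
    totp_auth_window: int = 300
    totp_sync_window: int = 86400
    hotp_auth_window: int = 10
    hotp_sync_window: int = 100


@dataclass
class TotpToken:
    key: bytes
    algo: str = "sha1"
    digits: int = 6
    interval: int = 30        # per-token time step
    offset: int = 0           # client clock offset learned at synchronization
    watermark: int = -1       # highest step already accepted; blocks replay


@dataclass
class HotpToken:
    key: bytes
    algo: str = "sha1"
    digits: int = 6
    counter: int = 0          # next expected counter


def totp_verify(tok: TotpToken, code: str, cfg: OtpConfig, now: int) -> bool:
    """Accept a code from any step within +/- auth window of the corrected clock, each step once."""
    centre = now + tok.offset
    lo = (centre - cfg.totp_auth_window) // tok.interval
    hi = (centre + cfg.totp_auth_window) // tok.interval
    for step in range(lo, hi + 1):
        if step > tok.watermark and hmac.compare_digest(hotp(tok.key, step, tok.algo, tok.digits), code):
            tok.watermark = step
            return True
    return False


def totp_sync(tok: TotpToken, first: str, second: str, cfg: OtpConfig, now: int) -> bool:
    """Token synchronization: two consecutive codes anywhere inside the much wider sync window
    relearn the client's clock offset; the steps used are burned via the watermark."""
    lo = (now - cfg.totp_sync_window) // tok.interval
    hi = (now + cfg.totp_sync_window) // tok.interval
    for step in range(lo, hi + 1):
        if (hmac.compare_digest(hotp(tok.key, step, tok.algo, tok.digits), first)
                and hmac.compare_digest(hotp(tok.key, step + 1, tok.algo, tok.digits), second)):
            tok.offset = (step + 1) * tok.interval - now   # client minus server clock, to within one step
            tok.watermark = step + 1
            return True
    return False


def hotp_verify(tok: HotpToken, code: str, cfg: OtpConfig) -> bool:
    """Accept the next counter or any of the following auth-window counters; never move backwards."""
    for c in range(tok.counter, tok.counter + cfg.hotp_auth_window):
        if hmac.compare_digest(hotp(tok.key, c, tok.algo, tok.digits), code):
            tok.counter = c + 1
            return True
    return False


if __name__ == "__main__":
    key, now, skew, cfg = b"constructed-demo-secret", 1_700_000_000, 3600, OtpConfig()
    client = lambda t: hotp(key, (t + skew) // 30)          # what a phone with a fast clock shows
    tok = TotpToken(key)
    print("before sync:", totp_verify(tok, client(now), cfg, now))
    print("sync:", totp_sync(tok, client(now), client(now + 30), cfg, now), "offset", tok.offset)
    print("after sync:", totp_verify(tok, client(now + 60), cfg, now + 60))
```

A client whose clock is an hour fast fails the 300 s authentication window outright; synchronization with two consecutive codes succeeds because the 86400 s sync window covers the drift, and afterwards ordinary verification works with the learned offset while the codes consumed during sync are rejected on replay.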

authentication 2 commands

Passkey Configuration

Configure global passkey (FIDO2/WebAuthn) authentication settings, in particular whether user verification (PIN or biometric on the authenticator) is required when a passkey is used. Features include organization-wide passkey policy configuration and integration with per-user passkey registration for passwordless and multi-factor authentication support.

policy 5 commands

Permissions

Manage individual permissions in the role-based access control system. Permissions define atomic operations on LDAP objects and attributes. Features include bind rule type control (permission, all, anonymous, or self), target filters, attribute restrictions, permission granting and revocation, and integration with privileges for building flexible, least-privilege access control policies.

interface 1 command

IPA Ping

Test IPA server connectivity and API accessibility. Ping verifies that the IPA API is responding and the server is operational. Features include simple connectivity testing for troubleshooting server availability and confirming authenticated API access for monitoring and health check automation.

policy 7 commands

Privileges

Manage privileges that group related permissions for role assignment. Privileges aggregate permissions into meaningful units representing administrative capabilities. Features include privilege creation and modification, permission membership management, and integration with roles for implementing role-based access control (RBAC) across the IPA domain.

policy 5 commands

Password Policies

Manage password policies controlling complexity, history, and lifetime requirements. Password policies enforce minimum length, character classes, history depth, maximum and minimum lifetime, and other password quality constraints. Features include group-based policy assignment with priority ordering (the lowest-priority-number policy among a user's groups applies), failed-login lockout configuration, and a grace login limit for passwords that have expired.

authentication 5 commands

RADIUS Proxy

Manage RADIUS proxy servers for external authentication and two-factor authentication integration. RADIUS proxies enable integration with external authentication systems, hardware tokens, and managed authentication services. Features include proxy server configuration with secrets, timeout and retry settings, user assignment, and support for per-user RADIUS server configuration and username mapping.

infrastructure 2 commands

Realm Domains

Manage DNS domains associated with the IPA realm. Realm domains define which DNS domains are considered part of the IPA realm for authentication purposes. Features include domain addition and removal, automatic DNS validation, and realm domain listing for controlling which domains participate in Kerberos authentication and service discovery.

policy 9 commands

Roles

Manage roles for assigning administrative privileges to users and groups. Roles are the primary mechanism for delegating administrative authority in IPA. Features include role creation and modification, privilege assignment, user and group membership, service membership, and support for both built-in and custom roles for flexible delegation of administrative responsibilities.

interface 0 commands

LDAP Schema

Display LDAP schema information including object classes and attributes. Schema browsing enables discovery of available LDAP object classes, their attributes, inheritance hierarchies, and attribute syntax definitions. Features include object class and attribute listing with detailed metadata for understanding directory structure and planning schema extensions.

security 11 commands

SELinux User Mapping

Manage SELinux user context mapping for IPA users on client systems. SELinux user maps assign SELinux user contexts to IPA users and hosts, controlling the SELinux domain users run in. Features include user and host category specification, SELinux user assignment (guest_u, user_u, staff_u, etc.), priority ordering, enable/disable controls, and integration with SSSD for applying SELinux contexts during user login.

infrastructure 5 commands

IPA Servers

Manage IPA server entries and server configuration. Replica servers are added with the ipa-replica-install tool; this topic covers listing and inspecting existing servers, changing their location assignment, checking connectivity, and removing decommissioned servers (with force options when the server is already unreachable). Features include server state management and integration with topology and server role tracking for maintaining multi-master replication infrastructure.

infrastructure 0 commands

Server Roles

Display server role information showing service distribution across IPA infrastructure. Server roles indicate which services (CA, DNS, KRA, AD Trust) are enabled on each server. Features include comprehensive role status display showing server names, role types, and enablement status for infrastructure planning and redundancy verification.

advanced 14 commands

Service Delegation

Manage constrained delegation rules for Kerberos services (S4U2Proxy). Service delegation enables services to obtain tickets on behalf of users for accessing other services. A delegation rule lists the service principals allowed to delegate, and a delegation target lists the services those principals may obtain tickets for; a rule is linked to one or more targets. Features include rule and target creation and membership management, enabling secure service-to-service authentication on behalf of end users without handing the intermediary service the user's credentials.

user-management 16 commands

Staged Users

Manage users in the staging area prior to activation. Staged users allow for provisioning workflows where user accounts are prepared and reviewed before being activated into production. Supports moving users between staged, active, preserved, and deleted states with full attribute management for user lifecycle management.

advanced 6 commands

Subordinate IDs

Manage subordinate UID and GID ranges for user namespaces in containers. Subordinate IDs enable unprivileged container usage by providing non-overlapping UID/GID ranges for container processes. Features include automatic range assignment, range generation, range statistics, and integration with container runtimes for secure, isolated container deployments without requiring privileged operations.

policy 5 commands

Sudo Commands

Manage individual sudo commands for use in sudo rules. Commands represent specific executables with full paths that can be permitted or denied via sudo policies. Features include command creation with descriptions, command grouping, and integration with sudo rules for fine-grained privilege escalation control.

policy 7 commands

Sudo Command Groups

Manage groups of sudo commands for simplified sudo policy management. Command groups enable collective assignment of multiple commands to sudo rules, reducing administrative overhead. Features include command addition and removal and centralized management of related command access policies. Command groups contain commands only; they cannot be nested inside one another.

security 0 commands

System Accounts

Manage system accounts used by IPA services for internal operations. System accounts provide credentials for IPA service components and should not be used for regular user authentication. Features include system account creation, password management, and service-specific account configuration for maintaining secure internal service authentication.

infrastructure 9 commands

Replication Topology

Manage replication topology and agreements between IPA servers. Topology management defines data replication paths for domain and CA data. Features include replication agreement creation and deletion, topology segment management, suffix specification (domain, ca), direction control (both, left-right, right-left), and segment reinitialization for maintaining consistent multi-master replication infrastructure.

integration 12 commands

Active Directory Trusts

Manage trust relationships with Active Directory domains for cross-realm authentication and user federation. Trusts enable Active Directory users to access IPA resources using their existing credentials. Features include trust establishment with AD administrator credentials or a shared trust secret, bidirectional and one-way trust support, SID mapping, external group membership for mapping AD users and groups into POSIX groups, and DNS integration for service discovery.

security 12 commands

Password Vault

Securely store and retrieve passwords, keys, and other secrets with encryption. Vaults provide encrypted storage with three security types: standard (transport encryption), symmetric (password-encrypted), and asymmetric (public key encrypted). Features include user, service, and shared vault ownership models, secret archival and retrieval, vault membership for access control, escrow for recovery, and integration with KRA (Key Recovery Authority) for secure secrets management.