Automember Rules
Manage automatic group membership assignment based on user and host attributes. Automember rules automatically add users to groups or hosts to host groups when they match defined criteria. Features include inclusive and exclusive rules, default groups, regular expression matching, and support for both user groups and host groups to streamline provisioning and reduce manual group management.
Overview
Automember rules in FreeIPA automatically assign group membership based on attribute matching, eliminating manual group management for entries following predictable patterns. When users or hosts are created with attributes matching automember conditions, they automatically join appropriate groups or host groups without administrator intervention. This automation ensures consistent group membership, reduces provisioning time, and prevents errors from forgotten manual group assignments.
Automember rules use regular expression patterns to match user or host attributes against defined conditions. Each rule targets a specific group or host group, automatically adding new or modified entries whose attributes satisfy the rule’s inclusive conditions and don’t match exclusive conditions. Multiple rules can target the same group, and entries can match multiple rules, enabling flexible automation patterns.
Automember operates at the LDAP directory level through 389 Directory Server’s automembership plugin. When entries are created or modified, the directory server evaluates all applicable automember rules, automatically updating group membership based on current attribute values. This real-time evaluation ensures membership accurately reflects current entry state without manual updates.
Rule Components
Target Groups
Each automember rule is associated with exactly one group (for user rules) or one host group (for host rules). The target group must exist before creating the rule; orphaned rules (referencing non-existent groups) are non-functional and should be cleaned up using automember-find-orphans.
Rules are type-specific: user automember rules target user groups and evaluate user attributes, while hostgroup automember rules target host groups and evaluate host attributes. The --type parameter specifies whether a rule operates on users or hosts.
Multiple rules can target the same group from different attribute conditions, enabling complex membership logic. For example, a “developers” group might have rules matching both department=‘Engineering’ and title=‘Developer’, adding users satisfying either condition.
Inclusive Conditions
Inclusive conditions define patterns that trigger group membership. When an entry’s attribute matches an inclusive condition’s regular expression, the entry is added to the rule’s target group. Inclusive conditions use LDAP attribute names (uid, fqdn, manager, description, etc.) and POSIX extended regular expressions for pattern matching.
Multiple inclusive conditions within a rule create OR logic: matching ANY inclusive condition triggers membership. This enables flexible matching where entries meeting any of several criteria join the group.
Regular expressions must follow POSIX extended regex syntax supported by 389 Directory Server. Anchors (^, $), character classes ([a-z]), quantifiers (*, +, {n,m}), and grouping are all supported.
Exclusive Conditions
Exclusive conditions prevent group membership even when inclusive conditions match. If an entry matches any exclusive condition, it is excluded from the target group regardless of inclusive condition matches. This exception-based logic enables patterns like “all developers except contractors.”
Exclusive conditions override inclusive conditions in all cases. When an entry matches both inclusive and exclusive conditions, the exclusive condition takes precedence and the entry is NOT added to the group.
Exclusive conditions use the same attribute and regex syntax as inclusive conditions. The distinction is behavioral: inclusive adds to group, exclusive prevents addition.
Default Groups
Default groups (configured with automember-default-group-set) serve as fallback destinations for entries matching no automember rules. When a user or host is created and doesn’t match any inclusive automember rules (or matches only exclusive rules), it’s added to the configured default group.
For users, the default group supplements the global default group configured in IPA settings (typically “ipausers”). User entries belong to both the IPA default group and the automember default group if they don’t match specific rules.
For hosts, the default host group provides a destination for uncategorized hosts, useful for ensuring all hosts have some group membership for policy application.
Default groups are optional. If no default is configured, entries matching no rules simply don’t receive automatic group membership.
Rebuilding Membership
The automember-rebuild command retroactively applies automember rules to existing entries. This is necessary when rules are created after entries exist or when rules are modified and existing memberships should reflect new logic.
Rebuild operations re-evaluate all applicable automember rules for specified entries (or all entries of a type), removing memberships created by previous automember logic and applying current rules. Manual group memberships (not created by automember) are preserved during rebuild.
Rebuild can target all users (--type=group), all hosts (--type=hostgroup), or specific entries (--users, --hosts). Targeted rebuilds are faster and less disruptive than full rebuilds, useful when rule changes affect limited entry subsets.
Rebuild operations can be long-running for large directories. Plan rebuilds during maintenance windows and monitor progress through server logs. Incremental rebuilds targeting specific entries are preferred over full rebuilds when possible.
Orphan Rules
Orphan automember rules reference target groups that no longer exist. These rules are non-functional but remain in configuration, potentially causing confusion. Orphans typically result from deleting groups without first deleting their associated automember rules.
The automember-find-orphans command identifies orphaned rules, returning rules whose target groups are missing. The --remove flag automatically deletes orphaned rules, cleaning up defunct configuration.
Regular orphan cleanup maintains configuration hygiene and prevents administrators from being confused by rules that don’t function. Orphan detection should be part of routine maintenance, especially after group reorganization projects.
Attribute Matching
Automember rules can match against any LDAP attribute present in user or host entries. Common attributes for matching include:
User Attributes:
uid: Usernamemanager: Manager’s DNou: Organizational unittitle: Job titledepartmentNumber: Department numberemployeeType: Employee typel: Location/city
Host Attributes:
fqdn: Fully qualified domain namedescription: Host descriptionnshostlocation: Physical locationnshardwareplatform: Hardware platformnsosversion: Operating system version
Custom attributes can also be matched if they’re present in entries. Attribute selection should align with attributes consistently populated during provisioning.
Use Cases
Department-Based Automatic Group Assignment
Scenario: Users from different departments need automatic group membership.
Solution:
# Create groups for each department
ipa group-add engineering --desc="Engineering department"
ipa group-add sales --desc="Sales department"
ipa group-add operations --desc="Operations department"
# Create automember rules matching department attribute
ipa automember-add --type=group engineering
ipa automember-add-condition --type=group engineering \
--key=departmentNumber --inclusive-regex='^10$'
ipa automember-add --type=group sales
ipa automember-add-condition --type=group sales \
--key=departmentNumber --inclusive-regex='^20$'
ipa automember-add --type=group operations
ipa automember-add-condition --type=group operations \
--key=departmentNumber --inclusive-regex='^30$'
# New users with departmentNumber=10 automatically join engineering
# New users with departmentNumber=20 automatically join sales
# etc.
Hostname Pattern-Based Host Grouping
Scenario: Hosts with naming convention need automatic host group assignment.
Solution:
# Create host groups for server types
ipa hostgroup-add webservers --desc="Web servers"
ipa hostgroup-add databases --desc="Database servers"
ipa hostgroup-add loadbalancers --desc="Load balancers"
# Create automember rules matching hostname patterns
ipa automember-add --type=hostgroup webservers
ipa automember-add-condition --type=hostgroup webservers \
--key=fqdn --inclusive-regex='^web[0-9]+\.example\.com$'
ipa automember-add --type=hostgroup databases
ipa automember-add-condition --type=hostgroup databases \
--key=fqdn --inclusive-regex='^db[0-9]+\.example\.com$'
ipa automember-add --type=hostgroup loadbalancers
ipa automember-add-condition --type=hostgroup loadbalancers \
--key=fqdn --inclusive-regex='^lb[0-9]+\.example\.com$'
# web01.example.com automatically joins webservers
# db01.example.com automatically joins databases
# lb01.example.com automatically joins loadbalancers
Contractors Exclusion from Employee Groups
Scenario: All engineering users automatically join engineering group except contractors.
Solution:
# Create engineering group
ipa group-add engineering --desc="Engineering team"
# Create automember rule with inclusive and exclusive conditions
ipa automember-add --type=group engineering
# Include all users with department=Engineering
ipa automember-add-condition --type=group engineering \
--key=departmentNumber --inclusive-regex='^10$'
# Exclude contractors (employeeType=contractor)
ipa automember-add-condition --type=group engineering \
--key=employeeType --exclusive-regex='^contractor$'
# Regular employees with dept=10 join engineering
# Contractors with dept=10 and employeeType=contractor excluded
Location-Based Host Group Assignment
Scenario: Hosts in different datacenters need location-based grouping.
Solution:
# Create datacenter host groups
ipa hostgroup-add dc-us-east --desc="US East datacenter"
ipa hostgroup-add dc-eu-west --desc="EU West datacenter"
ipa hostgroup-add dc-apac --desc="APAC datacenter"
# Create automember rules matching location attribute
ipa automember-add --type=hostgroup dc-us-east
ipa automember-add-condition --type=hostgroup dc-us-east \
--key=nshostlocation --inclusive-regex='us-east'
ipa automember-add --type=hostgroup dc-eu-west
ipa automember-add-condition --type=hostgroup dc-eu-west \
--key=nshostlocation --inclusive-regex='eu-west'
# Hosts with nshostlocation attribute automatically grouped by location
Multi-Condition OR Logic for Flexible Membership
Scenario: Developers group needs members from multiple departments and titles.
Solution:
# Create developers group
ipa group-add developers --desc="All developers"
# Create automember rule with multiple inclusive conditions
ipa automember-add --type=group developers
# Match engineering department
ipa automember-add-condition --type=group developers \
--key=departmentNumber --inclusive-regex='^10$'
# OR match developer title
ipa automember-add-condition --type=group developers \
--key=title --inclusive-regex='Developer'
# OR match QA department
ipa automember-add-condition --type=group developers \
--key=departmentNumber --inclusive-regex='^15$'
# Users satisfying ANY condition join developers group
Default Group for Uncategorized Users
Scenario: All users without department should join general staff group.
Solution:
# Create default group for uncategorized users
ipa group-add general-staff --desc="General staff"
# Set as automember default group
ipa automember-default-group-set --type=group general-staff
# Users not matching any department-specific rule join general-staff
# Ensures all users have at least one group membership
Retroactive Rule Application with Rebuild
Scenario: Automember rules created after users exist, need retroactive application.
Solution:
# Create new automember rule for existing organization
ipa automember-add --type=group sales
ipa automember-add-condition --type=group sales \
--key=departmentNumber --inclusive-regex='^20$'
# Existing users don't automatically receive membership
# Rebuild automember to apply rules retroactively
ipa automember-rebuild --type=group
# All existing users re-evaluated against automember rules
# Sales department users now members of sales group
Operating System Version-Based Host Grouping
Scenario: Hosts need grouping by OS version for patch management.
Solution:
# Create OS version host groups
ipa hostgroup-add rhel8-hosts --desc="RHEL 8 hosts"
ipa hostgroup-add rhel9-hosts --desc="RHEL 9 hosts"
# Create automember rules matching OS version
ipa automember-add --type=hostgroup rhel8-hosts
ipa automember-add-condition --type=hostgroup rhel8-hosts \
--key=nsosversion --inclusive-regex='Red Hat Enterprise Linux 8'
ipa automember-add --type=hostgroup rhel9-hosts
ipa automember-add-condition --type=hostgroup rhel9-hosts \
--key=nsosversion --inclusive-regex='Red Hat Enterprise Linux 9'
# Hosts with OS version populated automatically grouped
# Enables OS-specific patch deployment policies
Examples
Basic User Automember Rule
Create group and automember rule for engineering department:
# Create target group
ipa group-add engineering --desc="Engineering department"
# Create automember rule
ipa automember-add --type=group engineering
# Add inclusive condition matching department
ipa automember-add-condition --type=group engineering \
--key=departmentNumber --inclusive-regex='^100$'
Host Group Automember with Hostname Pattern
Create host group for web servers based on hostname:
# Create target host group
ipa hostgroup-add webservers --desc="Web servers"
# Create automember rule
ipa automember-add --type=hostgroup webservers
# Match hostnames starting with "web"
ipa automember-add-condition --type=hostgroup webservers \
--key=fqdn --inclusive-regex='^web.*\.example\.com$'
Automember with Exclusion
Create rule that includes all engineers except contractors:
# Create rule
ipa automember-add --type=group engineering
# Include engineering department
ipa automember-add-condition --type=group engineering \
--key=departmentNumber --inclusive-regex='^100$'
# Exclude contractors
ipa automember-add-condition --type=group engineering \
--key=employeeType --exclusive-regex='contractor'
Multiple Inclusive Conditions (OR Logic)
Match users from multiple departments:
ipa automember-add --type=group technical_staff
# Match engineering department (100)
ipa automember-add-condition --type=group technical_staff \
--key=departmentNumber --inclusive-regex='^100$'
# OR match IT department (200)
ipa automember-add-condition --type=group technical_staff \
--key=departmentNumber --inclusive-regex='^200$'
# Users in either department join technical_staff
Set Default Group
Configure default group for uncategorized entries:
# For users
ipa group-add default-users --desc="Default user group"
ipa automember-default-group-set --type=group default-users
# For hosts
ipa hostgroup-add default-hosts --desc="Default host group"
ipa automember-default-group-set --type=hostgroup default-hosts
View Automember Rules
List all automember rules:
# List all user automember rules
ipa automember-find --type=group
# List all host automember rules
ipa automember-find --type=hostgroup
# Show specific rule with conditions
ipa automember-show --type=group engineering
Remove Automember Condition
Remove specific condition from rule:
# Remove inclusive condition
ipa automember-remove-condition --type=group engineering \
--key=departmentNumber --inclusive-regex='^100$'
# Remove exclusive condition
ipa automember-remove-condition --type=group engineering \
--key=employeeType --exclusive-regex='contractor'
Rebuild Automember for Specific Users
Apply automember rules to specific users:
# Rebuild for specific users
ipa automember-rebuild --users=alice,bob,charlie
# Rebuild for all users
ipa automember-rebuild --type=group
# Rebuild for specific hosts
ipa automember-rebuild --hosts=web01.example.com,web02.example.com
# Rebuild for all hosts
ipa automember-rebuild --type=hostgroup
Find and Remove Orphan Rules
Cleanup rules for deleted groups:
# Find orphaned automember rules
ipa automember-find-orphans --type=group
ipa automember-find-orphans --type=hostgroup
# Remove all orphaned rules
ipa automember-find-orphans --type=group --remove
ipa automember-find-orphans --type=hostgroup --remove
Delete Automember Rule
Remove automember rule entirely:
# Delete user automember rule
ipa automember-del --type=group engineering
# Delete host automember rule
ipa automember-del --type=hostgroup webservers
Security Considerations
Automember bypasses manual approval: Entries automatically join groups based on attribute matches without administrator review. Misconfigured rules could grant unintended permissions. Review automember rules carefully before deployment.
Attribute manipulation for privilege escalation: If users can modify attributes used in automember conditions (department, title), they could change values to join privileged groups. Restrict attribute modification permissions to trusted admins only.
Regex complexity enables unintended matches: Complex regular expressions may match more entries than intended. Overly broad patterns (e.g., .*) could add all entries to groups. Test regex patterns thoroughly before deploying rules.
Default group membership exposure: Default groups automatically receive all uncategorized entries. If default group has privileged access, new entries gain unintended privileges. Review default group permissions carefully.
Exclusive condition bypass via attribute removal: Exclusive conditions check attribute values. Removing the attribute entirely may bypass exclusion. Ensure exclusive logic accounts for missing attributes.
Rebuild operations modify memberships: automember-rebuild removes and re-adds automember memberships. During rebuild, entries may temporarily lose group memberships causing access disruption. Plan rebuilds during maintenance windows.
Orphan rules invisible until search: Orphaned automember rules don’t function but remain in configuration. These rules could be re-activated if target groups recreated with same names. Regularly cleanup orphans.
Automember rules visible to all authenticated users: Automember configuration visible to authenticated users. Rule patterns may reveal organizational structure or naming conventions. Don’t encode sensitive information in rule patterns.
Attribute population delays automember matching: Automember evaluates when entries created/modified. If attributes populated after entry creation, automember doesn’t trigger. Ensure attributes populated during provisioning, not later.
Manual membership removals re-added: If automember rule active, manually removing member from group is ineffective. Automember re-adds member on next evaluation. Disable automember rule or modify entry attributes to prevent re-addition.
Troubleshooting
Automember rule not adding entries to group:
# Verify rule exists and target group correct
ipa automember-show --type=group groupname
# Check inclusive conditions
ipa automember-show --type=group groupname | grep -A5 "Inclusive"
# Verify entry attribute matches regex pattern
ipa user-show username --all | grep departmentNumber
# Test regex pattern manually
# If departmentNumber=100, does '^100$' match?
# Rebuild automember for specific entry
ipa automember-rebuild --users=username
# Check group membership after rebuild
ipa group-show groupname
Entry matches multiple conflicting automember rules:
# Automember allows multiple group memberships
# Entry can match multiple rules and join multiple groups
# Verify all groups entry should belong to
ipa user-show username | grep "Member of groups"
# If unintended membership, check which rule added it
ipa automember-find --type=group
# Review each rule's conditions
ipa automember-show --type=group groupname
# Remove from unintended group if needed
ipa group-remove-member groupname --users=username
# Note: If automember rule still active, will re-add
Exclusive condition not preventing membership:
# Verify exclusive condition exists
ipa automember-show --type=group groupname | grep -A5 "Exclusive"
# Check if entry attribute matches exclusive pattern
ipa user-show username --all | grep employeeType
# Exclusive conditions must match to exclude
# If attribute missing, exclusive doesn't trigger
# Rebuild to apply exclusive logic
ipa automember-rebuild --users=username
Automember rebuild not applying rules:
# Verify rules exist
ipa automember-find --type=group
# Check if default group set (affects rebuild logic)
ipa automember-default-group-show --type=group
# Rebuild with verbose output
ipa automember-rebuild --type=group -v
# Check LDAP server logs for errors
journalctl -u dirsrv@REALM -n 100
# Verify 389-ds automember plugin enabled
dsconf -D "cn=Directory Manager" ldap://localhost plugin show MemberOf
Default group not receiving entries:
# Verify default group configured
ipa automember-default-group-show --type=group
# Default group only receives entries matching NO rules
# Check if entry matches any rule
ipa automember-find --type=group
# If entry matches rule, won't join default group
# Create entry with no matching attributes to test default group
Orphaned automember rules after group deletion:
# Find orphaned rules
ipa automember-find-orphans --type=group
# Orphans show rules referencing deleted groups
# Remove orphans
ipa automember-find-orphans --type=group --remove
# Prevent orphans: delete automember rule before deleting group
ipa automember-del --type=group groupname
ipa group-del groupname
Regex pattern not matching expected entries:
# Test regex syntax
# POSIX extended regex, not PCRE or Python regex
# Common issues:
# - Need to escape special chars: \. \* \+ \?
# - Anchors: ^ for start, $ for end
# - Case sensitivity: patterns are case-sensitive
# Verify entry attribute value exactly
ipa user-show username --all | grep departmentNumber
# Test simple pattern first
ipa automember-remove-condition --type=group groupname \
--key=departmentNumber --inclusive-regex='complex.*pattern'
ipa automember-add-condition --type=group groupname \
--key=departmentNumber --inclusive-regex='^100$'
# Rebuild to test
ipa automember-rebuild --users=username
Automember adding entries immediately on creation:
# Automember triggers on entry creation
# This is correct behavior, not an error
# If entry should NOT be auto-added:
# - Modify entry attributes to not match rules
# - Or remove from group manually
# - Or disable/delete automember rule
# Prevent auto-addition:
# Create entry without matching attributes
# Add matching attributes later if needed
Manual group membership keeps getting removed:
# Automember rebuild removes manual memberships
# Only automember-created memberships preserved
# To preserve manual memberships:
# - Don't run automember-rebuild
# - Or convert manual membership to automember rule
# Create automember rule matching specific user
ipa automember-add-condition --type=group groupname \
--key=uid --inclusive-regex='^username$'
Host automember rule not working:
# Verify rule type is hostgroup, not group
ipa automember-show --type=hostgroup hostgroupname
# Check host attributes populated
ipa host-show hostname.example.com --all
# Common issue: fqdn vs hostname
# Rule must match fully qualified domain name
ipa automember-add-condition --type=hostgroup webservers \
--key=fqdn --inclusive-regex='^web01\.example\.com$'
# Not: --key=hostname
Automember rebuild very slow:
# Large directories take time to rebuild
# Rebuild processes all entries
# Use targeted rebuild instead of full rebuild
ipa automember-rebuild --users=user1,user2,user3
# Instead of:
# ipa automember-rebuild --type=group
# Monitor progress in LDAP logs
tail -f /var/log/dirsrv/slapd-REALM/access
# Plan full rebuilds during maintenance windows
Cannot delete automember rule - “does not exist”:
# Verify rule exists and correct type
ipa automember-find --type=group
ipa automember-find --type=hostgroup
# Rule name must match exactly (case-sensitive)
ipa automember-del --type=group Engineering
# vs
ipa automember-del --type=group engineering
# Check if rule is orphaned
ipa automember-find-orphans --type=group
# Orphaned rules still deleted normally
Best Practices
Rule Design
Match stable attributes: Base rules on attributes unlikely to change frequently. Department or role is more stable than manager or temporary project assignments.
Use anchored regexes: Include ^ and $ anchors in patterns to ensure complete matches. ^web.*\.com$ is more precise than web.*com.
Test patterns before deployment: Verify regex patterns match intended entries using test users/hosts before applying to production.
Document rule purposes: Clearly document why each rule exists and what membership it manages. Future administrators will need this context.
Performance Considerations
Limit rule complexity: Excessive automember rules or complex regexes impact directory performance. Keep rules simple and targeted.
Use targeted rebuilds: Rebuild specific entries rather than all entries when possible. Full rebuilds are expensive operations.
Schedule large rebuilds carefully: Plan directory-wide rebuilds during maintenance windows when entry creation/modification is minimal.
Monitor rule evaluation: Track automember plugin performance in directory server logs, optimizing or simplifying rules if performance degrades.
Operational Practices
Create groups before rules: Always create target groups before automember rules. Attempting the reverse creates orphans.
Clean up orphans regularly: Run automember-find-orphans --remove periodically, especially after group reorganizations.
Version control rule configuration: Document automember rules in version control alongside group and policy configurations.
Test rule changes: When modifying rules, test with specific entries before rebuilding all membership.
Pattern Accuracy
Validate regexes thoroughly: Incorrect regexes can cause wrong memberships or miss intended entries. Test patterns against various inputs.
Account for edge cases: Ensure patterns handle unusual but valid values (hyphens in names, special characters, etc.).
Use exclusive rules carefully: Exclusive conditions can create unexpected membership gaps. Document all exclusions clearly.
Review membership after rebuild: After rebuild operations, audit resulting membership to verify it matches expectations.
Integration Planning
Coordinate with provisioning: Ensure user/host provisioning sets attributes that automember rules depend on.
Align with policy structure: Design automember rules that create group memberships useful for HBAC/sudo rules.
Plan for attribute consistency: Automember effectiveness depends on consistent attribute population. Standardize provisioning practices.
Security Considerations
Avoid sensitive attribute matching: Don’t base membership on attributes users can modify (description, some custom fields). Use controlled attributes.
Audit automatic assignments: Regularly review automember-created memberships to ensure they align with intended policy.
Limit default group permissions: Default groups should have minimal privileges since they receive entries by exclusion.
Test security impact: When creating rules affecting security-sensitive groups, verify membership changes don’t grant unintended access.
Integration with Other IPA Components
User and Group Management
Automember rules automatically populate user groups (group-* commands) based on user attributes (user-* commands), eliminating manual group membership management for pattern-following users.
Host and Host Group Management
Automember rules automatically populate host groups (hostgroup-* commands) based on host attributes (host-* commands), ensuring consistent host organization.
HBAC and Sudo Rules
Automember-created group memberships automatically affect HBAC and sudo rule evaluation, enabling policy that dynamically responds to user/host attributes.
Provisioning Workflows
Automember integrates with provisioning automation (Ansible, Puppet, scripts) by automatically handling group assignments when provisioning tools create properly attributed entries.
LDAP Directory
Automember operates through 389 Directory Server’s automembership plugin, evaluating rules during LDAP add/modify operations in real-time.
EXAMPLES
Add the initial group or hostgroup:
ipa hostgroup-add --desc="Web Servers" webservers ipa group-add --desc="Developers" develAdd the initial rule:
ipa automember-add --type=hostgroup webservers ipa automember-add --type=group develAdd a condition to the rule:
ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers ipa automember-add-condition --key=manager --type=group --inclusive-regex=^uid=mscott develAdd an exclusive condition to the rule to prevent auto assignment:
ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webserversAdd a host:
ipa host-add web1.example.comAdd a user:
ipa user-add --first=Tim --last=User --password tuser1 --manager=mscottVerify automembership:
ipa hostgroup-show webservers Host-group: webservers Description: Web Servers Member hosts: web1.example.com ipa group-show devel Group name: devel Description: Developers GID: 1004200000 Member users: tuserRemove a condition from the rule:
ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webserversModify the automember rule:
ipa automember-modSet the default (fallback) target group:
ipa automember-default-group-set --default-group=webservers --type=hostgroup ipa automember-default-group-set --default-group=ipausers --type=groupRemove the default (fallback) target group:
ipa automember-default-group-remove --type=hostgroup ipa automember-default-group-remove --type=groupShow the default (fallback) target group:
ipa automember-default-group-show --type=hostgroup ipa automember-default-group-show --type=groupFind all of the automember rules:
ipa automember-findFind all of the orphan automember rules:
ipa automember-find-orphans --type=hostgroupFind all of the orphan automember rules and remove them:
ipa automember-find-orphans --type=hostgroup --removeDisplay a automember rule:
ipa automember-show --type=hostgroup webservers ipa automember-show --type=group develDelete an automember rule:
ipa automember-del --type=hostgroup webservers ipa automember-del --type=group develRebuild membership for all users:
ipa automember-rebuild --type=groupRebuild membership for all hosts:
ipa automember-rebuild --type=hostgroupRebuild membership for specified users:
ipa automember-rebuild --users=tuser1 --users=tuser2Rebuild membership for specified hosts:
ipa automember-rebuild --hosts=web1.example.com --hosts=web2.example.com
Commands
automember-add
Usage:
ipa [global-options] automember-add AUTOMEMBER-RULE [options]
Add an automember rule.
Arguments
| Argument | Required | Description |
|---|---|---|
AUTOMEMBER-RULE | yes | Automember Rule |
Options
| Option | Description |
|---|---|
--desc DESC | A description of this auto member rule |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--type TYPE | Grouping to which the rule applies |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
automember-add-condition
Usage:
ipa [global-options] automember-add-condition AUTOMEMBER-RULE [options]
Add conditions to an automember rule.
Arguments
| Argument | Required | Description |
|---|---|---|
AUTOMEMBER-RULE | yes | Automember Rule |
Options
| Option | Description |
|---|---|
--desc DESC | A description of this auto member rule |
--inclusive-regex INCLUSIVE-REGEX | Inclusive Regex |
--exclusive-regex EXCLUSIVE-REGEX | Exclusive Regex |
--key KEY | Attribute to filter via regex. For example fqdn for a host, or manager for a user |
--type TYPE | Grouping to which the rule applies |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
automember-default-group-remove
Usage:
ipa [global-options] automember-default-group-remove [options]
Remove default (fallback) group for all unmatched entries.
Options
| Option | Description |
|---|---|
--type TYPE | Grouping to which the rule applies |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
automember-default-group-set
Usage: ipa [global-options] automember-default-group-set [options]
Set default (fallback) group for all unmatched entries.
Options
| Option | Description |
|---|---|
--default-group DEFAULT-GROUP | Default (fallback) group for entries to land |
--type TYPE | Grouping to which the rule applies |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
automember-default-group-show
Usage:
ipa [global-options] automember-default-group-show [options]
Display information about the default (fallback) automember groups.
Options
| Option | Description |
|---|---|
--type TYPE | Grouping to which the rule applies |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
automember-del
Usage:
ipa [global-options] automember-del AUTOMEMBER-RULE [options]
Delete an automember rule.
Arguments
| Argument | Required | Description |
|---|---|---|
AUTOMEMBER-RULE | yes | Automember Rule |
Options
| Option | Description |
|---|---|
--type TYPE | Grouping to which the rule applies |
automember-find
Usage: ipa [global-options] automember-find [CRITERIA] [options]
Search for automember rules.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--desc DESC | A description of this auto member rule |
--type TYPE | Grouping to which the rule applies |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“automember-rule”) |
automember-find-orphans
Usage:
ipa [global-options] automember-find-orphans [CRITERIA] [options]
Search for orphan automember rules. The command might need to be run as
a privileged user user to get all orphan rules.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--desc DESC | A description of this auto member rule |
--type TYPE | Grouping to which the rule applies |
--remove | Remove orphan automember rules |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“automember-rule”) |
automember-mod
Usage:
ipa [global-options] automember-mod AUTOMEMBER-RULE [options]
Modify an automember rule.
Arguments
| Argument | Required | Description |
|---|---|---|
AUTOMEMBER-RULE | yes | Automember Rule |
Options
| Option | Description |
|---|---|
--desc DESC | A description of this auto member rule |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--type TYPE | Grouping to which the rule applies |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
automember-rebuild
Usage: ipa [global-options] automember-rebuild [options]
Rebuild auto membership.
Options
| Option | Description |
|---|---|
--type TYPE | Grouping to which the rule applies |
--users USERS | Rebuild membership for specified users |
--hosts HOSTS | Rebuild membership for specified hosts |
--no-wait | Don’t wait for rebuilding membership |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
automember-remove-condition
Usage:
ipa [global-options] automember-remove-condition AUTOMEMBER-RULE [options]
Remove conditions from an automember rule.
Arguments
| Argument | Required | Description |
|---|---|---|
AUTOMEMBER-RULE | yes | Automember Rule |
Options
| Option | Description |
|---|---|
--desc DESC | A description of this auto member rule |
--inclusive-regex INCLUSIVE-REGEX | Inclusive Regex |
--exclusive-regex EXCLUSIVE-REGEX | Exclusive Regex |
--key KEY | Attribute to filter via regex. For example fqdn for a host, or manager for a user |
--type TYPE | Grouping to which the rule applies |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
automember-show
Usage:
ipa [global-options] automember-show AUTOMEMBER-RULE [options]
Display information about an automember rule.
Arguments
| Argument | Required | Description |
|---|---|---|
AUTOMEMBER-RULE | yes | Automember Rule |
Options
| Option | Description |
|---|---|
--type TYPE | Grouping to which the rule applies |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |