directory

Automember Rules

Manage automatic group membership assignment based on user and host attributes. Automember rules automatically add users to groups or hosts to host groups when they match defined criteria. Features include inclusive and exclusive rules, default groups, regular expression matching, and support for both user groups and host groups to streamline provisioning and reduce manual group management.

12 commands
directory

Overview

Automember rules in FreeIPA automatically assign group membership based on attribute matching, eliminating manual group management for entries following predictable patterns. When users or hosts are created with attributes matching automember conditions, they automatically join appropriate groups or host groups without administrator intervention. This automation ensures consistent group membership, reduces provisioning time, and prevents errors from forgotten manual group assignments.

Automember rules use regular expression patterns to match user or host attributes against defined conditions. Each rule targets a specific group or host group, automatically adding new or modified entries whose attributes satisfy the rule’s inclusive conditions and don’t match exclusive conditions. Multiple rules can target the same group, and entries can match multiple rules, enabling flexible automation patterns.

Automember operates at the LDAP directory level through 389 Directory Server’s automembership plugin. When entries are created or modified, the directory server evaluates all applicable automember rules, automatically updating group membership based on current attribute values. This real-time evaluation ensures membership accurately reflects current entry state without manual updates.

Rule Components

Target Groups

Each automember rule is associated with exactly one group (for user rules) or one host group (for host rules). The target group must exist before creating the rule; orphaned rules (referencing non-existent groups) are non-functional and should be cleaned up using automember-find-orphans.

Rules are type-specific: user automember rules target user groups and evaluate user attributes, while hostgroup automember rules target host groups and evaluate host attributes. The --type parameter specifies whether a rule operates on users or hosts.

Multiple rules can target the same group from different attribute conditions, enabling complex membership logic. For example, a “developers” group might have rules matching both department=‘Engineering’ and title=‘Developer’, adding users satisfying either condition.

Inclusive Conditions

Inclusive conditions define patterns that trigger group membership. When an entry’s attribute matches an inclusive condition’s regular expression, the entry is added to the rule’s target group. Inclusive conditions use LDAP attribute names (uid, fqdn, manager, description, etc.) and POSIX extended regular expressions for pattern matching.

Multiple inclusive conditions within a rule create OR logic: matching ANY inclusive condition triggers membership. This enables flexible matching where entries meeting any of several criteria join the group.

Regular expressions must follow POSIX extended regex syntax supported by 389 Directory Server. Anchors (^, $), character classes ([a-z]), quantifiers (*, +, {n,m}), and grouping are all supported.

Exclusive Conditions

Exclusive conditions prevent group membership even when inclusive conditions match. If an entry matches any exclusive condition, it is excluded from the target group regardless of inclusive condition matches. This exception-based logic enables patterns like “all developers except contractors.”

Exclusive conditions override inclusive conditions in all cases. When an entry matches both inclusive and exclusive conditions, the exclusive condition takes precedence and the entry is NOT added to the group.

Exclusive conditions use the same attribute and regex syntax as inclusive conditions. The distinction is behavioral: inclusive adds to group, exclusive prevents addition.

Default Groups

Default groups (configured with automember-default-group-set) serve as fallback destinations for entries matching no automember rules. When a user or host is created and doesn’t match any inclusive automember rules (or matches only exclusive rules), it’s added to the configured default group.

For users, the default group supplements the global default group configured in IPA settings (typically “ipausers”). User entries belong to both the IPA default group and the automember default group if they don’t match specific rules.

For hosts, the default host group provides a destination for uncategorized hosts, useful for ensuring all hosts have some group membership for policy application.

Default groups are optional. If no default is configured, entries matching no rules simply don’t receive automatic group membership.

Rebuilding Membership

The automember-rebuild command retroactively applies automember rules to existing entries. This is necessary when rules are created after entries exist or when rules are modified and existing memberships should reflect new logic.

Rebuild operations re-evaluate all applicable automember rules for specified entries (or all entries of a type), removing memberships created by previous automember logic and applying current rules. Manual group memberships (not created by automember) are preserved during rebuild.

Rebuild can target all users (--type=group), all hosts (--type=hostgroup), or specific entries (--users, --hosts). Targeted rebuilds are faster and less disruptive than full rebuilds, useful when rule changes affect limited entry subsets.

Rebuild operations can be long-running for large directories. Plan rebuilds during maintenance windows and monitor progress through server logs. Incremental rebuilds targeting specific entries are preferred over full rebuilds when possible.

Orphan Rules

Orphan automember rules reference target groups that no longer exist. These rules are non-functional but remain in configuration, potentially causing confusion. Orphans typically result from deleting groups without first deleting their associated automember rules.

The automember-find-orphans command identifies orphaned rules, returning rules whose target groups are missing. The --remove flag automatically deletes orphaned rules, cleaning up defunct configuration.

Regular orphan cleanup maintains configuration hygiene and prevents administrators from being confused by rules that don’t function. Orphan detection should be part of routine maintenance, especially after group reorganization projects.

Attribute Matching

Automember rules can match against any LDAP attribute present in user or host entries. Common attributes for matching include:

User Attributes:

  • uid: Username
  • manager: Manager’s DN
  • ou: Organizational unit
  • title: Job title
  • departmentNumber: Department number
  • employeeType: Employee type
  • l: Location/city

Host Attributes:

  • fqdn: Fully qualified domain name
  • description: Host description
  • nshostlocation: Physical location
  • nshardwareplatform: Hardware platform
  • nsosversion: Operating system version

Custom attributes can also be matched if they’re present in entries. Attribute selection should align with attributes consistently populated during provisioning.

Use Cases

Department-Based Automatic Group Assignment

Scenario: Users from different departments need automatic group membership.

Solution:

# Create groups for each department
ipa group-add engineering --desc="Engineering department"
ipa group-add sales --desc="Sales department"
ipa group-add operations --desc="Operations department"

# Create automember rules matching department attribute
ipa automember-add --type=group engineering
ipa automember-add-condition --type=group engineering \
    --key=departmentNumber --inclusive-regex='^10$'

ipa automember-add --type=group sales
ipa automember-add-condition --type=group sales \
    --key=departmentNumber --inclusive-regex='^20$'

ipa automember-add --type=group operations
ipa automember-add-condition --type=group operations \
    --key=departmentNumber --inclusive-regex='^30$'

# New users with departmentNumber=10 automatically join engineering
# New users with departmentNumber=20 automatically join sales
# etc.

Hostname Pattern-Based Host Grouping

Scenario: Hosts with naming convention need automatic host group assignment.

Solution:

# Create host groups for server types
ipa hostgroup-add webservers --desc="Web servers"
ipa hostgroup-add databases --desc="Database servers"
ipa hostgroup-add loadbalancers --desc="Load balancers"

# Create automember rules matching hostname patterns
ipa automember-add --type=hostgroup webservers
ipa automember-add-condition --type=hostgroup webservers \
    --key=fqdn --inclusive-regex='^web[0-9]+\.example\.com$'

ipa automember-add --type=hostgroup databases
ipa automember-add-condition --type=hostgroup databases \
    --key=fqdn --inclusive-regex='^db[0-9]+\.example\.com$'

ipa automember-add --type=hostgroup loadbalancers
ipa automember-add-condition --type=hostgroup loadbalancers \
    --key=fqdn --inclusive-regex='^lb[0-9]+\.example\.com$'

# web01.example.com automatically joins webservers
# db01.example.com automatically joins databases
# lb01.example.com automatically joins loadbalancers

Contractors Exclusion from Employee Groups

Scenario: All engineering users automatically join engineering group except contractors.

Solution:

# Create engineering group
ipa group-add engineering --desc="Engineering team"

# Create automember rule with inclusive and exclusive conditions
ipa automember-add --type=group engineering

# Include all users with department=Engineering
ipa automember-add-condition --type=group engineering \
    --key=departmentNumber --inclusive-regex='^10$'

# Exclude contractors (employeeType=contractor)
ipa automember-add-condition --type=group engineering \
    --key=employeeType --exclusive-regex='^contractor$'

# Regular employees with dept=10 join engineering
# Contractors with dept=10 and employeeType=contractor excluded

Location-Based Host Group Assignment

Scenario: Hosts in different datacenters need location-based grouping.

Solution:

# Create datacenter host groups
ipa hostgroup-add dc-us-east --desc="US East datacenter"
ipa hostgroup-add dc-eu-west --desc="EU West datacenter"
ipa hostgroup-add dc-apac --desc="APAC datacenter"

# Create automember rules matching location attribute
ipa automember-add --type=hostgroup dc-us-east
ipa automember-add-condition --type=hostgroup dc-us-east \
    --key=nshostlocation --inclusive-regex='us-east'

ipa automember-add --type=hostgroup dc-eu-west
ipa automember-add-condition --type=hostgroup dc-eu-west \
    --key=nshostlocation --inclusive-regex='eu-west'

# Hosts with nshostlocation attribute automatically grouped by location

Multi-Condition OR Logic for Flexible Membership

Scenario: Developers group needs members from multiple departments and titles.

Solution:

# Create developers group
ipa group-add developers --desc="All developers"

# Create automember rule with multiple inclusive conditions
ipa automember-add --type=group developers

# Match engineering department
ipa automember-add-condition --type=group developers \
    --key=departmentNumber --inclusive-regex='^10$'

# OR match developer title
ipa automember-add-condition --type=group developers \
    --key=title --inclusive-regex='Developer'

# OR match QA department
ipa automember-add-condition --type=group developers \
    --key=departmentNumber --inclusive-regex='^15$'

# Users satisfying ANY condition join developers group

Default Group for Uncategorized Users

Scenario: All users without department should join general staff group.

Solution:

# Create default group for uncategorized users
ipa group-add general-staff --desc="General staff"

# Set as automember default group
ipa automember-default-group-set --type=group general-staff

# Users not matching any department-specific rule join general-staff
# Ensures all users have at least one group membership

Retroactive Rule Application with Rebuild

Scenario: Automember rules created after users exist, need retroactive application.

Solution:

# Create new automember rule for existing organization
ipa automember-add --type=group sales
ipa automember-add-condition --type=group sales \
    --key=departmentNumber --inclusive-regex='^20$'

# Existing users don't automatically receive membership
# Rebuild automember to apply rules retroactively
ipa automember-rebuild --type=group

# All existing users re-evaluated against automember rules
# Sales department users now members of sales group

Operating System Version-Based Host Grouping

Scenario: Hosts need grouping by OS version for patch management.

Solution:

# Create OS version host groups
ipa hostgroup-add rhel8-hosts --desc="RHEL 8 hosts"
ipa hostgroup-add rhel9-hosts --desc="RHEL 9 hosts"

# Create automember rules matching OS version
ipa automember-add --type=hostgroup rhel8-hosts
ipa automember-add-condition --type=hostgroup rhel8-hosts \
    --key=nsosversion --inclusive-regex='Red Hat Enterprise Linux 8'

ipa automember-add --type=hostgroup rhel9-hosts
ipa automember-add-condition --type=hostgroup rhel9-hosts \
    --key=nsosversion --inclusive-regex='Red Hat Enterprise Linux 9'

# Hosts with OS version populated automatically grouped
# Enables OS-specific patch deployment policies

Examples

Basic User Automember Rule

Create group and automember rule for engineering department:

# Create target group
ipa group-add engineering --desc="Engineering department"

# Create automember rule
ipa automember-add --type=group engineering

# Add inclusive condition matching department
ipa automember-add-condition --type=group engineering \
    --key=departmentNumber --inclusive-regex='^100$'

Host Group Automember with Hostname Pattern

Create host group for web servers based on hostname:

# Create target host group
ipa hostgroup-add webservers --desc="Web servers"

# Create automember rule
ipa automember-add --type=hostgroup webservers

# Match hostnames starting with "web"
ipa automember-add-condition --type=hostgroup webservers \
    --key=fqdn --inclusive-regex='^web.*\.example\.com$'

Automember with Exclusion

Create rule that includes all engineers except contractors:

# Create rule
ipa automember-add --type=group engineering

# Include engineering department
ipa automember-add-condition --type=group engineering \
    --key=departmentNumber --inclusive-regex='^100$'

# Exclude contractors
ipa automember-add-condition --type=group engineering \
    --key=employeeType --exclusive-regex='contractor'

Multiple Inclusive Conditions (OR Logic)

Match users from multiple departments:

ipa automember-add --type=group technical_staff

# Match engineering department (100)
ipa automember-add-condition --type=group technical_staff \
    --key=departmentNumber --inclusive-regex='^100$'

# OR match IT department (200)
ipa automember-add-condition --type=group technical_staff \
    --key=departmentNumber --inclusive-regex='^200$'

# Users in either department join technical_staff

Set Default Group

Configure default group for uncategorized entries:

# For users
ipa group-add default-users --desc="Default user group"
ipa automember-default-group-set --type=group default-users

# For hosts
ipa hostgroup-add default-hosts --desc="Default host group"
ipa automember-default-group-set --type=hostgroup default-hosts

View Automember Rules

List all automember rules:

# List all user automember rules
ipa automember-find --type=group

# List all host automember rules
ipa automember-find --type=hostgroup

# Show specific rule with conditions
ipa automember-show --type=group engineering

Remove Automember Condition

Remove specific condition from rule:

# Remove inclusive condition
ipa automember-remove-condition --type=group engineering \
    --key=departmentNumber --inclusive-regex='^100$'

# Remove exclusive condition
ipa automember-remove-condition --type=group engineering \
    --key=employeeType --exclusive-regex='contractor'

Rebuild Automember for Specific Users

Apply automember rules to specific users:

# Rebuild for specific users
ipa automember-rebuild --users=alice,bob,charlie

# Rebuild for all users
ipa automember-rebuild --type=group

# Rebuild for specific hosts
ipa automember-rebuild --hosts=web01.example.com,web02.example.com

# Rebuild for all hosts
ipa automember-rebuild --type=hostgroup

Find and Remove Orphan Rules

Cleanup rules for deleted groups:

# Find orphaned automember rules
ipa automember-find-orphans --type=group
ipa automember-find-orphans --type=hostgroup

# Remove all orphaned rules
ipa automember-find-orphans --type=group --remove
ipa automember-find-orphans --type=hostgroup --remove

Delete Automember Rule

Remove automember rule entirely:

# Delete user automember rule
ipa automember-del --type=group engineering

# Delete host automember rule
ipa automember-del --type=hostgroup webservers

Security Considerations

Automember bypasses manual approval: Entries automatically join groups based on attribute matches without administrator review. Misconfigured rules could grant unintended permissions. Review automember rules carefully before deployment.

Attribute manipulation for privilege escalation: If users can modify attributes used in automember conditions (department, title), they could change values to join privileged groups. Restrict attribute modification permissions to trusted admins only.

Regex complexity enables unintended matches: Complex regular expressions may match more entries than intended. Overly broad patterns (e.g., .*) could add all entries to groups. Test regex patterns thoroughly before deploying rules.

Default group membership exposure: Default groups automatically receive all uncategorized entries. If default group has privileged access, new entries gain unintended privileges. Review default group permissions carefully.

Exclusive condition bypass via attribute removal: Exclusive conditions check attribute values. Removing the attribute entirely may bypass exclusion. Ensure exclusive logic accounts for missing attributes.

Rebuild operations modify memberships: automember-rebuild removes and re-adds automember memberships. During rebuild, entries may temporarily lose group memberships causing access disruption. Plan rebuilds during maintenance windows.

Orphan rules invisible until search: Orphaned automember rules don’t function but remain in configuration. These rules could be re-activated if target groups recreated with same names. Regularly cleanup orphans.

Automember rules visible to all authenticated users: Automember configuration visible to authenticated users. Rule patterns may reveal organizational structure or naming conventions. Don’t encode sensitive information in rule patterns.

Attribute population delays automember matching: Automember evaluates when entries created/modified. If attributes populated after entry creation, automember doesn’t trigger. Ensure attributes populated during provisioning, not later.

Manual membership removals re-added: If automember rule active, manually removing member from group is ineffective. Automember re-adds member on next evaluation. Disable automember rule or modify entry attributes to prevent re-addition.

Troubleshooting

Automember rule not adding entries to group:

# Verify rule exists and target group correct
ipa automember-show --type=group groupname

# Check inclusive conditions
ipa automember-show --type=group groupname | grep -A5 "Inclusive"

# Verify entry attribute matches regex pattern
ipa user-show username --all | grep departmentNumber

# Test regex pattern manually
# If departmentNumber=100, does '^100$' match?

# Rebuild automember for specific entry
ipa automember-rebuild --users=username

# Check group membership after rebuild
ipa group-show groupname

Entry matches multiple conflicting automember rules:

# Automember allows multiple group memberships
# Entry can match multiple rules and join multiple groups

# Verify all groups entry should belong to
ipa user-show username | grep "Member of groups"

# If unintended membership, check which rule added it
ipa automember-find --type=group

# Review each rule's conditions
ipa automember-show --type=group groupname

# Remove from unintended group if needed
ipa group-remove-member groupname --users=username
# Note: If automember rule still active, will re-add

Exclusive condition not preventing membership:

# Verify exclusive condition exists
ipa automember-show --type=group groupname | grep -A5 "Exclusive"

# Check if entry attribute matches exclusive pattern
ipa user-show username --all | grep employeeType

# Exclusive conditions must match to exclude
# If attribute missing, exclusive doesn't trigger

# Rebuild to apply exclusive logic
ipa automember-rebuild --users=username

Automember rebuild not applying rules:

# Verify rules exist
ipa automember-find --type=group

# Check if default group set (affects rebuild logic)
ipa automember-default-group-show --type=group

# Rebuild with verbose output
ipa automember-rebuild --type=group -v

# Check LDAP server logs for errors
journalctl -u dirsrv@REALM -n 100

# Verify 389-ds automember plugin enabled
dsconf -D "cn=Directory Manager" ldap://localhost plugin show MemberOf

Default group not receiving entries:

# Verify default group configured
ipa automember-default-group-show --type=group

# Default group only receives entries matching NO rules
# Check if entry matches any rule
ipa automember-find --type=group

# If entry matches rule, won't join default group
# Create entry with no matching attributes to test default group

Orphaned automember rules after group deletion:

# Find orphaned rules
ipa automember-find-orphans --type=group

# Orphans show rules referencing deleted groups
# Remove orphans
ipa automember-find-orphans --type=group --remove

# Prevent orphans: delete automember rule before deleting group
ipa automember-del --type=group groupname
ipa group-del groupname

Regex pattern not matching expected entries:

# Test regex syntax
# POSIX extended regex, not PCRE or Python regex

# Common issues:
# - Need to escape special chars: \. \* \+ \?
# - Anchors: ^ for start, $ for end
# - Case sensitivity: patterns are case-sensitive

# Verify entry attribute value exactly
ipa user-show username --all | grep departmentNumber

# Test simple pattern first
ipa automember-remove-condition --type=group groupname \
    --key=departmentNumber --inclusive-regex='complex.*pattern'

ipa automember-add-condition --type=group groupname \
    --key=departmentNumber --inclusive-regex='^100$'

# Rebuild to test
ipa automember-rebuild --users=username

Automember adding entries immediately on creation:

# Automember triggers on entry creation
# This is correct behavior, not an error

# If entry should NOT be auto-added:
# - Modify entry attributes to not match rules
# - Or remove from group manually
# - Or disable/delete automember rule

# Prevent auto-addition:
# Create entry without matching attributes
# Add matching attributes later if needed

Manual group membership keeps getting removed:

# Automember rebuild removes manual memberships
# Only automember-created memberships preserved

# To preserve manual memberships:
# - Don't run automember-rebuild
# - Or convert manual membership to automember rule

# Create automember rule matching specific user
ipa automember-add-condition --type=group groupname \
    --key=uid --inclusive-regex='^username$'

Host automember rule not working:

# Verify rule type is hostgroup, not group
ipa automember-show --type=hostgroup hostgroupname

# Check host attributes populated
ipa host-show hostname.example.com --all

# Common issue: fqdn vs hostname
# Rule must match fully qualified domain name
ipa automember-add-condition --type=hostgroup webservers \
    --key=fqdn --inclusive-regex='^web01\.example\.com$'

# Not: --key=hostname

Automember rebuild very slow:

# Large directories take time to rebuild
# Rebuild processes all entries

# Use targeted rebuild instead of full rebuild
ipa automember-rebuild --users=user1,user2,user3
# Instead of:
# ipa automember-rebuild --type=group

# Monitor progress in LDAP logs
tail -f /var/log/dirsrv/slapd-REALM/access

# Plan full rebuilds during maintenance windows

Cannot delete automember rule - “does not exist”:

# Verify rule exists and correct type
ipa automember-find --type=group
ipa automember-find --type=hostgroup

# Rule name must match exactly (case-sensitive)
ipa automember-del --type=group Engineering
# vs
ipa automember-del --type=group engineering

# Check if rule is orphaned
ipa automember-find-orphans --type=group
# Orphaned rules still deleted normally

Best Practices

Rule Design

Match stable attributes: Base rules on attributes unlikely to change frequently. Department or role is more stable than manager or temporary project assignments.

Use anchored regexes: Include ^ and $ anchors in patterns to ensure complete matches. ^web.*\.com$ is more precise than web.*com.

Test patterns before deployment: Verify regex patterns match intended entries using test users/hosts before applying to production.

Document rule purposes: Clearly document why each rule exists and what membership it manages. Future administrators will need this context.

Performance Considerations

Limit rule complexity: Excessive automember rules or complex regexes impact directory performance. Keep rules simple and targeted.

Use targeted rebuilds: Rebuild specific entries rather than all entries when possible. Full rebuilds are expensive operations.

Schedule large rebuilds carefully: Plan directory-wide rebuilds during maintenance windows when entry creation/modification is minimal.

Monitor rule evaluation: Track automember plugin performance in directory server logs, optimizing or simplifying rules if performance degrades.

Operational Practices

Create groups before rules: Always create target groups before automember rules. Attempting the reverse creates orphans.

Clean up orphans regularly: Run automember-find-orphans --remove periodically, especially after group reorganizations.

Version control rule configuration: Document automember rules in version control alongside group and policy configurations.

Test rule changes: When modifying rules, test with specific entries before rebuilding all membership.

Pattern Accuracy

Validate regexes thoroughly: Incorrect regexes can cause wrong memberships or miss intended entries. Test patterns against various inputs.

Account for edge cases: Ensure patterns handle unusual but valid values (hyphens in names, special characters, etc.).

Use exclusive rules carefully: Exclusive conditions can create unexpected membership gaps. Document all exclusions clearly.

Review membership after rebuild: After rebuild operations, audit resulting membership to verify it matches expectations.

Integration Planning

Coordinate with provisioning: Ensure user/host provisioning sets attributes that automember rules depend on.

Align with policy structure: Design automember rules that create group memberships useful for HBAC/sudo rules.

Plan for attribute consistency: Automember effectiveness depends on consistent attribute population. Standardize provisioning practices.

Security Considerations

Avoid sensitive attribute matching: Don’t base membership on attributes users can modify (description, some custom fields). Use controlled attributes.

Audit automatic assignments: Regularly review automember-created memberships to ensure they align with intended policy.

Limit default group permissions: Default groups should have minimal privileges since they receive entries by exclusion.

Test security impact: When creating rules affecting security-sensitive groups, verify membership changes don’t grant unintended access.

Integration with Other IPA Components

User and Group Management

Automember rules automatically populate user groups (group-* commands) based on user attributes (user-* commands), eliminating manual group membership management for pattern-following users.

Host and Host Group Management

Automember rules automatically populate host groups (hostgroup-* commands) based on host attributes (host-* commands), ensuring consistent host organization.

HBAC and Sudo Rules

Automember-created group memberships automatically affect HBAC and sudo rule evaluation, enabling policy that dynamically responds to user/host attributes.

Provisioning Workflows

Automember integrates with provisioning automation (Ansible, Puppet, scripts) by automatically handling group assignments when provisioning tools create properly attributed entries.

LDAP Directory

Automember operates through 389 Directory Server’s automembership plugin, evaluating rules during LDAP add/modify operations in real-time.

EXAMPLES

Add the initial group or hostgroup:

ipa hostgroup-add --desc="Web Servers" webservers
ipa group-add --desc="Developers" devel

Add the initial rule:

ipa automember-add --type=hostgroup webservers
ipa automember-add --type=group devel

Add a condition to the rule:

ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
ipa automember-add-condition --key=manager --type=group --inclusive-regex=^uid=mscott devel

Add an exclusive condition to the rule to prevent auto assignment:

ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers

Add a host:

ipa host-add web1.example.com

Add a user:

ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott

Verify automembership:

ipa hostgroup-show webservers
  Host-group: webservers
  Description: Web Servers
  Member hosts: web1.example.com

ipa group-show devel
  Group name: devel
  Description: Developers
  GID: 1004200000
  Member users: tuser

Remove a condition from the rule:

ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers

Modify the automember rule:

ipa automember-mod

Set the default (fallback) target group:

ipa automember-default-group-set --default-group=webservers --type=hostgroup
ipa automember-default-group-set --default-group=ipausers --type=group

Remove the default (fallback) target group:

ipa automember-default-group-remove --type=hostgroup
ipa automember-default-group-remove --type=group

Show the default (fallback) target group:

ipa automember-default-group-show --type=hostgroup
ipa automember-default-group-show --type=group

Find all of the automember rules:

ipa automember-find

Find all of the orphan automember rules:

ipa automember-find-orphans --type=hostgroup

Find all of the orphan automember rules and remove them:

ipa automember-find-orphans --type=hostgroup --remove

Display a automember rule:

ipa automember-show --type=hostgroup webservers
ipa automember-show --type=group devel

Delete an automember rule:

ipa automember-del --type=hostgroup webservers
ipa automember-del --type=group devel

Rebuild membership for all users:

ipa automember-rebuild --type=group

Rebuild membership for all hosts:

ipa automember-rebuild --type=hostgroup

Rebuild membership for specified users:

ipa automember-rebuild --users=tuser1 --users=tuser2

Rebuild membership for specified hosts:

ipa automember-rebuild --hosts=web1.example.com --hosts=web2.example.com

Commands

automember-add

Usage: ipa [global-options] automember-add AUTOMEMBER-RULE [options]

Add an automember rule.

Arguments

ArgumentRequiredDescription
AUTOMEMBER-RULEyesAutomember Rule

Options

OptionDescription
--desc DESCA description of this auto member rule
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--type TYPEGrouping to which the rule applies
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

automember-add-condition

Usage: ipa [global-options] automember-add-condition AUTOMEMBER-RULE [options]

Add conditions to an automember rule.

Arguments

ArgumentRequiredDescription
AUTOMEMBER-RULEyesAutomember Rule

Options

OptionDescription
--desc DESCA description of this auto member rule
--inclusive-regex INCLUSIVE-REGEXInclusive Regex
--exclusive-regex EXCLUSIVE-REGEXExclusive Regex
--key KEYAttribute to filter via regex. For example fqdn for a host, or manager for a user
--type TYPEGrouping to which the rule applies
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

automember-default-group-remove

Usage: ipa [global-options] automember-default-group-remove [options]

Remove default (fallback) group for all unmatched entries.

Options

OptionDescription
--type TYPEGrouping to which the rule applies
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

automember-default-group-set

Usage: ipa [global-options] automember-default-group-set [options]

Set default (fallback) group for all unmatched entries.

Options

OptionDescription
--default-group DEFAULT-GROUPDefault (fallback) group for entries to land
--type TYPEGrouping to which the rule applies
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

automember-default-group-show

Usage: ipa [global-options] automember-default-group-show [options]

Display information about the default (fallback) automember groups.

Options

OptionDescription
--type TYPEGrouping to which the rule applies
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

automember-del

Usage: ipa [global-options] automember-del AUTOMEMBER-RULE [options]

Delete an automember rule.

Arguments

ArgumentRequiredDescription
AUTOMEMBER-RULEyesAutomember Rule

Options

OptionDescription
--type TYPEGrouping to which the rule applies

automember-find

Usage: ipa [global-options] automember-find [CRITERIA] [options]

Search for automember rules.

Arguments

Argument Required Description


CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--desc DESCA description of this auto member rule
--type TYPEGrouping to which the rule applies
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“automember-rule”)

automember-find-orphans

Usage: ipa [global-options] automember-find-orphans [CRITERIA] [options]

Search for orphan automember rules. The command might need to be run as

a privileged user user to get all orphan rules.

Arguments

Argument Required Description


CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--desc DESCA description of this auto member rule
--type TYPEGrouping to which the rule applies
--removeRemove orphan automember rules
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“automember-rule”)

automember-mod

Usage: ipa [global-options] automember-mod AUTOMEMBER-RULE [options]

Modify an automember rule.

Arguments

ArgumentRequiredDescription
AUTOMEMBER-RULEyesAutomember Rule

Options

OptionDescription
--desc DESCA description of this auto member rule
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--type TYPEGrouping to which the rule applies
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

automember-rebuild

Usage: ipa [global-options] automember-rebuild [options]

Rebuild auto membership.

Options

OptionDescription
--type TYPEGrouping to which the rule applies
--users USERSRebuild membership for specified users
--hosts HOSTSRebuild membership for specified hosts
--no-waitDon’t wait for rebuilding membership
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

automember-remove-condition

Usage: ipa [global-options] automember-remove-condition AUTOMEMBER-RULE [options]

Remove conditions from an automember rule.

Arguments

ArgumentRequiredDescription
AUTOMEMBER-RULEyesAutomember Rule

Options

OptionDescription
--desc DESCA description of this auto member rule
--inclusive-regex INCLUSIVE-REGEXInclusive Regex
--exclusive-regex EXCLUSIVE-REGEXExclusive Regex
--key KEYAttribute to filter via regex. For example fqdn for a host, or manager for a user
--type TYPEGrouping to which the rule applies
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

automember-show

Usage: ipa [global-options] automember-show AUTOMEMBER-RULE [options]

Display information about an automember rule.

Arguments

ArgumentRequiredDescription
AUTOMEMBER-RULEyesAutomember Rule

Options

OptionDescription
--type TYPEGrouping to which the rule applies
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.