interface

IPA Configuration

Manage global IPA [server](/reference/server) configuration settings affecting server behavior and policy defaults. Configuration includes search limits, default [user](/reference/user) and [group](/reference/group) settings, email domain, certificate subject base, username format, home directory templates, default shells, and migration mode controls. Features include comprehensive configuration display and modification for customizing IPA deployment behavior and organizational standards.

2 commands
interface

Manage the default values that IPA uses and some of its tuning parameters.

NOTES

The password notification value (—pwdexpnotify) is stored here so it will be replicated. It is not currently used to notify users in advance of an expiring password.

Some attributes are read-only, provided only for information purposes. These include:

Certificate Subject base: the configured certificate subject base,

e.g. O=EXAMPLE.COM. This is configurable only at install time.

Password plug-in features: currently defines additional hashes that the

password will generate (there may be other conditions).

When setting the order list for mapping SELinux users you may need to quote the value so it isn’t interpreted by the shell.

The maximum length of a hostname in Linux is controlled by MAXHOSTNAMELEN in the kernel and defaults to 64. Some other operating systems, Solaris for example, allows hostnames up to 255 characters. This option will allow flexibility in length but by default limiting to the Linux maximum length.

EXAMPLES

Show basic server configuration:

ipa config-show

Show all configuration options:

ipa config-show --all

Change maximum username length to 99 characters:

ipa config-mod --maxusername=99

Change maximum host name length to 255 characters:

ipa config-mod --maxhostname=255

Increase default time and size limits for maximum IPA server search:

ipa config-mod --searchtimelimit=10 --searchrecordslimit=2000

Set default user e-mail domain:

ipa config-mod --emaildomain=example.com

Enable migration mode to make “ipa migrate-ds” command operational:

ipa config-mod --enable-migration=TRUE

Define SELinux user map order:

ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'

Commands

config-mod

Usage: ipa [global-options] config-mod [options]

Modify configuration options.

Options

OptionDescription
--maxusername MAXUSERNAMEMaximum username length
--maxhostname MAXHOSTNAMEMaximum hostname length
--homedirectory HOMEDIRECTORYDefault location of home directories
--defaultshell DEFAULTSHELLDefault shell for new users
--defaultgroup DEFAULTGROUPDefault group for new users
--emaildomain EMAILDOMAINDefault e-mail domain
--searchtimelimit SEARCHTIMELIMITMaximum amount of time (seconds) for a search (-1 or 0 is unlimited)
--searchrecordslimit SEARCHRECORDSLIMITMaximum number of records to search (-1 or 0 is unlimited)
--usersearch USERSEARCHA comma-separated list of fields to search in when searching for users
--groupsearch GROUPSEARCHA comma-separated list of fields to search in when searching for groups
--enable-migration ENABLE-MIGRATIONEnable migration mode
--groupobjectclasses GROUPOBJECTCLASSESDefault group objectclasses (comma-separated list)
--userobjectclasses USEROBJECTCLASSESDefault user objectclasses (comma-separated list)
--pwdexpnotify PWDEXPNOTIFYNumber of days’s notice of impending password expiration
--ipaconfigstring IPACONFIGSTRINGExtra hashes to generate in password plug-in
--ipaselinuxusermaporder IPASELINUXUSERMAPORDEROrder in increasing priority of SELinux users, delimited by $
--ipaselinuxusermapdefault IPASELINUXUSERMAPDEFAULTDefault SELinux user when no match is found in SELinux map rule
--pac-type PAC-TYPEDefault types of PAC supported for services
--user-auth-type USER-AUTH-TYPEDefault types of supported user authentication
--user-default-subid USER-DEFAULT-SUBIDEnable adding subids to new users
--ca-renewal-master-server CA-RENEWAL-MASTER-SERVERRenewal master for IPA certificate authority
--domain-resolution-order DOMAIN-RESOLUTION-ORDERcolon-separated list of domains used for short name qualification
--enable-sidNew users and groups automatically get a SID assigned
--add-sidsAdd SIDs for existing users and groups
--netbios-name NETBIOS-NAMENetBIOS name of the IPA domain
--key-type-size KEY-TYPE-SIZEIPA Service key type:size
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

config-show

Usage: ipa [global-options] config-show [options]

Show the current configuration.

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

Use Cases

Adjusting Search Limits for Large Directory Environments

Organizations with large user populations frequently encounter LDAP search limit errors when running queries that return many results. Increasing search limits allows administrative operations to complete successfully.

# Display current search limits
ipa config-show | grep -i limit

# Increase time limit to 10 seconds (default is 2)
# Increase record limit to 10000 results (default is 100)
ipa config-mod --searchtimelimit=10 --searchrecordslimit=10000

# Verify changes
ipa config-show --all | grep search

# Now large queries will succeed
ipa user-find --all  # Returns more results without hitting limits
ipa group-find --all

Setting Default Email Domain for Automatic Email Address Generation

When creating users, IPA can automatically generate email addresses based on username and a default email domain, eliminating manual email address entry for standard organizational email conventions.

# Set default email domain
ipa config-mod --emaildomain=example.com

# Now when creating users, email is auto-generated if not specified
ipa user-add jsmith --first=John --last=Smith
# Email will be automatically set to jsmith@example.com

# View configured email domain
ipa config-show | grep "Default e-mail domain"

Enabling Migration Mode for Legacy Directory Migration

Organizations migrating from other LDAP directories need to enable migration mode to allow password hashes to be imported and the migrate-ds command to function.

# Enable migration mode
ipa config-mod --enable-migration=TRUE

# Verify migration mode is enabled
ipa config-show | grep "Migration mode"

# Now migrate-ds command will work
ipa migrate-ds ldap://old-ldap.example.com

# After migration completes, disable migration mode for security
ipa config-mod --enable-migration=FALSE

Increasing Maximum Username Length for Naming Conventions

Some organizations have naming conventions requiring longer usernames than the default 32-character limit, such as email-based usernames or department-prefixed identifiers.

# Check current maximum username length
ipa config-show | grep "Maximum username length"

# Increase to 64 characters to accommodate email addresses as usernames
ipa config-mod --maxusername=64

# Now longer usernames can be created
ipa user-add john.smith.contractor@example.com --first=John --last=Smith

# Note: This should be set early in deployment lifecycle
# Changing after users exist may cause issues with existing usernames

Configuring Default Home Directory Template for Organizational Structure

Organizations with specific home directory structures can configure templates that automatically generate correct paths when users are created, supporting different storage layouts or department-based organization.

# View current home directory template
ipa config-show | grep "Home directory base"

# Set home directory base for department-based structure
ipa config-mod --homedirectory=/home/users

# For more complex templates, home directories are generated as:
# /home/users/<username> by default

# Verify setting
ipa config-show --all | grep home

Setting Default User Shell for Security Compliance

Security policies may require specific default shells for user accounts. IPA can be configured to automatically assign compliant shells to new users.

# View current default shell
ipa config-show | grep "Default shell"

# Set default shell to /bin/bash
ipa config-mod --defaultshell=/bin/bash

# For restricted environments, use restricted shells
ipa config-mod --defaultshell=/bin/rbash

# New users will automatically get this shell
ipa user-add testuser --first=Test --last=User
ipa user-show testuser | grep "Login shell"

Adjusting Maximum Hostname Length for Multi-Platform Environments

Heterogeneous environments with Solaris or other systems supporting hostnames longer than Linux’s 64-character default need increased maximum hostname length.

# Check current maximum hostname length
ipa config-show | grep "Maximum hostname length"

# Increase to 255 to support Solaris and other platforms
ipa config-mod --maxhostname=255

# Now longer hostnames can be enrolled
ipa host-add very-long-hostname-for-solaris-system.subdomain.example.com

# Verify change
ipa config-show | grep "Maximum hostname length"

Configuring SELinux User Map Order for Access Control

Organizations using SELinux need to define the order in which SELinux user contexts are evaluated for user mapping, supporting consistent security context assignment.

# View current SELinux user map order
ipa config-show --all | grep selinux

# Set SELinux user map order with proper precedence
# Quote value to prevent shell interpretation
ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'

# Verify configuration
ipa config-show --all | grep ipaselinuxusermaporder

# This affects how users get SELinux contexts on client systems

Setting Default Group Object Class for Schema Compatibility

Some integrations require specific POSIX or object class configurations for groups. IPA allows configuration of default group object classes.

# View all configuration including group settings
ipa config-show --all | grep -i group

# Default group object classes are set during installation
# View group object class settings
ipa config-show --all | grep objectclass

# These settings typically should not be modified after deployment
# but can be reviewed for troubleshooting integration issues

Configuring Certificate Subject Base for PKI Integration

During initial IPA installation, the certificate subject base is configured. While read-only after installation, understanding this setting is crucial for certificate operations and PKI integration.

# View certificate subject base (read-only)
ipa config-show | grep "Certificate Subject base"

# This shows the DN base for all certificates (e.g., O=EXAMPLE.COM)
# Cannot be changed after installation

# This value is used when generating certificates
ipa cert-request server.csr --principal=HTTP/web.example.com

# All issued certificates will have subjects under this base
# Example: CN=web.example.com,O=EXAMPLE.COM

Security Considerations

Migration Mode Disables Password Quality Checks

When migration mode is enabled with --enable-migration=TRUE, IPA disables password quality validation and allows pre-hashed passwords to be imported from legacy systems. This creates a security window where weak passwords from the old system persist in IPA. Attackers can exploit weak passwords imported during migration without IPA’s password policy enforcement detecting them.

Enable migration mode only during active migration operations. Immediately disable after completing migration: ipa config-mod --enable-migration=FALSE. Force password resets for migrated users: ipa user-mod username --password-expiration=20240101000000Z. Implement monitoring detecting migration mode being re-enabled. Document migration windows and require change control approval. Audit migrated password hashes for weakness if tooling permits.

Excessive Search Limits Enable Denial of Service

Increasing search time and record limits with --searchtimelimit and --searchrecordslimit to very large values allows single queries to consume excessive LDAP server resources. Malicious or poorly written scripts can execute broad searches returning thousands of entries, causing performance degradation or denial of service for legitimate users.

Set search limits based on actual operational needs rather than arbitrarily large values. Use --searchtimelimit=5 (5 seconds) and --searchrecordslimit=2000 as starting points, adjusting based on monitoring. Implement query monitoring and alerting for searches hitting limits. Use LDAP access controls restricting which users can execute broad searches. Consider separate limits for administrative vs regular users if supported. Test impact of limit changes in non-production environments first.

Configuration Changes Replicate Without Authorization Workflow

Global configuration changes made with config-mod immediately replicate to all IPA servers without approval workflow or staged rollout. Incorrect configuration changes affect all servers simultaneously, potentially causing widespread service disruptions. Configuration changes lack built-in rollback mechanisms.

Implement change management procedures requiring documentation and approval before configuration modifications. Test configuration changes in non-production IPA environments first. Export current configuration before changes: ipa config-show --all > config-backup.txt. Implement monitoring alerting on configuration changes. Use version control to track intended configuration state. For critical changes, consider maintenance windows and communication to users.

Default Shell Modification Affects System Security Posture

Changing default shell with --defaultshell affects all new user accounts. Setting permissive shells like /bin/bash when /bin/rbash (restricted bash) is required by policy creates security gaps. Conversely, overly restrictive shells may break legitimate automation. Incorrect shell settings can grant or deny inappropriate access levels.

Document organizational shell policy and ensure --defaultshell aligns with security requirements. Review shell settings during security audits. For high-security environments, use restricted shells and grant full shells only by exception. Verify shell is in /etc/shells on client systems. Audit existing users when changing default shell: new default does not affect existing accounts. Consider separate shell defaults for different user classes if policies vary.

Extended Username Length Enables Enumeration and Confusion

Increasing maximum username length with --maxusername beyond 32 characters allows email addresses or very descriptive identifiers as usernames. This increases username enumeration attack surface and can create confusion when usernames become too similar. Long usernames may cause display issues in legacy applications or reporting tools with fixed-width fields.

Set --maxusername to minimum value supporting organizational naming conventions. Avoid email addresses as usernames if possible; use separate email field. Implement username format validation at user creation time. Monitor for username collision attempts (similar names differing only in non-visible characters). Test extended username lengths with all integrated applications before deployment. Document username standards including maximum practical length.

Home Directory Base Misconfiguration Causes Permission Issues

Incorrect home directory base setting with --homedirectory can create security issues when home directories are created on wrong filesystems or with inappropriate permissions. Home directories under /tmp or other world-writable locations create privilege escalation risks. Automount integration depends on correct home directory paths.

Validate home directory base points to dedicated filesystem with appropriate mount options (nosuid, nodev recommended). Ensure automount or local filesystem creation procedures align with configured base. Test home directory creation for new users before rolling out changes. Audit existing home directory locations when changing base: existing users are not affected. Coordinate home directory changes with storage and automount teams. Document home directory structure in operational runbooks.

SELinux User Map Order Affects Multi-Level Security

Incorrect SELinux user map order configuration with --ipaselinuxusermaporder can cause users to receive inappropriate security contexts, either too permissive or too restrictive. Wrong SELinux context assignment can prevent legitimate access or allow unauthorized privilege escalation in MLS/MCS environments. Syntax errors in the order specification can cause SELinux mapping failures.

Validate SELinux user map order syntax before applying: format is user:level$user:level. Test SELinux context assignment for sample users after changes: ssh user@host id -Z. Document which user groups should receive which SELinux contexts. Coordinate SELinux configuration changes with security team. Monitor for SELinux denials correlating with configuration changes: ausearch -m AVC. Maintain backup of working SELinux configuration. Test in non-production environment first.

Email Domain Configuration Enables Spoofing Scenarios

Setting default email domain with --emaildomain automatically generates email addresses for users. If the domain does not match organization’s actual email infrastructure, users receive invalid email addresses. In some scenarios, this could enable email spoofing if external domains are configured. Incorrect email domain complicates password reset and notification workflows.

Ensure --emaildomain matches organization’s authoritative email domain. Validate email addresses are actually created in email system when users are provisioned. For multi-domain organizations, consider not setting default domain and requiring explicit email entry. Implement email address validation checking addresses resolve before use. Monitor for email delivery failures to auto-generated addresses. Coordinate email domain configuration with email administrators.

Configuration Viewing Exposes Operational Details

The config-show --all command displays all IPA configuration including internal operational details, LDAP search bases, and system architecture information. This information disclosure allows reconnaissance of IPA deployment structure. Unauthorized users with read access to configuration can gather intelligence for targeted attacks.

Implement access controls restricting config-show to administrative users. Audit who has permissions to view configuration: ipa permission-show 'System: Read Global Configuration'. Monitor execution of config-show commands especially from non-administrative accounts. Sanitize configuration output before sharing with third parties or external support. Review default permission grants during security audits.

Maximum Hostname Length Affects Certificate Validation

Allowing extended hostname lengths with --maxhostname=255 enables enrollment of hosts with very long FQDNs. Long hostnames may exceed certificate subject or SAN length limits in some PKI implementations. DNS resolution of extremely long hostnames may fail in some environments. Some applications have hostname length limits shorter than 255 characters.

Test certificate issuance for maximum-length hostnames before increasing limit: ipa cert-request. Verify DNS supports configured hostname length: some DNS implementations have practical limits below 255. Test integrated applications with long hostnames to verify compatibility. Document maximum practical hostname length based on testing. Consider organizational naming standards limiting hostname length below technical maximum.

Read-Only Configuration Fields Reveal Installation Details

Configuration fields marked read-only (certificate subject base, password plugin features) reveal information about IPA installation and architecture. Certificate subject base discloses organizational DN structure. Password plugin features expose which password hash algorithms are in use, informing password cracking strategies.

Accept that some configuration details are inherently visible to authenticated users. Focus security on access control preventing unauthorized authentication. Use strong password policies and MFA to prevent credential compromise. Monitor for unauthorized authentication attempts and configuration viewing. Consider security through depth rather than obscurity: assume attackers know configuration details.

Group Object Class Configuration Impacts LDAP Compatibility

While typically configured during installation, group object class settings affect LDAP schema compliance and compatibility with external systems. Incorrect object classes can cause group replication failures, integration issues with Active Directory trusts, or problems with legacy LDAP clients.

Avoid modifying group object class configuration after deployment unless specifically directed by Red Hat support. Test LDAP schema changes in non-production environment. Verify AD trust compatibility after any schema modifications. Monitor LDAP replication for errors after configuration changes. Maintain documentation of any customizations to default schema. Consult with identity architects before modifying object class settings.

Password Expiration Notification Setting Not Enforced

The --pwdexpnotify setting configures when users should be notified of upcoming password expiration, but this feature is not currently enforced by IPA. Administrators may incorrectly believe password expiration notifications are active, creating false security confidence. Users will not receive expected advance warning of password expiration.

Do not rely on --pwdexpnotify for password expiration notifications. Implement separate password expiration notification mechanism using scripts checking password expiration dates. Use ipa user-find --pkey-only --all to extract password expiration timestamps, then send notifications via external tools. Document that built-in notification is not functional. Monitor password expiration dates and proactively contact users before expiration.

Configuration Modification Without Testing Causes Production Issues

IPA configuration changes take effect immediately across all replicated servers without staging or gradual rollout capability. Testing configuration changes in production carries risk of widespread disruption. Some configuration changes cannot be easily rolled back.

Maintain non-production IPA environment mirroring production for testing configuration changes. Export configuration before changes for rollback reference: ipa config-show --all > pre-change-config.txt. Implement configuration change procedures requiring testing sign-off. Schedule configuration changes during maintenance windows when possible. Have rollback procedures documented and ready. Monitor key metrics after configuration changes to detect issues early.

Troubleshooting

Configuration Changes Not Replicating to All Servers

Symptom: Configuration modification with config-mod succeeds but some IPA replicas show old configuration values when running config-show.

Diagnosis: Check replication status: ipa-replica-manage list and look for replication errors. Verify configuration on each server: ipa config-show | grep "setting" on each replica. Review replication agreements: ipa-replica-manage list --verbose. Check for replication lag in monitoring.

Resolution: Force replication synchronization: ipa-replica-manage force-sync --from=master.example.com. Restart IPA services on affected replica: ipactl restart. Check for LDAP replication conflicts: ldapsearch -Y GSSAPI -b "dc=example,dc=com" "(nsds5ReplConflict=*)". Resolve any conflicts found. Verify network connectivity and firewall rules between replicas. If replication continues failing, re-initialize replica: ipa-replica-manage re-initialize --from=master.example.com.

Search Limit Changes Not Affecting Query Results

Symptom: After increasing search limits with --searchtimelimit or --searchrecordslimit, queries still timeout or return “size limit exceeded” errors with same number of results as before change.

Diagnosis: Verify configuration change applied: ipa config-show | grep limit. Check if client has cached old configuration: SSSD caches may need refresh. Review if queries are hitting per-user limits vs global limits. Check LDAP server limits separately from IPA config limits.

Resolution: Restart SSSD on client systems: systemctl restart sssd. Clear SSSD cache: sss_cache -E. Verify user is not hitting separate per-user LDAP limits. Check Directory Server configuration for separate size and time limits: review /etc/dirsrv/slapd-REALM/dse.ldif for nsslapd-sizelimit and nsslapd-timelimit. Restart Directory Server if needed: systemctl restart dirsrv@REALM.service. Use --sizelimit and --timelimit flags on individual commands to override defaults.

Migration Mode Enable Fails with Permission Error

Symptom: Attempting to enable migration mode with ipa config-mod --enable-migration=TRUE fails with “Insufficient access” or permission denied errors.

Diagnosis: Verify user permissions: ipa user-show $(ipa env user | awk '{print $2}') and check group memberships. Confirm user is member of admins group or has appropriate role. Check if custom permissions or roles have modified default config modification rights.

Resolution: Ensure user is member of admins group: ipa group-show admins to verify membership. Add user to admins: ipa group-add-member admins --users=username. Alternatively, verify user has System: Modify Configuration permission. Use admin account for testing: kinit admin and retry. Review custom permission modifications: ipa permission-show 'System: Modify Configuration'. Check for SELinux denials: ausearch -m AVC -ts recent | grep config.

Email Domain Not Being Used for New Users

Symptom: After setting default email domain with --emaildomain=example.com, newly created users do not have email addresses auto-generated.

Diagnosis: Verify email domain is configured: ipa config-show | grep "Default e-mail domain". Check if email address is explicitly provided during user creation (explicit value overrides default). Review user creation command syntax. Verify email attribute is not being set to empty string.

Resolution: Confirm configuration: ipa config-show --all | grep email. When creating users, do not specify --email flag to allow auto-generation: ipa user-add jsmith --first=John --last=Smith (omit —email). If email specified as empty: --email="", auto-generation is bypassed. Verify user was created after email domain configuration was set. Test user creation: ipa user-add testuser --first=Test --last=User && ipa user-show testuser | grep Email.

Home Directory Template Not Applied to Existing Users

Symptom: Changed home directory base with --homedirectory but existing users still have old home directory paths.

Diagnosis: Understand that configuration changes only affect new user creation. Review existing user home directories: ipa user-show username | grep "Home directory". Check when configuration was changed relative to user creation dates.

Resolution: Accept that home directory base changes only apply to new users. For existing users, modify individually: ipa user-mod username --homedir=/new/home/path/username. For bulk changes, script the updates:

ipa user-find --pkey-only | grep "User login" | awk '{print $3}' | while read user; do
  ipa user-mod $user --homedir=/new/home/path/$user
done

Update automount configuration if home directories are automounted. Coordinate with storage team for actual home directory creation/migration.

Default Shell Not Appearing for New Users

Symptom: Set default shell with --defaultshell=/bin/bash but new users created have different shells or no shell set.

Diagnosis: Verify configuration: ipa config-show | grep "Default shell". Check if shell is being explicitly specified during user creation (overrides default). Verify shell exists in /etc/shells on IPA server. Review user creation command for --shell flag.

Resolution: Confirm shell configured: ipa config-show --all | grep shell. When creating users, omit --shell flag to use default: ipa user-add testuser --first=Test --last=User. If shell explicitly set to empty, default is not used. Verify shell path is valid and exists on client systems: shell must be in /etc/shells. Test with new user: ipa user-add shelltest --first=Shell --last=Test && ipa user-show shelltest | grep shell.

Configuration Shows Read-Only Fields That Cannot Be Modified

Symptom: Attempting to modify certificate subject base or other fields with config-mod fails with errors indicating field is read-only.

Diagnosis: Review config-show --all output and identify which fields are marked as read-only. Check documentation for specific field to confirm if modifiable. Common read-only fields: Certificate Subject base, Password plug-in features.

Resolution: Accept that some configuration fields cannot be changed after installation. Certificate subject base is set during ipa-server-install and cannot be modified afterward. To change certificate subject base, requires complete IPA reinstallation. For other read-only fields, consult IPA documentation for workarounds or alternatives. Review installation planning to ensure critical settings are configured correctly during initial install.

SELinux User Map Order Syntax Errors

Symptom: Setting SELinux user map order with --ipaselinuxusermaporder fails with syntax errors or validation failures.

Diagnosis: Review syntax requirements: format is user:level$user:level with dollar signs separating entries. Check for special character escaping issues. Verify SELinux user names and levels are valid. Common error: shell interpreting special characters.

Resolution: Quote the entire value to prevent shell interpretation: ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023'. Use single quotes to prevent variable expansion. Verify SELinux user names exist: semanage user -l. Validate MLS/MCS level syntax for your SELinux policy. Test each component individually if complex. Copy working examples from documentation rather than typing manually.

Maximum Username Length Cannot Be Decreased

Symptom: Attempting to decrease maximum username length with --maxusername fails or has no effect on existing long usernames.

Diagnosis: Check if existing usernames exceed new proposed limit: ipa user-find --all | grep "User login" | awk '{print length($3), $3}' | sort -n. Verify current maximum: ipa config-show | grep "Maximum username length". Understand decreasing limit only affects new users.

Resolution: Cannot decrease maximum username length below longest existing username. Identify users with long names: ipa user-find --all | grep -E '.{33,}' (for names > 32 chars). Either keep higher limit or migrate long usernames to shorter alternatives first. Consider organizational impact of username changes (email, home directories, file ownership). For new deployment, set conservative limit initially. Document why higher limit is required if cannot be reduced.

Configuration Modification Timestamp Not Updating

Symptom: Making configuration changes but modification timestamp shown in config-show --all does not update or shows incorrect time.

Diagnosis: Verify changes are actually being saved: export config before and after change and diff. Check if system time is correct: date on IPA server. Review if changes are being made on correct server (verify not reading from different replica). Check LDAP attribute: ldapsearch -Y GSSAPI -b "cn=ipaConfig,cn=etc,dc=example,dc=com" modifyTimestamp.

Resolution: Ensure system clocks are synchronized via NTP: systemctl status chronyd. Force time synchronization: chronyc makestep. Verify changes are persisted: ldapsearch -Y GSSAPI -b "cn=ipaConfig,cn=etc,dc=example,dc=com" and review attributes. If timestamps incorrect across all replicas, investigate time synchronization issues. Check for LDAP replication conflicts affecting config entry. Consult /var/log/dirsrv/slapd-REALM/errors for any LDAP modification errors.

Cannot View Full Configuration with config-show

Symptom: Running ipa config-show shows basic configuration but config-show --all fails with errors or shows same output as without --all.

Diagnosis: Verify command syntax: ipa config-show --all (double dash). Check permissions: ensure user can read extended attributes. Review if output is being truncated by terminal or less. Test output redirection: ipa config-show --all > /tmp/full-config.txt.

Resolution: Use correct double-dash syntax: --all not -all. Ensure adequate terminal size for full output: export COLUMNS=200. Redirect to file for complete output: ipa config-show --all > config.txt then review file. Verify user permissions: ipa permission-show 'System: Read Global Configuration'. If permission denied, add user to appropriate role. Use admin account for testing: kinit admin. Check for locale or encoding issues affecting output display.

Changes Immediately Affect All Servers Without Gradual Rollout

Symptom: Configuration change made on one IPA server immediately affects all replicas without ability to test on subset first.

Diagnosis: Understand this is expected IPA behavior - configuration is global and replicates immediately. Review replication status to see how fast changes propagate: ipa-replica-manage list. Check configuration timestamp across servers to verify sync.

Resolution: This is by design - IPA configuration is global across entire deployment. Test configuration changes in separate non-production IPA environment before production deployment. Plan configuration changes during maintenance windows when impact can be controlled. Export configuration before changes for rollback: ipa config-show --all > backup.txt. Document change procedures including rollback steps. For critical changes, consider temporary firewall rules preventing replication during change window (not recommended, but possible for emergency). Monitor services after configuration changes to detect issues quickly.

Maximum Hostname Length Change Rejected

Symptom: Attempting to set maximum hostname length with --maxhostname fails with validation error or has no effect.

Diagnosis: Check current value: ipa config-show | grep "Maximum hostname length". Verify requested value is within valid range (1-255). Check if existing hosts exceed new proposed limit. Review error message for specific validation failure reason.

Resolution: Ensure value is between 1 and 255: ipa config-mod --maxhostname=255. Cannot decrease below longest existing hostname: query for long hostnames: ipa host-find --all | grep "Host name". If decreasing, rename or remove hosts with too-long names first. For security, do not set unnecessarily high values - use 64 (Linux default) unless multi-platform environment requires higher. Verify change applied: ipa config-show | grep "Maximum hostname length". Test host enrollment with new maximum length before relying on it.

Password Expiration Notification Days Setting Has No Effect

Symptom: Set password expiration notification with --pwdexpnotify but users are not receiving expiration warnings.

Diagnosis: Review IPA documentation confirming this feature is not currently enforced. Check configuration: ipa config-show --all | grep pwdexpnotify. Understand this setting stores value in LDAP for potential future use but does not activate notifications.

Resolution: Accept that built-in password expiration notification is not currently functional in IPA. Implement external notification mechanism using scripts. Create monitoring script checking password expiration dates: ipa user-find --all --raw and parse krbPasswordExpiration attribute. Calculate days until expiration and send email notifications via separate system. Schedule script via cron for daily execution. Consider third-party tools or PAM modules for client-side notifications. Document workaround procedure in operational runbooks.

Related Topics