
Group Management

Manage user groups including POSIX and non-POSIX groups with support for nested membership. Groups can contain users, other groups, and Kerberos services. Features include external group membership for Active Directory trust integration, group membership managers for delegated administration, automatic GID assignment, and flexible membership management for organizing users and services.


Overview

Groups in FreeIPA provide flexible mechanisms for organizing users, services, and other groups into logical collections for access control, policy application, and administrative delegation. Groups serve as fundamental building blocks in the IPA authorization model, appearing in HBAC rules, sudo rules, role assignments, and traditional POSIX file permissions.

FreeIPA supports three distinct group types, each serving different use cases within the identity management ecosystem. POSIX groups provide traditional UNIX group functionality with numeric group identifiers for file system permissions and process ownership. Non-POSIX groups offer lightweight organizational containers without file system semantics, useful for policy grouping and IPA-specific authorizations. External groups bridge trust boundaries, allowing users from Active Directory or other trusted domains to be mapped into the local IPA authorization framework.

Groups can contain multiple membership types simultaneously. Direct members include individual user accounts, while nested group membership allows groups to contain other groups, creating hierarchical organizational structures. Service members enable groups to contain Kerberos service principals, useful for managing collections of services with shared access requirements. This flexible membership model supports complex organizational topologies while maintaining clear authorization boundaries.

Group Types and Characteristics

POSIX Groups

POSIX groups represent traditional UNIX groups with numeric group identifiers (GID). These groups appear in file system permissions, process group ownership, and standard UNIX authorization contexts. When IPA clients retrieve user information through SSSD, POSIX group memberships are evaluated and presented to the operating system for access control decisions.

Each POSIX group requires a unique GID number within the IPA domain. IPA automatically assigns GID values from configured ID ranges when not explicitly specified, ensuring uniqueness across the domain. Manual GID assignment is supported for migration scenarios or specific organizational requirements. Changing a group’s GID after creation is possible but requires careful consideration, as existing file system permissions referencing the old GID will not automatically update.

POSIX groups support both direct and nested membership. In traditional POSIX environments, only direct user members are visible through standard system interfaces like getent group. However, IPA’s SSSD integration can optionally resolve nested group membership, making indirect members visible to the operating system based on configuration.

Non-POSIX Groups

Non-POSIX groups provide organizational containers without UNIX group semantics. These groups lack GID numbers and do not appear in traditional file system permissions. Non-POSIX groups are primarily used within IPA’s own authorization model for HBAC rules, sudo rules, role membership, and other IPA-managed policies.

Non-POSIX groups can be converted to POSIX groups using group-mod --posix, which assigns a GID and enables UNIX group functionality. This conversion is one-way; POSIX groups cannot be demoted to non-POSIX status. This design ensures that once a GID is assigned and potentially referenced in file permissions, it remains stable and consistent.

Non-POSIX groups are particularly useful when creating organizational structures that have no file system implications. For example, a “developers” group might be POSIX for file permissions, while a “developers-americas” subgroup might be non-POSIX if it only affects HBAC rules or role assignments.

External Groups

External groups enable integration with Active Directory trusts and other external identity sources. These special groups accept members identified by Security Identifiers (SID) from trusted domains rather than IPA user accounts. External groups must be marked as both non-POSIX and external during creation.

External groups cannot directly participate in POSIX authorization contexts. Instead, they are nested within regular POSIX groups to grant access to trusted domain users. This two-tier model maintains clean separation between external identity sources and local authorization policies. External users authenticate against their home domain but receive authorization through IPA group membership.

When adding external members, FreeIPA accepts several identifier formats: raw SID values, DOMAIN\username format, or username@domain format. IPA attempts to resolve user/group names to SIDs using the trusted domain’s Global Catalog, enabling administrators to use familiar names rather than opaque SID values.

Group Naming Constraints

Group names must follow specific formatting rules enforced at creation and modification:

  • Cannot consist solely of numeric digits
  • Must begin with a letter, number, underscore (_), or period (.)
  • May contain letters, numbers, underscores, periods, or hyphens (-)
  • May end with a letter, number, underscore, period, hyphen, or dollar sign ($)

These constraints ensure compatibility with LDAP naming requirements, POSIX group name conventions, and Kerberos principal formatting. Group names are case-sensitive within IPA’s directory but are typically managed in lowercase to avoid confusion.
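A pre-check that applies the four naming rules above, added here as an example; it is not FreeIPA's own validation code, and the server's pattern remains the authority. The helper names are this example's own. It is useful in a provisioning script that wants to reject a bad name, and say which rule it broke, before calling ipa group-add.

```python
import re

# Added example, not FreeIPA code: apply the four naming rules stated in
# the text.  Each rule is checked separately so the caller learns which
# one a rejected name violated.
_FIRST = re.compile(r"[A-Za-z0-9_.]")     # allowed first character
_MIDDLE = re.compile(r"[A-Za-z0-9_.-]")   # allowed interior characters
_LAST = re.compile(r"[A-Za-z0-9_.$-]")    # allowed final character


def validate_group_name(name: str) -> list[str]:
    """Return the list of violated rules; an empty list means the name passes."""
    problems = []
    if not name:
        return ["name is empty"]
    if name.isdigit():
        problems.append("cannot consist solely of numeric digits")
    if not _FIRST.fullmatch(name[0]):
        problems.append("must begin with a letter, number, underscore or period")
    if len(name) > 1 and not _LAST.fullmatch(name[-1]):
        problems.append("may end only with a letter, number, underscore, "
                        "period, hyphen or dollar sign")
    for ch in name[1:-1]:
        if not _MIDDLE.fullmatch(ch):
            problems.append(f"contains disallowed character {ch!r}")
            break
    return problems


def is_valid_group_name(name: str) -> bool:
    return not validate_group_name(name)


if __name__ == "__main__":
    for candidate in ("engineering", "svc-web$", "12345", "-developers", "dev team"):
        verdict = validate_group_name(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that the check is deliberately not case-folding: it only tells you whether the server will accept the string, not how the server will store it.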

Group ID (GID) Management

POSIX groups require unique numeric group identifiers. FreeIPA manages GID allocation through configured ID ranges, automatically assigning sequential GID values when not explicitly specified. Manual GID assignment is supported through the --gid option during group creation.

GID changes are supported but have significant implications. File system objects record ownership by numeric GID, not group name. Changing a group’s GID does not update existing file permissions, potentially orphaning files with the old GID. Before modifying a GID, administrators should inventory affected systems and plan permission updates.

IPA enforces GID uniqueness within each ID range. Attempting to create or modify a group with a duplicate GID fails with an error. This ensures that GID-based authorization remains unambiguous across the domain.
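The inventory step recommended above, before a GID is changed, can be scripted. The following is an added example and not part of FreeIPA or of this page: a Python helper that lists every file-system object under a root whose group owner is a given numeric GID, staying on one file system so it does not wander into /proc or network mounts. The function names are this example's own, and make_sample_tree builds a constructed temporary tree purely for demonstration; on a real host you would point files_with_gid at the file systems that matter and run it on every affected machine.

```python
import os
import stat
import tempfile

# Added example, not FreeIPA code: inventory file-system objects owned by a
# numeric GID before that GID is changed, since existing permissions keep
# the old number.  Run against each affected host's file systems.


def files_with_gid(root, gid, skip_mounts=True):
    """Yield (path, mode string) for every entry below `root` whose group
    owner is `gid`.  Symlinks are examined but never followed; with
    skip_mounts the walk stays on the file system `root` is on, so it
    does not descend into /proc, /sys or network mounts."""
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        if skip_mounts:
            dirnames[:] = [d for d in dirnames
                           if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_gid == gid:
                yield path, stat.filemode(st.st_mode)


def relative_paths_with_gid(root, gid):
    """Sorted root-relative paths of everything owned by `gid` under `root`."""
    return sorted(os.path.relpath(p, root) for p, _ in files_with_gid(root, gid))


def make_sample_tree():
    """Constructed sample: a temporary tree whose entries are all owned by
    one GID (whatever the OS assigns to new files here).  Returns (root, gid)."""
    root = tempfile.mkdtemp(prefix="gid-inventory-")
    os.makedirs(os.path.join(root, "shared", "reports"))
    for rel in ("README", "shared/notes.txt", "shared/reports/q1.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root, os.lstat(os.path.join(root, "README")).st_gid


if __name__ == "__main__":
    root, gid = make_sample_tree()
    for path, mode in files_with_gid(root, gid):
        print(mode, path)
```

The mode string is included because setgid directories and group-writable files are the entries whose behaviour changes most visibly once the GID no longer maps to a group.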

Nested Group Membership

Groups can contain other groups as members, creating hierarchical organizational structures. Nested membership enables administrators to build complex authorization topologies while maintaining clear organizational boundaries. For example, “engineering” might contain “developers” and “qa-team” as subgroups, which themselves contain individual user accounts.

In POSIX contexts, nested group resolution behavior depends on SSSD configuration. The ldap_group_nesting_level parameter controls how deeply SSSD resolves nested membership when presenting group information to the operating system. IPA’s HBAC and sudo evaluations always resolve nested groups regardless of SSSD settings.

Circular group membership (A contains B, B contains A) is prevented by IPA’s membership validation logic. Attempting to create circular references fails with an error indicating the membership would create a loop.

Service principals can be group members, enabling administrators to create groups of related services for access control purposes. In POSIX contexts, only user members are visible; service members only affect IPA-specific authorization contexts.

Group Membership Managers

Membership managers enable delegated group administration without granting full group modification privileges. Users or groups designated as membership managers can add or remove members from a specific group but cannot modify other group attributes like description, GID, or group type.

This delegation model supports organizational workflows where team leads manage their team’s membership without requiring full administrative access. For example, a project manager might be designated as membership manager for their project’s group, allowing them to add new team members without involving central IT staff.

Both individual users and groups can be membership managers. Assigning a group as membership manager enables anyone in that manager group to administer the target group’s membership. This creates flexible delegation hierarchies.

Membership managers can add or remove all membership types: users, groups, services, and (for external groups) external SIDs. The membership manager privilege applies uniformly across all member types.

External Group Integration with Active Directory

External groups bridge Active Directory trusts, mapping AD users and groups into IPA’s authorization framework. This integration enables trusted domain users to access IPA-managed resources while maintaining authentication against their home domain.

The typical integration pattern involves three components:

  1. An external non-POSIX group containing AD SIDs
  2. A regular POSIX group for authorization
  3. Nested membership connecting the external group to the POSIX group

When an AD user authenticates, IPA retrieves their SID from the authentication context. If that SID appears in an external group, and that external group is nested within POSIX groups, the user receives the effective permissions of those POSIX groups.

IPA resolves AD user and group names to SIDs using the trusted domain’s Global Catalog. This resolution enables administrators to specify external members using familiar formats (DOMAIN\username or user@domain) rather than opaque SID strings. The resolved SID is stored, ensuring membership remains valid even if the name changes in the trusted domain.
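To make the nested-membership rules and the three-component AD pattern concrete, here is an added example (not FreeIPA's code and not from this page): an in-memory model of group membership. It refuses a member group that would close a loop, resolves nesting either fully (as HBAC and sudo evaluation do) or only to a fixed depth (a rough analogue of SSSD's ldap_group_nesting_level, not its exact semantics), and shows how a trusted-domain SID reaches POSIX groups only through an external group nested inside them. The class and method names, the group names and the SID are all constructed for the example.

```python
from collections import deque

# Added example, not FreeIPA's own code: a small model of group membership
# showing loop rejection, depth-limited versus full nesting resolution,
# and the SID -> external group -> POSIX group path.  All names and the
# SID below are constructed sample values.


class Group:
    def __init__(self, name, posix=True, external=False):
        self.name = name
        self.posix = posix
        self.external = external
        self.users = set()   # direct IPA user members
        self.groups = set()  # names of direct member groups
        self.sids = set()    # external (trusted-domain) members by SID


class Directory:
    def __init__(self):
        self.groups = {}

    def add_group(self, name, posix=True, external=False):
        self.groups[name] = Group(name, posix, external)

    def reachable_from(self, name):
        """Every group reachable by following member-group links downward."""
        seen, todo = set(), deque([name])
        while todo:
            for child in self.groups[todo.popleft()].groups:
                if child not in seen:
                    seen.add(child)
                    todo.append(child)
        return seen

    def would_loop(self, parent, child):
        # A loop exists if `parent` is already (transitively) inside `child`.
        return parent == child or parent in self.reachable_from(child)

    def add_member_group(self, parent, child):
        if self.would_loop(parent, child):
            raise ValueError(f"adding {child} to {parent} would create a membership loop")
        self.groups[parent].groups.add(child)

    def add_member_user(self, group, user):
        self.groups[group].users.add(user)

    def add_external_member(self, group, sid):
        if not self.groups[group].external:
            raise ValueError(f"{group} does not accept external members")
        self.groups[group].sids.add(sid)

    def groups_of(self, member, max_depth=None):
        """Groups whose effective membership includes `member` (a user name
        or a SID).  max_depth=None follows nesting all the way up, as HBAC
        and sudo evaluation do; max_depth=N stops after N group-in-group hops."""
        direct = {n for n, g in self.groups.items()
                  if member in g.users or member in g.sids}
        result, frontier, depth = set(direct), set(direct), 0
        while frontier and (max_depth is None or depth < max_depth):
            parents = {n for n, g in self.groups.items() if g.groups & frontier}
            frontier = parents - result
            result |= parents
            depth += 1
        return result

    def posix_groups_of(self, member, max_depth=None):
        """What the operating system sees: non-POSIX and external groups drop out."""
        return {n for n in self.groups_of(member, max_depth) if self.groups[n].posix}


def build_sample():
    """Constructed hierarchy: hbac_users > engineering > developers > backend,
    plus an external group nested in engineering for the AD pattern."""
    d = Directory()
    for name in ("engineering", "developers", "backend"):
        d.add_group(name)
    d.add_group("hbac_users", posix=False)
    d.add_group("ad_admins_external", posix=False, external=True)
    d.add_member_group("engineering", "developers")
    d.add_member_group("developers", "backend")
    d.add_member_group("hbac_users", "engineering")
    d.add_member_group("engineering", "ad_admins_external")
    d.add_member_user("backend", "jsmith")
    d.add_external_member("ad_admins_external", "S-1-5-21-1111-2222-3333-500")
    return d


if __name__ == "__main__":
    d = build_sample()
    print("HBAC view of jsmith:", sorted(d.groups_of("jsmith")))
    print("OS view at nesting depth 1:", sorted(d.posix_groups_of("jsmith", max_depth=1)))
    print("POSIX groups for the AD SID:", sorted(d.posix_groups_of("S-1-5-21-1111-2222-3333-500")))
    print("backend <- engineering would loop:", d.would_loop("backend", "engineering"))
```

The difference between the full view and the depth-limited view is exactly the gap the text warns about: a policy engine that resolves nesting completely can grant access that the host's POSIX view never shows, so audits of effective permissions should use the fully resolved set.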

Examples

Basic Group Management

Create a new POSIX group with automatic GID assignment:

ipa group-add --desc='Engineering team' engineering

Create a POSIX group with a specific GID (useful for migration scenarios):

ipa group-add --gid=10000 --desc='Legacy application group' legacyapp

Create a non-POSIX group for IPA-only authorization:

ipa group-add --nonposix --desc='Policy group for HBAC' hbac_users

Convert a non-POSIX group to POSIX (one-way operation):

ipa group-mod --posix hbac_users

Delete a group:

ipa group-del engineering

Display comprehensive group information including all members:

ipa group-show engineering --all

Search for groups matching a pattern:

ipa group-find engineering

Search for all POSIX groups:

ipa group-find --posix

Find groups containing a specific user:

ipa group-find --users=jsmith

Membership Management

Add individual users to a group:

ipa group-add-member --users=jsmith engineering

Add multiple users in a single operation:

ipa group-add-member --users=jsmith --users=alee --users=mchen engineering

Create nested group structure (add group to another group):

ipa group-add --desc='Development team' developers
ipa group-add --desc='QA team' qa_team
ipa group-add-member --groups=developers --groups=qa_team engineering

Add service principals to a group for service management:

ipa group-add-member --services=HTTP/web.example.com engineering

Remove a user from a group:

ipa group-remove-member --users=jsmith engineering

Remove multiple members at once:

ipa group-remove-member --users=jsmith --groups=contractors engineering

Membership Manager Delegation

Designate a user as membership manager (can add/remove members but not modify group attributes):

ipa group-add-member-manager --users=teamlead engineering

Designate a group as membership manager (anyone in the manager group can manage membership):

ipa group-add --desc='Engineering managers' eng_managers
ipa group-add-member-manager --groups=eng_managers engineering

Remove membership manager privileges:

ipa group-remove-member-manager --users=teamlead engineering

External Group Integration with Active Directory

Create external group for mapping AD users:

ipa group-add --external --desc='External AD Domain Admins' ad_domain_admins_external

Create corresponding POSIX group for authorization:

ipa group-add --desc='AD Domain Admins' ad_domain_admins

Add AD users/groups by name (IPA resolves to SID):

ipa group-add-member ad_domain_admins_external --external 'AD\Domain Admins'
ipa group-add-member ad_domain_admins_external --external 'AD\alice'
ipa group-add-member ad_domain_admins_external --external 'bob@ad.example.com'

Link external group to POSIX group for effective permissions:

ipa group-add-member ad_domain_admins --groups ad_domain_admins_external

Verify external group membership (shows resolved SIDs):

ipa group-show ad_domain_admins_external --all

Remove external member:

ipa group-remove-member ad_domain_admins_external --external 'AD\alice'

Advanced Group Operations

Modify group description:

ipa group-mod --desc='Updated description' engineering

Change group GID (impacts existing file permissions):

ipa group-mod --gid=10500 engineering

Detach a user’s private group (created automatically with user account):

ipa group-detach jsmith

Rename a group:

ipa group-mod --rename=engineering_team engineering

Search for groups in specific roles:

ipa group-find --in-roles=helpdesk

Find groups used in HBAC rules:

ipa group-find --in-hbacrules=allow_admins

Best Practices

Group Design and Organization

Use POSIX groups for file system permissions: Any group that needs to control access to files, directories, or processes on UNIX systems must be POSIX. Non-POSIX groups are only useful for IPA-internal authorization contexts like HBAC or sudo rules.

Leverage nested groups for organizational hierarchy: Create broad parent groups (e.g., “engineering”) that contain more specific subgroups (e.g., “developers”, “qa_team”). This enables both broad and granular access controls while maintaining clear organizational structure.

Establish consistent naming conventions: Use prefixes or suffixes to indicate group purpose (e.g., “role_”, “team_”, “app_”). This improves searchability and helps administrators quickly understand group function.

Minimize direct user membership in parent groups: Prefer adding users to specific subgroups rather than parent groups. This makes membership more granular and easier to audit. Parent groups should primarily contain other groups.

GID Management

Allow automatic GID assignment: Unless migrating existing groups or integrating with external systems requiring specific GIDs, let IPA automatically assign GID values. This prevents collisions and maintains consistent allocation.

Document manual GID assignments: When manually specifying GIDs, maintain external documentation recording the assignment rationale and any external dependencies. This prevents future conflicts and aids troubleshooting.

Avoid changing GIDs on active groups: GID changes do not update existing file permissions. If a GID change is necessary, plan for comprehensive permission audits and updates across all systems. Consider creating a new group instead.

Reserve GID ranges for different purposes: If your organization has multiple group categories (e.g., departmental, application, role-based), consider using separate GID ranges to improve organization and prevent future conflicts.

Membership Management

Use membership managers for delegation: Rather than granting full administrative access, designate team leads or managers as membership managers for their groups. This distributes administrative load while maintaining security boundaries.

Audit nested group relationships regularly: Deep or complex nesting can make effective permissions difficult to understand. Periodically review group hierarchies and flatten where possible to improve clarity.

Limit service principal membership: While services can be group members, excessive service membership in user groups can complicate access control logic. Consider separate groups for services unless there’s clear authorization overlap.

Document external group mappings: When integrating Active Directory trusts, maintain clear documentation mapping external groups to POSIX groups. This aids troubleshooting and prevents orphaned external memberships.

Security and Access Control

Minimize membership in privileged groups: Groups like “admins” or those with broad HBAC/sudo access should have minimal membership. Use nested groups to grant privilege selectively rather than adding users directly to high-privilege groups.

Regularly audit group membership: Implement periodic reviews of group membership, especially for groups controlling access to sensitive resources. Remove users who no longer require access.

Use non-POSIX groups for policy-only contexts: If a group only affects HBAC rules, sudo rules, or IPA role membership, make it non-POSIX. This prevents inadvertent file system permission implications.

Protect membership manager privileges: Membership managers have significant control over group composition. Designate managers carefully and review manager assignments regularly.

Integration and Automation

Leverage automember rules: For groups with consistent membership patterns (e.g., all users in a specific department), use automember rules to maintain membership automatically. This reduces administrative overhead and ensures consistency.

Integrate group management with HR systems: Consider scripting group membership updates based on HR system data. This ensures group membership reflects current organizational structure and reduces manual tracking.

Monitor external group SID resolution: When using external groups with AD trusts, periodically verify that SID resolution still functions correctly. Broken trust relationships can cause external members to become orphaned.

Plan for group lifecycle: Establish processes for archiving or removing obsolete groups. Unused groups clutter the directory and can complicate access control audits.

Integration with Other IPA Components

HBAC Rules

Groups appear as user and host categories in HBAC rules, controlling which users can access which hosts and services. Both POSIX and non-POSIX groups function equivalently in HBAC contexts. Nested group membership is fully resolved during HBAC evaluation.

Sudo Rules

Sudo rules reference groups to determine which users can execute privileged commands on which hosts. As with HBAC, nested groups are resolved during sudo policy evaluation, enabling flexible privilege delegation hierarchies.

Role-Based Access Control (RBAC)

IPA roles can have group members, granting all members of the group the role’s privileges. This enables efficient privilege management for teams or departments.

Automember Rules

Automember rules automatically populate group membership based on user or host attributes. For example, all users with a specific department attribute can automatically become members of the department’s group.

User Private Groups

Each user automatically receives a private group with the same name as their username. These groups can be detached using group-detach if organizational policy requires shared primary groups.

Host Groups

While user groups and host groups are separate entities, they follow similar conceptual models. Both support nesting and appear in HBAC/sudo rules, creating parallel organizational structures for users and systems.

Commands


Command Description


group-add Create a new group.

group-add-member Add members to a group.

group-add-member-manager Add users that can manage members of this group.

group-del Delete group.

group-detach Detach a managed group from a user.

group-find Search for groups.

group-mod Modify a group.

group-remove-member Remove members from a group.

group-remove-member-manager Remove users that can manage members of this group.

group-show Display information about a named group.


group-add

Usage: ipa [global-options] group-add GROUP-NAME [options]

Create a new group.

Arguments


Argument Required Description


GROUP-NAME yes Group name


Options


Option Description


--desc DESC Group description

--gid GID GID (use this option to set it manually)

--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.

--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute

--nonposix Create as a non-POSIX group

--external Allow adding external non-IPA members from trusted domains

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.


group-add-member

Usage: ipa [global-options] group-add-member GROUP-NAME [options]

Add members to a group.

Arguments


Argument Required Description


GROUP-NAME yes Group name


Options


Option Description


--external EXTERNAL Members of a trusted domain in DOM\name or name@domain form

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--users USERS users to add

--groups GROUPS groups to add

--services SERVICES services to add

--idoverrideusers IDOVERRIDEUSERS User ID overrides to add


group-add-member-manager

Usage: ipa [global-options] group-add-member-manager GROUP-NAME [options]

Add users that can manage members of this group.

Arguments


Argument Required Description


GROUP-NAME yes Group name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--users USERS users to add

--groups GROUPS groups to add


group-del

Usage: ipa [global-options] group-del GROUP-NAME [options]

Delete group.

Arguments


Argument Required Description


GROUP-NAME yes Group name


Options


Option Description


--continue Continuous mode: Don’t stop on errors.



group-detach

Usage: ipa [global-options] group-detach GROUP-NAME [options]

Detach a managed group from a user.

Arguments


Argument Required Description


GROUP-NAME yes Group name



group-find

Usage: ipa [global-options] group-find [CRITERIA] [options]

Search for groups.

Arguments


Argument Required Description


CRITERIA no A string searched in all relevant object attributes


Options


Option Description


--group-name GROUP-NAME Group name

--desc DESC Group description

--gid GID GID (use this option to set it manually)

--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)

--sizelimit SIZELIMIT Maximum number of entries returned (0 is unlimited)

--private search for private groups

--posix search for POSIX groups

--external search for groups with support of external non-IPA members from trusted domains

--nonposix search for non-POSIX groups

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--pkey-only Results should contain primary key attribute only (“group-name”)

--users USERS Search for groups with these member users.

--no-users NO-USERS Search for groups without these member users.

--groups GROUPS Search for groups with these member groups.

--no-groups NO-GROUPS Search for groups without these member groups.

--services SERVICES Search for groups with these member services.

--no-services NO-SERVICES Search for groups without these member services.

--idoverrideusers IDOVERRIDEUSERS Search for groups with these member User ID overrides.

--no-idoverrideusers NO-IDOVERRIDEUSERS Search for groups without these member User ID overrides.

--in-groups IN-GROUPS Search for groups with these member of groups.

--not-in-groups NOT-IN-GROUPS Search for groups without these member of groups.

--in-netgroups IN-NETGROUPS Search for groups with these member of netgroups.

--not-in-netgroups NOT-IN-NETGROUPS Search for groups without these member of netgroups.

--in-roles IN-ROLES Search for groups with these member of roles.

--not-in-roles NOT-IN-ROLES Search for groups without these member of roles.

--in-hbacrules IN-HBACRULES Search for groups with these member of HBAC rules.

--not-in-hbacrules NOT-IN-HBACRULES Search for groups without these member of HBAC rules.

--in-sudorules IN-SUDORULES Search for groups with these member of sudo rules.

--not-in-sudorules NOT-IN-SUDORULES Search for groups without these member of sudo rules.

--membermanager-users MEMBERMANAGER-USERS Search for groups with these group membership managed by users.

--not-membermanager-users NOT-MEMBERMANAGER-USERS Search for groups without these group membership managed by users.

--membermanager-groups MEMBERMANAGER-GROUPS Search for groups with these group membership managed by groups.

--not-membermanager-groups NOT-MEMBERMANAGER-GROUPS Search for groups without these group membership managed by groups.


group-mod

Usage: ipa [global-options] group-mod GROUP-NAME [options]

Modify a group.

Arguments


Argument Required Description


GROUP-NAME yes Group name


Options


Option Description


--desc DESC Group description

--gid GID GID (use this option to set it manually)

--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.

--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute

--delattr DELATTR Delete an attribute/value pair. The option will be evaluated

--rights Display the access rights of this entry (requires --all). See ipa man page for details.

--posix change to a POSIX group

--external change to support external non-IPA members from trusted domains

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--rename RENAME Rename the group object


group-remove-member

Usage: ipa [global-options] group-remove-member GROUP-NAME [options]

Remove members from a group.

Arguments


Argument Required Description


GROUP-NAME yes Group name


Options


Option Description


--external EXTERNAL Members of a trusted domain in DOM\name or name@domain form

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--users USERS users to remove

--groups GROUPS groups to remove

--services SERVICES services to remove

--idoverrideusers IDOVERRIDEUSERS User ID overrides to remove


group-remove-member-manager

Usage: ipa [global-options] group-remove-member-manager GROUP-NAME [options]

Remove users that can manage members of this group.

Arguments


Argument Required Description


GROUP-NAME yes Group name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--users USERS users to remove

--groups GROUPS groups to remove


group-show

Usage: ipa [global-options] group-show GROUP-NAME [options]

Display information about a named group.

Arguments


Argument Required Description


GROUP-NAME yes Group name


Options


Option Description


--rights Display the access rights of this entry (requires --all). See ipa man page for details.

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.