Add FreeIPA User Accounts via CLI or Web Interface

Our previous guide, link provided a stepwise tutorial on how to install and setup FreeIPA server on CentOS 8. As a continuation, this guide will take you through how to add FreeIPA user accounts via CLI or Web interface.

First install and Setup FreeIPA server on CentOS 8 by following the link below;

Install and Setup FreeIPA Server on CentOS 8

Adding FreeIPA User Accounts

There are two ways in which FreeIPA user accounts can be created. That is via command line interface or via the FreeIPA web user interface.

Add FreeIPA User Accounts via CLI

FreeIPA user accounts can be created via the command line using the ipa user-add command.

The command can be run non-interactively or interactively by passing the attributes directly on the command line or entering the attributes interactively respectively.

For example, to create a user called kmibey on the command line using the ipa user-add non-interactively.

ipa user-add kmibey --first=Kip --last=Mibey --password

The command will prompt for the password and create the user account with other account default values.

...
Password: PASSWORD
Enter Password again to verify: RE-ENTER PASSWORD
-------------------
Added user "kmibey"
-------------------
  User login: kmibey
  First name: Kip
  Last name: Mibey
  Full name: Kip Mibey
  Display name: Kip Mibey
  Initials: KM
  Home directory: /home/kmibey
  GECOS: Kip Mibey
  Login shell: /bin/sh
  Principal name: [email protected]
  Principal alias: [email protected]
  User password expiration: 20191018180713Z
  Email address: [email protected]
  UID: 474600001
  GID: 474600001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

To interactively create a FreeIPA user account using the ipa user-add command, simply run the command on the terminal as shown below;

ipa user-add --password

When run, you are prompted to provide the required values. Where the default values can be used, press Enter to accept the defaults or enter your values and proceed.

First name: jane
Last name: doe
User login [jdoe]: 
Password: 
Enter Password again to verify: 
-----------------
Added user "jdoe"
-----------------
  User login: jdoe
  First name: jane
  Last name: doe
  Full name: jane doe
  Display name: jane doe
  Initials: jd
  Home directory: /home/jdoe
  GECOS: jane doe
  Login shell: /bin/sh
  Principal name: [email protected]
  Principal alias: [email protected]
  User password expiration: 20191018182043Z
  Email address: [email protected]
  UID: 474600004
  GID: 474600004
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Password provided during account setup is temporary and the user is prompted to change the password on the first login.

You can consult, ipa user-add --help for more information about the command.

List FreeIPA User Accounts

You can list FreeIPA user accounts using the ipa user-find command.

To list all created FreeIPA user accounts, simply run the command;

ipa user-find --all

To list specific user;

ipa user-find USERNAME

For example;

ipa user-find jdoe

Learn more on ipa user-find --help.

Modify FreeIPA User Accounts

To change the attributes of the FreeIPA user account, use the ipa user-mod command.

For example, to change the shell for the user, simply run;

ipa user-mod USERNAME --shell=/bin/bash

Substitute USERNAME with the user’s login ID.

See other options for changing user attributes, ipa user-mod --help.

To delete the user, use the ipa user-del command.

ipa user-del USERNAME

Add FreeIPA User Accounts via Web Interface

To create, view or modify users and their attributes from FreeIPA server web interface, login to FreeIPA as an administrative user.

Once logged in, Under Identity > Users tab, you can see multiple user account management options.

As you can see from the Users tab, there are three types of the user account states;

• Stage users are not allowed to authenticate. Some of the user account properties required for active users might not yet be set.
• Active users are allowed to authenticate. All required user account properties must be set in this state.
• Preserved users are former active users. They are considered inactive and cannot authenticate to IdM. 

To add a user account, click +Add button. This opens up a screen where you can set the user’s username, the first and last names, passwords and other attributes.

Click Add to create the user account. You can click click on other options like Add and Add another to add the user and proceed to add another, Add and Edit to add the edit the user attributes…

To edit FreeIPA user account attributes, click on the user’s username.

Scroll down the screen to see other user’s attributes that can be modified. You can also set user roles, user groups from the same screen.

You can also Delete, Enable or Disable user account.

Other Related guides

Configure SSSD for OpenLDAP Client Authentication on Debian 10/9

Setup OpenLDAP Server with SSL/TLS on Debian 10

Install and Configure OpenLDAP server on Fedora 29