I have a FreeIPA server with the following information:
- FreeIPA server: utility.lab.example.com
- FreeIPA realm: LAB.EXAMPLE.COM
- FreeIPA domain: lab.example.com
I want to add 2 normal users:
- User Login: rhvadmin, First Name: RHV, Last Name: Admin, Password: CentOS123^
- User Login: normaluser, First Name: Normal, Last Name: User, Password: CentOS123^
[root@utility ~]# ipa user-add rhvadmin --first RHV --last Admin --password
Password: CentOS123^
Enter Password again to verify: CentOS123^
---------------------
Added user "rhvadmin"
---------------------
User login: rhvadmin
First name: RHV
Last name: Admin
Full name: RHV Admin
Display name: RHV Admin
Initials: RA
Home directory: /home/rhvadmin
GECOS: RHV Admin
Login shell: /bin/sh
Principal name: rhvadmin@LAB.EXAMPLE.COM
Principal alias: rhvadmin@LAB.EXAMPLE.COM
User password expiration: 20201204121711Z
Email address: rhvadmin@lab.example.com
UID: 1829600001
GID: 1829600001
Password: True
Member of groups: ipausers
Kerberos keys available: True
[root@utility ~]# ipa user-add normaluser \
> --first Normal --last User --password
Password: CentOS123^
Enter Password again to verify: CentOS123^
...
The rhvadmin user will be asked to change its password at first login, because a password set by an administrator is created already expired. To prevent this, we can change the user's password with the kpasswd utility.
[root@utility ~]# kpasswd rhvadmin
Password for rhvadmin@LAB.EXAMPLE.COM: CentOS123^
Enter new password: CentOS123^
Enter it again: CentOS123^
Password changed.
Yes, you can reuse the same password here. (Not recommended in a production environment.)
Sometimes we need to get the DN (distinguished name) of an existing user. Here is one way to do this from the command line.
[root@utility ~]# ipa user-find rhvadmin --all --raw | grep dn:
dn: uid=rhvadmin,cn=users,cn=accounts,dc=lab,dc=example,dc=com
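An added example (not part of the original post): a POSIX shell helper that extracts the DN from raw ipa output by exact attribute name and checks whether the password expiration has already passed, which is the condition behind the forced change at first login. The function names and the sample output are constructed for illustration, and the krbPasswordExpiration attribute name in --raw output is an assumption, matched case-insensitively.

```shell
#!/bin/sh
# Constructed sample of `ipa user-show rhvadmin --all --raw` output
# (built from the values on this page, not captured from a server).
sample_raw() {
cat <<'EOF'
  dn: uid=rhvadmin,cn=users,cn=accounts,dc=lab,dc=example,dc=com
  uid: rhvadmin
  krbPrincipalName: rhvadmin@LAB.EXAMPLE.COM
  krbPasswordExpiration: 20201204121711Z
  memberOf: cn=ipausers,cn=groups,cn=accounts,dc=lab,dc=example,dc=com
EOF
}

# raw_attr NAME: print the first value of attribute NAME from raw output on
# stdin. The name must match the whole attribute (case-insensitive), so a
# value that merely contains "dn:" is never picked up.
raw_attr() {
    awk -v want="$1" '{
        line = $0
        sub(/^[ \t]+/, "", line)
        i = index(line, ": ")
        if (i > 0 && tolower(substr(line, 1, i - 1)) == tolower(want)) {
            print substr(line, i + 2)
            exit
        }
    }'
}

# password_expired NOW: exit 0 if krbPasswordExpiration <= NOW (the user will
# be forced to change the password at login), 1 if it is still valid, 2 if the
# attribute is missing. NOW uses the same UTC format, YYYYmmddHHMMSSZ, so the
# two fixed-width strings can be compared by byte order.
password_expired() {
    exp=$(raw_attr krbPasswordExpiration)
    [ -n "$exp" ] || return 2
    first=$(printf '%s\n%s\n' "$exp" "$1" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$exp" ]
}

# Demo on the constructed sample. Against a live server the input would be:
#   ipa user-show rhvadmin --all --raw
# (user-show matches the login exactly; user-find is a search and may
# return several entries, each with its own dn line)
sample_raw | raw_attr dn
if sample_raw | password_expired "$(date -u +%Y%m%d%H%M%SZ)"; then
    echo "rhvadmin: password expired, change required at next login"
fi
```

Running the same check again after the kpasswd step should report the password as no longer expired.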