I have a FreeIPA server with the following information:

  • FreeIPA server: utility.lab.example.com
  • FreeIPA realm: LAB.EXAMPLE.COM
  • FreeIPA domain: lab.example.com

I want to add 2 normal users:

  1. User Login: rhvadmin, First Name: RHV, Last Name: Admin, Password: CentOS123^
  2. User Login: normaluser, First Name: Normal, Last Name: User, Password: CentOS123^

[root@utility ~]# ipa user-add rhvadmin --first RHV --last Admin --password
Password: CentOS123^
Enter Password again to verify: CentOS123^
Added user "rhvadmin"
  User login: rhvadmin
  First name: RHV
  Last name: Admin
  Full name: RHV Admin
  Display name: RHV Admin
  Initials: RA
  Home directory: /home/rhvadmin
  GECOS: RHV Admin
  Login shell: /bin/sh
  Principal name: rhvadmin@LAB.EXAMPLE.COM
  Principal alias: rhvadmin@LAB.EXAMPLE.COM
  User password expiration: 20201204121711Z
  Email address: rhvadmin@lab.example.com
  UID: 1829600001
  GID: 1829600001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@utility ~]# ipa user-add normaluser \
> --first Normal --last User --password
Password: CentOS123^
Enter Password again to verify: CentOS123^

The rhvadmin will be asked to change the password on its first login. To prevent this from happening, we can change the user’s password with kpasswd util.

[root@utility ~]# kpasswd rhvadmin
Password for rhvadmin@LAB.EXAMPLE.COM: CentOS123^
Enter new password: CentOS123^
Enter it again: CentOS123^
Password changed.

Yes, you can re-use the same password here. (Not recommended in the production environment.)

Sometimes we need to get the DN (distinguished name) of an existing user. Here is one way to do this from the command line.

[root@utility ~]# ipa user-find rhvadmin --all --raw | grep dn:
  dn: uid=rhvadmin,cn=users,cn=accounts,dc=lab,dc=example,dc=com