ipa(1)                      FreeIPA Manual Pages                      ipa(1)

NAME
       ipa - IPA command-line interface

SYNOPSIS
       ipa [options] [-c FILE] [-e KEY=VAL] COMMAND [parameters]

DESCRIPTION
       IPA is an integrated security information management solution based on
       389 Directory Server (formerly known as Fedora Directory Server), MIT
       Kerberos, Dogtag Certificate System, NTP and DNS. It includes a web
       interface and command-line administration tools for managing identity
       data.

       This manual page focuses on the ipa script that serves as the main
       command-line interface (CLI) for IPA administration.

       More information about the project is available on its homepage located
       at http://www.freeipa.org.

OPTIONS
       -c FILE
              Load configuration from FILE.

       -d, --debug
              Produce full debugging output.

       --delegate
              Delegate the user's TGT to the IPA server.

       -e KEY=VAL
              Set environmental variable KEY to the value VAL. This option
              overrides configuration files.

       -h, --help
              Display a help message with a list of options.

       -n, --no-prompt
              Don't prompt for any parameters of COMMAND, even if they are
              required.

       -a, --prompt-all
              Prompt for all parameters of COMMAND, even if they are optional.

       -f, --no-fallback
              Don't fall back to other IPA servers if the default doesn't
              work.

       -v, --verbose
              Produce verbose output. A second -v displays the XML-RPC request

COMMANDS
       The principal function of the CLI is to execute administrative commands
       specified by the COMMAND argument. The majority of commands are
       executed remotely over XML-RPC on an IPA server listed in the
       configuration file (see FILES section of this manual page).

       From the implementation perspective, the CLI distinguishes two types of
       commands: built-ins and plugin-provided.

       Built-in commands are static and are available in all installations
       of IPA. There are two of them:

       console
              Start the IPA interactive Python console.

       help [TOPIC | COMMAND | topics | commands]
              Display help for a command or topic.

              The help command invokes the built-in documentation system.
              Without parameters a list of built-in commands and help topics
              is displayed. Help topics are generated from loaded IPA plugin
              modules. Executing help with the name of an available topic
              displays a help message provided by the corresponding plugin
              module and a list of the commands it contains.

       Plugin-provided commands, as the name suggests, originate from IPA
       plugin modules. The available set may vary depending on your
       configuration and can be listed using the built-in help command (see
       above).

       Most plugin-provided commands are tied to a certain type of IPA object.
       IPA objects encompass common abstractions such as users (user
       identities/accounts), hosts (machine identities), services, password
       policies, etc. Commands associated with an object are easily identified
       thanks to the enforced naming convention; the command names are
       composed of two parts separated with a dash: the name of the
       corresponding IPA object type and the name of the action performed on
       it. For example, all commands used to manage user identities start with
       "user-" (e.g. user-add, user-del).

       The following actions are available for most IPA object types:

       add [PRIMARYKEY] [options]
              Create a new object.

       show [PRIMARYKEY] [options]
              Display an existing object.

       mod [PRIMARYKEY] [options]
              Modify an existing object.

       del [PRIMARYKEY]
              Delete an existing object.

       find [CRITERIA] [options]
              Search for existing objects.

       The above types of commands except find take the object's primary key
       (e.g. user name for users) as their only positional argument unless
       there can be only one object of the given type. They can also take a
       number of options (some of which might be required in the case of add)
       that represent the object's attributes.

       find commands take an optional criteria string as their only positional
       argument. If present, all objects with an attribute that contains the
       criteria string are displayed. If an option representing an attribute
       is set, only objects with the attribute exactly matching the specified
       value are displayed. Options with empty values are ignored. Without
       parameters all objects of the corresponding type are displayed.

       For IPA objects with attributes that can contain references to other
       objects (e.g. groups), the following actions are usually available:

       add-member [PRIMARYKEY] [options]
              Add references to other objects.

       remove-member [PRIMARYKEY] [options]
              Remove references to other objects.

       The above types of commands take the object's primary key as their only
       positional argument unless there can be only one object of the given
       type. They also take a number of options that represent lists of other
       object primary keys. Each of these options represents one type of
       object.

       For some types of objects, these commands might need to take more than
       one primary key. This applies to IPA objects organized in hierarchies
       where the parent object needs to be identified first. Parent primary
       keys are always aligned to the left (higher in the hierarchy = more to
       the left). For example, the automount IPA plugin enables users to manage
       automount maps per location; as a result, all automount commands take an
       automountlocation primary key as their first positional argument.

       All commands that display objects have three special options for
       controlling output:

       --all  Display all attributes. Without this option only the most
              relevant attributes are displayed.

       --raw  Display objects as they are stored in the backing store.
              Disables formatting and attribute labels.

       --rights
              Display effective rights on all attributes of the entry. You
              also have to specify --all for this to work. User rights are
              returned as a Python dictionary where the index is the name of
              an attribute and the value is a unicode string (hence the
              u'xxxx' format) composed of the letters specified below. Note
              that user rights are primarily used for internal purposes of
              the CLI and WebUI.

              r - read
              s - search
              w - write
              o - obliterate (delete)
              c - compare
              W - self-write
              O - self-obliterate

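       The --rights dictionary described above can be decoded to review which
       attributes the current principal is able to change. This is an added
       example, not code from FreeIPA: the sample dictionary text and its
       attribute names are constructed, and parse_rights and modifiable are
       hypothetical helper names.

```python
import ast

# Letter meanings exactly as listed under --rights above.
RIGHTS = {
    "r": "read", "s": "search", "w": "write", "o": "obliterate",
    "c": "compare", "W": "self-write", "O": "self-obliterate",
}
MODIFYING = {"write", "obliterate", "self-write", "self-obliterate"}

# Constructed sample of the dictionary text (not captured from a server).
SAMPLE = (
    "{u'uid': u'rsc', u'mail': u'rscwo', u'userpassword': u'swo', "
    "u'krbprincipalkey': u'swo', u'ipauniqueid': u'rsc'}"
)


def parse_rights(dict_text):
    """Map each attribute to the list of rights its letters stand for.

    ast.literal_eval accepts only literals, so dictionary text pasted from
    a terminal or a ticket is parsed without ever being executed.
    """
    raw = ast.literal_eval(dict_text)
    if not isinstance(raw, dict):
        raise ValueError("expected a dictionary of attribute -> letters")
    rights = {}
    for attr, letters in raw.items():
        if not isinstance(attr, str) or not isinstance(letters, str):
            raise ValueError("attribute names and rights must be strings")
        unknown = set(letters) - set(RIGHTS)
        if unknown:
            raise ValueError("unknown rights %s on %s" % (sorted(unknown), attr))
        # LDAP attribute names are case-insensitive: normalise the key.
        rights[attr.lower()] = [RIGHTS[ch] for ch in letters]
    return rights


def modifiable(rights, watched):
    """Return the watched attributes that carry any modifying right."""
    return sorted(
        attr for attr in watched
        if MODIFYING & set(rights.get(attr.lower(), []))
    )
```

       An attribute missing from the dictionary is treated as carrying no
       rights, so modifiable() only reports what the server explicitly
       granted.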
EXAMPLES
       ipa help commands
              Display a list of available commands.

       ipa help topics
              Display a high-level list of help topics.

       ipa help user
              Display documentation and list of commands in the "user" topic.

       ipa env
              List IPA environmental variables and their values.

       ipa user-add foo --first foo --last bar
              Create a new user with username "foo", first name "foo" and last
              name "bar".

       ipa group-add bar --desc "this is an example group"
              Create a new group with name "bar" and description "this is an
              example group".

       ipa group-add-member bar --users=admin,foo
              Add users "admin" and "foo" to the group "bar".

       ipa user-show foo --raw
              Display user "foo" as (s)he is stored on the server.

       ipa group-show bar --all
              Display group "bar" and all of its attributes.

       ipa config-mod --maxusername 20
              Set maximum user name length to 20 characters.

       ipa user-find foo
              Search for all users with "foo" in either uid, first name, last
              name, full name, etc. A user with uid "foobar" would match the
              search criteria.

       ipa user-find foo --first bar
              Same as the previous example, except this time the user's first
              name has to be exactly "bar". A user with uid "foobar" and first
              name "bar" would match the search criteria.

       ipa user-find foo --first bar --last foo
              A user with uid "foobar", first name "bar" and last name "foo"
              would match the search criteria.

       ipa user-find --uuid 936407bd-da9b-11de-9abd-54520012e7cd
              Only the user with the specified IPA unique ID would match the
              search criteria.

       ipa user-find
              All users would match the search criteria (as there are none).

SERVERS
       The ipa client will determine which server to connect to in this order:

       1. The server configured in /etc/ipa/default.conf in the xmlrpc_uri
          directive.

       2. An unordered list of servers from the ldap DNS SRV records.

       If a Kerberos error is raised by any of the requests then it will stop
       processing and display the error message.

FILES
       /etc/ipa/default.conf
              IPA default configuration file.

EXIT STATUS
       0 if the command was successful

       1 if an error occurred

       2 if an entry is not found

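       Automation that checks whether an account still exists should treat
       only exit status 2 as "not found"; status 1 means the check itself
       failed. This is an added example, not code from FreeIPA: object_state,
       audit_removed and the injectable run parameter are hypothetical names,
       and an installed ipa client with a valid Kerberos ticket is assumed.

```python
import subprocess

# Exit statuses as documented in this manual page.
EXIT_OK, EXIT_ERROR, EXIT_NOT_FOUND = 0, 1, 2


class IpaCheckFailed(RuntimeError):
    """The lookup itself failed, so nothing is known about the object."""


def object_state(object_type, primary_key, run=subprocess.run):
    """Return "present" or "absent" for `ipa <object_type>-show <key>`.

    `run` is injectable (an assumption of this example) so the logic can be
    exercised without an IPA server.
    """
    # A key starting with "-" would be parsed by the CLI as an option.
    if not primary_key or primary_key.startswith("-"):
        raise ValueError("refusing primary key %r" % (primary_key,))
    # -n: never prompt, so an unattended job cannot hang waiting for input.
    argv = ["ipa", "-n", "%s-show" % object_type, primary_key]
    proc = run(argv, capture_output=True, text=True)
    if proc.returncode == EXIT_OK:
        return "present"
    if proc.returncode == EXIT_NOT_FOUND:
        return "absent"
    # Status 1 covers every other failure (a Kerberos error, for example).
    # Reading it as "absent" would let a broken check pass an offboarding
    # audit, so it is surfaced instead.
    raise IpaCheckFailed(
        "exit %d from %s: %s"
        % (proc.returncode, " ".join(argv), (proc.stderr or "").strip())
    )


def audit_removed(usernames, run=subprocess.run):
    """Sort user names into present / absent / unknown buckets."""
    report = {"present": [], "absent": [], "unknown": []}
    for name in usernames:
        try:
            report[object_state("user", name, run)].append(name)
        except (IpaCheckFailed, ValueError):
            report["unknown"].append(name)
    return report
```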
SEE ALSO
       ipa-client-install(1), ipa-compat-manage(1), ipactl(1),
       ipa-dns-install(1), ipa-getcert(1), ipa-getkeytab(1), ipa-join(1),
       ipa-ldap-updater(1), ipa-nis-manage(1), ipa-replica-install(1),
       ipa-replica-manage(1), ipa-replica-prepare(1), ipa-rmkeytab(1),
       ipa-server-certinstall(2), ipa-server-install(1), ipa-upgradeconfig(1),
       ipa-host-net-manage(1)

FreeIPA                           Jan 24 2012                           ipa(1)