
5.2. Managing User Entries

5.2.1. About Username Formats

The default length for usernames is 32 characters.
FreeIPA supports a wide range of username formats, based on this regular expression:


The trailing $ symbol is permitted for Samba 3.x machine support.
Any system limits — such as starting a username with a number on Unix systems — apply to the usernames in FreeIPA.

5.2.2. Adding Users

From the Web UI

  1. Open the Identity tab, and select the Users subtab.
  2. Click the Add link at the top of the users list.
  3. Fill in the user's first and last names. The user login (UID) is automatically generated based on the user's full name, but this can be set manually by clicking the Optional field link.
  4. Click the Add and Edit button to go directly to the expanded entry page and fill in more attribute information, as in Section, “From the Web UI”. The user entry is created with some basic information already filled in, based on the given user information and the user entry template.

From the Command Line

New user entries are added with the user-add command. Attributes (listed in Table 5.2, “Default FreeIPA User Attributes”) can be added to the entry with specific values or the command can be run with no arguments.
$ ipa user-add [username] [attributes]
When no arguments are used, the command prompts for the required user account information and uses the defaults for the other attributes, with the defaults printed below. For example:
$ ipa user-add
First name: John
Last name: Smith
User login [jsmith]: jsmith
Added user "jsmith"
User login: jsmith
First name: John
Last name: Smith
Home directory: /home/jsmith
GECOS field: jsmith
Login shell: /bin/sh
Kerberos principal: jsmith@EXAMPLE.COM
UID: 387115841
Any of the user attributes can be passed with the command. This will either set values for optional attributes or override the default values for default attributes.
$ ipa user-add jsmith --first=John --last=Smith --manager=bjensen --homedir=/home/work/johns --password


When a user is created without specifying a UID or GID number, then the user account is automatically assigned an ID number that is next available in the server or replica range. (Number ranges are described more in Section 5.7, “Managing Unique UID and GID Number Assignments”.) This means that a user always has a unique number for its UID number and, if configured, for its private group.
If a number is manually assigned to a user entry, the server does not validate that the uidNumber is unique. It allows duplicate IDs; this is expected (though discouraged) behavior for POSIX entries.
If two entries are assigned the same ID number, only the first entry is returned in a search for that ID number. However, both entries are returned in searches for other attributes or with ipa user-find --all.
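Because a search by ID number returns only the first matching entry, duplicate uidNumbers are easy to overlook; this added Python script (not part of the FreeIPA documentation) parses the text output of ipa user-find --all and reports every uidNumber shared by more than one login. The sample output is constructed here in the shape of the field labels shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `ipa user-find --all` output (labels as in the docs);
# two entries share uidNumber 387115841.
SAMPLE_OUTPUT = """\
3 users matched
----------------
  dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
  User login: jsmith
  UID: 387115841
  GID: 387115841

  dn: uid=bjensen,cn=users,cn=accounts,dc=example,dc=com
  User login: bjensen
  UID: 387115842
  GID: 387115842

  dn: uid=contractor1,cn=users,cn=accounts,dc=example,dc=com
  User login: contractor1
  UID: 387115841
  GID: 387115999
----------------------------
Number of entries returned 3
"""

def parse_entries(text):
    """One {label: value} dict per entry; entries are blank-line separated, attributes indented."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text):
        fields = {}
        for line in block.splitlines():
            if line.startswith("  ") and ":" in line:
                label, _, value = line.strip().partition(":")
                fields[label] = value.strip()
        if "User login" in fields:  # header/footer blocks carry no login and are skipped
            entries.append(fields)
    return entries

def find_duplicate_uids(text):
    """Map each uidNumber used by more than one login to the sorted list of those logins."""
    by_uid = defaultdict(list)
    for entry in parse_entries(text):
        if "UID" in entry:
            by_uid[entry["UID"]].append(entry["User login"])
    return {uid: sorted(v) for uid, v in by_uid.items() if len(v) > 1}

if __name__ == "__main__":
    for uid, logins in find_duplicate_uids(SAMPLE_OUTPUT).items():
        print(f"uidNumber {uid} is shared by: {', '.join(logins)}")
```

On a live server, pipe the real command output into find_duplicate_uids instead of SAMPLE_OUTPUT; an empty result means every uidNumber is unique.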

5.2.3. Editing Users

From the Web UI

  1. Open the Identity tab, and select the Users subtab.
  2. Click the name of the user to edit.
  3. There are a number of different types of attributes that can be edited for the user. All of the default attributes are listed in Table 5.2, “Default FreeIPA User Attributes”. Most of the attributes in the Identity Settings and Account Settings areas have default values filled in for them, based on the user information or on the user entry template.
  4. Edit the fields or, if necessary, click the Add link by an attribute to create the attribute on the entry.
  5. When the edits are done, click the Update link at the top of the page.

From the Command Line

The user-mod command edits user accounts by adding or changing attributes. At its most basic, the user-mod command specifies the user account by login ID, the attribute to edit, and the new value:
$ ipa user-mod loginID --attributeName=newValue
For example, to change a user's work title from Editor II to Editor III:
$ ipa user-mod jsmith --title="Editor III"
FreeIPA allows multi-valued attributes, based on attributes in LDAP that are allowed to have multiple values. For example, a person may have two email addresses, one for work and one personal, that are both stored in the mail attribute. Multi-valued attributes are managed with the --addattr option.
If an attribute allows multiple values, like mail, simply using the command-line argument overwrites the existing value with the new value. This is also true when using --setattr. However, --addattr adds a new attribute; for a multi-valued attribute, it adds the new value alongside any existing values.
Example 5.1. Multiple Mail Attributes
A user is created first using his work email account.
$ ipa user-add jsmith --first=John --last=Smith
Then, his personal email account is added.
$ ipa user-mod jsmith
Both email addresses are listed for the user.
$ ipa user-find jsmith --all
1 user matched
  dn: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
  User login: jsmith
  Email address:,
To set two values at the same time, use the --addattr option twice:
$ ipa user-add jsmith --first=John --last=Smith

5.2.4. Activating and Deactivating User Accounts

User accounts can be deactivated. A deactivated user cannot log into FreeIPA or its related services (like Kerberos) and he cannot perform any tasks. However, the user account still exists within FreeIPA and all of the associated information remains unchanged.


Any existing connections remain valid until the Kerberos TGT and other tickets expire. Once the ticket expires, the user cannot renew the ticket.

From the Web UI

  1. Open the Identity tab, and select the Users subtab.
  2. Click the name of the user for whom to deactivate or activate.
  3. Scroll to the Account Settings area.
  4. Click the Deactivate link.
  5. Click the Update link at the top of the page.

From the Command Line

Users are enabled and disabled using the user-enable and user-disable commands. All that is required is the user login. For example:
$ ipa user-disable jsmith

5.2.5. Deleting Users

Deleting a user account permanently removes the user entry and all its information from FreeIPA, including group memberships and passwords. External configuration — like a system account and home directory — will still exist on any server or local machine where they were created, but they cannot be accessed through FreeIPA.
Deleting a user account is permanent. The information cannot be recovered; a new account must be created.


If all admin users are deleted, then you must use the Directory Manager account to create a new administrative user.
Alternatively, any user who belongs to the group management role can also add a new admin user.

With the Web UI

  1. Open the Identity tab, and select the Users subtab.
  2. Select the checkboxes by the names of the users to delete.
  3. Click the Delete link at the top of the task area.
  4. When prompted, confirm the delete action.

From the Command Line

Users are deleted using the user-del command and then the user login. For example, a single user:
$ ipa user-del jsmith
To delete multiple users, simply list the users, separated by spaces.
$ ipa user-del jsmith bjensen mreynolds cdickens
When deleting multiple users, use the --continue option to force the command to continue regardless of errors. A summary of the successful and failed operations is printed to stdout when the command completes. If --continue is not used, then the command proceeds with deleting users until it encounters an error, and then it exits.