Product SiteDocumentation Site

Chapter 5. Identity: Managing Users and User Groups

5.1. Setting up User Home Directories
5.1.1. About Home Directories
5.1.2. Enabling the PAM Home Directory Module
5.1.3. Manually Mounting Home Directories
5.2. Managing User Entries
5.2.1. About Username Formats
5.2.2. Adding Users
5.2.3. Editing Users
5.2.4. Activating and Deactivating User Accounts
5.2.5. Deleting Users
5.3. Managing Public SSH Keys for Users
5.4. Changing Passwords
5.4.1. From the Web UI
5.4.2. From the Command Line
5.5. Unlocking User Accounts After Password Failures
5.6. Managing User Private Groups
5.6.1. Disabling Private Groups for a Specific User
5.6.2. Disabling Private Groups Globally
5.7. Managing Unique UID and GID Number Assignments
5.7.1. About ID Range Assignments During Installation
5.7.2. Adding New Ranges
5.8. Managing User and Group Schema
5.8.1. About Changing the Default User and Group Schema
5.8.2. Applying Custom Object Classes to New User Entries
5.8.3. Applying Custom Object Classes to New Group Entries
5.9. Managing User Groups
5.9.1. Creating User Groups
5.9.2. Adding Group Members
5.9.3. Deleting User Groups
5.10. Searching for Users and Groups
5.10.1. With the UI
5.10.2. With the Command Line
5.11. Specifying Default User and Group Settings
5.11.1. Viewing Settings from the Web UI
5.11.2. Viewing Settings from the Command Line
Users in FreeIPA are able to access services and servers within the domain through Kerberos authentication. This chapter covers general management tasks for users, groups, password policies, and other configuration for users.

5.1. Setting up User Home Directories

A home directory is required for any FreeIPA user. Without a home directory in the expected location, a user may be unable to log into the domain. While systems administrators can manage home directories outside of FreeIPA, it is also possible to use a PAM module to create home directories automatically on both FreeIPA servers and clients.

5.1.1. About Home Directories

FreeIPA, as part of managing users, can manage user home directories. However, FreeIPA has certain defined parameters for any managed home directories:
  • The default prefix for users' home directories is /home.
  • FreeIPA does not automatically create home directories when users log in. Automatically creating home directories requires either the pam_oddjob_mkhomedir module or the pam_mkhomedir module. This module can be configured as part of client installation or after installation, as described in Section 5.1.2, “Enabling the PAM Home Directory Module”.
    The home directory process for FreeIPA first attempts to use the pam_oddjob_mkhomedir module because this requires fewer user privileges and access to create the home directories, as well as integrating smoothly with SELinux. If this module is not available, then the process falls back to the pam_mkhomedir module.


    On Red Hat Enterprise Linux 5 clients, the client installation script uses the pam_mkhomedir module even if the pam_oddjob_mkhomedir module is available. To use the pam_oddjob_mkhomedir module on Red Hat Enterprise Linux 5, edit the PAM configuration manually.
  • It is possible to use an NFS file server that provides /home that can be made available to all machines in the domain and then automounted on the FreeIPA server.
    There are potential issues when using NFS, such as security issues related to granting root access to the NFS user, performance issues with loading the entire /home tree, and network performance issues for using remote servers for home directories. There are some general guidelines for using NFS with FreeIPA:
    • Use automount to mount only the user's home directory and only when the user logs in, rather than loading the entire /home tree.
    • Use a remote user who has limited permissions to create home directories and mount the share on the FreeIPA server as that user. Since the FreeIPA server runs as an httpd process, it is possible to use sudo or a similar program to grant limited access to the FreeIPA server to create home directories on the NFS server.
    • Use a mechanism, such as the pam_oddjob_mkhomedir module, to create the home directory as that user.
    Using automounts for home directories is described in Section 5.1.3, “Manually Mounting Home Directories”.
  • If a suitable directory and mechanism are not available for to create home directories, users may not be able to log in.

5.1.2. Enabling the PAM Home Directory Module

For a home directory to be created automatically when a user logs in, FreeIPA can use either the pam_oddjob_mkhomedir module or the pam_mkhomedir module. Because it requires fewer permissions and works well with SELinux, FreeIPA preferentially uses the pam_oddjob_mkhomedir module. If that module is not installed, then it falls back to the pam_mkhomedir module.


FreeIPA does not require the pam_oddjob_mkhomedir module or pam_mkhomedir module. This is because the *_mkhomedir module may try to create home directories even when the shared storage is not available. If the module is unable to create the home directory, then users can be blocked from logging into the FreeIPA domain.
The system administrator must activate this module on each client or server as needed.
There are two ways to enable the pam_oddjob_mkhomedir (or pam_mkhomedir) module:
  • The --mkhomedir option can be used with the ipa-client-install command. While this is possible for clients, this option is not available to servers when they are set up.
  • The pam_oddjob_mkhomedir module can be enabled using the system's authconfig command. For example:
    authconfig --enablemkhomedir --update
    This option can be used for both server and client machines post-installation.


On Red Hat Enterprise Linux 5 clients, the client installation script uses the pam_mkhomedir module even if the pam_oddjob_mkhomedir module is available. To use the pam_oddjob_mkhomedir module on Red Hat Enterprise Linux 5, edit the PAM configuration manually.

5.1.3. Manually Mounting Home Directories

While PAM modules can be used to create home directories for users automatically, this may not be desirable behavior in every environment. In that case, home directories can be manually added to the FreeIPA server from separate locations using NFS shares and automount.
  1. Create a new location for the user directory maps:
    $ ipa automountlocation-add userdirs
    Location: userdirs
  2. Add a direct map to the new location's file. In this example, the mount point is /share:
    $ ipa automountkey-add userdirs --key=/share --info="-ro,soft,"
    Key: /share
    Mount information: -ro,soft,
Using automounts with FreeIPA is described in detail in Chapter 10, Policy: Using Automount.