FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networks (essentially an open-source alternative to Active Directory).
Authentication
Before running any ipa commands, you must obtain a Kerberos ticket.
# Login as admin
kinit admin
# Check current Kerberos tickets
klist
# Destroy current tickets (Logout)
kdestroyUser Management
# List all users
ipa user-find
# Show details for a specific user
ipa user-show jdoe
# Add a new user
ipa user-add jdoe --first="John" --last="Doe" --password
# Modify user attributes (e.g., set login shell)
ipa user-mod jdoe --shell=/bin/zsh
# Reset user password
ipa passwd jdoe
# Disable (lock) a user account
ipa user-disable jdoe
# Enable (unlock) a user account
ipa user-enable jdoeGroup Management
# List all groups
ipa group-find
# Create a new group
ipa group-add developers --desc="Development Team"
# Add a user to a group
ipa group-add-member developers --users=jdoe
# Remove a user from a group
ipa group-remove-member developers --users=jdoeHost (Client) Management
# List enrolled hosts
ipa host-find
# Add a host
ipa host-add server01.example.com --ip-address=192.168.1.100
# Remove a host
ipa host-del server01.example.comHBAC (Host-Based Access Control) Policies
HBAC rules determine which users can log into which hosts.
# List HBAC rules
ipa hbacrule-find
# Add a new rule
ipa hbacrule-add allow_dev_ssh
# Add a user group to the rule
ipa hbacrule-add-user allow_dev_ssh --groups=developers
# Add a host group to the rule
ipa hbacrule-add-host allow_dev_ssh --hostgroups=dev_servers
# Add a service (e.g., sshd) to the rule
ipa hbacrule-add-service allow_dev_ssh --hbacsvcs=sshd