Product SiteDocumentation Site

5.7. Specifying Default User and Group Settings

FreeIPA uses a template when it creates new entries.
For users, the template is very specific. FreeIPA uses default values for several core attributes for FreeIPA user accounts. These defaults can define actual values for user account attributes (such as the home directory location) or it can define the format of attribute values, such as the username length. These settings also define the object classes assigned to users.
For groups, the template only defines the assigned object classes.
These default definitions are all contained in a single configuration entry for the FreeIPA server, cn=ipaconfig,cn=etc,dc=example,dc=com.
The configuration can be changed using the ipa config-mod command.
Table 5.5. Default User Parameters
Field Command-Line Option Descriptions
Maximum username length --maxusername Sets the maximum number of characters for usernames. The default value is eight.
Root for home directories --homedirectory Sets the default directory to use for user home directories. The default value is /home.
Default shell --defaultshell Sets the default shell to use for users. The default value is /bin/sh.
Default user group --defaultgroup Sets the default group to which all newly created accounts are added. The default value is ipausers, which is automatically created during the FreeIPA server installation process.
Default e-mail domain --emaildomain Sets the email domain to use to create email addressed based on the new accounts. The default is the FreeIPA server domain.
Search time limit --searchtimelimit Sets the maximum amount of time, in seconds, to spend on a search before the server returns results.
Search size limit --searchrecordslimit Sets the maximum number of records to return in a search.
User search fields --usersearch Sets the fields in a user entry that can be used as a search string. Any attribute listed has an index kept for that attribute, so setting too many attributes could affect server performance.
Group search fields --groupsearch Sets the fields in a group entry that can be used as a search string.
Certificate subject base Sets the base DN to use when creating subject DNs for client certificates. This is configured when the server is set up.
Default user object classes --userobjectclasses Sets a list of object classes that are used to create FreeIPA user accounts.
Default group object classes --groupobjectclasses Sets a list of object classes that are used to create FreeIPA group accounts.
Password expiration notification --pwdexpnotify Sets how long, in days, before a password expires for the server to send a notification.
Password plug-in features Sets the format of passwords that are allowed for users.

5.7.1. Viewing the Settings Configuration

5.7.1.1. From the Web UI

  1. Open the IPA Server tab.
  2. Select the Configuration subtab.
  3. The complete configuration entry is shown in three sections, one for all search limits, one for user templates, and one for group templates.

5.7.1.2. From the Command Line

The config-show command shows the current configuration which applies to all new user accounts. By default, only the most common attributes are displayed; use the --all option to show the complete configuration.
# ipa config-show --all

  dn: cn=ipaconfig,cn=etc,dc=example,dc=com
  Max. username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain for new users: example.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=EXAMPLE.COM
  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject
  Default user objectclasses: top, person, organizationalperson, inetorgperson, inetuser, posixaccount,
                              krbprincipalaux, krbticketpolicyaux, ipaobject
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  cn: ipaConfig
  objectclass: nsContainer, top, ipaGuiConfig, ipaConfigObject

5.7.2. Setting Default Search Limits

Search limits set caps on the number of records returned or the time spent searching when querying the database for user or group entries. There are two types of search limits: time limits and size (number) limits.
With the default settings, users are limited to two second searches and no more than 100 records returned per search.

IMPORTANT

Setting search size or time limits too high can negatively affect FreeIPA server performance.

5.7.2.1. With the Web UI

  1. Open the IPA Server tab.
  2. Select the Configuration subtab.
  3. Scroll to the Search Options area.
  4. Change the search limit settings.
    • Search size limit, the maximum number of records to return in a search.
    • Search time limit, the maximum amount of time, in seconds, to spend on a search before the server returns results.

    TIP

    Setting the time limit or size limit value to -1 means that there are no limits on searches.
  5. When the changes are complete, click the Update link at the top of the Configuration page.

5.7.2.2. With the Command Line

The search limits can be changed using the config-mod command.
$ ipa config-mod --searchtimelimit=5 --searchrecordslimit=500

  Max. username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain for new users: rhts.eng.bos.redhat.com
  Search time limit: 5
  Search size limit: 50
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=EXAMPLE.COM
  Password Expiration Notification (days): 4

TIP

Setting the time limit or size limit value to -1 means that there are no limits on searches.

5.7.3. Setting User Search Attributes

A search for users or groups does not automatically search every possible attribute for that attribute. Rather, it searches a specific subset of attributes, and that list is configurable.
When adding attributes to the user or group search fields, make sure that there is a corresponding index within the LDAP directory for that attribute. Searches are performed based on indexes. Most standard LDAP attributes have indexes, but any custom attributes must have indexes created for them. Creating indexes is described in the indexes chapter in the Directory Server Administrator's Guide.

5.7.3.1. From the Web UI

  1. Open the IPA Server tab.
  2. Select the Configuration subtab.
  3. Scroll to the User Options area.
  4. Add any additional search attributes, in a comma-separated list, in the User search fields field.
  5. When the changes are complete, click the Update link at the top of the Configuration page.

5.7.3.2. From the Web UI

To change the search attributes, use the --usersearch option to set the attributes for user searches.
$ ipa config-mod --usersearch=uid,givenname,sn,telephonenumber,ou,title

NOTE

Always give the complete list of search attributes. Whatever values are passed with the configuration argument overwrite the previous settings.

5.7.4. Setting Group Search Attributes

A search for users or groups does not automatically search every possible attribute for that attribute. Rather, it searches a specific subset of attributes, and that list is configurable.
When adding attributes to the user or group search fields, make sure that there is a corresponding index within the LDAP directory for that attribute. Searches are performed based on indexes. Most standard LDAP attributes have indexes, but any custom attributes must have indexes created for them. Creating indexes is described in the indexes chapter in the Directory Server Administrator's Guide.

5.7.4.1. From the Web UI

  1. Open the IPA Server tab.
  2. Select the Configuration subtab.
  3. Scroll to the Group Options area.
  4. Add any additional search attributes, in a comma-separated list, in the Group search fields field.
  5. When the changes are complete, click the Update link at the top of the Configuration page.

5.7.4.2. From the Command Line

To change the search attributes, use the --groupsearch options to set the attributes for group searches.
$ ipa config-mod --groupsearch=cn,description

NOTE

Always give the complete list of search attributes. Whatever values are passed with the configuration argument overwrite the previous settings.