Welcome to FreeIPA client’s documentation!¶

Installation¶

pip install python-freeipa

Example usage¶

Client using username and password to connect to specific IPA server.

from python_freeipa import ClientMeta
client = ClientMeta('ipa.demo1.freeipa.org')
client.login('admin', 'Secret123')
user = client.user_add('test3', 'John', 'Doe', 'John Doe', o_preferredlanguage='EN')
print(user)

Client using DNS service discovery. By default, we will try to find IPA servers using the FQDN of the host trying to connect to an IPA server. Alternatively you can also manually specify a domain here.

For DNS service discovery, you need to have the srvlookup module installed.

from python_freeipa import ClientMeta
client = ClientMeta(dns_lookup=True)
client.login('admin', 'Secret123')
user = client.user_add('test3', 'John', 'Doe', 'John Doe', o_preferredlanguage='EN')
print(user)

Breaking changes in 1.0 release¶

Previously, Python FreeIPA client covered only small fraction of FreeIPA API calls. By introducing code generator we cover all FreeIPA API calls. By default autogenerated client is used. It has different API signatures. Therefore if you want to preserve old behaviour you should just use ClientLegacy instead of Client. For example:

from python_freeipa import ClientLegacy
client = ClientLegacy('ipa.demo1.freeipa.org', version='2.215')
client.login('admin', 'Secret123')

Contributing¶

The only dependency is Python Requests library (http://docs.python-requests.org/)

See also API documentation: https://ipa.demo1.freeipa.org/ipa/ui/#/p/apibrowser/

Install python-freeipa in development mode along with dependencies:

pip install -e .[tests]

Run tests suite:

python setup.py test

Recreation of MetaClient¶

It is possible to manually recreate the “ClientMeta” class. This might be needed if the IPA/IdM Server you are using is not matching the on that has been used to build the packaged version.

Here is what you need to do:

# fetch code, create virtual environment, and install required packages
git clone git@github.com:opennode/python-freeipa.git
cd python-freeipa
python3 -m venv venv
source venv/bin/activate
pip install requests-kerberos python-freeipa
# recreate the ClientMeta class
contrib/py_ipa_api_recreate --source-url ipa.demo1.freeipa.org --source-url-user admin --source-url-pass Secret123
# move the file where it belongs
mv meta_api.py src/python_freeipa/client_meta.py
# build the python package
python setup.py sdist

This will give you a python package in dist/, which you can install using “pip install”

Base client module¶

Lightweight FreeIPA JSON RPC client.

class python_freeipa.client.AuthenticatedSession(client, *login_arguments, **kwargs)¶

Context manager class that automatically logs out upon exit.

logged_in¶: Returns True if and only if the login attempt succeeded.

login_exception¶: Returns the exception occurred during the login attempt, if any, otherwise None.

logout()¶: Logs out of the current session, if any is active.

class python_freeipa.client.Client(host=None, verify_ssl=True, version=None, dns_discovery=True)¶

Lightweight FreeIPA JSON RPC client.

change_password(username, new_password, old_password)¶

Set the password of a user. (Does not expire)

Parameters:	username (str) – User login (username) new_password (str) – New password for the user old_password (str) – Users old password

current_host¶

dns_discovered¶

log¶

login(username, password)¶

Login to FreeIPA server using username and password.

Parameters:	username (str) – user to connect password (str) – password of the user
Raises:	Unauthorized – raised if credentials are invalid.

login_kerberos()¶

Login to FreeIPA server using existing Kerberos credentials.

In order to use this method, the package `requests_kerberos <https://pypi.org/project/requests-kerberos/>`_ must be installed. There must already be a Kerberos Ticket-Granting Ticket (TGT) cached in a Kerberos credential cache. Whether a TGT is available can be easily determined by running the klist command. If no TGT is available, then it first must be obtained by running the kinit command, or pointing the $KRB5CCNAME environment variable to a credential cache with a valid TGT.

Raises:	Unauthorized – raised if credentials are invalid. ImportError – raised if the `requests_kerberos` module is unavailable.

logout()¶: Logs out of the FreeIPA session.

Autogenerated client module¶

class python_freeipa.client_meta.ClientMeta(host=None, verify_ssl=True, dns_discovery=True)¶

aci_add(a_aciname, o_permissions, o_aciprefix, o_permission=None, o_group=None, o_attrs=None, o_type=None, o_memberof=None, o_filter=None, o_subtree=None, o_targetgroup=None, o_selfaci=False, o_test=False, o_all=True, o_raw=False)¶

Create new ACI.

Parameters:

a_aciname (str) – ACI name
o_permission (str) – Permission ACI grants access to
o_group (str) – User group ACI grants access to
o_permissions (str) – Permissions to grant(read, write, add, delete, all)
o_attrs (str) – Attributes
o_type (str, valid values ['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']) – type of IPA object (user, group, host, hostgroup, service, netgroup)
o_memberof (str) – Member of a group
o_filter (str) – Legal LDAP filter (e.g. ou=Engineering)
o_subtree (str) – Subtree to apply ACI to
o_targetgroup (str) – Group to apply ACI to
o_selfaci (bool) – Apply ACI to your own entry (self)
o_aciprefix (str, valid values ['permission', 'delegation', 'selfservice', 'none']) – Prefix used to distinguish ACI types (permission, delegation, selfservice, none)
o_test (bool) – Test the ACI syntax but don’t write anything
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

aci_del(a_aciname, o_aciprefix)¶

Delete ACI.

Parameters:	a_aciname (str) – ACI name o_aciprefix (str, valid values ['permission', 'delegation', 'selfservice', 'none']) – Prefix used to distinguish ACI types (permission, delegation, selfservice, none)

aci_find(a_criteria=None, o_aciname=None, o_permission=None, o_group=None, o_permissions=None, o_attrs=None, o_type=None, o_memberof=None, o_filter=None, o_subtree=None, o_targetgroup=None, o_selfaci=False, o_aciprefix=None, o_pkey_only=False, o_all=True, o_raw=False)¶

Search for ACIs.

Returns a list of ACIs

EXAMPLES:

To find all ACIs that apply directly to members of the group ipausers:

ipa aci-find –memberof=ipausers

To find all ACIs that grant add access:

ipa aci-find –permissions=add

Note that the find command only looks for the given text in the set of ACIs, it does not evaluate the ACIs to see if something would apply. For example, searching on memberof=ipausers will find all ACIs that have ipausers as a memberof. There may be other ACIs that apply to members of that group indirectly.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_aciname (str) – ACI name
o_permission (str) – Permission ACI grants access to
o_group (str) – User group ACI grants access to
o_permissions (str) – Permissions to grant(read, write, add, delete, all)
o_attrs (str) – Attributes
o_type (str, valid values ['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']) – type of IPA object (user, group, host, hostgroup, service, netgroup)
o_memberof (str) – Member of a group
o_filter (str) – Legal LDAP filter (e.g. ou=Engineering)
o_subtree (str) – Subtree to apply ACI to
o_targetgroup (str) – Group to apply ACI to
o_selfaci (Bool) – Apply ACI to your own entry (self)
o_aciprefix (str, valid values ['permission', 'delegation', 'selfservice', 'none']) – Prefix used to distinguish ACI types (permission, delegation, selfservice, none)
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

aci_mod(a_aciname, o_aciprefix, o_permission=None, o_group=None, o_permissions=None, o_attrs=None, o_type=None, o_memberof=None, o_filter=None, o_subtree=None, o_targetgroup=None, o_selfaci=False, o_all=True, o_raw=False)¶

Modify ACI.

Parameters:

a_aciname (str) – ACI name
o_permission (str) – Permission ACI grants access to
o_group (str) – User group ACI grants access to
o_permissions (str) – Permissions to grant(read, write, add, delete, all)
o_attrs (str) – Attributes
o_type (str, valid values ['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']) – type of IPA object (user, group, host, hostgroup, service, netgroup)
o_memberof (str) – Member of a group
o_filter (str) – Legal LDAP filter (e.g. ou=Engineering)
o_subtree (str) – Subtree to apply ACI to
o_targetgroup (str) – Group to apply ACI to
o_selfaci (bool) – Apply ACI to your own entry (self)
o_aciprefix (str, valid values ['permission', 'delegation', 'selfservice', 'none']) – Prefix used to distinguish ACI types (permission, delegation, selfservice, none)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

aci_rename(a_aciname, o_aciprefix, o_newname, o_permission=None, o_group=None, o_permissions=None, o_attrs=None, o_type=None, o_memberof=None, o_filter=None, o_subtree=None, o_targetgroup=None, o_selfaci=False, o_all=True, o_raw=False)¶

Rename an ACI.

Parameters:

a_aciname (str) – ACI name
o_permission (str) – Permission ACI grants access to
o_group (str) – User group ACI grants access to
o_permissions (str) – Permissions to grant(read, write, add, delete, all)
o_attrs (str) – Attributes
o_type (str, valid values ['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']) – type of IPA object (user, group, host, hostgroup, service, netgroup)
o_memberof (str) – Member of a group
o_filter (str) – Legal LDAP filter (e.g. ou=Engineering)
o_subtree (str) – Subtree to apply ACI to
o_targetgroup (str) – Group to apply ACI to
o_selfaci (bool) – Apply ACI to your own entry (self)
o_aciprefix (str, valid values ['permission', 'delegation', 'selfservice', 'none']) – Prefix used to distinguish ACI types (permission, delegation, selfservice, none)
o_newname (str) – New ACI name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

aci_show(a_aciname, o_aciprefix, o_location=None, o_all=True, o_raw=False)¶

Display a single ACI given an ACI name.

Parameters:

a_aciname (str) – ACI name
o_aciprefix (str, valid values ['permission', 'delegation', 'selfservice', 'none']) – Prefix used to distinguish ACI types (permission, delegation, selfservice, none)
o_location (DNParam) – Location of the ACI
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

adtrust_is_enabled()¶: Determine whether ipa-adtrust-install has been run on this system

automember_add(a_cn, o_type, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False)¶

Add an automember rule.

Parameters:

a_cn (str) – Automember Rule
o_description (str) – A description of this auto member rule
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_type (str, valid values ['group', 'hostgroup']) – Grouping to which the rule applies
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

automember_add_condition(a_cn, o_key, o_type, o_description=None, o_automemberinclusiveregex=None, o_automemberexclusiveregex=None, o_all=True, o_raw=False)¶

Add conditions to an automember rule.

Parameters:

a_cn (str) – Automember Rule
o_description (str) – A description of this auto member rule
o_automemberinclusiveregex (str) – Inclusive Regex
o_automemberexclusiveregex (str) – Exclusive Regex
o_key (str) – Attribute to filter via regex. For example fqdn for a host, or manager for a user
o_type (str, valid values ['group', 'hostgroup']) – Grouping to which the rule applies
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

automember_default_group_remove(o_type, o_description=None, o_all=True, o_raw=False)¶

Remove default (fallback) group for all unmatched entries.

Parameters:	o_description (str) – A description of this auto member rule o_type (str, valid values ['group', 'hostgroup']) – Grouping to which the rule applies o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

automember_default_group_set(o_automemberdefaultgroup, o_type, o_description=None, o_all=True, o_raw=False)¶

Set default (fallback) group for all unmatched entries.

Parameters:

o_description (str) – A description of this auto member rule
o_automemberdefaultgroup (str) – Default (fallback) group for entries to land
o_type (str, valid values ['group', 'hostgroup']) – Grouping to which the rule applies
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

automember_default_group_show(o_type, o_all=True, o_raw=False)¶

Display information about the default (fallback) automember groups.

Parameters:	o_type (str, valid values ['group', 'hostgroup']) – Grouping to which the rule applies o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

automember_del(a_cn, o_type)¶

Delete an automember rule.

Parameters:	a_cn (str) – Automember Rule o_type (str, valid values ['group', 'hostgroup']) – Grouping to which the rule applies

automember_find(o_type, a_criteria=None, o_description=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for automember rules.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_description (str) – A description of this auto member rule
o_type (str, valid values ['group', 'hostgroup']) – Grouping to which the rule applies
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“automember-rule”)

automember_find_orphans(o_type, a_criteria=None, o_description=None, o_remove=False, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for orphan automember rules. The command might need to be run as a privileged user user to get all orphan rules.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_description (str) – A description of this auto member rule
o_type (str, valid values ['group', 'hostgroup']) – Grouping to which the rule applies
o_remove (bool) – Remove orphan automember rules
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“automember-rule”)

automember_mod(a_cn, o_type, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False)¶

Modify an automember rule.

Parameters:

a_cn (str) – Automember Rule
o_description (str) – A description of this auto member rule
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_type (str, valid values ['group', 'hostgroup']) – Grouping to which the rule applies
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

automember_rebuild(o_type=None, o_users=None, o_hosts=None, o_no_wait=False, o_all=True, o_raw=False)¶

Rebuild auto membership.

Parameters:

o_type (str, valid values ['group', 'hostgroup']) – Grouping to which the rule applies
o_users (str) – Rebuild membership for specified users
o_hosts (str) – Rebuild membership for specified hosts
o_no_wait (bool) – Don’t wait for rebuilding membership
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

automember_remove_condition(a_cn, o_key, o_type, o_description=None, o_automemberinclusiveregex=None, o_automemberexclusiveregex=None, o_all=True, o_raw=False)¶

Remove conditions from an automember rule.

Parameters:

a_cn (str) – Automember Rule
o_description (str) – A description of this auto member rule
o_automemberinclusiveregex (str) – Inclusive Regex
o_automemberexclusiveregex (str) – Exclusive Regex
o_key (str) – Attribute to filter via regex. For example fqdn for a host, or manager for a user
o_type (str, valid values ['group', 'hostgroup']) – Grouping to which the rule applies
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

automember_show(a_cn, o_type, o_all=True, o_raw=False)¶

Display information about an automember rule.

Parameters:	a_cn (str) – Automember Rule o_type (str, valid values ['group', 'hostgroup']) – Grouping to which the rule applies o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

automountkey_add(a_automountlocationcn, a_automountmapautomountmapname, o_automountkey, o_automountinformation, o_setattr=None, o_addattr=None, o_all=True, o_raw=False)¶

Create a new automount key.

Parameters:

a_automountlocationcn (str) – Automount location name.
a_automountmapautomountmapname (IA5Str) – Automount map name.
o_automountkey (IA5Str) – Automount key name.
o_automountinformation (IA5Str) – Mount information
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

automountkey_del(a_automountlocationcn, a_automountmapautomountmapname, o_automountkey, o_continue=False, o_automountinformation=None)¶

Delete an automount key.

Parameters:	a_automountlocationcn (str) – Automount location name. a_automountmapautomountmapname (IA5Str) – Automount map name. o_continue (bool) – Continuous mode: Don’t stop on errors. o_automountkey (IA5Str) – Automount key name. o_automountinformation (IA5Str) – Mount information

automountkey_find(a_automountlocationcn, a_automountmapautomountmapname, a_criteria=None, o_automountkey=None, o_automountinformation=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False)¶

Search for an automount key.

Parameters:

a_automountlocationcn (str) – Automount location name.
a_automountmapautomountmapname (IA5Str) – Automount map name.
a_criteria (str) – A string searched in all relevant object attributes
o_automountkey (IA5Str) – Automount key name.
o_automountinformation (IA5Str) – Mount information
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

automountkey_mod(a_automountlocationcn, a_automountmapautomountmapname, o_automountkey, o_automountinformation=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_newautomountinformation=None, o_all=True, o_raw=False, o_rename=None)¶

Modify an automount key.

Parameters:

a_automountlocationcn (str) – Automount location name.
a_automountmapautomountmapname (IA5Str) – Automount map name.
o_automountkey (IA5Str) – Automount key name.
o_automountinformation (IA5Str) – Mount information
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_newautomountinformation (IA5Str) – New mount information
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_rename (str) – Rename the automount key object

automountkey_show(a_automountlocationcn, a_automountmapautomountmapname, o_automountkey, o_rights=False, o_automountinformation=None, o_all=True, o_raw=False)¶

Display an automount key.

Parameters:

a_automountlocationcn (str) – Automount location name.
a_automountmapautomountmapname (IA5Str) – Automount map name.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_automountkey (IA5Str) – Automount key name.
o_automountinformation (IA5Str) – Mount information
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

automountlocation_add(a_cn, o_setattr=None, o_addattr=None, o_all=True, o_raw=False)¶

Create a new automount location.

Parameters:

a_cn (str) – Automount location name.
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

automountlocation_del(a_cn, o_continue=False)¶

Delete an automount location.

Parameters:	a_cn (str) – Automount location name. o_continue (bool) – Continuous mode: Don’t stop on errors.

automountlocation_find(a_criteria=None, o_cn=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for an automount location.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Automount location name.
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“location”)

automountlocation_show(a_cn, o_rights=False, o_all=True, o_raw=False)¶

Display an automount location.

Parameters:	a_cn (str) – Automount location name. o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

automountlocation_tofiles(a_cn)¶

Generate automount files for a specific location.

Parameters:	a_cn (str) – Automount location name.

automountmap_add(a_automountlocationcn, a_automountmapname, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False)¶

Create a new automount map.

Parameters:

a_automountlocationcn (str) – Automount location name.
a_automountmapname (IA5Str) – Automount map name.
o_description (str) – Description
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

automountmap_add_indirect(a_automountlocationcn, a_automountmapname, o_key, o_description=None, o_setattr=None, o_addattr=None, o_parentmap='auto.master', o_all=True, o_raw=False)¶

Create a new indirect mount point.

Parameters:

a_automountlocationcn (str) – Automount location name.
a_automountmapname (IA5Str) – Automount map name.
o_description (str) – Description
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_key (str) – Mount point
o_parentmap (str) – Name of parent automount map (default: auto.master).
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

automountmap_del(a_automountlocationcn, a_automountmapname, o_continue=False)¶

Delete an automount map.

Parameters:	a_automountlocationcn (str) – Automount location name. a_automountmapname (IA5Str) – Automount map name. o_continue (bool) – Continuous mode: Don’t stop on errors.

automountmap_find(a_automountlocationcn, a_criteria=None, o_automountmapname=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for an automount map.

Parameters:

a_automountlocationcn (str) – Automount location name.
a_criteria (str) – A string searched in all relevant object attributes
o_automountmapname (IA5Str) – Automount map name.
o_description (str) – Description
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“map”)

automountmap_mod(a_automountlocationcn, a_automountmapname, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False)¶

Modify an automount map.

Parameters:

a_automountlocationcn (str) – Automount location name.
a_automountmapname (IA5Str) – Automount map name.
o_description (str) – Description
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

automountmap_show(a_automountlocationcn, a_automountmapname, o_rights=False, o_all=True, o_raw=False)¶

Display an automount map.

Parameters:

a_automountlocationcn (str) – Automount location name.
a_automountmapname (IA5Str) – Automount map name.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

batch(a_methods=None)¶

Make multiple ipa calls via one remote procedure call

Parameters:	a_methods (dict) – Nested Methods to execute

ca_add(a_cn, o_ipacasubjectdn, o_description=None, o_setattr=None, o_addattr=None, o_chain=False, o_all=True, o_raw=False)¶

Create a CA.

Parameters:

a_cn (str) – Name for referencing the CA
o_description (str) – Description of the purpose of the CA
o_ipacasubjectdn (DNParam) – Subject Distinguished Name
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_chain (bool) – Include certificate chain in output
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

ca_del(a_cn, o_continue=False)¶

Delete a CA.

Parameters:	a_cn (str) – Name for referencing the CA o_continue (bool) – Continuous mode: Don’t stop on errors.

ca_disable(a_cn)¶

Disable a CA.

Parameters:	a_cn (str) – Name for referencing the CA

ca_enable(a_cn)¶

Enable a CA.

Parameters:	a_cn (str) – Name for referencing the CA

ca_find(a_criteria=None, o_cn=None, o_description=None, o_ipacaid=None, o_ipacasubjectdn=None, o_ipacaissuerdn=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for CAs.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Name for referencing the CA
o_description (str) – Description of the purpose of the CA
o_ipacaid (str) – Dogtag Authority ID
o_ipacasubjectdn (DNParam) – Subject Distinguished Name
o_ipacaissuerdn (DNParam) – Issuer Distinguished Name
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

ca_is_enabled()¶: Checks if any of the servers has the CA service enabled.

ca_mod(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_rename=None)¶

Modify CA configuration.

Parameters:

a_cn (str) – Name for referencing the CA
o_description (str) – Description of the purpose of the CA
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_rename (str) – Rename the Certificate Authority object

ca_show(a_cn, o_rights=False, o_chain=False, o_all=True, o_raw=False)¶

Display the properties of a CA.

Parameters:

a_cn (str) – Name for referencing the CA
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_chain (bool) – Include certificate chain in output
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

caacl_add(a_cn, o_description=None, o_ipaenabledflag=None, o_ipacacategory=None, o_ipacertprofilecategory=None, o_usercategory=None, o_hostcategory=None, o_servicecategory=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False)¶

Create a new CA ACL.

Parameters:

a_cn (str) – ACL name
o_description (str) – Description
o_ipaenabledflag (Bool) – Enabled
o_ipacacategory (str, valid values ['all']) – CA category the ACL applies to
o_ipacertprofilecategory (str, valid values ['all']) – Profile category the ACL applies to
o_usercategory (str, valid values ['all']) – User category the ACL applies to
o_hostcategory (str, valid values ['all']) – Host category the ACL applies to
o_servicecategory (str, valid values ['all']) – Service category the ACL applies to
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

caacl_add_ca(a_cn, o_all=True, o_raw=False, o_no_members=False, o_ca=None)¶

Add CAs to a CA ACL.

Parameters:	a_cn (str) – ACL name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_ca (str) – Certificate Authorities to add

caacl_add_host(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None)¶

Add target hosts and hostgroups to a CA ACL.

Parameters:	a_cn (str) – ACL name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_host (str) – hosts to add o_hostgroup (str) – host groups to add

caacl_add_profile(a_cn, o_all=True, o_raw=False, o_no_members=False, o_certprofile=None)¶

Add profiles to a CA ACL.

Parameters:	a_cn (str) – ACL name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_certprofile (str) – Certificate Profiles to add

caacl_add_service(a_cn, o_all=True, o_raw=False, o_no_members=False, o_service=None)¶

Add services to a CA ACL.

Parameters:	a_cn (str) – ACL name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_service (str) – services to add

caacl_add_user(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None)¶

Add users and groups to a CA ACL.

Parameters:	a_cn (str) – ACL name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to add o_group (str) – groups to add

caacl_del(a_cn, o_continue=False)¶

Delete a CA ACL.

Parameters:	a_cn (str) – ACL name o_continue (bool) – Continuous mode: Don’t stop on errors.

caacl_disable(a_cn)¶

Disable a CA ACL.

Parameters:	a_cn (str) – ACL name

caacl_enable(a_cn)¶

Enable a CA ACL.

Parameters:	a_cn (str) – ACL name

caacl_find(a_criteria=None, o_cn=None, o_description=None, o_ipaenabledflag=None, o_ipacacategory=None, o_ipacertprofilecategory=None, o_usercategory=None, o_hostcategory=None, o_servicecategory=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False)¶

Search for CA ACLs.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – ACL name
o_description (str) – Description
o_ipaenabledflag (Bool) – Enabled
o_ipacacategory (str, valid values ['all']) – CA category the ACL applies to
o_ipacertprofilecategory (str, valid values ['all']) – Profile category the ACL applies to
o_usercategory (str, valid values ['all']) – User category the ACL applies to
o_hostcategory (str, valid values ['all']) – Host category the ACL applies to
o_servicecategory (str, valid values ['all']) – Service category the ACL applies to
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

caacl_mod(a_cn, o_description=None, o_ipaenabledflag=None, o_ipacacategory=None, o_ipacertprofilecategory=None, o_usercategory=None, o_hostcategory=None, o_servicecategory=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Modify a CA ACL.

Parameters:

a_cn (str) – ACL name
o_description (str) – Description
o_ipaenabledflag (Bool) – Enabled
o_ipacacategory (str, valid values ['all']) – CA category the ACL applies to
o_ipacertprofilecategory (str, valid values ['all']) – Profile category the ACL applies to
o_usercategory (str, valid values ['all']) – User category the ACL applies to
o_hostcategory (str, valid values ['all']) – Host category the ACL applies to
o_servicecategory (str, valid values ['all']) – Service category the ACL applies to
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

caacl_remove_ca(a_cn, o_all=True, o_raw=False, o_no_members=False, o_ca=None)¶

Remove CAs from a CA ACL.

Parameters:	a_cn (str) – ACL name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_ca (str) – Certificate Authorities to remove

caacl_remove_host(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None)¶

Remove target hosts and hostgroups from a CA ACL.

Parameters:	a_cn (str) – ACL name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_host (str) – hosts to remove o_hostgroup (str) – host groups to remove

caacl_remove_profile(a_cn, o_all=True, o_raw=False, o_no_members=False, o_certprofile=None)¶

Remove profiles from a CA ACL.

Parameters:	a_cn (str) – ACL name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_certprofile (str) – Certificate Profiles to remove

caacl_remove_service(a_cn, o_all=True, o_raw=False, o_no_members=False, o_service=None)¶

Remove services from a CA ACL.

Parameters:	a_cn (str) – ACL name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_service (str) – services to remove

caacl_remove_user(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None)¶

Remove users and groups from a CA ACL.

Parameters:	a_cn (str) – ACL name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to remove o_group (str) – groups to remove

caacl_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display the properties of a CA ACL.

Parameters:

a_cn (str) – ACL name
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

cert_find(a_criteria=None, o_certificate=None, o_issuer=None, o_revocation_reason=None, o_cacn=None, o_subject=None, o_min_serial_number=None, o_max_serial_number=None, o_exactly=False, o_validnotafter_from=None, o_validnotafter_to=None, o_validnotbefore_from=None, o_validnotbefore_to=None, o_issuedon_from=None, o_issuedon_to=None, o_revokedon_from=None, o_revokedon_to=None, o_pkey_only=False, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_user=None, o_no_user=None, o_host=None, o_no_host=None, o_service=None, o_no_service=None)¶

Search for existing certificates.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_certificate (Certificate) – Base-64 encoded certificate.
o_issuer (DNParam) – Issuer DN
o_revocation_reason (int, min value 0, max value 10) – Reason for revoking the certificate (0-10). Type “ipa help cert” for revocation reason details.
o_cacn (str) – Name of issuing CA
o_subject (str) – Match cn attribute in subject
o_min_serial_number (int, min value 0, max value 2147483647) – minimum serial number
o_max_serial_number (int, min value 0, max value 2147483647) – maximum serial number
o_exactly (bool) – match the common name exactly
o_validnotafter_from (DateTime) – Valid not after from this date (YYYY-mm- dd)
o_validnotafter_to (DateTime) – Valid not after to this date (YYYY-mm-dd)
o_validnotbefore_from (DateTime) – Valid not before from this date (YYYY- mm-dd)
o_validnotbefore_to (DateTime) – Valid not before to this date (YYYY-mm-dd)
o_issuedon_from (DateTime) – Issued on from this date (YYYY-mm-dd)
o_issuedon_to (DateTime) – Issued on to this date (YYYY-mm-dd)
o_revokedon_from (DateTime) – Revoked on from this date (YYYY-mm-dd)
o_revokedon_to (DateTime) – Revoked on to this date (YYYY-mm-dd)
o_pkey_only (bool) – Results should contain primary key attribute only (“certificate”)
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – Search for certificates with these owner users.
o_no_user (str) – Search for certificates without these owner users.
o_host (str) – Search for certificates with these owner hosts.
o_no_host (str) – Search for certificates without these owner hosts.
o_service (Principal) – Search for certificates with these owner services.
o_no_service (Principal) – Search for certificates without these owner services.

cert_remove_hold(a_serial_number, o_cacn='ipa')¶

Take a revoked certificate off hold.

Parameters:	a_serial_number (int, min value -2147483648, max value 2147483647) – Serial number in decimal or if prefixed with 0x in hexadecimal o_cacn (str) – Name of issuing CA

cert_request(a_csr, o_principal, o_request_type='pkcs10', o_profile_id=None, o_cacn='ipa', o_add=False, o_chain=False, o_all=True, o_raw=False)¶

Submit a certificate signing request.

Parameters:

a_csr (CertificateSigningRequest) – CSR
o_request_type (str) – <request_type>
o_profile_id (str) – Certificate Profile to use
o_cacn (str) – Name of issuing CA
o_principal (Principal) – Principal for this certificate (e.g. HTTP/test.example.com)
o_add (bool) – automatically add the principal if it doesn’t exist (service principals only)
o_chain (bool) – Include certificate chain in output
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

cert_revoke(a_serial_number, o_revocation_reason=0, o_cacn='ipa')¶

Revoke a certificate.

Parameters:	a_serial_number (int, min value -2147483648, max value 2147483647) – Serial number in decimal or if prefixed with 0x in hexadecimal o_revocation_reason (int, min value 0, max value 10) – Reason for revoking the certificate (0-10). Type “ipa help cert” for revocation reason details. o_cacn (str) – Name of issuing CA

cert_show(a_serial_number, o_cacn='ipa', o_out=None, o_chain=False, o_all=True, o_raw=False, o_no_members=False)¶

Retrieve an existing certificate.

Parameters:

a_serial_number (int, min value -2147483648, max value 2147483647) – Serial number in decimal or if prefixed with 0x in hexadecimal
o_cacn (str) – Name of issuing CA
o_out (str) – File to store the certificate in.
o_chain (bool) – Include certificate chain in output
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

cert_status(a_request_id, o_cacn='ipa', o_all=True, o_raw=False)¶

Check the status of a certificate signing request.

Parameters:	a_request_id (int, min value -2147483648, max value 2147483647) – Request id o_cacn (str) – Name of issuing CA o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

certmap_match(a_certificate, o_all=True, o_raw=False)¶

Search for users matching the provided certificate.

This command relies on SSSD to retrieve the list of matching users and may return cached data. For more information on purging SSSD cache, please refer to sss_cache documentation.

Parameters:	a_certificate (Certificate) – Base-64 encoded user certificate o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

certmapconfig_mod(o_ipacertmappromptusername=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False)¶

Modify Certificate Identity Mapping configuration.

Parameters:

o_ipacertmappromptusername (Bool) – Prompt for the username when multiple identities are mapped to a certificate
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

certmapconfig_show(o_rights=False, o_all=True, o_raw=False)¶

Show the current Certificate Identity Mapping configuration.

Parameters:	o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

certmaprule_add(a_cn, o_description=None, o_ipacertmapmaprule=None, o_ipacertmapmatchrule=None, o_associateddomain=None, o_ipacertmappriority=None, o_ipaenabledflag=True, o_setattr=None, o_addattr=None, o_all=True, o_raw=False)¶

Create a new Certificate Identity Mapping Rule.

Parameters:

a_cn (str) – Certificate Identity Mapping Rule name
o_description (str) – Certificate Identity Mapping Rule description
o_ipacertmapmaprule (str) – Rule used to map the certificate with a user entry
o_ipacertmapmatchrule (str) – Rule used to check if a certificate can be used for authentication
o_associateddomain (DNSNameParam) – Domain where the user entry will be searched
o_ipacertmappriority (int, min value 0, max value 2147483647) – Priority of the rule (higher number means lower priority
o_ipaenabledflag (bool) – Enabled
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

certmaprule_del(a_cn, o_continue=False)¶

Delete a Certificate Identity Mapping Rule.

Parameters:	a_cn (str) – Certificate Identity Mapping Rule name o_continue (bool) – Continuous mode: Don’t stop on errors.

certmaprule_disable(a_cn)¶

Disable a Certificate Identity Mapping Rule.

Parameters:	a_cn (str) – Certificate Identity Mapping Rule name

certmaprule_enable(a_cn)¶

Enable a Certificate Identity Mapping Rule.

Parameters:	a_cn (str) – Certificate Identity Mapping Rule name

certmaprule_find(a_criteria=None, o_cn=None, o_description=None, o_ipacertmapmaprule=None, o_ipacertmapmatchrule=None, o_associateddomain=None, o_ipacertmappriority=None, o_ipaenabledflag=True, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for Certificate Identity Mapping Rules.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Certificate Identity Mapping Rule name
o_description (str) – Certificate Identity Mapping Rule description
o_ipacertmapmaprule (str) – Rule used to map the certificate with a user entry
o_ipacertmapmatchrule (str) – Rule used to check if a certificate can be used for authentication
o_associateddomain (DNSNameParam) – Domain where the user entry will be searched
o_ipacertmappriority (int, min value 0, max value 2147483647) – Priority of the rule (higher number means lower priority
o_ipaenabledflag (Bool) – Enabled
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“rulename”)

certmaprule_mod(a_cn, o_description=None, o_ipacertmapmaprule=None, o_ipacertmapmatchrule=None, o_associateddomain=None, o_ipacertmappriority=None, o_ipaenabledflag=True, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False)¶

Modify a Certificate Identity Mapping Rule.

Parameters:

a_cn (str) – Certificate Identity Mapping Rule name
o_description (str) – Certificate Identity Mapping Rule description
o_ipacertmapmaprule (str) – Rule used to map the certificate with a user entry
o_ipacertmapmatchrule (str) – Rule used to check if a certificate can be used for authentication
o_associateddomain (DNSNameParam) – Domain where the user entry will be searched
o_ipacertmappriority (int, min value 0, max value 2147483647) – Priority of the rule (higher number means lower priority
o_ipaenabledflag (bool) – Enabled
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

certmaprule_show(a_cn, o_rights=False, o_all=True, o_raw=False)¶

Display information about a Certificate Identity Mapping Rule.

Parameters:	a_cn (str) – Certificate Identity Mapping Rule name o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

certprofile_del(a_cn, o_continue=False)¶

Delete a Certificate Profile.

Parameters:	a_cn (str) – Profile ID for referring to this profile o_continue (bool) – Continuous mode: Don’t stop on errors.

certprofile_find(a_criteria=None, o_cn=None, o_description=None, o_ipacertprofilestoreissued=True, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for Certificate Profiles.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Profile ID for referring to this profile
o_description (str) – Brief description of this profile
o_ipacertprofilestoreissued (Bool) – Whether to store certs issued using this profile
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“id”)

certprofile_import(a_cn, o_description, o_file, o_ipacertprofilestoreissued=True, o_all=True, o_raw=False)¶

Import a Certificate Profile.

Parameters:

a_cn (str) – Profile ID for referring to this profile
o_description (str) – Brief description of this profile
o_ipacertprofilestoreissued (Bool) – Whether to store certs issued using this profile
o_file (str) – Filename of a raw profile. The XML format is not supported.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

certprofile_mod(a_cn, o_description=None, o_ipacertprofilestoreissued=True, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_file=None, o_all=True, o_raw=False)¶

Modify Certificate Profile configuration.

Parameters:

a_cn (str) – Profile ID for referring to this profile
o_description (str) – Brief description of this profile
o_ipacertprofilestoreissued (Bool) – Whether to store certs issued using this profile
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_file (str) – File containing profile configuration
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

certprofile_show(a_cn, o_rights=False, o_out=None, o_all=True, o_raw=False)¶

Display the properties of a Certificate Profile.

Parameters:

a_cn (str) – Profile ID for referring to this profile
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_out (str) – Write profile configuration to file
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

class_find(a_criteria=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for classes.

Parameters:	a_criteria (str) – A string searched in all relevant object attributes o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

class_show(a_full_name, o_all=True, o_raw=False)¶

Display information about a class.

Parameters:	a_full_name (str) – Full name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

command_defaults(a_full_name, o_params=None, o_kw=None)¶

Return command defaults

Parameters:	a_full_name (str) – Full name o_params (str) – <params> o_kw (dict) – <kw>

command_find(a_criteria=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for commands.

Parameters:	a_criteria (str) – A string searched in all relevant object attributes o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

command_show(a_full_name, o_all=True, o_raw=False)¶

Display information about a command.

Parameters:	a_full_name (str) – Full name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

compat_is_enabled()¶: Determine whether Schema Compatibility plugin is configured to serve trusted domain users and groups

config_mod(o_ipamaxusernamelength=None, o_ipamaxhostnamelength=None, o_ipahomesrootdir=None, o_ipadefaultloginshell=None, o_ipadefaultprimarygroup=None, o_ipadefaultemaildomain=None, o_ipasearchtimelimit=None, o_ipasearchrecordslimit=None, o_ipausersearchfields=None, o_ipagroupsearchfields=None, o_ipamigrationenabled=None, o_ipagroupobjectclasses=None, o_ipauserobjectclasses=None, o_ipapwdexpadvnotify=None, o_ipaconfigstring=None, o_ipaselinuxusermaporder=None, o_ipaselinuxusermapdefault=None, o_ipakrbauthzdata=None, o_ipauserauthtype=None, o_ca_renewal_master_server=None, o_ipadomainresolutionorder=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False)¶

Modify configuration options.

Parameters:

o_ipamaxusernamelength (int, min value 1, max value 255) – Maximum username length
o_ipamaxhostnamelength (int, min value 64, max value 255) – Maximum hostname length
o_ipahomesrootdir (IA5Str) – Default location of home directories
o_ipadefaultloginshell (str) – Default shell for new users
o_ipadefaultprimarygroup (str) – Default group for new users
o_ipadefaultemaildomain (str) – Default e-mail domain
o_ipasearchtimelimit (int, min value -1, max value 2147483647) – Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)
o_ipasearchrecordslimit (int, min value -2147483648, max value 2147483647) – Maximum number of records to search (-1 or 0 is unlimited)
o_ipausersearchfields (IA5Str) – A comma-separated list of fields to search in when searching for users
o_ipagroupsearchfields (IA5Str) – A comma-separated list of fields to search in when searching for groups
o_ipamigrationenabled (Bool) – Enable migration mode
o_ipagroupobjectclasses (str) – Default group objectclasses (comma- separated list)
o_ipauserobjectclasses (str) – Default user objectclasses (comma- separated list)
o_ipapwdexpadvnotify (int, min value 0, max value 2147483647) – Number of days’s notice of impending password expiration
o_ipaconfigstring (list of str, valid values ['AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs']) – Extra hashes to generate in password plug-in
o_ipaselinuxusermaporder (str) – Order in increasing priority of SELinux users, delimited by $
o_ipaselinuxusermapdefault (str) – Default SELinux user when no match is found in SELinux map rule
o_ipakrbauthzdata (list of str, valid values [‘MS-PAC’, ‘PAD’, ‘nfs:NONE’]) – Default types of PAC supported for services
o_ipauserauthtype (list of str, valid values ['password', 'radius', 'otp', 'pkinit', 'hardened', 'disabled']) – Default types of supported user authentication
o_ca_renewal_master_server (str) – Renewal master for IPA certificate authority
o_ipadomainresolutionorder (str) – colon-separated list of domains used for short name qualification
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

config_show(o_rights=False, o_all=True, o_raw=False)¶

Show the current configuration.

Parameters:	o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

cosentry_add(a_cn, o_krbpwdpolicyreference, o_cospriority, o_setattr=None, o_addattr=None, o_all=True, o_raw=False)¶

Add Class of Service entry

Parameters:

a_cn (str) – <cn>
o_krbpwdpolicyreference (DNParam) – <krbpwdpolicyreference>
o_cospriority (int, min value 0, max value 2147483647) – <cospriority>
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

cosentry_del(a_cn, o_continue=False)¶

Delete Class of Service entry

Parameters:	a_cn (str) – <cn> o_continue (bool) – Continuous mode: Don’t stop on errors.

cosentry_find(a_criteria=None, o_cn=None, o_krbpwdpolicyreference=None, o_cospriority=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for Class of Service entry

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – <cn>
o_krbpwdpolicyreference (DNParam) – <krbpwdpolicyreference>
o_cospriority (int, min value 0, max value 2147483647) – <cospriority>
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“cn”)

cosentry_mod(a_cn, o_krbpwdpolicyreference=None, o_cospriority=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False)¶

Modify Class of Service entry

Parameters:

a_cn (str) – <cn>
o_krbpwdpolicyreference (DNParam) – <krbpwdpolicyreference>
o_cospriority (int, min value 0, max value 2147483647) – <cospriority>
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

cosentry_show(a_cn, o_rights=False, o_all=True, o_raw=False)¶

Display Class of Service entry

Parameters:	a_cn (str) – <cn> o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

delegation_add(a_aciname, o_attrs, o_memberof, o_group, o_permissions=None, o_all=True, o_raw=False)¶

Add a new delegation.

Parameters:

a_aciname (str) – Delegation name
o_permissions (str) – Permissions to grant (read, write). Default is write.
o_attrs (str) – Attributes to which the delegation applies
o_memberof (str) – User group to apply delegation to
o_group (str) – User group ACI grants access to
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

delegation_del(a_aciname)¶

Delete a delegation.

Parameters:	a_aciname (str) – Delegation name

delegation_find(a_criteria=None, o_aciname=None, o_permissions=None, o_attrs=None, o_memberof=None, o_group=None, o_pkey_only=False, o_all=True, o_raw=False)¶

Search for delegations.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_aciname (str) – Delegation name
o_permissions (str) – Permissions to grant (read, write). Default is write.
o_attrs (str) – Attributes to which the delegation applies
o_memberof (str) – User group to apply delegation to
o_group (str) – User group ACI grants access to
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

delegation_mod(a_aciname, o_permissions=None, o_attrs=None, o_memberof=None, o_group=None, o_all=True, o_raw=False)¶

Modify a delegation.

Parameters:

a_aciname (str) – Delegation name
o_permissions (str) – Permissions to grant (read, write). Default is write.
o_attrs (str) – Attributes to which the delegation applies
o_memberof (str) – User group to apply delegation to
o_group (str) – User group ACI grants access to
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

delegation_show(a_aciname, o_all=True, o_raw=False)¶

Display information about a delegation.

Parameters:	a_aciname (str) – Delegation name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

dns_is_enabled()¶: Checks if any of the servers has the DNS service enabled.

dns_resolve(a_hostname)¶

Resolve a host name in DNS. (Deprecated)

Parameters:	a_hostname (str) – Hostname (FQDN)

dns_update_system_records(o_dry_run=False, o_all=True, o_raw=False)¶

Update location and IPA server DNS records

Parameters:	o_dry_run (bool) – Do not update records only return expected records o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

dnsconfig_mod(o_idnsforwarders=None, o_idnsforwardpolicy=None, o_idnsallowsyncptr=None, o_idnszonerefresh=None, o_ipadnsversion=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False)¶

Modify global DNS configuration.

Parameters:

o_idnsforwarders (str) – Global forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
o_idnsforwardpolicy (str, valid values ['only', 'first', 'none']) – Global forwarding policy. Set to “none” to disable any configured global forwarders.
o_idnsallowsyncptr (Bool) – Allow synchronization of forward (A, AAAA) and reverse (PTR) records
o_idnszonerefresh (int, min value 0, max value 2147483647) – An interval between regular polls of the name server for new DNS zones
o_ipadnsversion (int, min value -2147483648, max value 2147483647) – IPA DNS version
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

dnsconfig_show(o_rights=False, o_all=True, o_raw=False)¶

Show the current global DNS configuration.

Parameters:	o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

dnsforwardzone_add(a_idnsname, o_name_from_ip=None, o_idnsforwarders=None, o_idnsforwardpolicy=None, o_setattr=None, o_addattr=None, o_skip_overlap_check=False, o_all=True, o_raw=False)¶

Create new DNS forward zone.

Parameters:

a_idnsname (DNSNameParam) – Zone name (FQDN)
o_name_from_ip (str) – IP network to create reverse zone name from
o_idnsforwarders (str) – Per-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
o_idnsforwardpolicy (str, valid values ['only', 'first', 'none']) – Per-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_skip_overlap_check (bool) – Force DNS zone creation even if it will overlap with an existing zone.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

dnsforwardzone_add_permission(a_idnsname)¶

Add a permission for per-forward zone access delegation.

Parameters:	a_idnsname (DNSNameParam) – Zone name (FQDN)

dnsforwardzone_del(a_idnsname, o_continue=False)¶

Delete DNS forward zone.

Parameters:	a_idnsname (DNSNameParam) – Zone name (FQDN) o_continue (bool) – Continuous mode: Don’t stop on errors.

dnsforwardzone_disable(a_idnsname)¶

Disable DNS Forward Zone.

Parameters:	a_idnsname (DNSNameParam) – Zone name (FQDN)

dnsforwardzone_enable(a_idnsname)¶

Enable DNS Forward Zone.

Parameters:	a_idnsname (DNSNameParam) – Zone name (FQDN)

dnsforwardzone_find(a_criteria=None, o_idnsname=None, o_name_from_ip=None, o_idnszoneactive=None, o_idnsforwarders=None, o_idnsforwardpolicy=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for DNS forward zones.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_idnsname (DNSNameParam) – Zone name (FQDN)
o_name_from_ip (str) – IP network to create reverse zone name from
o_idnszoneactive (Bool) – Is zone active?
o_idnsforwarders (str) – Per-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
o_idnsforwardpolicy (str, valid values ['only', 'first', 'none']) – Per-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

dnsforwardzone_mod(a_idnsname, o_name_from_ip=None, o_idnsforwarders=None, o_idnsforwardpolicy=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False)¶

Modify DNS forward zone.

Parameters:

a_idnsname (DNSNameParam) – Zone name (FQDN)
o_name_from_ip (str) – IP network to create reverse zone name from
o_idnsforwarders (str) – Per-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
o_idnsforwardpolicy (str, valid values ['only', 'first', 'none']) – Per-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

dnsforwardzone_remove_permission(a_idnsname)¶

Remove a permission for per-forward zone access delegation.

Parameters:	a_idnsname (DNSNameParam) – Zone name (FQDN)

dnsforwardzone_show(a_idnsname, o_rights=False, o_all=True, o_raw=False)¶

Display information about a DNS forward zone.

Parameters:	a_idnsname (DNSNameParam) – Zone name (FQDN) o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

dnsrecord_add(a_dnszoneidnsname, a_idnsname, o_dnsttl=None, o_dnsclass=None, o_arecord=None, o_a_part_ip_address=None, o_a_extra_create_reverse=False, o_aaaarecord=None, o_aaaa_part_ip_address=None, o_aaaa_extra_create_reverse=False, o_a6record=None, o_a6_part_data=None, o_afsdbrecord=None, o_afsdb_part_subtype=None, o_afsdb_part_hostname=None, o_aplrecord=None, o_certrecord=None, o_cert_part_type=None, o_cert_part_key_tag=None, o_cert_part_algorithm=None, o_cert_part_certificate_or_crl=None, o_cnamerecord=None, o_cname_part_hostname=None, o_dhcidrecord=None, o_dlvrecord=None, o_dlv_part_key_tag=None, o_dlv_part_algorithm=None, o_dlv_part_digest_type=None, o_dlv_part_digest=None, o_dnamerecord=None, o_dname_part_target=None, o_dsrecord=None, o_ds_part_key_tag=None, o_ds_part_algorithm=None, o_ds_part_digest_type=None, o_ds_part_digest=None, o_hiprecord=None, o_ipseckeyrecord=None, o_keyrecord=None, o_kxrecord=None, o_kx_part_preference=None, o_kx_part_exchanger=None, o_locrecord=None, o_loc_part_lat_deg=None, o_loc_part_lat_min=None, o_loc_part_lat_sec=None, o_loc_part_lat_dir=None, o_loc_part_lon_deg=None, o_loc_part_lon_min=None, o_loc_part_lon_sec=None, o_loc_part_lon_dir=None, o_loc_part_altitude=None, o_loc_part_size=None, o_loc_part_h_precision=None, o_loc_part_v_precision=None, o_mxrecord=None, o_mx_part_preference=None, o_mx_part_exchanger=None, o_naptrrecord=None, o_naptr_part_order=None, o_naptr_part_preference=None, o_naptr_part_flags=None, o_naptr_part_service=None, o_naptr_part_regexp=None, o_naptr_part_replacement=None, o_nsrecord=None, o_ns_part_hostname=None, o_nsecrecord=None, o_ptrrecord=None, o_ptr_part_hostname=None, o_rrsigrecord=None, o_rprecord=None, o_sigrecord=None, o_spfrecord=None, o_srvrecord=None, o_srv_part_priority=None, o_srv_part_weight=None, o_srv_part_port=None, o_srv_part_target=None, o_sshfprecord=None, o_sshfp_part_algorithm=None, o_sshfp_part_fp_type=None, o_sshfp_part_fingerprint=None, o_tlsarecord=None, o_tlsa_part_cert_usage=None, o_tlsa_part_selector=None, o_tlsa_part_matching_type=None, o_tlsa_part_cert_association_data=None, o_txtrecord=None, o_txt_part_data=None, o_urirecord=None, o_uri_part_priority=None, o_uri_part_weight=None, o_uri_part_target=None, o_setattr=None, o_addattr=None, o_force=False, o_structured=False, o_all=True, o_raw=False)¶

Add new DNS resource record.

Parameters:

a_dnszoneidnsname (DNSNameParam) – Zone name (FQDN)
a_idnsname (DNSNameParam) – Record name
o_dnsttl (int, min value -2147483648, max value 2147483647) – Time to live
o_dnsclass (str, valid values ['IN', 'CS', 'CH', 'HS']) – <dnsclass>
o_arecord (ARecord) – Raw A records
o_a_part_ip_address (str) – A IP Address
o_a_extra_create_reverse (bool) – Create reverse record for this IP Address
o_aaaarecord (AAAARecord) – Raw AAAA records
o_aaaa_part_ip_address (str) – AAAA IP Address
o_aaaa_extra_create_reverse (bool) – Create reverse record for this IP Address
o_a6record (A6Record) – Raw A6 records
o_a6_part_data (str) – A6 Record data
o_afsdbrecord (AFSDBRecord) – Raw AFSDB records
o_afsdb_part_subtype (int, min value 0, max value 65535) – AFSDB Subtype
o_afsdb_part_hostname (DNSNameParam) – AFSDB Hostname
o_aplrecord (APLRecord) – Raw APL records
o_certrecord (CERTRecord) – Raw CERT records
o_cert_part_type (int, min value 0, max value 65535) – CERT Certificate Type
o_cert_part_key_tag (int, min value 0, max value 65535) – CERT Key Tag
o_cert_part_algorithm (int, min value 0, max value 255) – CERT Algorithm
o_cert_part_certificate_or_crl (str) – CERT Certificate/CRL
o_cnamerecord (CNAMERecord) – Raw CNAME records
o_cname_part_hostname (DNSNameParam) – A hostname which this alias hostname points to
o_dhcidrecord (DHCIDRecord) – Raw DHCID records
o_dlvrecord (DLVRecord) – Raw DLV records
o_dlv_part_key_tag (int, min value 0, max value 65535) – DLV Key Tag
o_dlv_part_algorithm (int, min value 0, max value 255) – DLV Algorithm
o_dlv_part_digest_type (int, min value 0, max value 255) – DLV Digest Type
o_dlv_part_digest (str) – DLV Digest
o_dnamerecord (DNAMERecord) – Raw DNAME records
o_dname_part_target (DNSNameParam) – DNAME Target
o_dsrecord (DSRecord) – Raw DS records
o_ds_part_key_tag (int, min value 0, max value 65535) – DS Key Tag
o_ds_part_algorithm (int, min value 0, max value 255) – DS Algorithm
o_ds_part_digest_type (int, min value 0, max value 255) – DS Digest Type
o_ds_part_digest (str) – DS Digest
o_hiprecord (HIPRecord) – Raw HIP records
o_ipseckeyrecord (IPSECKEYRecord) – Raw IPSECKEY records
o_keyrecord (KEYRecord) – Raw KEY records
o_kxrecord (KXRecord) – Raw KX records
o_kx_part_preference (int, min value 0, max value 65535) – Preference given to this exchanger. Lower values are more preferred
o_kx_part_exchanger (DNSNameParam) – A host willing to act as a key exchanger
o_locrecord (LOCRecord) – Raw LOC records
o_loc_part_lat_deg (int, min value 0, max value 90) – LOC Degrees Latitude
o_loc_part_lat_min (int, min value 0, max value 59) – LOC Minutes Latitude
o_loc_part_lat_sec (Decimal) – LOC Seconds Latitude
o_loc_part_lat_dir (str, valid values ['N', 'S']) – LOC Direction Latitude
o_loc_part_lon_deg (int, min value 0, max value 180) – LOC Degrees Longitude
o_loc_part_lon_min (int, min value 0, max value 59) – LOC Minutes Longitude
o_loc_part_lon_sec (Decimal) – LOC Seconds Longitude
o_loc_part_lon_dir (str, valid values ['E', 'W']) – LOC Direction Longitude
o_loc_part_altitude (Decimal) – LOC Altitude
o_loc_part_size (Decimal) – LOC Size
o_loc_part_h_precision (Decimal) – LOC Horizontal Precision
o_loc_part_v_precision (Decimal) – LOC Vertical Precision
o_mxrecord (MXRecord) – Raw MX records
o_mx_part_preference (int, min value 0, max value 65535) – Preference given to this exchanger. Lower values are more preferred
o_mx_part_exchanger (DNSNameParam) – A host willing to act as a mail exchanger
o_naptrrecord (NAPTRRecord) – Raw NAPTR records
o_naptr_part_order (int, min value 0, max value 65535) – NAPTR Order
o_naptr_part_preference (int, min value 0, max value 65535) – NAPTR Preference
o_naptr_part_flags (str) – NAPTR Flags
o_naptr_part_service (str) – NAPTR Service
o_naptr_part_regexp (str) – NAPTR Regular Expression
o_naptr_part_replacement (str) – NAPTR Replacement
o_nsrecord (NSRecord) – Raw NS records
o_ns_part_hostname (DNSNameParam) – NS Hostname
o_nsecrecord (NSECRecord) – Raw NSEC records
o_ptrrecord (PTRRecord) – Raw PTR records
o_ptr_part_hostname (DNSNameParam) – The hostname this reverse record points to
o_rrsigrecord (RRSIGRecord) – Raw RRSIG records
o_rprecord (RPRecord) – Raw RP records
o_sigrecord (SIGRecord) – Raw SIG records
o_spfrecord (SPFRecord) – Raw SPF records
o_srvrecord (SRVRecord) – Raw SRV records
o_srv_part_priority (int, min value 0, max value 65535) – Lower number means higher priority. Clients will attempt to contact the server with the lowest-numbered priority they can reach.
o_srv_part_weight (int, min value 0, max value 65535) – Relative weight for entries with the same priority.
o_srv_part_port (int, min value 0, max value 65535) – SRV Port
o_srv_part_target (DNSNameParam) – The domain name of the target host or ‘.’ if the service is decidedly not available at this domain
o_sshfprecord (SSHFPRecord) – Raw SSHFP records
o_sshfp_part_algorithm (int, min value 0, max value 255) – SSHFP Algorithm
o_sshfp_part_fp_type (int, min value 0, max value 255) – SSHFP Fingerprint Type
o_sshfp_part_fingerprint (str) – SSHFP Fingerprint
o_tlsarecord (TLSARecord) – Raw TLSA records
o_tlsa_part_cert_usage (int, min value 0, max value 255) – TLSA Certificate Usage
o_tlsa_part_selector (int, min value 0, max value 255) – TLSA Selector
o_tlsa_part_matching_type (int, min value 0, max value 255) – TLSA Matching Type
o_tlsa_part_cert_association_data (str) – TLSA Certificate Association Data
o_txtrecord (TXTRecord) – Raw TXT records
o_txt_part_data (str) – TXT Text Data
o_urirecord (URIRecord) – Raw URI records
o_uri_part_priority (int, min value 0, max value 65535) – Lower number means higher priority. Clients will attempt to contact the URI with the lowest-numbered priority they can reach.
o_uri_part_weight (int, min value 0, max value 65535) – Relative weight for entries with the same priority.
o_uri_part_target (str) – Target Uniform Resource Identifier according to RFC 3986
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_force (bool) – force NS record creation even if its hostname is not in DNS
o_structured (bool) – Parse all raw DNS records and return them in a structured way
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

dnsrecord_del(a_dnszoneidnsname, a_idnsname, o_dnsttl=None, o_dnsclass=None, o_arecord=None, o_aaaarecord=None, o_a6record=None, o_afsdbrecord=None, o_aplrecord=None, o_certrecord=None, o_cnamerecord=None, o_dhcidrecord=None, o_dlvrecord=None, o_dnamerecord=None, o_dsrecord=None, o_hiprecord=None, o_ipseckeyrecord=None, o_keyrecord=None, o_kxrecord=None, o_locrecord=None, o_mxrecord=None, o_naptrrecord=None, o_nsrecord=None, o_nsecrecord=None, o_ptrrecord=None, o_rrsigrecord=None, o_rprecord=None, o_sigrecord=None, o_spfrecord=None, o_srvrecord=None, o_sshfprecord=None, o_tlsarecord=None, o_txtrecord=None, o_urirecord=None, o_del_all=False, o_structured=False, o_raw=False)¶

Delete DNS resource record.

Parameters:

a_dnszoneidnsname (DNSNameParam) – Zone name (FQDN)
a_idnsname (DNSNameParam) – Record name
o_dnsttl (int, min value -2147483648, max value 2147483647) – Time to live
o_dnsclass (str, valid values ['IN', 'CS', 'CH', 'HS']) – <dnsclass>
o_arecord (ARecord) – Raw A records
o_aaaarecord (AAAARecord) – Raw AAAA records
o_a6record (A6Record) – Raw A6 records
o_afsdbrecord (AFSDBRecord) – Raw AFSDB records
o_aplrecord (APLRecord) – Raw APL records
o_certrecord (CERTRecord) – Raw CERT records
o_cnamerecord (CNAMERecord) – Raw CNAME records
o_dhcidrecord (DHCIDRecord) – Raw DHCID records
o_dlvrecord (DLVRecord) – Raw DLV records
o_dnamerecord (DNAMERecord) – Raw DNAME records
o_dsrecord (DSRecord) – Raw DS records
o_hiprecord (HIPRecord) – Raw HIP records
o_ipseckeyrecord (IPSECKEYRecord) – Raw IPSECKEY records
o_keyrecord (KEYRecord) – Raw KEY records
o_kxrecord (KXRecord) – Raw KX records
o_locrecord (LOCRecord) – Raw LOC records
o_mxrecord (MXRecord) – Raw MX records
o_naptrrecord (NAPTRRecord) – Raw NAPTR records
o_nsrecord (NSRecord) – Raw NS records
o_nsecrecord (NSECRecord) – Raw NSEC records
o_ptrrecord (PTRRecord) – Raw PTR records
o_rrsigrecord (RRSIGRecord) – Raw RRSIG records
o_rprecord (RPRecord) – Raw RP records
o_sigrecord (SIGRecord) – Raw SIG records
o_spfrecord (SPFRecord) – Raw SPF records
o_srvrecord (SRVRecord) – Raw SRV records
o_sshfprecord (SSHFPRecord) – Raw SSHFP records
o_tlsarecord (TLSARecord) – Raw TLSA records
o_txtrecord (TXTRecord) – Raw TXT records
o_urirecord (URIRecord) – Raw URI records
o_del_all (bool) – Delete all associated records
o_structured (bool) – Parse all raw DNS records and return them in a structured way
o_raw (bool) – <raw>

dnsrecord_delentry(a_dnszoneidnsname, a_idnsname, o_continue=False)¶

Delete DNS record entry.

Parameters:	a_dnszoneidnsname (DNSNameParam) – Zone name (FQDN) a_idnsname (DNSNameParam) – Record name o_continue (bool) – Continuous mode: Don’t stop on errors.

dnsrecord_find(a_dnszoneidnsname, a_criteria=None, o_idnsname=None, o_dnsttl=None, o_dnsclass=None, o_arecord=None, o_aaaarecord=None, o_a6record=None, o_afsdbrecord=None, o_aplrecord=None, o_certrecord=None, o_cnamerecord=None, o_dhcidrecord=None, o_dlvrecord=None, o_dnamerecord=None, o_dsrecord=None, o_hiprecord=None, o_ipseckeyrecord=None, o_keyrecord=None, o_kxrecord=None, o_locrecord=None, o_mxrecord=None, o_naptrrecord=None, o_nsrecord=None, o_nsecrecord=None, o_ptrrecord=None, o_rrsigrecord=None, o_rprecord=None, o_sigrecord=None, o_spfrecord=None, o_srvrecord=None, o_sshfprecord=None, o_tlsarecord=None, o_txtrecord=None, o_urirecord=None, o_timelimit=None, o_sizelimit=None, o_structured=False, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for DNS resources.

Parameters:

a_dnszoneidnsname (DNSNameParam) – Zone name (FQDN)
a_criteria (str) – A string searched in all relevant object attributes
o_idnsname (DNSNameParam) – Record name
o_dnsttl (int, min value -2147483648, max value 2147483647) – Time to live
o_dnsclass (str, valid values ['IN', 'CS', 'CH', 'HS']) – <dnsclass>
o_arecord (ARecord) – Raw A records
o_aaaarecord (AAAARecord) – Raw AAAA records
o_a6record (A6Record) – Raw A6 records
o_afsdbrecord (AFSDBRecord) – Raw AFSDB records
o_aplrecord (APLRecord) – Raw APL records
o_certrecord (CERTRecord) – Raw CERT records
o_cnamerecord (CNAMERecord) – Raw CNAME records
o_dhcidrecord (DHCIDRecord) – Raw DHCID records
o_dlvrecord (DLVRecord) – Raw DLV records
o_dnamerecord (DNAMERecord) – Raw DNAME records
o_dsrecord (DSRecord) – Raw DS records
o_hiprecord (HIPRecord) – Raw HIP records
o_ipseckeyrecord (IPSECKEYRecord) – Raw IPSECKEY records
o_keyrecord (KEYRecord) – Raw KEY records
o_kxrecord (KXRecord) – Raw KX records
o_locrecord (LOCRecord) – Raw LOC records
o_mxrecord (MXRecord) – Raw MX records
o_naptrrecord (NAPTRRecord) – Raw NAPTR records
o_nsrecord (NSRecord) – Raw NS records
o_nsecrecord (NSECRecord) – Raw NSEC records
o_ptrrecord (PTRRecord) – Raw PTR records
o_rrsigrecord (RRSIGRecord) – Raw RRSIG records
o_rprecord (RPRecord) – Raw RP records
o_sigrecord (SIGRecord) – Raw SIG records
o_spfrecord (SPFRecord) – Raw SPF records
o_srvrecord (SRVRecord) – Raw SRV records
o_sshfprecord (SSHFPRecord) – Raw SSHFP records
o_tlsarecord (TLSARecord) – Raw TLSA records
o_txtrecord (TXTRecord) – Raw TXT records
o_urirecord (URIRecord) – Raw URI records
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_structured (bool) – Parse all raw DNS records and return them in a structured way
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

dnsrecord_mod(a_dnszoneidnsname, a_idnsname, o_dnsttl=None, o_dnsclass=None, o_arecord=None, o_a_part_ip_address=None, o_aaaarecord=None, o_aaaa_part_ip_address=None, o_a6record=None, o_a6_part_data=None, o_afsdbrecord=None, o_afsdb_part_subtype=None, o_afsdb_part_hostname=None, o_aplrecord=None, o_certrecord=None, o_cert_part_type=None, o_cert_part_key_tag=None, o_cert_part_algorithm=None, o_cert_part_certificate_or_crl=None, o_cnamerecord=None, o_cname_part_hostname=None, o_dhcidrecord=None, o_dlvrecord=None, o_dlv_part_key_tag=None, o_dlv_part_algorithm=None, o_dlv_part_digest_type=None, o_dlv_part_digest=None, o_dnamerecord=None, o_dname_part_target=None, o_dsrecord=None, o_ds_part_key_tag=None, o_ds_part_algorithm=None, o_ds_part_digest_type=None, o_ds_part_digest=None, o_hiprecord=None, o_ipseckeyrecord=None, o_keyrecord=None, o_kxrecord=None, o_kx_part_preference=None, o_kx_part_exchanger=None, o_locrecord=None, o_loc_part_lat_deg=None, o_loc_part_lat_min=None, o_loc_part_lat_sec=None, o_loc_part_lat_dir=None, o_loc_part_lon_deg=None, o_loc_part_lon_min=None, o_loc_part_lon_sec=None, o_loc_part_lon_dir=None, o_loc_part_altitude=None, o_loc_part_size=None, o_loc_part_h_precision=None, o_loc_part_v_precision=None, o_mxrecord=None, o_mx_part_preference=None, o_mx_part_exchanger=None, o_naptrrecord=None, o_naptr_part_order=None, o_naptr_part_preference=None, o_naptr_part_flags=None, o_naptr_part_service=None, o_naptr_part_regexp=None, o_naptr_part_replacement=None, o_nsrecord=None, o_ns_part_hostname=None, o_nsecrecord=None, o_ptrrecord=None, o_ptr_part_hostname=None, o_rrsigrecord=None, o_rprecord=None, o_sigrecord=None, o_spfrecord=None, o_srvrecord=None, o_srv_part_priority=None, o_srv_part_weight=None, o_srv_part_port=None, o_srv_part_target=None, o_sshfprecord=None, o_sshfp_part_algorithm=None, o_sshfp_part_fp_type=None, o_sshfp_part_fingerprint=None, o_tlsarecord=None, o_tlsa_part_cert_usage=None, o_tlsa_part_selector=None, o_tlsa_part_matching_type=None, o_tlsa_part_cert_association_data=None, o_txtrecord=None, o_txt_part_data=None, o_urirecord=None, o_uri_part_priority=None, o_uri_part_weight=None, o_uri_part_target=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_structured=False, o_all=True, o_raw=False, o_rename=None)¶

Modify a DNS resource record.

Parameters:

a_dnszoneidnsname (DNSNameParam) – Zone name (FQDN)
a_idnsname (DNSNameParam) – Record name
o_dnsttl (int, min value -2147483648, max value 2147483647) – Time to live
o_dnsclass (str, valid values ['IN', 'CS', 'CH', 'HS']) – <dnsclass>
o_arecord (ARecord) – Raw A records
o_a_part_ip_address (str) – A IP Address
o_aaaarecord (AAAARecord) – Raw AAAA records
o_aaaa_part_ip_address (str) – AAAA IP Address
o_a6record (A6Record) – Raw A6 records
o_a6_part_data (str) – A6 Record data
o_afsdbrecord (AFSDBRecord) – Raw AFSDB records
o_afsdb_part_subtype (int, min value 0, max value 65535) – AFSDB Subtype
o_afsdb_part_hostname (DNSNameParam) – AFSDB Hostname
o_aplrecord (APLRecord) – Raw APL records
o_certrecord (CERTRecord) – Raw CERT records
o_cert_part_type (int, min value 0, max value 65535) – CERT Certificate Type
o_cert_part_key_tag (int, min value 0, max value 65535) – CERT Key Tag
o_cert_part_algorithm (int, min value 0, max value 255) – CERT Algorithm
o_cert_part_certificate_or_crl (str) – CERT Certificate/CRL
o_cnamerecord (CNAMERecord) – Raw CNAME records
o_cname_part_hostname (DNSNameParam) – A hostname which this alias hostname points to
o_dhcidrecord (DHCIDRecord) – Raw DHCID records
o_dlvrecord (DLVRecord) – Raw DLV records
o_dlv_part_key_tag (int, min value 0, max value 65535) – DLV Key Tag
o_dlv_part_algorithm (int, min value 0, max value 255) – DLV Algorithm
o_dlv_part_digest_type (int, min value 0, max value 255) – DLV Digest Type
o_dlv_part_digest (str) – DLV Digest
o_dnamerecord (DNAMERecord) – Raw DNAME records
o_dname_part_target (DNSNameParam) – DNAME Target
o_dsrecord (DSRecord) – Raw DS records
o_ds_part_key_tag (int, min value 0, max value 65535) – DS Key Tag
o_ds_part_algorithm (int, min value 0, max value 255) – DS Algorithm
o_ds_part_digest_type (int, min value 0, max value 255) – DS Digest Type
o_ds_part_digest (str) – DS Digest
o_hiprecord (HIPRecord) – Raw HIP records
o_ipseckeyrecord (IPSECKEYRecord) – Raw IPSECKEY records
o_keyrecord (KEYRecord) – Raw KEY records
o_kxrecord (KXRecord) – Raw KX records
o_kx_part_preference (int, min value 0, max value 65535) – Preference given to this exchanger. Lower values are more preferred
o_kx_part_exchanger (DNSNameParam) – A host willing to act as a key exchanger
o_locrecord (LOCRecord) – Raw LOC records
o_loc_part_lat_deg (int, min value 0, max value 90) – LOC Degrees Latitude
o_loc_part_lat_min (int, min value 0, max value 59) – LOC Minutes Latitude
o_loc_part_lat_sec (Decimal) – LOC Seconds Latitude
o_loc_part_lat_dir (str, valid values ['N', 'S']) – LOC Direction Latitude
o_loc_part_lon_deg (int, min value 0, max value 180) – LOC Degrees Longitude
o_loc_part_lon_min (int, min value 0, max value 59) – LOC Minutes Longitude
o_loc_part_lon_sec (Decimal) – LOC Seconds Longitude
o_loc_part_lon_dir (str, valid values ['E', 'W']) – LOC Direction Longitude
o_loc_part_altitude (Decimal) – LOC Altitude
o_loc_part_size (Decimal) – LOC Size
o_loc_part_h_precision (Decimal) – LOC Horizontal Precision
o_loc_part_v_precision (Decimal) – LOC Vertical Precision
o_mxrecord (MXRecord) – Raw MX records
o_mx_part_preference (int, min value 0, max value 65535) – Preference given to this exchanger. Lower values are more preferred
o_mx_part_exchanger (DNSNameParam) – A host willing to act as a mail exchanger
o_naptrrecord (NAPTRRecord) – Raw NAPTR records
o_naptr_part_order (int, min value 0, max value 65535) – NAPTR Order
o_naptr_part_preference (int, min value 0, max value 65535) – NAPTR Preference
o_naptr_part_flags (str) – NAPTR Flags
o_naptr_part_service (str) – NAPTR Service
o_naptr_part_regexp (str) – NAPTR Regular Expression
o_naptr_part_replacement (str) – NAPTR Replacement
o_nsrecord (NSRecord) – Raw NS records
o_ns_part_hostname (DNSNameParam) – NS Hostname
o_nsecrecord (NSECRecord) – Raw NSEC records
o_ptrrecord (PTRRecord) – Raw PTR records
o_ptr_part_hostname (DNSNameParam) – The hostname this reverse record points to
o_rrsigrecord (RRSIGRecord) – Raw RRSIG records
o_rprecord (RPRecord) – Raw RP records
o_sigrecord (SIGRecord) – Raw SIG records
o_spfrecord (SPFRecord) – Raw SPF records
o_srvrecord (SRVRecord) – Raw SRV records
o_srv_part_priority (int, min value 0, max value 65535) – Lower number means higher priority. Clients will attempt to contact the server with the lowest-numbered priority they can reach.
o_srv_part_weight (int, min value 0, max value 65535) – Relative weight for entries with the same priority.
o_srv_part_port (int, min value 0, max value 65535) – SRV Port
o_srv_part_target (DNSNameParam) – The domain name of the target host or ‘.’ if the service is decidedly not available at this domain
o_sshfprecord (SSHFPRecord) – Raw SSHFP records
o_sshfp_part_algorithm (int, min value 0, max value 255) – SSHFP Algorithm
o_sshfp_part_fp_type (int, min value 0, max value 255) – SSHFP Fingerprint Type
o_sshfp_part_fingerprint (str) – SSHFP Fingerprint
o_tlsarecord (TLSARecord) – Raw TLSA records
o_tlsa_part_cert_usage (int, min value 0, max value 255) – TLSA Certificate Usage
o_tlsa_part_selector (int, min value 0, max value 255) – TLSA Selector
o_tlsa_part_matching_type (int, min value 0, max value 255) – TLSA Matching Type
o_tlsa_part_cert_association_data (str) – TLSA Certificate Association Data
o_txtrecord (TXTRecord) – Raw TXT records
o_txt_part_data (str) – TXT Text Data
o_urirecord (URIRecord) – Raw URI records
o_uri_part_priority (int, min value 0, max value 65535) – Lower number means higher priority. Clients will attempt to contact the URI with the lowest-numbered priority they can reach.
o_uri_part_weight (int, min value 0, max value 65535) – Relative weight for entries with the same priority.
o_uri_part_target (str) – Target Uniform Resource Identifier according to RFC 3986
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_structured (bool) – Parse all raw DNS records and return them in a structured way
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_rename (DNSNameParam) – Rename the DNS resource record object

dnsrecord_show(a_dnszoneidnsname, a_idnsname, o_rights=False, o_structured=False, o_all=True, o_raw=False)¶

Display DNS resource.

Parameters:

a_dnszoneidnsname (DNSNameParam) – Zone name (FQDN)
a_idnsname (DNSNameParam) – Record name
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_structured (bool) – Parse all raw DNS records and return them in a structured way
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

dnsrecord_split_parts(a_name, a_value)¶

Split DNS record to parts

Parameters:	a_name (str) – <name> a_value (str) – <value>

dnsserver_find(a_criteria=None, o_idnsserverid=None, o_idnssoamname=None, o_idnsforwarders=None, o_idnsforwardpolicy=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for DNS servers.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_idnsserverid (str) – DNS Server name
o_idnssoamname (DNSNameParam) – SOA mname (authoritative server) override
o_idnsforwarders (str) – Per-server forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
o_idnsforwardpolicy (str, valid values ['only', 'first', 'none']) – Per-server conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“hostname”)

dnsserver_mod(a_idnsserverid, o_idnssoamname=None, o_idnsforwarders=None, o_idnsforwardpolicy=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False)¶

Modify DNS server configuration

Parameters:

a_idnsserverid (str) – DNS Server name
o_idnssoamname (DNSNameParam) – SOA mname (authoritative server) override
o_idnsforwarders (str) – Per-server forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
o_idnsforwardpolicy (str, valid values ['only', 'first', 'none']) – Per-server conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

dnsserver_show(a_idnsserverid, o_rights=False, o_all=True, o_raw=False)¶

Display configuration of a DNS server.

Parameters:	a_idnsserverid (str) – DNS Server name o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

dnszone_add(a_idnsname, o_idnssoaserial, o_name_from_ip=None, o_idnsforwarders=None, o_idnsforwardpolicy=None, o_idnssoamname=None, o_idnssoarname='', o_idnssoarefresh=3600, o_idnssoaretry=900, o_idnssoaexpire=1209600, o_idnssoaminimum=3600, o_dnsttl=None, o_dnsdefaultttl=None, o_dnsclass=None, o_idnsupdatepolicy=None, o_idnsallowdynupdate=False, o_idnsallowquery='any;', o_idnsallowtransfer='none;', o_idnsallowsyncptr=None, o_idnssecinlinesigning=False, o_nsec3paramrecord=None, o_setattr=None, o_addattr=None, o_skip_overlap_check=False, o_force=False, o_skip_nameserver_check=False, o_ip_address=None, o_all=True, o_raw=False)¶

Create new DNS zone (SOA record).

Parameters:

a_idnsname (DNSNameParam) – Zone name (FQDN)
o_name_from_ip (str) – IP network to create reverse zone name from
o_idnsforwarders (str) – Per-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
o_idnsforwardpolicy (str, valid values ['only', 'first', 'none']) – Per-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
o_idnssoamname (DNSNameParam) – Authoritative nameserver domain name
o_idnssoarname (DNSNameParam) – Administrator e-mail address
o_idnssoaserial (int, min value 1, max value 4294967295) – SOA record serial number
o_idnssoarefresh (int, min value 0, max value 2147483647) – SOA record refresh time
o_idnssoaretry (int, min value 0, max value 2147483647) – SOA record retry time
o_idnssoaexpire (int, min value 0, max value 2147483647) – SOA record expire time
o_idnssoaminimum (int, min value 0, max value 2147483647) – How long should negative responses be cached
o_dnsttl (int, min value 0, max value 2147483647) – Time to live for records at zone apex
o_dnsdefaultttl (int, min value 0, max value 2147483647) – Time to live for records without explicit TTL definition
o_dnsclass (str, valid values ['IN', 'CS', 'CH', 'HS']) – <dnsclass>
o_idnsupdatepolicy (str) – BIND update policy
o_idnsallowdynupdate (Bool) – Allow dynamic updates.
o_idnsallowquery (str) – Semicolon separated list of IP addresses or networks which are allowed to issue queries
o_idnsallowtransfer (str) – Semicolon separated list of IP addresses or networks which are allowed to transfer the zone
o_idnsallowsyncptr (Bool) – Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone
o_idnssecinlinesigning (Bool) – Allow inline DNSSEC signing of records in the zone
o_nsec3paramrecord (str) – NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_skip_overlap_check (bool) – Force DNS zone creation even if it will overlap with an existing zone.
o_force (bool) – Force DNS zone creation even if nameserver is not resolvable. (Deprecated)
o_skip_nameserver_check (bool) – Force DNS zone creation even if nameserver is not resolvable.
o_ip_address (str) – <ip_address>
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

dnszone_add_permission(a_idnsname)¶

Add a permission for per-zone access delegation.

Parameters:	a_idnsname (DNSNameParam) – Zone name (FQDN)

dnszone_del(a_idnsname, o_continue=False)¶

Delete DNS zone (SOA record).

Parameters:	a_idnsname (DNSNameParam) – Zone name (FQDN) o_continue (bool) – Continuous mode: Don’t stop on errors.

dnszone_disable(a_idnsname)¶

Disable DNS Zone.

Parameters:	a_idnsname (DNSNameParam) – Zone name (FQDN)

dnszone_enable(a_idnsname)¶

Enable DNS Zone.

Parameters:	a_idnsname (DNSNameParam) – Zone name (FQDN)

dnszone_find(a_criteria=None, o_idnsname=None, o_name_from_ip=None, o_idnszoneactive=None, o_idnsforwarders=None, o_idnsforwardpolicy=None, o_idnssoamname=None, o_idnssoarname='', o_idnssoaserial=None, o_idnssoarefresh=3600, o_idnssoaretry=900, o_idnssoaexpire=1209600, o_idnssoaminimum=3600, o_dnsttl=None, o_dnsdefaultttl=None, o_dnsclass=None, o_idnsupdatepolicy=None, o_idnsallowdynupdate=False, o_idnsallowquery='any;', o_idnsallowtransfer='none;', o_idnsallowsyncptr=None, o_idnssecinlinesigning=False, o_nsec3paramrecord=None, o_timelimit=None, o_sizelimit=None, o_forward_only=False, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for DNS zones (SOA records).

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_idnsname (DNSNameParam) – Zone name (FQDN)
o_name_from_ip (str) – IP network to create reverse zone name from
o_idnszoneactive (Bool) – Is zone active?
o_idnsforwarders (str) – Per-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
o_idnsforwardpolicy (str, valid values ['only', 'first', 'none']) – Per-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
o_idnssoamname (DNSNameParam) – Authoritative nameserver domain name
o_idnssoarname (DNSNameParam) – Administrator e-mail address
o_idnssoaserial (int, min value 1, max value 4294967295) – SOA record serial number
o_idnssoarefresh (int, min value 0, max value 2147483647) – SOA record refresh time
o_idnssoaretry (int, min value 0, max value 2147483647) – SOA record retry time
o_idnssoaexpire (int, min value 0, max value 2147483647) – SOA record expire time
o_idnssoaminimum (int, min value 0, max value 2147483647) – How long should negative responses be cached
o_dnsttl (int, min value 0, max value 2147483647) – Time to live for records at zone apex
o_dnsdefaultttl (int, min value 0, max value 2147483647) – Time to live for records without explicit TTL definition
o_dnsclass (str, valid values ['IN', 'CS', 'CH', 'HS']) – <dnsclass>
o_idnsupdatepolicy (str) – BIND update policy
o_idnsallowdynupdate (Bool) – Allow dynamic updates.
o_idnsallowquery (str) – Semicolon separated list of IP addresses or networks which are allowed to issue queries
o_idnsallowtransfer (str) – Semicolon separated list of IP addresses or networks which are allowed to transfer the zone
o_idnsallowsyncptr (Bool) – Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone
o_idnssecinlinesigning (Bool) – Allow inline DNSSEC signing of records in the zone
o_nsec3paramrecord (str) – NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_forward_only (bool) – Search for forward zones only
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

dnszone_mod(a_idnsname, o_name_from_ip=None, o_idnsforwarders=None, o_idnsforwardpolicy=None, o_idnssoamname=None, o_idnssoarname='', o_idnssoaserial=None, o_idnssoarefresh=3600, o_idnssoaretry=900, o_idnssoaexpire=1209600, o_idnssoaminimum=3600, o_dnsttl=None, o_dnsdefaultttl=None, o_dnsclass=None, o_idnsupdatepolicy=None, o_idnsallowdynupdate=False, o_idnsallowquery='any;', o_idnsallowtransfer='none;', o_idnsallowsyncptr=None, o_idnssecinlinesigning=False, o_nsec3paramrecord=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_force=False, o_all=True, o_raw=False)¶

Modify DNS zone (SOA record).

Parameters:

a_idnsname (DNSNameParam) – Zone name (FQDN)
o_name_from_ip (str) – IP network to create reverse zone name from
o_idnsforwarders (str) – Per-zone forwarders. A custom port can be specified for each forwarder using a standard format “IP_ADDRESS port PORT”
o_idnsforwardpolicy (str, valid values ['only', 'first', 'none']) – Per-zone conditional forwarding policy. Set to “none” to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
o_idnssoamname (DNSNameParam) – Authoritative nameserver domain name
o_idnssoarname (DNSNameParam) – Administrator e-mail address
o_idnssoaserial (int, min value 1, max value 4294967295) – SOA record serial number
o_idnssoarefresh (int, min value 0, max value 2147483647) – SOA record refresh time
o_idnssoaretry (int, min value 0, max value 2147483647) – SOA record retry time
o_idnssoaexpire (int, min value 0, max value 2147483647) – SOA record expire time
o_idnssoaminimum (int, min value 0, max value 2147483647) – How long should negative responses be cached
o_dnsttl (int, min value 0, max value 2147483647) – Time to live for records at zone apex
o_dnsdefaultttl (int, min value 0, max value 2147483647) – Time to live for records without explicit TTL definition
o_dnsclass (str, valid values ['IN', 'CS', 'CH', 'HS']) – <dnsclass>
o_idnsupdatepolicy (str) – BIND update policy
o_idnsallowdynupdate (Bool) – Allow dynamic updates.
o_idnsallowquery (str) – Semicolon separated list of IP addresses or networks which are allowed to issue queries
o_idnsallowtransfer (str) – Semicolon separated list of IP addresses or networks which are allowed to transfer the zone
o_idnsallowsyncptr (Bool) – Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone
o_idnssecinlinesigning (Bool) – Allow inline DNSSEC signing of records in the zone
o_nsec3paramrecord (str) – NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_force (bool) – Force nameserver change even if nameserver not in DNS
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

dnszone_remove_permission(a_idnsname)¶

Remove a permission for per-zone access delegation.

Parameters:	a_idnsname (DNSNameParam) – Zone name (FQDN)

dnszone_show(a_idnsname, o_rights=False, o_all=True, o_raw=False)¶

Display information about a DNS zone (SOA record).

Parameters:	a_idnsname (DNSNameParam) – Zone name (FQDN) o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

domainlevel_get()¶: Query current Domain Level.

domainlevel_set(a_ipadomainlevel)¶

Change current Domain Level.

Parameters:	a_ipadomainlevel (int, min value 1, max value 2147483647) – Domain Level

env(o_server=False, o_all=True)¶

Show environment variables.

Parameters:	o_server (bool) – Forward to server instead of running locally o_all (bool) – retrieve and print all attributes from the server. Affects command output.

group_add(a_cn, o_description=None, o_gidnumber=None, o_setattr=None, o_addattr=None, o_nonposix=False, o_external=False, o_all=True, o_raw=False, o_no_members=False)¶

Create a new group.

Parameters:

a_cn (str) – Group name
o_description (str) – Group description
o_gidnumber (int, min value 1, max value 2147483647) – GID (use this option to set it manually)
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_nonposix (bool) – Create as a non-POSIX group
o_external (bool) – Allow adding external non-IPA members from trusted domains
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

group_add_member(a_cn, o_ipaexternalmember=None, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_service=None)¶

Add members to a group.

Parameters:

a_cn (str) – Group name
o_ipaexternalmember (str) – Members of a trusted domain in DOMname or name@domain form
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to add
o_group (str) – groups to add
o_service (str) – services to add

group_add_member_manager(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None)¶

Add users that can manage members of this group.

Parameters:	a_cn (str) – Group name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to add o_group (str) – groups to add

group_del(a_cn, o_continue=False)¶

Delete group.

Parameters:	a_cn (str) – Group name o_continue (bool) – Continuous mode: Don’t stop on errors.

group_detach(a_cn)¶

Detach a managed group from a user.

Parameters:	a_cn (str) – Group name

group_find(a_criteria=None, o_cn=None, o_description=None, o_gidnumber=None, o_timelimit=None, o_sizelimit=None, o_private=False, o_posix=False, o_external=False, o_nonposix=False, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, o_user=None, o_no_user=None, o_group=None, o_no_group=None, o_service=None, o_no_service=None, o_in_group=None, o_not_in_group=None, o_in_netgroup=None, o_not_in_netgroup=None, o_in_role=None, o_not_in_role=None, o_in_hbacrule=None, o_not_in_hbacrule=None, o_in_sudorule=None, o_not_in_sudorule=None, o_membermanager_user=None, o_not_membermanager_user=None, o_membermanager_group=None, o_not_membermanager_group=None)¶

Search for groups.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Group name
o_description (str) – Group description
o_gidnumber (int, min value 1, max value 2147483647) – GID (use this option to set it manually)
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_private (bool) – search for private groups
o_posix (bool) – search for POSIX groups
o_external (bool) – search for groups with support of external non-IPA members from trusted domains
o_nonposix (bool) – search for non-POSIX groups
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“group-name”)
o_user (str) – Search for groups with these member users.
o_no_user (str) – Search for groups without these member users.
o_group (str) – Search for groups with these member groups.
o_no_group (str) – Search for groups without these member groups.
o_service (Principal) – Search for groups with these member services.
o_no_service (Principal) – Search for groups without these member services.
o_in_group (str) – Search for groups with these member of groups.
o_not_in_group (str) – Search for groups without these member of groups.
o_in_netgroup (str) – Search for groups with these member of netgroups.
o_not_in_netgroup (str) – Search for groups without these member of netgroups.
o_in_role (str) – Search for groups with these member of roles.
o_not_in_role (str) – Search for groups without these member of roles.
o_in_hbacrule (str) – Search for groups with these member of HBAC rules.
o_not_in_hbacrule (str) – Search for groups without these member of HBAC rules.
o_in_sudorule (str) – Search for groups with these member of sudo rules.
o_not_in_sudorule (str) – Search for groups without these member of sudo rules.
o_membermanager_user (str) – Search for groups with these group membership managed by users.
o_not_membermanager_user (str) – Search for groups without these group membership managed by users.
o_membermanager_group (str) – Search for groups with these group membership managed by groups.
o_not_membermanager_group (str) – Search for groups without these group membership managed by groups.

group_mod(a_cn, o_description=None, o_gidnumber=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_posix=False, o_external=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None)¶

Modify a group.

Parameters:

a_cn (str) – Group name
o_description (str) – Group description
o_gidnumber (int, min value 1, max value 2147483647) – GID (use this option to set it manually)
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_posix (bool) – change to a POSIX group
o_external (bool) – change to support external non-IPA members from trusted domains
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_rename (str) – Rename the group object

group_remove_member(a_cn, o_ipaexternalmember=None, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_service=None)¶

Remove members from a group.

Parameters:

a_cn (str) – Group name
o_ipaexternalmember (str) – Members of a trusted domain in DOMname or name@domain form
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to remove
o_group (str) – groups to remove
o_service (str) – services to remove

group_remove_member_manager(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None)¶

Remove users that can manage members of this group.

Parameters:	a_cn (str) – Group name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to remove o_group (str) – groups to remove

group_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display information about a named group.

Parameters:

a_cn (str) – Group name
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

hbacrule_add(a_cn, o_accessruletype='allow', o_usercategory=None, o_hostcategory=None, o_sourcehostcategory=None, o_servicecategory=None, o_description=None, o_ipaenabledflag=None, o_externalhost=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False)¶

Create a new HBAC rule.

Parameters:

a_cn (str) – Rule name
o_accessruletype (str, valid values ['allow', 'deny']) – Rule type (allow)
o_usercategory (str, valid values ['all']) – User category the rule applies to
o_hostcategory (str, valid values ['all']) – Host category the rule applies to
o_sourcehostcategory (str, valid values ['all']) – Source host category the rule applies to
o_servicecategory (str, valid values ['all']) – Service category the rule applies to
o_description (str) – Description
o_ipaenabledflag (Bool) – Enabled
o_externalhost (str) – External host
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

hbacrule_add_host(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None)¶

Add target hosts and hostgroups to an HBAC rule.

Parameters:	a_cn (str) – Rule name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_host (str) – hosts to add o_hostgroup (str) – host groups to add

hbacrule_add_service(a_cn, o_all=True, o_raw=False, o_no_members=False, o_hbacsvc=None, o_hbacsvcgroup=None)¶

Add services to an HBAC rule.

Parameters:

a_cn (str) – Rule name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_hbacsvc (str) – HBAC services to add
o_hbacsvcgroup (str) – HBAC service groups to add

hbacrule_add_sourcehost(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None)¶

Add source hosts and hostgroups to an HBAC rule.

Parameters:	a_cn (str) – Rule name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_host (str) – hosts to add o_hostgroup (str) – host groups to add

hbacrule_add_user(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None)¶

Add users and groups to an HBAC rule.

Parameters:	a_cn (str) – Rule name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to add o_group (str) – groups to add

hbacrule_del(a_cn, o_continue=False)¶

Delete an HBAC rule.

Parameters:	a_cn (str) – Rule name o_continue (bool) – Continuous mode: Don’t stop on errors.

hbacrule_disable(a_cn)¶

Disable an HBAC rule.

Parameters:	a_cn (str) – Rule name

hbacrule_enable(a_cn)¶

Enable an HBAC rule.

Parameters:	a_cn (str) – Rule name

hbacrule_find(a_criteria=None, o_cn=None, o_accessruletype='allow', o_usercategory=None, o_hostcategory=None, o_sourcehostcategory=None, o_servicecategory=None, o_description=None, o_ipaenabledflag=None, o_externalhost=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False)¶

Search for HBAC rules.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Rule name
o_accessruletype (str, valid values ['allow', 'deny']) – Rule type (allow)
o_usercategory (str, valid values ['all']) – User category the rule applies to
o_hostcategory (str, valid values ['all']) – Host category the rule applies to
o_sourcehostcategory (str, valid values ['all']) – Source host category the rule applies to
o_servicecategory (str, valid values ['all']) – Service category the rule applies to
o_description (str) – Description
o_ipaenabledflag (Bool) – Enabled
o_externalhost (str) – External host
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

hbacrule_mod(a_cn, o_accessruletype='allow', o_usercategory=None, o_hostcategory=None, o_sourcehostcategory=None, o_servicecategory=None, o_description=None, o_ipaenabledflag=None, o_externalhost=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None)¶

Modify an HBAC rule.

Parameters:

a_cn (str) – Rule name
o_accessruletype (str, valid values ['allow', 'deny']) – Rule type (allow)
o_usercategory (str, valid values ['all']) – User category the rule applies to
o_hostcategory (str, valid values ['all']) – Host category the rule applies to
o_sourcehostcategory (str, valid values ['all']) – Source host category the rule applies to
o_servicecategory (str, valid values ['all']) – Service category the rule applies to
o_description (str) – Description
o_ipaenabledflag (Bool) – Enabled
o_externalhost (str) – External host
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_rename (str) – Rename the HBAC rule object

hbacrule_remove_host(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None)¶

Remove target hosts and hostgroups from an HBAC rule.

Parameters:	a_cn (str) – Rule name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_host (str) – hosts to remove o_hostgroup (str) – host groups to remove

hbacrule_remove_service(a_cn, o_all=True, o_raw=False, o_no_members=False, o_hbacsvc=None, o_hbacsvcgroup=None)¶

Remove service and service groups from an HBAC rule.

Parameters:

a_cn (str) – Rule name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_hbacsvc (str) – HBAC services to remove
o_hbacsvcgroup (str) – HBAC service groups to remove

hbacrule_remove_sourcehost(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None)¶

Remove source hosts and hostgroups from an HBAC rule.

Parameters:	a_cn (str) – Rule name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_host (str) – hosts to remove o_hostgroup (str) – host groups to remove

hbacrule_remove_user(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None)¶

Remove users and groups from an HBAC rule.

Parameters:	a_cn (str) – Rule name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to remove o_group (str) – groups to remove

hbacrule_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display the properties of an HBAC rule.

Parameters:

a_cn (str) – Rule name
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

hbacsvc_add(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False)¶

Add a new HBAC service.

Parameters:

a_cn (str) – HBAC service
o_description (str) – HBAC service description
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

hbacsvc_del(a_cn, o_continue=False)¶

Delete an existing HBAC service.

Parameters:	a_cn (str) – HBAC service o_continue (bool) – Continuous mode: Don’t stop on errors.

hbacsvc_find(a_criteria=None, o_cn=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False)¶

Search for HBAC services.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – HBAC service
o_description (str) – HBAC service description
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“service”)

hbacsvc_mod(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Modify an HBAC service.

Parameters:

a_cn (str) – HBAC service
o_description (str) – HBAC service description
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

hbacsvc_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display information about an HBAC service.

Parameters:

a_cn (str) – HBAC service
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

hbacsvcgroup_add(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False)¶

Add a new HBAC service group.

Parameters:

a_cn (str) – Service group name
o_description (str) – HBAC service group description
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

hbacsvcgroup_add_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_hbacsvc=None)¶

Add members to an HBAC service group.

Parameters:	a_cn (str) – Service group name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_hbacsvc (str) – HBAC services to add

hbacsvcgroup_del(a_cn, o_continue=False)¶

Delete an HBAC service group.

Parameters:	a_cn (str) – Service group name o_continue (bool) – Continuous mode: Don’t stop on errors.

hbacsvcgroup_find(a_criteria=None, o_cn=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False)¶

Search for an HBAC service group.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Service group name
o_description (str) – HBAC service group description
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

hbacsvcgroup_mod(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Modify an HBAC service group.

Parameters:

a_cn (str) – Service group name
o_description (str) – HBAC service group description
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

hbacsvcgroup_remove_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_hbacsvc=None)¶

Remove members from an HBAC service group.

Parameters:	a_cn (str) – Service group name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_hbacsvc (str) – HBAC services to remove

hbacsvcgroup_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display information about an HBAC service group.

Parameters:

a_cn (str) – Service group name
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

hbactest(o_user, o_targethost, o_service, o_sourcehost=None, o_rules=None, o_nodetail=False, o_enabled=False, o_disabled=False, o_sizelimit=None)¶

Simulate use of Host-based access controls

Parameters:

o_user (str) – User name
o_sourcehost (str) – Source host
o_targethost (str) – Target host
o_service (str) – Service
o_rules (str) – Rules to test. If not specified, –enabled is assumed
o_nodetail (bool) – Hide details which rules are matched, not matched, or invalid
o_enabled (bool) – Include all enabled IPA rules into test [default]
o_disabled (bool) – Include all disabled IPA rules into test
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of rules to process when no –rules is specified

host_add(a_fqdn, o_description=None, o_l=None, o_nshostlocation=None, o_nshardwareplatform=None, o_nsosversion=None, o_userpassword=None, o_random=False, o_usercertificate=None, o_macaddress=None, o_ipasshpubkey=None, o_userclass=None, o_ipaassignedidview=None, o_krbprincipalauthind=None, o_ipakrbrequirespreauth=None, o_ipakrbokasdelegate=None, o_ipakrboktoauthasdelegate=None, o_setattr=None, o_addattr=None, o_force=False, o_no_reverse=False, o_ip_address=None, o_all=True, o_raw=False, o_no_members=False)¶

Add a new host.

Parameters:

a_fqdn (str) – Host name
o_description (str) – A description of this host
o_l (str) – Host locality (e.g. “Baltimore, MD”)
o_nshostlocation (str) – Host location (e.g. “Lab 2”)
o_nshardwareplatform (str) – Host hardware platform (e.g. “Lenovo T61”)
o_nsosversion (str) – Host operating system and version (e.g. “Fedora 9”)
o_userpassword (HostPassword) – Password used in bulk enrollment
o_random (bool) – Generate a random password to be used in bulk enrollment
o_usercertificate (Certificate) – Base-64 encoded host certificate
o_macaddress (str) – Hardware MAC address(es) on this host
o_ipasshpubkey (str) – SSH public key
o_userclass (str) – Host category (semantics placed on this attribute are for local interpretation)
o_ipaassignedidview (str) – Assigned ID View
o_krbprincipalauthind (list of str, valid values ['radius', 'otp', 'pkinit', 'hardened']) – Defines a whitelist for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute- force hardened password authentication by SPAKE or FAST. With no indicator specified, all authentication mechanisms are allowed.
o_ipakrbrequirespreauth (Bool) – Pre-authentication is required for the service
o_ipakrbokasdelegate (Bool) – Client credentials may be delegated to the service
o_ipakrboktoauthasdelegate (Bool) – The service is allowed to authenticate on behalf of a client
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_force (bool) – force host name even if not in DNS
o_no_reverse (bool) – skip reverse DNS detection
o_ip_address (str) – Add the host to DNS with this IP address
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

host_add_cert(a_fqdn, o_usercertificate, o_all=True, o_raw=False, o_no_members=False)¶

Add certificates to host entry

Parameters:	a_fqdn (str) – Host name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_usercertificate (Certificate) – Base-64 encoded host certificate

host_add_managedby(a_fqdn, o_all=True, o_raw=False, o_no_members=False, o_host=None)¶

Add hosts that can manage this host.

Parameters:	a_fqdn (str) – Host name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_host (str) – hosts to add

host_add_principal(a_fqdn, a_krbprincipalname, o_all=True, o_raw=False, o_no_members=False)¶

Add new principal alias to host entry

Parameters:	a_fqdn (str) – Host name a_krbprincipalname (Principal) – Principal alias o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes.

host_allow_create_keytab(a_fqdn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None)¶

Allow users, groups, hosts or host groups to create a keytab of this host.

Parameters:

a_fqdn (str) – Host name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to add
o_group (str) – groups to add
o_host (str) – hosts to add
o_hostgroup (str) – host groups to add

host_allow_retrieve_keytab(a_fqdn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None)¶

Allow users, groups, hosts or host groups to retrieve a keytab of this host.

Parameters:

a_fqdn (str) – Host name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to add
o_group (str) – groups to add
o_host (str) – hosts to add
o_hostgroup (str) – host groups to add

host_del(a_fqdn, o_continue=False, o_updatedns=False)¶

Delete a host.

Parameters:	a_fqdn (str) – Host name o_continue (bool) – Continuous mode: Don’t stop on errors. o_updatedns (bool) – Remove A, AAAA, SSHFP and PTR records of the host(s) managed by IPA DNS

host_disable(a_fqdn)¶

Disable the Kerberos key, SSL certificate and all services of a host.

Parameters:	a_fqdn (str) – Host name

host_disallow_create_keytab(a_fqdn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None)¶

Disallow users, groups, hosts or host groups to create a keytab of this host.

Parameters:

a_fqdn (str) – Host name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to remove
o_group (str) – groups to remove
o_host (str) – hosts to remove
o_hostgroup (str) – host groups to remove

host_disallow_retrieve_keytab(a_fqdn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None)¶

Disallow users, groups, hosts or host groups to retrieve a keytab of this host.

Parameters:

a_fqdn (str) – Host name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to remove
o_group (str) – groups to remove
o_host (str) – hosts to remove
o_hostgroup (str) – host groups to remove

host_find(a_criteria=None, o_fqdn=None, o_description=None, o_l=None, o_nshostlocation=None, o_nshardwareplatform=None, o_nsosversion=None, o_usercertificate=None, o_macaddress=None, o_userclass=None, o_ipaassignedidview=None, o_krbprincipalauthind=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, o_in_hostgroup=None, o_not_in_hostgroup=None, o_in_netgroup=None, o_not_in_netgroup=None, o_in_role=None, o_not_in_role=None, o_in_hbacrule=None, o_not_in_hbacrule=None, o_in_sudorule=None, o_not_in_sudorule=None, o_enroll_by_user=None, o_not_enroll_by_user=None, o_man_by_host=None, o_not_man_by_host=None, o_man_host=None, o_not_man_host=None)¶

Search for hosts.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_fqdn (str) – Host name
o_description (str) – A description of this host
o_l (str) – Host locality (e.g. “Baltimore, MD”)
o_nshostlocation (str) – Host location (e.g. “Lab 2”)
o_nshardwareplatform (str) – Host hardware platform (e.g. “Lenovo T61”)
o_nsosversion (str) – Host operating system and version (e.g. “Fedora 9”)
o_usercertificate (Certificate) – Base-64 encoded host certificate
o_macaddress (str) – Hardware MAC address(es) on this host
o_userclass (str) – Host category (semantics placed on this attribute are for local interpretation)
o_ipaassignedidview (str) – Assigned ID View
o_krbprincipalauthind (list of str, valid values ['radius', 'otp', 'pkinit', 'hardened']) – Defines a whitelist for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute- force hardened password authentication by SPAKE or FAST. With no indicator specified, all authentication mechanisms are allowed.
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“hostname”)
o_in_hostgroup (str) – Search for hosts with these member of host groups.
o_not_in_hostgroup (str) – Search for hosts without these member of host groups.
o_in_netgroup (str) – Search for hosts with these member of netgroups.
o_not_in_netgroup (str) – Search for hosts without these member of netgroups.
o_in_role (str) – Search for hosts with these member of roles.
o_not_in_role (str) – Search for hosts without these member of roles.
o_in_hbacrule (str) – Search for hosts with these member of HBAC rules.
o_not_in_hbacrule (str) – Search for hosts without these member of HBAC rules.
o_in_sudorule (str) – Search for hosts with these member of sudo rules.
o_not_in_sudorule (str) – Search for hosts without these member of sudo rules.
o_enroll_by_user (str) – Search for hosts with these enrolled by users.
o_not_enroll_by_user (str) – Search for hosts without these enrolled by users.
o_man_by_host (str) – Search for hosts with these managed by hosts.
o_not_man_by_host (str) – Search for hosts without these managed by hosts.
o_man_host (str) – Search for hosts with these managing hosts.
o_not_man_host (str) – Search for hosts without these managing hosts.

host_mod(a_fqdn, o_description=None, o_l=None, o_nshostlocation=None, o_nshardwareplatform=None, o_nsosversion=None, o_userpassword=None, o_random=False, o_usercertificate=None, o_krbprincipalname=None, o_macaddress=None, o_ipasshpubkey=None, o_userclass=None, o_ipaassignedidview=None, o_krbprincipalauthind=None, o_ipakrbrequirespreauth=None, o_ipakrbokasdelegate=None, o_ipakrboktoauthasdelegate=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_updatedns=False, o_all=True, o_raw=False, o_no_members=False)¶

Modify information about a host.

Parameters:

a_fqdn (str) – Host name
o_description (str) – A description of this host
o_l (str) – Host locality (e.g. “Baltimore, MD”)
o_nshostlocation (str) – Host location (e.g. “Lab 2”)
o_nshardwareplatform (str) – Host hardware platform (e.g. “Lenovo T61”)
o_nsosversion (str) – Host operating system and version (e.g. “Fedora 9”)
o_userpassword (HostPassword) – Password used in bulk enrollment
o_random (bool) – Generate a random password to be used in bulk enrollment
o_usercertificate (Certificate) – Base-64 encoded host certificate
o_krbprincipalname (Principal) – Principal alias
o_macaddress (str) – Hardware MAC address(es) on this host
o_ipasshpubkey (str) – SSH public key
o_userclass (str) – Host category (semantics placed on this attribute are for local interpretation)
o_ipaassignedidview (str) – Assigned ID View
o_krbprincipalauthind (list of str, valid values ['radius', 'otp', 'pkinit', 'hardened']) – Defines a whitelist for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute- force hardened password authentication by SPAKE or FAST. With no indicator specified, all authentication mechanisms are allowed.
o_ipakrbrequirespreauth (Bool) – Pre-authentication is required for the service
o_ipakrbokasdelegate (Bool) – Client credentials may be delegated to the service
o_ipakrboktoauthasdelegate (Bool) – The service is allowed to authenticate on behalf of a client
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_updatedns (bool) – Update DNS entries
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

host_remove_cert(a_fqdn, o_usercertificate, o_all=True, o_raw=False, o_no_members=False)¶

Remove certificates from host entry

Parameters:	a_fqdn (str) – Host name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_usercertificate (Certificate) – Base-64 encoded host certificate

host_remove_managedby(a_fqdn, o_all=True, o_raw=False, o_no_members=False, o_host=None)¶

Remove hosts that can manage this host.

Parameters:	a_fqdn (str) – Host name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_host (str) – hosts to remove

host_remove_principal(a_fqdn, a_krbprincipalname, o_all=True, o_raw=False, o_no_members=False)¶

Remove principal alias from a host entry

Parameters:	a_fqdn (str) – Host name a_krbprincipalname (Principal) – Principal alias o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes.

host_show(a_fqdn, o_rights=False, o_out=None, o_all=True, o_raw=False, o_no_members=False)¶

Display information about a host.

Parameters:

a_fqdn (str) – Host name
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_out (str) – file to store certificate in
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

hostgroup_add(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False)¶

Add a new hostgroup.

Parameters:

a_cn (str) – Name of host-group
o_description (str) – A description of this host-group
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

hostgroup_add_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None)¶

Add members to a hostgroup.

Parameters:	a_cn (str) – Name of host-group o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_host (str) – hosts to add o_hostgroup (str) – host groups to add

hostgroup_add_member_manager(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None)¶

Add users that can manage members of this hostgroup.

Parameters:	a_cn (str) – Name of host-group o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to add o_group (str) – groups to add

hostgroup_del(a_cn, o_continue=False)¶

Delete a hostgroup.

Parameters:	a_cn (str) – Name of host-group o_continue (bool) – Continuous mode: Don’t stop on errors.

hostgroup_find(a_criteria=None, o_cn=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, o_host=None, o_no_host=None, o_hostgroup=None, o_no_hostgroup=None, o_in_hostgroup=None, o_not_in_hostgroup=None, o_in_netgroup=None, o_not_in_netgroup=None, o_in_hbacrule=None, o_not_in_hbacrule=None, o_in_sudorule=None, o_not_in_sudorule=None, o_membermanager_user=None, o_not_membermanager_user=None, o_membermanager_group=None, o_not_membermanager_group=None)¶

Search for hostgroups.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Name of host-group
o_description (str) – A description of this host-group
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“hostgroup-name”)
o_host (str) – Search for host groups with these member hosts.
o_no_host (str) – Search for host groups without these member hosts.
o_hostgroup (str) – Search for host groups with these member host groups.
o_no_hostgroup (str) – Search for host groups without these member host groups.
o_in_hostgroup (str) – Search for host groups with these member of host groups.
o_not_in_hostgroup (str) – Search for host groups without these member of host groups.
o_in_netgroup (str) – Search for host groups with these member of netgroups.
o_not_in_netgroup (str) – Search for host groups without these member of netgroups.
o_in_hbacrule (str) – Search for host groups with these member of HBAC rules.
o_not_in_hbacrule (str) – Search for host groups without these member of HBAC rules.
o_in_sudorule (str) – Search for host groups with these member of sudo rules.
o_not_in_sudorule (str) – Search for host groups without these member of sudo rules.
o_membermanager_user (str) – Search for host groups with these group membership managed by users.
o_not_membermanager_user (str) – Search for host groups without these group membership managed by users.
o_membermanager_group (str) – Search for host groups with these group membership managed by groups.
o_not_membermanager_group (str) – Search for host groups without these group membership managed by groups.

hostgroup_mod(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Modify a hostgroup.

Parameters:

a_cn (str) – Name of host-group
o_description (str) – A description of this host-group
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

hostgroup_remove_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None)¶

Remove members from a hostgroup.

Parameters:	a_cn (str) – Name of host-group o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_host (str) – hosts to remove o_hostgroup (str) – host groups to remove

hostgroup_remove_member_manager(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None)¶

Remove users that can manage members of this hostgroup.

Parameters:	a_cn (str) – Name of host-group o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to remove o_group (str) – groups to remove

hostgroup_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display information about a hostgroup.

Parameters:

a_cn (str) – Name of host-group
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

i18n_messages()¶: Internationalization messages

idoverridegroup_add(a_idviewcn, a_ipaanchoruuid, o_description=None, o_cn=None, o_gidnumber=None, o_setattr=None, o_addattr=None, o_fallback_to_ldap=False, o_all=True, o_raw=False)¶

Add a new Group ID override.

Parameters:

a_idviewcn (str) – ID View Name
a_ipaanchoruuid (str) – Anchor to override
o_description (str) – Description
o_cn (str) – Group name
o_gidnumber (int, min value 1, max value 2147483647) – Group ID Number
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_fallback_to_ldap (bool) – Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

idoverridegroup_del(a_idviewcn, a_ipaanchoruuid, o_continue=False, o_fallback_to_ldap=False)¶

Delete an Group ID override.

Parameters:	a_idviewcn (str) – ID View Name a_ipaanchoruuid (str) – Anchor to override o_continue (bool) – Continuous mode: Don’t stop on errors. o_fallback_to_ldap (bool) – Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.

idoverridegroup_find(a_idviewcn, a_criteria=None, o_ipaanchoruuid=None, o_description=None, o_cn=None, o_gidnumber=None, o_timelimit=None, o_sizelimit=None, o_fallback_to_ldap=False, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for an Group ID override.

Parameters:

a_idviewcn (str) – ID View Name
a_criteria (str) – A string searched in all relevant object attributes
o_ipaanchoruuid (str) – Anchor to override
o_description (str) – Description
o_cn (str) – Group name
o_gidnumber (int, min value 1, max value 2147483647) – Group ID Number
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_fallback_to_ldap (bool) – Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“anchor”)

idoverridegroup_mod(a_idviewcn, a_ipaanchoruuid, o_description=None, o_cn=None, o_gidnumber=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_fallback_to_ldap=False, o_all=True, o_raw=False, o_rename=None)¶

Modify an Group ID override.

Parameters:

a_idviewcn (str) – ID View Name
a_ipaanchoruuid (str) – Anchor to override
o_description (str) – Description
o_cn (str) – Group name
o_gidnumber (int, min value 1, max value 2147483647) – Group ID Number
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_fallback_to_ldap (bool) – Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_rename (str) – Rename the Group ID override object

idoverridegroup_show(a_idviewcn, a_ipaanchoruuid, o_rights=False, o_fallback_to_ldap=False, o_all=True, o_raw=False)¶

Display information about an Group ID override.

Parameters:

a_idviewcn (str) – ID View Name
a_ipaanchoruuid (str) – Anchor to override
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_fallback_to_ldap (bool) – Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

idoverrideuser_add(a_idviewcn, a_ipaanchoruuid, o_description=None, o_uid=None, o_uidnumber=None, o_gecos=None, o_gidnumber=None, o_homedirectory=None, o_loginshell=None, o_ipaoriginaluid=None, o_ipasshpubkey=None, o_usercertificate=None, o_setattr=None, o_addattr=None, o_fallback_to_ldap=False, o_all=True, o_raw=False)¶

Add a new User ID override.

Parameters:

a_idviewcn (str) – ID View Name
a_ipaanchoruuid (str) – Anchor to override
o_description (str) – Description
o_uid (str) – User login
o_uidnumber (int, min value 1, max value 2147483647) – User ID Number
o_gecos (str) – GECOS
o_gidnumber (int, min value 1, max value 2147483647) – Group ID Number
o_homedirectory (str) – Home directory
o_loginshell (str) – Login shell
o_ipaoriginaluid (str) – <ipaoriginaluid>
o_ipasshpubkey (str) – SSH public key
o_usercertificate (Certificate) – Base-64 encoded user certificate
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_fallback_to_ldap (bool) – Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

idoverrideuser_add_cert(a_idviewcn, a_ipaanchoruuid, o_usercertificate, o_fallback_to_ldap=False, o_all=True, o_raw=False)¶

Add one or more certificates to the idoverrideuser entry

Parameters:

a_idviewcn (str) – ID View Name
a_ipaanchoruuid (str) – Anchor to override
o_fallback_to_ldap (bool) – Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_usercertificate (Certificate) – Base-64 encoded user certificate

idoverrideuser_del(a_idviewcn, a_ipaanchoruuid, o_continue=False, o_fallback_to_ldap=False)¶

Delete an User ID override.

Parameters:	a_idviewcn (str) – ID View Name a_ipaanchoruuid (str) – Anchor to override o_continue (bool) – Continuous mode: Don’t stop on errors. o_fallback_to_ldap (bool) – Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.

idoverrideuser_find(a_idviewcn, a_criteria=None, o_ipaanchoruuid=None, o_description=None, o_uid=None, o_uidnumber=None, o_gecos=None, o_gidnumber=None, o_homedirectory=None, o_loginshell=None, o_ipaoriginaluid=None, o_timelimit=None, o_sizelimit=None, o_fallback_to_ldap=False, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for an User ID override.

Parameters:

a_idviewcn (str) – ID View Name
a_criteria (str) – A string searched in all relevant object attributes
o_ipaanchoruuid (str) – Anchor to override
o_description (str) – Description
o_uid (str) – User login
o_uidnumber (int, min value 1, max value 2147483647) – User ID Number
o_gecos (str) – GECOS
o_gidnumber (int, min value 1, max value 2147483647) – Group ID Number
o_homedirectory (str) – Home directory
o_loginshell (str) – Login shell
o_ipaoriginaluid (str) – <ipaoriginaluid>
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_fallback_to_ldap (bool) – Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“anchor”)

idoverrideuser_mod(a_idviewcn, a_ipaanchoruuid, o_description=None, o_uid=None, o_uidnumber=None, o_gecos=None, o_gidnumber=None, o_homedirectory=None, o_loginshell=None, o_ipaoriginaluid=None, o_ipasshpubkey=None, o_usercertificate=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_fallback_to_ldap=False, o_all=True, o_raw=False, o_rename=None)¶

Modify an User ID override.

Parameters:

a_idviewcn (str) – ID View Name
a_ipaanchoruuid (str) – Anchor to override
o_description (str) – Description
o_uid (str) – User login
o_uidnumber (int, min value 1, max value 2147483647) – User ID Number
o_gecos (str) – GECOS
o_gidnumber (int, min value 1, max value 2147483647) – Group ID Number
o_homedirectory (str) – Home directory
o_loginshell (str) – Login shell
o_ipaoriginaluid (str) – <ipaoriginaluid>
o_ipasshpubkey (str) – SSH public key
o_usercertificate (Certificate) – Base-64 encoded user certificate
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_fallback_to_ldap (bool) – Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_rename (str) – Rename the User ID override object

idoverrideuser_remove_cert(a_idviewcn, a_ipaanchoruuid, o_usercertificate, o_fallback_to_ldap=False, o_all=True, o_raw=False)¶

Remove one or more certificates to the idoverrideuser entry

Parameters:

a_idviewcn (str) – ID View Name
a_ipaanchoruuid (str) – Anchor to override
o_fallback_to_ldap (bool) – Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_usercertificate (Certificate) – Base-64 encoded user certificate

idoverrideuser_show(a_idviewcn, a_ipaanchoruuid, o_rights=False, o_fallback_to_ldap=False, o_all=True, o_raw=False)¶

Display information about an User ID override.

Parameters:

a_idviewcn (str) – ID View Name
a_ipaanchoruuid (str) – Anchor to override
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_fallback_to_ldap (bool) – Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

idrange_add(a_cn, o_ipabaseid, o_ipaidrangesize, o_ipabaserid=None, o_ipasecondarybaserid=None, o_ipanttrusteddomainsid=None, o_ipanttrusteddomainname=None, o_iparangetype=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False)¶

Add new ID range.

To add a new ID range you always have to specify

–base-id –range-size

Additionally

–rid-base –secondary-rid-base

may be given for a new ID range for the local domain while

–rid-base –dom-sid

must be given to add a new range for a trusted AD domain.

WARNING:

DNA plugin in 389-ds will allocate IDs based on the ranges configured for the local domain. Currently the DNA plugin cannot be reconfigured itself based on the local ranges set via this family of commands.

Manual configuration change has to be done in the DNA plugin configuration for the new local range. Specifically, The dnaNextRange attribute of ‘cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config’ has to be modified to match the new range. =======

Parameters:

a_cn (str) – Range name
o_ipabaseid (int, min value -2147483648, max value 2147483647) – First Posix ID of the range
o_ipaidrangesize (int, min value -2147483648, max value 2147483647) – Number of IDs in the range
o_ipabaserid (int, min value -2147483648, max value 2147483647) – First RID of the corresponding RID range
o_ipasecondarybaserid (int, min value -2147483648, max value 2147483647) – First RID of the secondary RID range
o_ipanttrusteddomainsid (str) – Domain SID of the trusted domain
o_ipanttrusteddomainname (str) – Name of the trusted domain
o_iparangetype (str, valid values ['ipa-ad-trust', 'ipa-ad-trust-posix', 'ipa-local']) – ID range type, one of allowed values
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

idrange_del(a_cn, o_continue=False)¶

Delete an ID range.

Parameters:	a_cn (str) – Range name o_continue (bool) – Continuous mode: Don’t stop on errors.

idrange_find(a_criteria=None, o_cn=None, o_ipabaseid=None, o_ipaidrangesize=None, o_ipabaserid=None, o_ipasecondarybaserid=None, o_ipanttrusteddomainsid=None, o_iparangetype=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for ranges.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Range name
o_ipabaseid (int, min value -2147483648, max value 2147483647) – First Posix ID of the range
o_ipaidrangesize (int, min value -2147483648, max value 2147483647) – Number of IDs in the range
o_ipabaserid (int, min value -2147483648, max value 2147483647) – First RID of the corresponding RID range
o_ipasecondarybaserid (int, min value -2147483648, max value 2147483647) – First RID of the secondary RID range
o_ipanttrusteddomainsid (str) – Domain SID of the trusted domain
o_iparangetype (str, valid values ['ipa-ad-trust', 'ipa-ad-trust-posix', 'ipa-local']) – ID range type, one of allowed values
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

idrange_mod(a_cn, o_ipabaseid=None, o_ipaidrangesize=None, o_ipabaserid=None, o_ipasecondarybaserid=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_ipanttrusteddomainsid=None, o_ipanttrusteddomainname=None, o_all=True, o_raw=False)¶

Modify ID range.

WARNING:

DNA plugin in 389-ds will allocate IDs based on the ranges configured for the local domain. Currently the DNA plugin cannot be reconfigured itself based on the local ranges set via this family of commands.

Manual configuration change has to be done in the DNA plugin configuration for the new local range. Specifically, The dnaNextRange attribute of ‘cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config’ has to be modified to match the new range. =======

Parameters:

a_cn (str) – Range name
o_ipabaseid (int, min value -2147483648, max value 2147483647) – First Posix ID of the range
o_ipaidrangesize (int, min value -2147483648, max value 2147483647) – Number of IDs in the range
o_ipabaserid (int, min value -2147483648, max value 2147483647) – First RID of the corresponding RID range
o_ipasecondarybaserid (int, min value -2147483648, max value 2147483647) – First RID of the secondary RID range
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_ipanttrusteddomainsid (str) – Domain SID of the trusted domain
o_ipanttrusteddomainname (str) – Name of the trusted domain
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

idrange_show(a_cn, o_rights=False, o_all=True, o_raw=False)¶

Display information about a range.

Parameters:	a_cn (str) – Range name o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

idview_add(a_cn, o_description=None, o_ipadomainresolutionorder=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False)¶

Add a new ID View.

Parameters:

a_cn (str) – ID View Name
o_description (str) – Description
o_ipadomainresolutionorder (str) – colon-separated list of domains used for short name qualification
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

idview_apply(a_cn, o_host=None, o_hostgroup=None)¶

Applies ID View to specified hosts or current members of specified hostgroups. If any other ID View is applied to the host, it is overridden.

Parameters:	a_cn (str) – ID View Name o_host (str) – Hosts to apply the ID View to o_hostgroup (str) – Hostgroups to whose hosts apply the ID View to. Please note that view is not applied automatically to any hosts added to the hostgroup after running the idview-apply command.

idview_del(a_cn, o_continue=False)¶

Delete an ID View.

Parameters:	a_cn (str) – ID View Name o_continue (bool) – Continuous mode: Don’t stop on errors.

idview_find(a_criteria=None, o_cn=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for an ID View.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – ID View Name
o_description (str) – Description
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

idview_mod(a_cn, o_description=None, o_ipadomainresolutionorder=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_rename=None)¶

Modify an ID View.

Parameters:

a_cn (str) – ID View Name
o_description (str) – Description
o_ipadomainresolutionorder (str) – colon-separated list of domains used for short name qualification
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_rename (str) – Rename the ID View object

idview_show(a_cn, o_rights=False, o_show_hosts=False, o_all=True, o_raw=False)¶

Display information about an ID View.

Parameters:

a_cn (str) – ID View Name
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_show_hosts (bool) – Enumerate all the hosts the view applies to.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

idview_unapply(o_host=None, o_hostgroup=None)¶

Clears ID View from specified hosts or current members of specified hostgroups.

Parameters:	o_host (str) – Hosts to clear (any) ID View from. o_hostgroup (str) – Hostgroups whose hosts should have ID Views cleared. Note that view is not cleared automatically from any host added to the hostgroup after running idview-unapply command.

join(a_cn, o_realm, o_nshardwareplatform=None, o_nsosversion=None)¶

Join an IPA domain

Parameters:	a_cn (str) – The hostname to register as o_realm (str) – The IPA realm o_nshardwareplatform (str) – Hardware platform of the host (e.g. Lenovo T61) o_nsosversion (str) – Operating System and version of the host (e.g. Fedora 9)

json_metadata(a_objname=None, a_methodname=None, o_object=None, o_method=None, o_command=None)¶

Export plugin meta-data for the webUI.

Parameters:	a_objname (str) – Name of object to export a_methodname (str) – Name of method to export o_object (str) – Name of object to export o_method (str) – Name of method to export o_command (str) – Name of command to export

kra_is_enabled()¶: Checks if any of the servers has the KRA service enabled

krbtpolicy_mod(a_uid=None, o_krbmaxticketlife=None, o_krbmaxrenewableage=None, o_krbauthindmaxticketlife_otp=None, o_krbauthindmaxrenewableage_otp=None, o_krbauthindmaxticketlife_radius=None, o_krbauthindmaxrenewableage_radius=None, o_krbauthindmaxticketlife_pkinit=None, o_krbauthindmaxrenewableage_pkinit=None, o_krbauthindmaxticketlife_hardened=None, o_krbauthindmaxrenewableage_hardened=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False)¶

Modify Kerberos ticket policy.

Parameters:

a_uid (str) – Manage ticket policy for specific user
o_krbmaxticketlife (int, min value 1, max value 2147483647) – Maximum ticket life (seconds)
o_krbmaxrenewableage (int, min value 1, max value 2147483647) – Maximum renewable age (seconds)
o_krbauthindmaxticketlife_otp (int, min value 1, max value 2147483647) – OTP token maximum ticket life (seconds)
o_krbauthindmaxrenewableage_otp (int, min value 1, max value 2147483647) – OTP token ticket maximum renewable age (seconds)
o_krbauthindmaxticketlife_radius (int, min value 1, max value 2147483647) – RADIUS maximum ticket life (seconds)
o_krbauthindmaxrenewableage_radius (int, min value 1, max value 2147483647) – RADIUS ticket maximum renewable age (seconds)
o_krbauthindmaxticketlife_pkinit (int, min value 1, max value 2147483647) – PKINIT maximum ticket life (seconds)
o_krbauthindmaxrenewableage_pkinit (int, min value 1, max value 2147483647) – PKINIT ticket maximum renewable age (seconds)
o_krbauthindmaxticketlife_hardened (int, min value 1, max value 2147483647) – Hardened ticket maximum ticket life (seconds)
o_krbauthindmaxrenewableage_hardened (int, min value 1, max value 2147483647) – Hardened ticket maximum renewable age (seconds)
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

krbtpolicy_reset(a_uid=None, o_all=True, o_raw=False)¶

Reset Kerberos ticket policy to the default values.

Parameters:	a_uid (str) – Manage ticket policy for specific user o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

krbtpolicy_show(a_uid=None, o_rights=False, o_all=True, o_raw=False)¶

Display the current Kerberos ticket policy.

Parameters:	a_uid (str) – Manage ticket policy for specific user o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

location_add(a_idnsname, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False)¶

Add a new IPA location.

Parameters:

a_idnsname (DNSNameParam) – IPA location name
o_description (str) – IPA Location description
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

location_del(a_idnsname, o_continue=False)¶

Delete an IPA location.

Parameters:	a_idnsname (DNSNameParam) – IPA location name o_continue (bool) – Continuous mode: Don’t stop on errors.

location_find(a_criteria=None, o_idnsname=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for IPA locations.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_idnsname (DNSNameParam) – IPA location name
o_description (str) – IPA Location description
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

location_mod(a_idnsname, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False)¶

Modify information about an IPA location.

Parameters:

a_idnsname (DNSNameParam) – IPA location name
o_description (str) – IPA Location description
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

location_show(a_idnsname, o_rights=False, o_all=True, o_raw=False)¶

Display information about an IPA location.

Parameters:	a_idnsname (DNSNameParam) – IPA location name o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

migrate_ds(a_ldapuri, a_bindpw, o_binddn='cn=directory manager', o_usercontainer='ou=people', o_groupcontainer='ou=groups', o_userobjectclass=None, o_groupobjectclass=None, o_userignoreobjectclass=None, o_userignoreattribute=None, o_groupignoreobjectclass=None, o_groupignoreattribute=None, o_groupoverwritegid=False, o_schema='RFC2307bis', o_continue=False, o_basedn=None, o_compat=False, o_cacertfile=None, o_use_def_group=True, o_scope='onelevel', o_exclude_users=None, o_exclude_groups=None)¶

Migrate users and groups from DS to IPA.

Parameters:

a_ldapuri (str) – LDAP URI of DS server to migrate from
a_bindpw (Password) – bind password
o_binddn (DNParam) – Bind DN
o_usercontainer (DNParam) – DN of container for users in DS relative to base DN
o_groupcontainer (DNParam) – DN of container for groups in DS relative to base DN
o_userobjectclass (str) – Objectclasses used to search for user entries in DS
o_groupobjectclass (str) – Objectclasses used to search for group entries in DS
o_userignoreobjectclass (str) – Objectclasses to be ignored for user entries in DS
o_userignoreattribute (str) – Attributes to be ignored for user entries in DS
o_groupignoreobjectclass (str) – Objectclasses to be ignored for group entries in DS
o_groupignoreattribute (str) – Attributes to be ignored for group entries in DS
o_groupoverwritegid (bool) – When migrating a group already existing in IPA domain overwrite the group GID and report as success
o_schema (str, valid values ['RFC2307bis', 'RFC2307']) – The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis
o_continue (bool) – Continuous operation mode. Errors are reported but the process continues
o_basedn (DNParam) – Base DN on remote LDAP server
o_compat (bool) – Allows migration despite the usage of compat plugin
o_cacertfile (str) – Load CA certificate of LDAP server from FILE
o_use_def_group (Bool) – Add migrated users without a group to a default group (default: true)
o_scope (str, valid values ['base', 'onelevel', 'subtree']) – LDAP search scope for users and groups: base, onelevel, or subtree. Defaults to onelevel
o_exclude_users (str) – users to exclude from migration
o_exclude_groups (str) – groups to exclude from migration

netgroup_add(a_cn, o_description=None, o_nisdomainname=None, o_usercategory=None, o_hostcategory=None, o_externalhost=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False)¶

Add a new netgroup.

Parameters:

a_cn (str) – Netgroup name
o_description (str) – Netgroup description
o_nisdomainname (str) – NIS domain name
o_usercategory (str, valid values ['all']) – User category the rule applies to
o_hostcategory (str, valid values ['all']) – Host category the rule applies to
o_externalhost (str) – External host
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

netgroup_add_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, o_netgroup=None)¶

Add members to a netgroup.

Parameters:

a_cn (str) – Netgroup name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to add
o_group (str) – groups to add
o_host (str) – hosts to add
o_hostgroup (str) – host groups to add
o_netgroup (str) – netgroups to add

netgroup_del(a_cn, o_continue=False)¶

Delete a netgroup.

Parameters:	a_cn (str) – Netgroup name o_continue (bool) – Continuous mode: Don’t stop on errors.

netgroup_find(a_criteria=None, o_cn=None, o_description=None, o_nisdomainname=None, o_ipauniqueid=None, o_usercategory=None, o_hostcategory=None, o_externalhost=None, o_timelimit=None, o_sizelimit=None, o_private=False, o_managed=False, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, o_netgroup=None, o_no_netgroup=None, o_user=None, o_no_user=None, o_group=None, o_no_group=None, o_host=None, o_no_host=None, o_hostgroup=None, o_no_hostgroup=None, o_in_netgroup=None, o_not_in_netgroup=None)¶

Search for a netgroup.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Netgroup name
o_description (str) – Netgroup description
o_nisdomainname (str) – NIS domain name
o_ipauniqueid (str) – IPA unique ID
o_usercategory (str, valid values ['all']) – User category the rule applies to
o_hostcategory (str, valid values ['all']) – Host category the rule applies to
o_externalhost (str) – External host
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_private (bool) – <private>
o_managed (bool) – search for managed groups
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)
o_netgroup (str) – Search for netgroups with these member netgroups.
o_no_netgroup (str) – Search for netgroups without these member netgroups.
o_user (str) – Search for netgroups with these member users.
o_no_user (str) – Search for netgroups without these member users.
o_group (str) – Search for netgroups with these member groups.
o_no_group (str) – Search for netgroups without these member groups.
o_host (str) – Search for netgroups with these member hosts.
o_no_host (str) – Search for netgroups without these member hosts.
o_hostgroup (str) – Search for netgroups with these member host groups.
o_no_hostgroup (str) – Search for netgroups without these member host groups.
o_in_netgroup (str) – Search for netgroups with these member of netgroups.
o_not_in_netgroup (str) – Search for netgroups without these member of netgroups.

netgroup_mod(a_cn, o_description=None, o_nisdomainname=None, o_usercategory=None, o_hostcategory=None, o_externalhost=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Modify a netgroup.

Parameters:

a_cn (str) – Netgroup name
o_description (str) – Netgroup description
o_nisdomainname (str) – NIS domain name
o_usercategory (str, valid values ['all']) – User category the rule applies to
o_hostcategory (str, valid values ['all']) – Host category the rule applies to
o_externalhost (str) – External host
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

netgroup_remove_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, o_netgroup=None)¶

Remove members from a netgroup.

Parameters:

a_cn (str) – Netgroup name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to remove
o_group (str) – groups to remove
o_host (str) – hosts to remove
o_hostgroup (str) – host groups to remove
o_netgroup (str) – netgroups to remove

netgroup_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display information about a netgroup.

Parameters:

a_cn (str) – Netgroup name
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

otpconfig_mod(o_ipatokentotpauthwindow=None, o_ipatokentotpsyncwindow=None, o_ipatokenhotpauthwindow=None, o_ipatokenhotpsyncwindow=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False)¶

Modify OTP configuration options.

Parameters:

o_ipatokentotpauthwindow (int, min value 5, max value 2147483647) – TOTP authentication time variance (seconds)
o_ipatokentotpsyncwindow (int, min value 5, max value 2147483647) – TOTP synchronization time variance (seconds)
o_ipatokenhotpauthwindow (int, min value 1, max value 2147483647) – HOTP authentication skip-ahead
o_ipatokenhotpsyncwindow (int, min value 1, max value 2147483647) – HOTP synchronization skip-ahead
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

otpconfig_show(o_rights=False, o_all=True, o_raw=False)¶

Show the current OTP configuration.

Parameters:	o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

otptoken_add(a_ipatokenuniqueid=None, o_type='totp', o_description=None, o_ipatokenowner=None, o_ipatokendisabled=None, o_ipatokennotbefore=None, o_ipatokennotafter=None, o_ipatokenvendor=None, o_ipatokenmodel=None, o_ipatokenserial=None, o_ipatokenotpkey=None, o_ipatokenotpalgorithm='sha1', o_ipatokenotpdigits=6, o_ipatokentotpclockoffset=0, o_ipatokentotptimestep=30, o_ipatokenhotpcounter=0, o_setattr=None, o_addattr=None, o_qrcode=False, o_no_qrcode=False, o_all=True, o_raw=False, o_no_members=False)¶

Add a new OTP token.

Parameters:

a_ipatokenuniqueid (str) – Unique ID
o_type (str, valid values ['totp', 'hotp', 'TOTP', 'HOTP']) – Type of the token
o_description (str) – Token description (informational only)
o_ipatokenowner (str) – Assigned user of the token (default: self)
o_ipatokendisabled (Bool) – Mark the token as disabled (default: false)
o_ipatokennotbefore (DateTime) – First date/time the token can be used
o_ipatokennotafter (DateTime) – Last date/time the token can be used
o_ipatokenvendor (str) – Token vendor name (informational only)
o_ipatokenmodel (str) – Token model (informational only)
o_ipatokenserial (str) – Token serial (informational only)
o_ipatokenotpkey (OTPTokenKey) – Token secret (Base32; default: random)
o_ipatokenotpalgorithm (str, valid values ['sha1', 'sha256', 'sha384', 'sha512']) – Token hash algorithm
o_ipatokenotpdigits (int, valid values ['6', '8']) – Number of digits each token code will have
o_ipatokentotpclockoffset (int, min value -2147483648, max value 2147483647) – TOTP token / FreeIPA server time difference
o_ipatokentotptimestep (int, min value 5, max value 2147483647) – Length of TOTP token code validity
o_ipatokenhotpcounter (int, min value 0, max value 2147483647) – Initial counter for the HOTP token
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_qrcode (bool) – (deprecated)
o_no_qrcode (bool) – Do not display QR code
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

otptoken_add_managedby(a_ipatokenuniqueid, o_all=True, o_raw=False, o_no_members=False, o_user=None)¶

Add users that can manage this token.

Parameters:	a_ipatokenuniqueid (str) – Unique ID o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to add

otptoken_del(a_ipatokenuniqueid, o_continue=False)¶

Delete an OTP token.

Parameters:	a_ipatokenuniqueid (str) – Unique ID o_continue (bool) – Continuous mode: Don’t stop on errors.

otptoken_find(a_criteria=None, o_ipatokenuniqueid=None, o_type='totp', o_description=None, o_ipatokenowner=None, o_ipatokendisabled=None, o_ipatokennotbefore=None, o_ipatokennotafter=None, o_ipatokenvendor=None, o_ipatokenmodel=None, o_ipatokenserial=None, o_ipatokenotpalgorithm='sha1', o_ipatokenotpdigits=6, o_ipatokentotpclockoffset=0, o_ipatokentotptimestep=30, o_ipatokenhotpcounter=0, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False)¶

Search for OTP token.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_ipatokenuniqueid (str) – Unique ID
o_type (str, valid values ['totp', 'hotp', 'TOTP', 'HOTP']) – Type of the token
o_description (str) – Token description (informational only)
o_ipatokenowner (str) – Assigned user of the token (default: self)
o_ipatokendisabled (Bool) – Mark the token as disabled (default: false)
o_ipatokennotbefore (DateTime) – First date/time the token can be used
o_ipatokennotafter (DateTime) – Last date/time the token can be used
o_ipatokenvendor (str) – Token vendor name (informational only)
o_ipatokenmodel (str) – Token model (informational only)
o_ipatokenserial (str) – Token serial (informational only)
o_ipatokenotpalgorithm (str, valid values ['sha1', 'sha256', 'sha384', 'sha512']) – Token hash algorithm
o_ipatokenotpdigits (int, valid values ['6', '8']) – Number of digits each token code will have
o_ipatokentotpclockoffset (int, min value -2147483648, max value 2147483647) – TOTP token / FreeIPA server time difference
o_ipatokentotptimestep (int, min value 5, max value 2147483647) – Length of TOTP token code validity
o_ipatokenhotpcounter (int, min value 0, max value 2147483647) – Initial counter for the HOTP token
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“id”)

otptoken_mod(a_ipatokenuniqueid, o_description=None, o_ipatokenowner=None, o_ipatokendisabled=None, o_ipatokennotbefore=None, o_ipatokennotafter=None, o_ipatokenvendor=None, o_ipatokenmodel=None, o_ipatokenserial=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None)¶

Modify a OTP token.

Parameters:

a_ipatokenuniqueid (str) – Unique ID
o_description (str) – Token description (informational only)
o_ipatokenowner (str) – Assigned user of the token (default: self)
o_ipatokendisabled (Bool) – Mark the token as disabled (default: false)
o_ipatokennotbefore (DateTime) – First date/time the token can be used
o_ipatokennotafter (DateTime) – Last date/time the token can be used
o_ipatokenvendor (str) – Token vendor name (informational only)
o_ipatokenmodel (str) – Token model (informational only)
o_ipatokenserial (str) – Token serial (informational only)
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_rename (str) – Rename the OTP token object

otptoken_remove_managedby(a_ipatokenuniqueid, o_all=True, o_raw=False, o_no_members=False, o_user=None)¶

Remove users that can manage this token.

Parameters:	a_ipatokenuniqueid (str) – Unique ID o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to remove

otptoken_show(a_ipatokenuniqueid, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display information about an OTP token.

Parameters:

a_ipatokenuniqueid (str) – Unique ID
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

output_find(a_commandfull_name, a_criteria=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for command outputs.

Parameters:

a_commandfull_name (str) – Full name
a_criteria (str) – A string searched in all relevant object attributes
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

output_show(a_commandfull_name, a_name, o_all=True, o_raw=False)¶

Display information about a command output.

Parameters:	a_commandfull_name (str) – Full name a_name (str) – Name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

param_find(a_metaobjectfull_name, a_criteria=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search command parameters.

Parameters:

a_metaobjectfull_name (str) – Full name
a_criteria (str) – A string searched in all relevant object attributes
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

param_show(a_metaobjectfull_name, a_name, o_all=True, o_raw=False)¶

Display information about a command parameter.

Parameters:	a_metaobjectfull_name (str) – Full name a_name (str) – Name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

passwd(a_principal, a_password, a_current_password, o_otp=None)¶

Set a user’s password.

Parameters:	a_principal (Principal) – User name a_password (Password) – New Password a_current_password (Password) – Current Password o_otp (Password) – One Time Password

permission_add(a_cn, o_ipapermright=None, o_attrs=None, o_ipapermbindruletype='permission', o_ipapermlocation=None, o_extratargetfilter=None, o_ipapermtargetfilter=None, o_ipapermtarget=None, o_ipapermtargetto=None, o_ipapermtargetfrom=None, o_memberof=None, o_targetgroup=None, o_type=None, o_permissions=None, o_filter=None, o_subtree=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False)¶

Add a new permission.

Parameters:

a_cn (str) – Permission name
o_ipapermright (list of str, valid values ['read', 'search', 'compare', 'write', 'add', 'delete', 'all']) – Rights to grant (read, search, compare, write, add, delete, all)
o_attrs (str) – All attributes to which the permission applies
o_ipapermbindruletype (str, valid values ['permission', 'all', 'anonymous']) – Bind rule type
o_ipapermlocation (DNOrURL) – Subtree to apply permissions to
o_extratargetfilter (str) – Extra target filter
o_ipapermtargetfilter (str) – All target filters, including those implied by type and memberof
o_ipapermtarget (DNParam) – Optional DN to apply the permission to (must be in the subtree, but may not yet exist)
o_ipapermtargetto (DNParam) – Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)
o_ipapermtargetfrom (DNParam) – Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)
o_memberof (str) – Target members of a group (sets memberOf targetfilter)
o_targetgroup (str) – User group to apply permissions to (sets target)
o_type (str) – Type of IPA object (sets subtree and objectClass targetfilter)
o_permissions (str) – Deprecated; use ipapermright
o_filter (str) – Deprecated; use extratargetfilter
o_subtree (str) – Deprecated; use ipapermlocation
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

permission_add_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_privilege=None)¶

Add members to a permission.

Parameters:	a_cn (str) – Permission name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_privilege (str) – privileges to add

permission_add_noaci(a_cn, o_ipapermissiontype, o_all=True, o_raw=False, o_no_members=False)¶

Add a system permission without an ACI (internal command)

Parameters:	a_cn (str) – Permission name o_ipapermissiontype (str) – Permission flags o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes.

permission_del(a_cn, o_continue=False, o_force=False)¶

Delete a permission.

Parameters:	a_cn (str) – Permission name o_continue (bool) – Continuous mode: Don’t stop on errors. o_force (bool) – force delete of SYSTEM permissions

permission_find(a_criteria=None, o_cn=None, o_ipapermright=None, o_attrs=None, o_ipapermincludedattr=None, o_ipapermexcludedattr=None, o_ipapermdefaultattr=None, o_ipapermbindruletype='permission', o_ipapermlocation=None, o_extratargetfilter=None, o_ipapermtargetfilter=None, o_ipapermtarget=None, o_ipapermtargetto=None, o_ipapermtargetfrom=None, o_memberof=None, o_targetgroup=None, o_type=None, o_permissions=None, o_filter=None, o_subtree=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False)¶

Search for permissions.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Permission name
o_ipapermright (list of str, valid values ['read', 'search', 'compare', 'write', 'add', 'delete', 'all']) – Rights to grant (read, search, compare, write, add, delete, all)
o_attrs (str) – All attributes to which the permission applies
o_ipapermincludedattr (str) – User-specified attributes to which the permission applies
o_ipapermexcludedattr (str) – User-specified attributes to which the permission explicitly does not apply
o_ipapermdefaultattr (str) – Attributes to which the permission applies by default
o_ipapermbindruletype (str, valid values ['permission', 'all', 'anonymous']) – Bind rule type
o_ipapermlocation (DNOrURL) – Subtree to apply permissions to
o_extratargetfilter (str) – Extra target filter
o_ipapermtargetfilter (str) – All target filters, including those implied by type and memberof
o_ipapermtarget (DNParam) – Optional DN to apply the permission to (must be in the subtree, but may not yet exist)
o_ipapermtargetto (DNParam) – Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)
o_ipapermtargetfrom (DNParam) – Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)
o_memberof (str) – Target members of a group (sets memberOf targetfilter)
o_targetgroup (str) – User group to apply permissions to (sets target)
o_type (str) – Type of IPA object (sets subtree and objectClass targetfilter)
o_permissions (str) – Deprecated; use ipapermright
o_filter (str) – Deprecated; use extratargetfilter
o_subtree (str) – Deprecated; use ipapermlocation
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

permission_mod(a_cn, o_ipapermright=None, o_attrs=None, o_ipapermincludedattr=None, o_ipapermexcludedattr=None, o_ipapermbindruletype='permission', o_ipapermlocation=None, o_extratargetfilter=None, o_ipapermtargetfilter=None, o_ipapermtarget=None, o_ipapermtargetto=None, o_ipapermtargetfrom=None, o_memberof=None, o_targetgroup=None, o_type=None, o_permissions=None, o_filter=None, o_subtree=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None)¶

Modify a permission.

Parameters:

a_cn (str) – Permission name
o_ipapermright (list of str, valid values ['read', 'search', 'compare', 'write', 'add', 'delete', 'all']) – Rights to grant (read, search, compare, write, add, delete, all)
o_attrs (str) – All attributes to which the permission applies
o_ipapermincludedattr (str) – User-specified attributes to which the permission applies
o_ipapermexcludedattr (str) – User-specified attributes to which the permission explicitly does not apply
o_ipapermbindruletype (str, valid values ['permission', 'all', 'anonymous']) – Bind rule type
o_ipapermlocation (DNOrURL) – Subtree to apply permissions to
o_extratargetfilter (str) – Extra target filter
o_ipapermtargetfilter (str) – All target filters, including those implied by type and memberof
o_ipapermtarget (DNParam) – Optional DN to apply the permission to (must be in the subtree, but may not yet exist)
o_ipapermtargetto (DNParam) – Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)
o_ipapermtargetfrom (DNParam) – Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)
o_memberof (str) – Target members of a group (sets memberOf targetfilter)
o_targetgroup (str) – User group to apply permissions to (sets target)
o_type (str) – Type of IPA object (sets subtree and objectClass targetfilter)
o_permissions (str) – Deprecated; use ipapermright
o_filter (str) – Deprecated; use extratargetfilter
o_subtree (str) – Deprecated; use ipapermlocation
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_rename (str) – Rename the permission object

permission_remove_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_privilege=None)¶

Remove members from a permission.

Parameters:	a_cn (str) – Permission name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_privilege (str) – privileges to remove

permission_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display information about a permission.

Parameters:

a_cn (str) – Permission name
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

ping()¶: Ping a remote server.

pkinit_status(a_criteria=None, o_server_server=None, o_status=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False)¶

Report PKINIT status on the IPA masters

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_server_server (str) – IPA server hostname
o_status (str, valid values ['enabled', 'disabled']) – Whether PKINIT is enabled or disabled
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

plugins(o_server=False, o_all=True)¶

Show all loaded plugins.

Parameters:	o_server (bool) – Forward to server instead of running locally o_all (bool) – retrieve and print all attributes from the server. Affects command output.

privilege_add(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False)¶

Add a new privilege.

Parameters:

a_cn (str) – Privilege name
o_description (str) – Privilege description
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

privilege_add_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_role=None)¶

Add members to a privilege.

Parameters:	a_cn (str) – Privilege name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_role (str) – roles to add

privilege_add_permission(a_cn, o_all=True, o_raw=False, o_no_members=False, o_permission=None)¶

Add permissions to a privilege.

Parameters:	a_cn (str) – Privilege name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_permission (str) – permissions

privilege_del(a_cn, o_continue=False)¶

Delete a privilege.

Parameters:	a_cn (str) – Privilege name o_continue (bool) – Continuous mode: Don’t stop on errors.

privilege_find(a_criteria=None, o_cn=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False)¶

Search for privileges.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Privilege name
o_description (str) – Privilege description
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

privilege_mod(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None)¶

Modify a privilege.

Parameters:

a_cn (str) – Privilege name
o_description (str) – Privilege description
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_rename (str) – Rename the privilege object

privilege_remove_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_role=None)¶

Remove members from a privilege

Parameters:	a_cn (str) – Privilege name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_role (str) – roles to remove

privilege_remove_permission(a_cn, o_all=True, o_raw=False, o_no_members=False, o_permission=None)¶

Remove permissions from a privilege.

Parameters:	a_cn (str) – Privilege name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_permission (str) – permissions

privilege_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display information about a privilege.

Parameters:

a_cn (str) – Privilege name
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

pwpolicy_add(a_cn, o_cospriority, o_krbmaxpwdlife=None, o_krbminpwdlife=None, o_krbpwdhistorylength=None, o_krbpwdmindiffchars=None, o_krbpwdminlength=None, o_krbpwdmaxfailure=None, o_krbpwdfailurecountinterval=None, o_krbpwdlockoutduration=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False)¶

Add a new group password policy.

Parameters:

a_cn (str) – Manage password policy for specific group
o_krbmaxpwdlife (int, min value 0, max value 20000) – Maximum password lifetime (in days)
o_krbminpwdlife (int, min value 0, max value 2147483647) – Minimum password lifetime (in hours)
o_krbpwdhistorylength (int, min value 0, max value 2147483647) – Password history size
o_krbpwdmindiffchars (int, min value 0, max value 5) – Minimum number of character classes
o_krbpwdminlength (int, min value 0, max value 2147483647) – Minimum length of password
o_cospriority (int, min value 0, max value 2147483647) – Priority of the policy (higher number means lower priority
o_krbpwdmaxfailure (int, min value 0, max value 2147483647) – Consecutive failures before lockout
o_krbpwdfailurecountinterval (int, min value 0, max value 2147483647) – Period after which failure count will be reset (seconds)
o_krbpwdlockoutduration (int, min value 0, max value 2147483647) – Period for which lockout is enforced (seconds)
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

pwpolicy_del(a_cn, o_continue=False)¶

Delete a group password policy.

Parameters:	a_cn (str) – Manage password policy for specific group o_continue (bool) – Continuous mode: Don’t stop on errors.

pwpolicy_find(a_criteria=None, o_cn=None, o_krbmaxpwdlife=None, o_krbminpwdlife=None, o_krbpwdhistorylength=None, o_krbpwdmindiffchars=None, o_krbpwdminlength=None, o_cospriority=None, o_krbpwdmaxfailure=None, o_krbpwdfailurecountinterval=None, o_krbpwdlockoutduration=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for group password policies.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Manage password policy for specific group
o_krbmaxpwdlife (int, min value 0, max value 20000) – Maximum password lifetime (in days)
o_krbminpwdlife (int, min value 0, max value 2147483647) – Minimum password lifetime (in hours)
o_krbpwdhistorylength (int, min value 0, max value 2147483647) – Password history size
o_krbpwdmindiffchars (int, min value 0, max value 5) – Minimum number of character classes
o_krbpwdminlength (int, min value 0, max value 2147483647) – Minimum length of password
o_cospriority (int, min value 0, max value 2147483647) – Priority of the policy (higher number means lower priority
o_krbpwdmaxfailure (int, min value 0, max value 2147483647) – Consecutive failures before lockout
o_krbpwdfailurecountinterval (int, min value 0, max value 2147483647) – Period after which failure count will be reset (seconds)
o_krbpwdlockoutduration (int, min value 0, max value 2147483647) – Period for which lockout is enforced (seconds)
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“group”)

pwpolicy_mod(a_cn=None, o_krbmaxpwdlife=None, o_krbminpwdlife=None, o_krbpwdhistorylength=None, o_krbpwdmindiffchars=None, o_krbpwdminlength=None, o_cospriority=None, o_krbpwdmaxfailure=None, o_krbpwdfailurecountinterval=None, o_krbpwdlockoutduration=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False)¶

Modify a group password policy.

Parameters:

a_cn (str) – Manage password policy for specific group
o_krbmaxpwdlife (int, min value 0, max value 20000) – Maximum password lifetime (in days)
o_krbminpwdlife (int, min value 0, max value 2147483647) – Minimum password lifetime (in hours)
o_krbpwdhistorylength (int, min value 0, max value 2147483647) – Password history size
o_krbpwdmindiffchars (int, min value 0, max value 5) – Minimum number of character classes
o_krbpwdminlength (int, min value 0, max value 2147483647) – Minimum length of password
o_cospriority (int, min value 0, max value 2147483647) – Priority of the policy (higher number means lower priority
o_krbpwdmaxfailure (int, min value 0, max value 2147483647) – Consecutive failures before lockout
o_krbpwdfailurecountinterval (int, min value 0, max value 2147483647) – Period after which failure count will be reset (seconds)
o_krbpwdlockoutduration (int, min value 0, max value 2147483647) – Period for which lockout is enforced (seconds)
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

pwpolicy_show(a_cn=None, o_rights=False, o_user=None, o_all=True, o_raw=False)¶

Display information about password policy.

Parameters:

a_cn (str) – Manage password policy for specific group
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_user (str) – Display effective policy for a specific user
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

radiusproxy_add(a_cn, o_ipatokenradiusserver, o_ipatokenradiussecret, o_description=None, o_ipatokenradiustimeout=None, o_ipatokenradiusretries=None, o_ipatokenusermapattribute=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False)¶

Add a new RADIUS proxy server.

Parameters:

a_cn (str) – RADIUS proxy server name
o_description (str) – A description of this RADIUS proxy server
o_ipatokenradiusserver (str) – The hostname or IP (with or without port)
o_ipatokenradiussecret (Password) – The secret used to encrypt data
o_ipatokenradiustimeout (int, min value 1, max value 2147483647) – The total timeout across all retries (in seconds)
o_ipatokenradiusretries (int, min value 0, max value 10) – The number of times to retry authentication
o_ipatokenusermapattribute (str) – The username attribute on the user object
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

radiusproxy_del(a_cn, o_continue=False)¶

Delete a RADIUS proxy server.

Parameters:	a_cn (str) – RADIUS proxy server name o_continue (bool) – Continuous mode: Don’t stop on errors.

radiusproxy_find(a_criteria=None, o_cn=None, o_description=None, o_ipatokenradiusserver=None, o_ipatokenradiussecret=None, o_ipatokenradiustimeout=None, o_ipatokenradiusretries=None, o_ipatokenusermapattribute=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for RADIUS proxy servers.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – RADIUS proxy server name
o_description (str) – A description of this RADIUS proxy server
o_ipatokenradiusserver (str) – The hostname or IP (with or without port)
o_ipatokenradiussecret (Password) – The secret used to encrypt data
o_ipatokenradiustimeout (int, min value 1, max value 2147483647) – The total timeout across all retries (in seconds)
o_ipatokenradiusretries (int, min value 0, max value 10) – The number of times to retry authentication
o_ipatokenusermapattribute (str) – The username attribute on the user object
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

radiusproxy_mod(a_cn, o_description=None, o_ipatokenradiusserver=None, o_ipatokenradiussecret=None, o_ipatokenradiustimeout=None, o_ipatokenradiusretries=None, o_ipatokenusermapattribute=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_rename=None)¶

Modify a RADIUS proxy server.

Parameters:

a_cn (str) – RADIUS proxy server name
o_description (str) – A description of this RADIUS proxy server
o_ipatokenradiusserver (str) – The hostname or IP (with or without port)
o_ipatokenradiussecret (Password) – The secret used to encrypt data
o_ipatokenradiustimeout (int, min value 1, max value 2147483647) – The total timeout across all retries (in seconds)
o_ipatokenradiusretries (int, min value 0, max value 10) – The number of times to retry authentication
o_ipatokenusermapattribute (str) – The username attribute on the user object
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_rename (str) – Rename the RADIUS proxy server object

radiusproxy_show(a_cn, o_rights=False, o_all=True, o_raw=False)¶

Display information about a RADIUS proxy server.

Parameters:	a_cn (str) – RADIUS proxy server name o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

realmdomains_mod(o_associateddomain=None, o_add_domain=None, o_del_domain=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_force=False, o_all=True, o_raw=False)¶

Modify realm domains

DNS check: When manually adding a domain to the list, a DNS check is performed by default. It ensures that the domain is associated with the IPA realm, by checking whether the domain has a _kerberos TXT record containing the IPA realm name. This check can be skipped by specifying –force option.

Removal: when a realm domain which has a matching DNS zone managed by IPA is being removed, a corresponding _kerberos TXT record in the zone is removed automatically as well. Other records in the zone or the zone itself are not affected.

Parameters:

o_associateddomain (str) – Domain
o_add_domain (str) – Add domain
o_del_domain (str) – Delete domain
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_force (bool) – Force adding domain even if not in DNS
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

realmdomains_show(o_rights=False, o_all=True, o_raw=False)¶

Display the list of realm domains.

Parameters:	o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

role_add(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False)¶

Add a new role.

Parameters:

a_cn (str) – Role name
o_description (str) – A description of this role-group
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

role_add_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, o_service=None)¶

Add members to a role.

Parameters:

a_cn (str) – Role name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to add
o_group (str) – groups to add
o_host (str) – hosts to add
o_hostgroup (str) – host groups to add
o_service (str) – services to add

role_add_privilege(a_cn, o_all=True, o_raw=False, o_no_members=False, o_privilege=None)¶

Add privileges to a role.

Parameters:	a_cn (str) – Role name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_privilege (str) – privileges

role_del(a_cn, o_continue=False)¶

Delete a role.

Parameters:	a_cn (str) – Role name o_continue (bool) – Continuous mode: Don’t stop on errors.

role_find(a_criteria=None, o_cn=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False)¶

Search for roles.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Role name
o_description (str) – A description of this role-group
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

role_mod(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None)¶

Modify a role.

Parameters:

a_cn (str) – Role name
o_description (str) – A description of this role-group
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_rename (str) – Rename the role object

role_remove_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, o_service=None)¶

Remove members from a role.

Parameters:

a_cn (str) – Role name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to remove
o_group (str) – groups to remove
o_host (str) – hosts to remove
o_hostgroup (str) – host groups to remove
o_service (str) – services to remove

role_remove_privilege(a_cn, o_all=True, o_raw=False, o_no_members=False, o_privilege=None)¶

Remove privileges from a role.

Parameters:	a_cn (str) – Role name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_privilege (str) – privileges

role_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display information about a role.

Parameters:

a_cn (str) – Role name
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

schema(o_known_fingerprints=None)¶

Store and provide schema for commands and topics

Parameters:	o_known_fingerprints (str) – Fingerprint of schema cached by client

selfservice_add(a_aciname, o_attrs, o_permissions=None, o_all=True, o_raw=False)¶

Add a new self-service permission.

Parameters:	a_aciname (str) – Self-service name o_permissions (str) – Permissions to grant (read, write). Default is write. o_attrs (str) – Attributes to which the permission applies. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

selfservice_del(a_aciname)¶

Delete a self-service permission.

Parameters:	a_aciname (str) – Self-service name

selfservice_find(a_criteria=None, o_aciname=None, o_permissions=None, o_attrs=None, o_pkey_only=False, o_all=True, o_raw=False)¶

Search for a self-service permission.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_aciname (str) – Self-service name
o_permissions (str) – Permissions to grant (read, write). Default is write.
o_attrs (str) – Attributes to which the permission applies.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

selfservice_mod(a_aciname, o_permissions=None, o_attrs=None, o_all=True, o_raw=False)¶

Modify a self-service permission.

Parameters:	a_aciname (str) – Self-service name o_permissions (str) – Permissions to grant (read, write). Default is write. o_attrs (str) – Attributes to which the permission applies. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

selfservice_show(a_aciname, o_all=True, o_raw=False)¶

Display information about a self-service permission.

Parameters:	a_aciname (str) – Self-service name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

selinuxusermap_add(a_cn, o_ipaselinuxuser, o_seealso=None, o_usercategory=None, o_hostcategory=None, o_description=None, o_ipaenabledflag=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False)¶

Create a new SELinux User Map.

Parameters:

a_cn (str) – Rule name
o_ipaselinuxuser (str) – SELinux User
o_seealso (str) – HBAC Rule that defines the users, groups and hostgroups
o_usercategory (str, valid values ['all']) – User category the rule applies to
o_hostcategory (str, valid values ['all']) – Host category the rule applies to
o_description (str) – Description
o_ipaenabledflag (Bool) – Enabled
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

selinuxusermap_add_host(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None)¶

Add target hosts and hostgroups to an SELinux User Map rule.

Parameters:	a_cn (str) – Rule name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_host (str) – hosts to add o_hostgroup (str) – host groups to add

selinuxusermap_add_user(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None)¶

Add users and groups to an SELinux User Map rule.

Parameters:	a_cn (str) – Rule name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to add o_group (str) – groups to add

selinuxusermap_del(a_cn, o_continue=False)¶

Delete a SELinux User Map.

Parameters:	a_cn (str) – Rule name o_continue (bool) – Continuous mode: Don’t stop on errors.

selinuxusermap_disable(a_cn)¶

Disable an SELinux User Map rule.

Parameters:	a_cn (str) – Rule name

selinuxusermap_enable(a_cn)¶

Enable an SELinux User Map rule.

Parameters:	a_cn (str) – Rule name

selinuxusermap_find(a_criteria=None, o_cn=None, o_ipaselinuxuser=None, o_seealso=None, o_usercategory=None, o_hostcategory=None, o_description=None, o_ipaenabledflag=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False)¶

Search for SELinux User Maps.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Rule name
o_ipaselinuxuser (str) – SELinux User
o_seealso (str) – HBAC Rule that defines the users, groups and hostgroups
o_usercategory (str, valid values ['all']) – User category the rule applies to
o_hostcategory (str, valid values ['all']) – Host category the rule applies to
o_description (str) – Description
o_ipaenabledflag (Bool) – Enabled
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

selinuxusermap_mod(a_cn, o_ipaselinuxuser=None, o_seealso=None, o_usercategory=None, o_hostcategory=None, o_description=None, o_ipaenabledflag=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Modify a SELinux User Map.

Parameters:

a_cn (str) – Rule name
o_ipaselinuxuser (str) – SELinux User
o_seealso (str) – HBAC Rule that defines the users, groups and hostgroups
o_usercategory (str, valid values ['all']) – User category the rule applies to
o_hostcategory (str, valid values ['all']) – Host category the rule applies to
o_description (str) – Description
o_ipaenabledflag (Bool) – Enabled
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

selinuxusermap_remove_host(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None)¶

Remove target hosts and hostgroups from an SELinux User Map rule.

Parameters:	a_cn (str) – Rule name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_host (str) – hosts to remove o_hostgroup (str) – host groups to remove

selinuxusermap_remove_user(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None)¶

Remove users and groups from an SELinux User Map rule.

Parameters:	a_cn (str) – Rule name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to remove o_group (str) – groups to remove

selinuxusermap_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display the properties of a SELinux User Map rule.

Parameters:

a_cn (str) – Rule name
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

server_conncheck(a_cn, a_remote_cn)¶

Check connection to remote IPA server.

Parameters:	a_cn (str) – IPA server hostname a_remote_cn (str) – Remote IPA server hostname

server_del(a_cn, o_continue=False, o_ignore_topology_disconnect=False, o_ignore_last_of_role=False, o_force=False)¶

Delete IPA server.

Parameters:	a_cn (str) – IPA server hostname o_continue (bool) – Continuous mode: Don’t stop on errors. o_ignore_topology_disconnect (bool) – Ignore topology connectivity problems after removal o_ignore_last_of_role (bool) – Skip a check whether the last CA master or DNS server is removed o_force (bool) – Force server removal even if it does not exist

server_find(a_criteria=None, o_cn=None, o_ipamindomainlevel=None, o_ipamaxdomainlevel=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, o_topologysuffix=None, o_no_topologysuffix=None, o_in_location=None, o_not_in_location=None, o_servrole=None)¶

Search for IPA servers.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – IPA server hostname
o_ipamindomainlevel (int, min value -2147483648, max value 2147483647) – Minimum domain level
o_ipamaxdomainlevel (int, min value -2147483648, max value 2147483647) – Maximum domain level
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)
o_topologysuffix (str) – Search for servers with these managed suffixes.
o_no_topologysuffix (str) – Search for servers without these managed suffixes.
o_in_location (DNSNameParam) – Search for servers with these ipa locations.
o_not_in_location (DNSNameParam) – Search for servers without these ipa locations.
o_servrole (str) – Search for servers with these enabled roles.

server_mod(a_cn, o_ipalocation_location=None, o_ipaserviceweight=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Modify information about an IPA server.

Parameters:

a_cn (str) – IPA server hostname
o_ipalocation_location (DNSNameParam) – Server location
o_ipaserviceweight (int, min value 0, max value 65535) – Weight for server services
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

server_role_find(a_criteria=None, o_server_server=None, o_role_servrole=None, o_status='enabled', o_timelimit=None, o_sizelimit=None, o_include_master=False, o_all=True, o_raw=False)¶

Find a server role on a server(s)

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_server_server (str) – IPA server hostname
o_role_servrole (str) – IPA server role name
o_status (str, valid values ['enabled', 'configured', 'hidden', 'absent']) – Status of the role
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_include_master (bool) – Include IPA master entries
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

server_role_show(a_server_server, a_role_servrole, o_all=True, o_raw=False)¶

Show role status on a server

Parameters:	a_server_server (str) – IPA server hostname a_role_servrole (str) – IPA server role name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

server_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Show IPA server.

Parameters:

a_cn (str) – IPA server hostname
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

server_state(a_cn, o_state)¶

Set enabled/hidden state of a server.

Parameters:	a_cn (str) – IPA server hostname o_state (str, valid values ['enabled', 'hidden']) – Server state

service_add(a_krbcanonicalname, o_usercertificate=None, o_ipakrbauthzdata=None, o_krbprincipalauthind=None, o_ipakrbrequirespreauth=None, o_ipakrbokasdelegate=None, o_ipakrboktoauthasdelegate=None, o_setattr=None, o_addattr=None, o_force=False, o_skip_host_check=False, o_all=True, o_raw=False, o_no_members=False)¶

Add a new IPA service.

Parameters:

a_krbcanonicalname (Principal) – Service principal
o_usercertificate (Certificate) – Base-64 encoded service certificate
o_ipakrbauthzdata (list of str, valid values ['MS-PAC', 'PAD', 'NONE']) – Override default list of supported PAC types. Use ‘NONE’ to disable PAC support for this service, e.g. this might be necessary for NFS services.
o_krbprincipalauthind (list of str, valid values ['radius', 'otp', 'pkinit', 'hardened']) – Defines a whitelist for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute- force hardened password authentication by SPAKE or FAST. With no indicator specified, all authentication mechanisms are allowed.
o_ipakrbrequirespreauth (Bool) – Pre-authentication is required for the service
o_ipakrbokasdelegate (Bool) – Client credentials may be delegated to the service
o_ipakrboktoauthasdelegate (Bool) – The service is allowed to authenticate on behalf of a client
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_force (bool) – force principal name even if host not in DNS
o_skip_host_check (bool) – force service to be created even when host object does not exist to manage it
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

service_add_cert(a_krbcanonicalname, o_usercertificate, o_all=True, o_raw=False, o_no_members=False)¶

Add new certificates to a service

Parameters:

a_krbcanonicalname (Principal) – Service principal
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_usercertificate (Certificate) – Base-64 encoded service certificate

service_add_host(a_krbcanonicalname, o_all=True, o_raw=False, o_no_members=False, o_host=None)¶

Add hosts that can manage this service.

Parameters:	a_krbcanonicalname (Principal) – Service principal o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_host (str) – hosts to add

service_add_principal(a_krbcanonicalname, a_krbprincipalname, o_all=True, o_raw=False, o_no_members=False)¶

Add new principal alias to a service

Parameters:	a_krbcanonicalname (Principal) – Service principal a_krbprincipalname (Principal) – Service principal alias o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes.

service_add_smb(a_fqdn, a_ipantflatname=None, o_setattr=None, o_addattr=None, o_usercertificate=None, o_ipakrbokasdelegate=None, o_ipakrboktoauthasdelegate=None, o_all=True, o_raw=False, o_no_members=False)¶

Add a new SMB service.

Parameters:

a_fqdn (str) – Host name
a_ipantflatname (str) – SMB service NetBIOS name
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_usercertificate (Certificate) – Base-64 encoded service certificate
o_ipakrbokasdelegate (Bool) – Client credentials may be delegated to the service
o_ipakrboktoauthasdelegate (Bool) – The service is allowed to authenticate on behalf of a client
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

service_allow_create_keytab(a_krbcanonicalname, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None)¶

Allow users, groups, hosts or host groups to create a keytab of this service.

Parameters:

a_krbcanonicalname (Principal) – Service principal
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to add
o_group (str) – groups to add
o_host (str) – hosts to add
o_hostgroup (str) – host groups to add

service_allow_retrieve_keytab(a_krbcanonicalname, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None)¶

Allow users, groups, hosts or host groups to retrieve a keytab of this service.

Parameters:

a_krbcanonicalname (Principal) – Service principal
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to add
o_group (str) – groups to add
o_host (str) – hosts to add
o_hostgroup (str) – host groups to add

service_del(a_krbcanonicalname, o_continue=False)¶

Delete an IPA service.

Parameters:	a_krbcanonicalname (Principal) – Service principal o_continue (bool) – Continuous mode: Don’t stop on errors.

service_disable(a_krbcanonicalname)¶

Disable the Kerberos key and SSL certificate of a service.

Parameters:	a_krbcanonicalname (Principal) – Service principal

service_disallow_create_keytab(a_krbcanonicalname, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None)¶

Disallow users, groups, hosts or host groups to create a keytab of this service.

Parameters:

a_krbcanonicalname (Principal) – Service principal
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to remove
o_group (str) – groups to remove
o_host (str) – hosts to remove
o_hostgroup (str) – host groups to remove

service_disallow_retrieve_keytab(a_krbcanonicalname, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None)¶

Disallow users, groups, hosts or host groups to retrieve a keytab of this service.

Parameters:

a_krbcanonicalname (Principal) – Service principal
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to remove
o_group (str) – groups to remove
o_host (str) – hosts to remove
o_hostgroup (str) – host groups to remove

service_find(a_criteria=None, o_krbcanonicalname=None, o_krbprincipalname=None, o_ipakrbauthzdata=None, o_krbprincipalauthind=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, o_man_by_host=None, o_not_man_by_host=None)¶

Search for IPA services.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_krbcanonicalname (Principal) – Service principal
o_krbprincipalname (Principal) – Service principal alias
o_ipakrbauthzdata (list of str, valid values ['MS-PAC', 'PAD', 'NONE']) – Override default list of supported PAC types. Use ‘NONE’ to disable PAC support for this service, e.g. this might be necessary for NFS services.
o_krbprincipalauthind (list of str, valid values ['radius', 'otp', 'pkinit', 'hardened']) – Defines a whitelist for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute- force hardened password authentication by SPAKE or FAST. With no indicator specified, all authentication mechanisms are allowed.
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“canonical-principal”)
o_man_by_host (str) – Search for services with these managed by hosts.
o_not_man_by_host (str) – Search for services without these managed by hosts.

service_mod(a_krbcanonicalname, o_krbprincipalname=None, o_usercertificate=None, o_ipakrbauthzdata=None, o_krbprincipalauthind=None, o_ipakrbrequirespreauth=None, o_ipakrbokasdelegate=None, o_ipakrboktoauthasdelegate=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Modify an existing IPA service.

Parameters:

a_krbcanonicalname (Principal) – Service principal
o_krbprincipalname (Principal) – Service principal alias
o_usercertificate (Certificate) – Base-64 encoded service certificate
o_ipakrbauthzdata (list of str, valid values ['MS-PAC', 'PAD', 'NONE']) – Override default list of supported PAC types. Use ‘NONE’ to disable PAC support for this service, e.g. this might be necessary for NFS services.
o_krbprincipalauthind (list of str, valid values ['radius', 'otp', 'pkinit', 'hardened']) – Defines a whitelist for Authentication Indicators. Use ‘otp’ to allow OTP-based 2FA authentications. Use ‘radius’ to allow RADIUS-based 2FA authentications. Use ‘pkinit’ to allow PKINIT-based 2FA authentications. Use ‘hardened’ to allow brute- force hardened password authentication by SPAKE or FAST. With no indicator specified, all authentication mechanisms are allowed.
o_ipakrbrequirespreauth (Bool) – Pre-authentication is required for the service
o_ipakrbokasdelegate (Bool) – Client credentials may be delegated to the service
o_ipakrboktoauthasdelegate (Bool) – The service is allowed to authenticate on behalf of a client
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

service_remove_cert(a_krbcanonicalname, o_usercertificate, o_all=True, o_raw=False, o_no_members=False)¶

Remove certificates from a service

Parameters:

a_krbcanonicalname (Principal) – Service principal
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_usercertificate (Certificate) – Base-64 encoded service certificate

service_remove_host(a_krbcanonicalname, o_all=True, o_raw=False, o_no_members=False, o_host=None)¶

Remove hosts that can manage this service.

Parameters:	a_krbcanonicalname (Principal) – Service principal o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_host (str) – hosts to remove

service_remove_principal(a_krbcanonicalname, a_krbprincipalname, o_all=True, o_raw=False, o_no_members=False)¶

Remove principal alias from a service

Parameters:	a_krbcanonicalname (Principal) – Service principal a_krbprincipalname (Principal) – Service principal alias o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes.

service_show(a_krbcanonicalname, o_rights=False, o_out=None, o_all=True, o_raw=False, o_no_members=False)¶

Display information about an IPA service.

Parameters:

a_krbcanonicalname (Principal) – Service principal
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_out (str) – file to store certificate in
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

servicedelegationrule_add(a_cn, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False)¶

Create a new service delegation rule.

Parameters:

a_cn (str) – Delegation name
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

servicedelegationrule_add_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_principal=None)¶

Add member to a named service delegation rule.

Parameters:	a_cn (str) – Delegation name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_principal (str) – principal to add

servicedelegationrule_add_target(a_cn, o_all=True, o_raw=False, o_no_members=False, o_servicedelegationtarget=None)¶

Add target to a named service delegation rule.

Parameters:	a_cn (str) – Delegation name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_servicedelegationtarget (str) – service delegation targets to add

servicedelegationrule_del(a_cn, o_continue=False)¶

Delete service delegation.

Parameters:	a_cn (str) – Delegation name o_continue (bool) – Continuous mode: Don’t stop on errors.

servicedelegationrule_find(a_criteria=None, o_cn=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False)¶

Search for service delegations rule.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Delegation name
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“delegation-name”)

servicedelegationrule_remove_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_principal=None)¶

Remove member from a named service delegation rule.

Parameters:	a_cn (str) – Delegation name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_principal (str) – principal to remove

servicedelegationrule_remove_target(a_cn, o_all=True, o_raw=False, o_no_members=False, o_servicedelegationtarget=None)¶

Remove target from a named service delegation rule.

Parameters:	a_cn (str) – Delegation name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_servicedelegationtarget (str) – service delegation targets to remove

servicedelegationrule_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display information about a named service delegation rule.

Parameters:

a_cn (str) – Delegation name
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

servicedelegationtarget_add(a_cn, o_setattr=None, o_addattr=None, o_all=True, o_raw=False)¶

Create a new service delegation target.

Parameters:

a_cn (str) – Delegation name
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

servicedelegationtarget_add_member(a_cn, o_all=True, o_raw=False, o_principal=None)¶

Add member to a named service delegation target.

Parameters:	a_cn (str) – Delegation name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_principal (str) – principal to add

servicedelegationtarget_del(a_cn, o_continue=False)¶

Delete service delegation target.

Parameters:	a_cn (str) – Delegation name o_continue (bool) – Continuous mode: Don’t stop on errors.

servicedelegationtarget_find(a_criteria=None, o_cn=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for service delegation target.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Delegation name
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“delegation-name”)

servicedelegationtarget_remove_member(a_cn, o_all=True, o_raw=False, o_principal=None)¶

Remove member from a named service delegation target.

Parameters:	a_cn (str) – Delegation name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_principal (str) – principal to remove

servicedelegationtarget_show(a_cn, o_rights=False, o_all=True, o_raw=False)¶

Display information about a named service delegation target.

Parameters:	a_cn (str) – Delegation name o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

session_logout()¶: RPC command used to log the current user out of their session.

sidgen_was_run()¶: Determine whether ipa-adtrust-install has been run with sidgen task

stageuser_activate(a_uid, o_all=True, o_raw=False, o_no_members=False)¶

Activate a stage user.

Parameters:	a_uid (str) – User login o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes.

stageuser_add(a_uid, o_givenname, o_sn, o_cn, o_displayname=None, o_initials=None, o_homedirectory=None, o_gecos=None, o_loginshell=None, o_krbprincipalname=None, o_krbprincipalexpiration=None, o_krbpasswordexpiration=None, o_mail=None, o_userpassword=None, o_random=False, o_uidnumber=None, o_gidnumber=None, o_street=None, o_l=None, o_st=None, o_postalcode=None, o_telephonenumber=None, o_mobile=None, o_pager=None, o_facsimiletelephonenumber=None, o_ou=None, o_title=None, o_manager=None, o_carlicense=None, o_ipasshpubkey=None, o_ipauserauthtype=None, o_userclass=None, o_ipatokenradiusconfiglink=None, o_ipatokenradiususername=None, o_departmentnumber=None, o_employeenumber=None, o_employeetype=None, o_preferredlanguage=None, o_usercertificate=None, o_setattr=None, o_addattr=None, o_from_delete=None, o_all=True, o_raw=False, o_no_members=False)¶

Add a new stage user.

Parameters:

a_uid (str) – User login
o_givenname (str) – First name
o_sn (str) – Last name
o_cn (str) – Full name
o_displayname (str) – Display name
o_initials (str) – Initials
o_homedirectory (str) – Home directory
o_gecos (str) – GECOS
o_loginshell (str) – Login shell
o_krbprincipalname (Principal) – Principal alias
o_krbprincipalexpiration (DateTime) – Kerberos principal expiration
o_krbpasswordexpiration (DateTime) – User password expiration
o_mail (str) – Email address
o_userpassword (Password) – Prompt to set the user password
o_random (bool) – Generate a random user password
o_uidnumber (int, min value 1, max value 2147483647) – User ID Number (system will assign one if not provided)
o_gidnumber (int, min value 1, max value 2147483647) – Group ID Number
o_street (str) – Street address
o_l (str) – City
o_st (str) – State/Province
o_postalcode (str) – ZIP
o_telephonenumber (str) – Telephone Number
o_mobile (str) – Mobile Telephone Number
o_pager (str) – Pager Number
o_facsimiletelephonenumber (str) – Fax Number
o_ou (str) – Org. Unit
o_title (str) – Job Title
o_manager (str) – Manager
o_carlicense (str) – Car License
o_ipasshpubkey (str) – SSH public key
o_ipauserauthtype (list of str, valid values ['password', 'radius', 'otp', 'pkinit', 'hardened']) – Types of supported user authentication
o_userclass (str) – User category (semantics placed on this attribute are for local interpretation)
o_ipatokenradiusconfiglink (str) – RADIUS proxy configuration
o_ipatokenradiususername (str) – RADIUS proxy username
o_departmentnumber (str) – Department Number
o_employeenumber (str) – Employee Number
o_employeetype (str) – Employee Type
o_preferredlanguage (str) – Preferred Language
o_usercertificate (Certificate) – Base-64 encoded user certificate
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_from_delete (Bool) – Create Stage user in from a delete user
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

stageuser_add_cert(a_uid, o_usercertificate, o_all=True, o_raw=False, o_no_members=False)¶

Add one or more certificates to the stageuser entry

Parameters:	a_uid (str) – User login o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_usercertificate (Certificate) – Base-64 encoded user certificate

stageuser_add_certmapdata(a_uid, a_ipacertmapdata=None, o_issuer=None, o_subject=None, o_certificate=None, o_all=True, o_raw=False, o_no_members=False)¶

Add one or more certificate mappings to the stage user entry.

Parameters:

a_uid (str) – User login
a_ipacertmapdata (str) – Certificate mapping data
o_issuer (DNParam) – Issuer of the certificate
o_subject (DNParam) – Subject of the certificate
o_certificate (Certificate) – Base-64 encoded user certificate
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

stageuser_add_manager(a_uid, o_all=True, o_raw=False, o_no_members=False, o_user=None)¶

Add a manager to the stage user entry

Parameters:	a_uid (str) – User login o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to add

stageuser_add_principal(a_uid, a_krbprincipalname, o_all=True, o_raw=False, o_no_members=False)¶

Add new principal alias to the stageuser entry

Parameters:	a_uid (str) – User login a_krbprincipalname (Principal) – Principal alias o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes.

stageuser_del(a_uid, o_continue=False)¶

Delete a stage user.

Parameters:	a_uid (str) – User login o_continue (bool) – Continuous mode: Don’t stop on errors.

stageuser_find(a_criteria=None, o_uid=None, o_givenname=None, o_sn=None, o_cn=None, o_displayname=None, o_initials=None, o_homedirectory=None, o_gecos=None, o_loginshell=None, o_krbprincipalname=None, o_krbprincipalexpiration=None, o_krbpasswordexpiration=None, o_mail=None, o_userpassword=None, o_uidnumber=None, o_gidnumber=None, o_street=None, o_l=None, o_st=None, o_postalcode=None, o_telephonenumber=None, o_mobile=None, o_pager=None, o_facsimiletelephonenumber=None, o_ou=None, o_title=None, o_manager=None, o_carlicense=None, o_ipauserauthtype=None, o_userclass=None, o_ipatokenradiusconfiglink=None, o_ipatokenradiususername=None, o_departmentnumber=None, o_employeenumber=None, o_employeetype=None, o_preferredlanguage=None, o_usercertificate=None, o_ipantlogonscript=None, o_ipantprofilepath=None, o_ipanthomedirectory=None, o_ipanthomedirectoryrive=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, o_in_group=None, o_not_in_group=None, o_in_netgroup=None, o_not_in_netgroup=None, o_in_role=None, o_not_in_role=None, o_in_hbacrule=None, o_not_in_hbacrule=None, o_in_sudorule=None, o_not_in_sudorule=None)¶

Search for stage users.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_uid (str) – User login
o_givenname (str) – First name
o_sn (str) – Last name
o_cn (str) – Full name
o_displayname (str) – Display name
o_initials (str) – Initials
o_homedirectory (str) – Home directory
o_gecos (str) – GECOS
o_loginshell (str) – Login shell
o_krbprincipalname (Principal) – Principal alias
o_krbprincipalexpiration (DateTime) – Kerberos principal expiration
o_krbpasswordexpiration (DateTime) – User password expiration
o_mail (str) – Email address
o_userpassword (Password) – Prompt to set the user password
o_uidnumber (int, min value 1, max value 2147483647) – User ID Number (system will assign one if not provided)
o_gidnumber (int, min value 1, max value 2147483647) – Group ID Number
o_street (str) – Street address
o_l (str) – City
o_st (str) – State/Province
o_postalcode (str) – ZIP
o_telephonenumber (str) – Telephone Number
o_mobile (str) – Mobile Telephone Number
o_pager (str) – Pager Number
o_facsimiletelephonenumber (str) – Fax Number
o_ou (str) – Org. Unit
o_title (str) – Job Title
o_manager (str) – Manager
o_carlicense (str) – Car License
o_ipauserauthtype (list of str, valid values ['password', 'radius', 'otp', 'pkinit', 'hardened']) – Types of supported user authentication
o_userclass (str) – User category (semantics placed on this attribute are for local interpretation)
o_ipatokenradiusconfiglink (str) – RADIUS proxy configuration
o_ipatokenradiususername (str) – RADIUS proxy username
o_departmentnumber (str) – Department Number
o_employeenumber (str) – Employee Number
o_employeetype (str) – Employee Type
o_preferredlanguage (str) – Preferred Language
o_usercertificate (Certificate) – Base-64 encoded user certificate
o_ipantlogonscript (str) – SMB logon script path
o_ipantprofilepath (str) – SMB profile path
o_ipanthomedirectory (str) – SMB Home Directory
o_ipanthomedirectoryrive (str, valid values ['A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:', 'I:', 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', 'R:', 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:']) – SMB Home Directory Drive
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“login”)
o_in_group (str) – Search for stage users with these member of groups.
o_not_in_group (str) – Search for stage users without these member of groups.
o_in_netgroup (str) – Search for stage users with these member of netgroups.
o_not_in_netgroup (str) – Search for stage users without these member of netgroups.
o_in_role (str) – Search for stage users with these member of roles.
o_not_in_role (str) – Search for stage users without these member of roles.
o_in_hbacrule (str) – Search for stage users with these member of HBAC rules.
o_not_in_hbacrule (str) – Search for stage users without these member of HBAC rules.
o_in_sudorule (str) – Search for stage users with these member of sudo rules.
o_not_in_sudorule (str) – Search for stage users without these member of sudo rules.

stageuser_mod(a_uid, o_givenname=None, o_sn=None, o_cn=None, o_displayname=None, o_initials=None, o_homedirectory=None, o_gecos=None, o_loginshell=None, o_krbprincipalname=None, o_krbprincipalexpiration=None, o_krbpasswordexpiration=None, o_mail=None, o_userpassword=None, o_random=False, o_uidnumber=None, o_gidnumber=None, o_street=None, o_l=None, o_st=None, o_postalcode=None, o_telephonenumber=None, o_mobile=None, o_pager=None, o_facsimiletelephonenumber=None, o_ou=None, o_title=None, o_manager=None, o_carlicense=None, o_ipasshpubkey=None, o_ipauserauthtype=None, o_userclass=None, o_ipatokenradiusconfiglink=None, o_ipatokenradiususername=None, o_departmentnumber=None, o_employeenumber=None, o_employeetype=None, o_preferredlanguage=None, o_usercertificate=None, o_ipantlogonscript=None, o_ipantprofilepath=None, o_ipanthomedirectory=None, o_ipanthomedirectoryrive=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None)¶

Modify a stage user.

Parameters:

a_uid (str) – User login
o_givenname (str) – First name
o_sn (str) – Last name
o_cn (str) – Full name
o_displayname (str) – Display name
o_initials (str) – Initials
o_homedirectory (str) – Home directory
o_gecos (str) – GECOS
o_loginshell (str) – Login shell
o_krbprincipalname (Principal) – Principal alias
o_krbprincipalexpiration (DateTime) – Kerberos principal expiration
o_krbpasswordexpiration (DateTime) – User password expiration
o_mail (str) – Email address
o_userpassword (Password) – Prompt to set the user password
o_random (bool) – Generate a random user password
o_uidnumber (int, min value 1, max value 2147483647) – User ID Number (system will assign one if not provided)
o_gidnumber (int, min value 1, max value 2147483647) – Group ID Number
o_street (str) – Street address
o_l (str) – City
o_st (str) – State/Province
o_postalcode (str) – ZIP
o_telephonenumber (str) – Telephone Number
o_mobile (str) – Mobile Telephone Number
o_pager (str) – Pager Number
o_facsimiletelephonenumber (str) – Fax Number
o_ou (str) – Org. Unit
o_title (str) – Job Title
o_manager (str) – Manager
o_carlicense (str) – Car License
o_ipasshpubkey (str) – SSH public key
o_ipauserauthtype (list of str, valid values ['password', 'radius', 'otp', 'pkinit', 'hardened']) – Types of supported user authentication
o_userclass (str) – User category (semantics placed on this attribute are for local interpretation)
o_ipatokenradiusconfiglink (str) – RADIUS proxy configuration
o_ipatokenradiususername (str) – RADIUS proxy username
o_departmentnumber (str) – Department Number
o_employeenumber (str) – Employee Number
o_employeetype (str) – Employee Type
o_preferredlanguage (str) – Preferred Language
o_usercertificate (Certificate) – Base-64 encoded user certificate
o_ipantlogonscript (str) – SMB logon script path
o_ipantprofilepath (str) – SMB profile path
o_ipanthomedirectory (str) – SMB Home Directory
o_ipanthomedirectoryrive (str, valid values ['A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:', 'I:', 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', 'R:', 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:']) – SMB Home Directory Drive
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_rename (str) – Rename the stage user object

stageuser_remove_cert(a_uid, o_usercertificate, o_all=True, o_raw=False, o_no_members=False)¶

Remove one or more certificates to the stageuser entry

Parameters:	a_uid (str) – User login o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_usercertificate (Certificate) – Base-64 encoded user certificate

stageuser_remove_certmapdata(a_uid, a_ipacertmapdata=None, o_issuer=None, o_subject=None, o_certificate=None, o_all=True, o_raw=False, o_no_members=False)¶

Remove one or more certificate mappings from the stage user entry.

Parameters:

a_uid (str) – User login
a_ipacertmapdata (str) – Certificate mapping data
o_issuer (DNParam) – Issuer of the certificate
o_subject (DNParam) – Subject of the certificate
o_certificate (Certificate) – Base-64 encoded user certificate
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

stageuser_remove_manager(a_uid, o_all=True, o_raw=False, o_no_members=False, o_user=None)¶

Remove a manager to the stage user entry

Parameters:	a_uid (str) – User login o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to remove

stageuser_remove_principal(a_uid, a_krbprincipalname, o_all=True, o_raw=False, o_no_members=False)¶

Remove principal alias from the stageuser entry

Parameters:	a_uid (str) – User login a_krbprincipalname (Principal) – Principal alias o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes.

stageuser_show(a_uid, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display information about a stage user.

Parameters:

a_uid (str) – User login
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

sudocmd_add(a_sudocmd, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False)¶

Create new Sudo Command.

Parameters:

a_sudocmd (str) – Sudo Command
o_description (str) – A description of this command
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

sudocmd_del(a_sudocmd, o_continue=False)¶

Delete Sudo Command.

Parameters:	a_sudocmd (str) – Sudo Command o_continue (bool) – Continuous mode: Don’t stop on errors.

sudocmd_find(a_criteria=None, o_sudocmd=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False)¶

Search for Sudo Commands.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_sudocmd (str) – Sudo Command
o_description (str) – A description of this command
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“command”)

sudocmd_mod(a_sudocmd, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Modify Sudo Command.

Parameters:

a_sudocmd (str) – Sudo Command
o_description (str) – A description of this command
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

sudocmd_show(a_sudocmd, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display Sudo Command.

Parameters:

a_sudocmd (str) – Sudo Command
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

sudocmdgroup_add(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False)¶

Create new Sudo Command Group.

Parameters:

a_cn (str) – Sudo Command Group
o_description (str) – Group description
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

sudocmdgroup_add_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_sudocmd=None)¶

Add members to Sudo Command Group.

Parameters:	a_cn (str) – Sudo Command Group o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_sudocmd (str) – sudo commands to add

sudocmdgroup_del(a_cn, o_continue=False)¶

Delete Sudo Command Group.

Parameters:	a_cn (str) – Sudo Command Group o_continue (bool) – Continuous mode: Don’t stop on errors.

sudocmdgroup_find(a_criteria=None, o_cn=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False)¶

Search for Sudo Command Groups.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Sudo Command Group
o_description (str) – Group description
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“sudocmdgroup-name”)

sudocmdgroup_mod(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Modify Sudo Command Group.

Parameters:

a_cn (str) – Sudo Command Group
o_description (str) – Group description
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

sudocmdgroup_remove_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_sudocmd=None)¶

Remove members from Sudo Command Group.

Parameters:	a_cn (str) – Sudo Command Group o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_sudocmd (str) – sudo commands to remove

sudocmdgroup_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display Sudo Command Group.

Parameters:

a_cn (str) – Sudo Command Group
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

sudorule_add(a_cn, o_description=None, o_ipaenabledflag=None, o_usercategory=None, o_hostcategory=None, o_cmdcategory=None, o_ipasudorunasusercategory=None, o_ipasudorunasgroupcategory=None, o_sudoorder=0, o_externaluser=None, o_externalhost=None, o_ipasudorunasextuser=None, o_ipasudorunasextgroup=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False)¶

Create new Sudo Rule.

Parameters:

a_cn (str) – Rule name
o_description (str) – Description
o_ipaenabledflag (Bool) – Enabled
o_usercategory (str, valid values ['all']) – User category the rule applies to
o_hostcategory (str, valid values ['all']) – Host category the rule applies to
o_cmdcategory (str, valid values ['all']) – Command category the rule applies to
o_ipasudorunasusercategory (str, valid values ['all']) – RunAs User category the rule applies to
o_ipasudorunasgroupcategory (str, valid values ['all']) – RunAs Group category the rule applies to
o_sudoorder (int, min value 0, max value 2147483647) – integer to order the Sudo rules
o_externaluser (str) – External User the rule applies to (sudorule- find only)
o_externalhost (str) – External host
o_ipasudorunasextuser (str) – External User the commands can run as (sudorule-find only)
o_ipasudorunasextgroup (str) – External Group the commands can run as (sudorule-find only)
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

sudorule_add_allow_command(a_cn, o_all=True, o_raw=False, o_no_members=False, o_sudocmd=None, o_sudocmdgroup=None)¶

Add commands and sudo command groups affected by Sudo Rule.

Parameters:

a_cn (str) – Rule name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_sudocmd (str) – sudo commands to add
o_sudocmdgroup (str) – sudo command groups to add

sudorule_add_deny_command(a_cn, o_all=True, o_raw=False, o_no_members=False, o_sudocmd=None, o_sudocmdgroup=None)¶

Add commands and sudo command groups affected by Sudo Rule.

Parameters:

a_cn (str) – Rule name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_sudocmd (str) – sudo commands to add
o_sudocmdgroup (str) – sudo command groups to add

sudorule_add_host(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None, o_hostmask=None)¶

Add hosts and hostgroups affected by Sudo Rule.

Parameters:

a_cn (str) – Rule name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_host (str) – hosts to add
o_hostgroup (str) – host groups to add
o_hostmask (str) – host masks of allowed hosts

sudorule_add_option(a_cn, o_ipasudoopt, o_all=True, o_raw=False, o_no_members=False)¶

Add an option to the Sudo Rule.

Parameters:	a_cn (str) – Rule name o_ipasudoopt (str) – Sudo Option o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes.

sudorule_add_runasgroup(a_cn, o_all=True, o_raw=False, o_no_members=False, o_group=None)¶

Add group for Sudo to execute as.

Parameters:	a_cn (str) – Rule name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_group (str) – groups to add

sudorule_add_runasuser(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None)¶

Add users and groups for Sudo to execute as.

Parameters:	a_cn (str) – Rule name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to add o_group (str) – groups to add

sudorule_add_user(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None)¶

Add users and groups affected by Sudo Rule.

Parameters:	a_cn (str) – Rule name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to add o_group (str) – groups to add

sudorule_del(a_cn, o_continue=False)¶

Delete Sudo Rule.

Parameters:	a_cn (str) – Rule name o_continue (bool) – Continuous mode: Don’t stop on errors.

sudorule_disable(a_cn)¶

Disable a Sudo Rule.

Parameters:	a_cn (str) – Rule name

sudorule_enable(a_cn)¶

Enable a Sudo Rule.

Parameters:	a_cn (str) – Rule name

sudorule_find(a_criteria=None, o_cn=None, o_description=None, o_ipaenabledflag=None, o_usercategory=None, o_hostcategory=None, o_cmdcategory=None, o_ipasudorunasusercategory=None, o_ipasudorunasgroupcategory=None, o_sudoorder=0, o_externaluser=None, o_externalhost=None, o_ipasudorunasextuser=None, o_ipasudorunasextgroup=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False)¶

Search for Sudo Rule.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Rule name
o_description (str) – Description
o_ipaenabledflag (Bool) – Enabled
o_usercategory (str, valid values ['all']) – User category the rule applies to
o_hostcategory (str, valid values ['all']) – Host category the rule applies to
o_cmdcategory (str, valid values ['all']) – Command category the rule applies to
o_ipasudorunasusercategory (str, valid values ['all']) – RunAs User category the rule applies to
o_ipasudorunasgroupcategory (str, valid values ['all']) – RunAs Group category the rule applies to
o_sudoorder (int, min value 0, max value 2147483647) – integer to order the Sudo rules
o_externaluser (str) – External User the rule applies to (sudorule- find only)
o_externalhost (str) – External host
o_ipasudorunasextuser (str) – External User the commands can run as (sudorule-find only)
o_ipasudorunasextgroup (str) – External Group the commands can run as (sudorule-find only)
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“sudorule-name”)

sudorule_mod(a_cn, o_description=None, o_ipaenabledflag=None, o_usercategory=None, o_hostcategory=None, o_cmdcategory=None, o_ipasudorunasusercategory=None, o_ipasudorunasgroupcategory=None, o_sudoorder=0, o_externaluser=None, o_externalhost=None, o_ipasudorunasextuser=None, o_ipasudorunasextgroup=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None)¶

Modify Sudo Rule.

Parameters:

a_cn (str) – Rule name
o_description (str) – Description
o_ipaenabledflag (Bool) – Enabled
o_usercategory (str, valid values ['all']) – User category the rule applies to
o_hostcategory (str, valid values ['all']) – Host category the rule applies to
o_cmdcategory (str, valid values ['all']) – Command category the rule applies to
o_ipasudorunasusercategory (str, valid values ['all']) – RunAs User category the rule applies to
o_ipasudorunasgroupcategory (str, valid values ['all']) – RunAs Group category the rule applies to
o_sudoorder (int, min value 0, max value 2147483647) – integer to order the Sudo rules
o_externaluser (str) – External User the rule applies to (sudorule- find only)
o_externalhost (str) – External host
o_ipasudorunasextuser (str) – External User the commands can run as (sudorule-find only)
o_ipasudorunasextgroup (str) – External Group the commands can run as (sudorule-find only)
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_rename (str) – Rename the sudo rule object

sudorule_remove_allow_command(a_cn, o_all=True, o_raw=False, o_no_members=False, o_sudocmd=None, o_sudocmdgroup=None)¶

Remove commands and sudo command groups affected by Sudo Rule.

Parameters:

a_cn (str) – Rule name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_sudocmd (str) – sudo commands to remove
o_sudocmdgroup (str) – sudo command groups to remove

sudorule_remove_deny_command(a_cn, o_all=True, o_raw=False, o_no_members=False, o_sudocmd=None, o_sudocmdgroup=None)¶

Remove commands and sudo command groups affected by Sudo Rule.

Parameters:

a_cn (str) – Rule name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_sudocmd (str) – sudo commands to remove
o_sudocmdgroup (str) – sudo command groups to remove

sudorule_remove_host(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None, o_hostmask=None)¶

Remove hosts and hostgroups affected by Sudo Rule.

Parameters:

a_cn (str) – Rule name
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_host (str) – hosts to remove
o_hostgroup (str) – host groups to remove
o_hostmask (str) – host masks of allowed hosts

sudorule_remove_option(a_cn, o_ipasudoopt, o_all=True, o_raw=False, o_no_members=False)¶

Remove an option from Sudo Rule.

Parameters:	a_cn (str) – Rule name o_ipasudoopt (str) – Sudo Option o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes.

sudorule_remove_runasgroup(a_cn, o_all=True, o_raw=False, o_no_members=False, o_group=None)¶

Remove group for Sudo to execute as.

Parameters:	a_cn (str) – Rule name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_group (str) – groups to remove

sudorule_remove_runasuser(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None)¶

Remove users and groups for Sudo to execute as.

Parameters:	a_cn (str) – Rule name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to remove o_group (str) – groups to remove

sudorule_remove_user(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None)¶

Remove users and groups affected by Sudo Rule.

Parameters:	a_cn (str) – Rule name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to remove o_group (str) – groups to remove

sudorule_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False)¶

Display Sudo Rule.

Parameters:

a_cn (str) – Rule name
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

topic_find(a_criteria=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for help topics.

Parameters:	a_criteria (str) – A string searched in all relevant object attributes o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

topic_show(a_full_name, o_all=True, o_raw=False)¶

Display information about a help topic.

Parameters:	a_full_name (str) – Full name o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

topologysegment_add(a_topologysuffixcn, a_cn, o_iparepltoposegmentleftnode, o_iparepltoposegmentrightnode, o_iparepltoposegmentdirection='both', o_nsds5replicastripattrs=None, o_nsds5replicatedattributelist=None, o_nsds5replicatedattributelisttotal=None, o_nsds5replicatimeout=None, o_nsds5replicaenabled=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False)¶

Add a new segment.

Parameters:

a_topologysuffixcn (str) – Suffix name
a_cn (str) – Arbitrary string identifying the segment
o_iparepltoposegmentleftnode (str) – Left replication node - an IPA server
o_iparepltoposegmentrightnode (str) – Right replication node - an IPA server
o_iparepltoposegmentdirection (str, valid values ['both', 'left-right', 'right-left']) – Direction of replication between left and right replication node
o_nsds5replicastripattrs (str) – A space separated list of attributes which are removed from replication updates.
o_nsds5replicatedattributelist (str) – Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof
o_nsds5replicatedattributelisttotal (str) – Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout
o_nsds5replicatimeout (int, min value 0, max value 2147483647) – Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing
o_nsds5replicaenabled (str, valid values ['on', 'off']) – Whether a replication agreement is active, meaning whether replication is occurring per that agreement
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

topologysegment_del(a_topologysuffixcn, a_cn, o_continue=False)¶

Delete a segment.

Parameters:	a_topologysuffixcn (str) – Suffix name a_cn (str) – Arbitrary string identifying the segment o_continue (bool) – Continuous mode: Don’t stop on errors.

topologysegment_find(a_topologysuffixcn, a_criteria=None, o_cn=None, o_iparepltoposegmentleftnode=None, o_iparepltoposegmentrightnode=None, o_iparepltoposegmentdirection='both', o_nsds5replicastripattrs=None, o_nsds5replicatedattributelist=None, o_nsds5replicatedattributelisttotal=None, o_nsds5replicatimeout=None, o_nsds5replicaenabled=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for topology segments.

Parameters:

a_topologysuffixcn (str) – Suffix name
a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Arbitrary string identifying the segment
o_iparepltoposegmentleftnode (str) – Left replication node - an IPA server
o_iparepltoposegmentrightnode (str) – Right replication node - an IPA server
o_iparepltoposegmentdirection (str, valid values ['both', 'left-right', 'right-left']) – Direction of replication between left and right replication node
o_nsds5replicastripattrs (str) – A space separated list of attributes which are removed from replication updates.
o_nsds5replicatedattributelist (str) – Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof
o_nsds5replicatedattributelisttotal (str) – Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout
o_nsds5replicatimeout (int, min value 0, max value 2147483647) – Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing
o_nsds5replicaenabled (str, valid values ['on', 'off']) – Whether a replication agreement is active, meaning whether replication is occurring per that agreement
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

topologysegment_mod(a_topologysuffixcn, a_cn, o_nsds5replicastripattrs=None, o_nsds5replicatedattributelist=None, o_nsds5replicatedattributelisttotal=None, o_nsds5replicatimeout=None, o_nsds5replicaenabled=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False)¶

Modify a segment.

Parameters:

a_topologysuffixcn (str) – Suffix name
a_cn (str) – Arbitrary string identifying the segment
o_nsds5replicastripattrs (str) – A space separated list of attributes which are removed from replication updates.
o_nsds5replicatedattributelist (str) – Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof
o_nsds5replicatedattributelisttotal (str) – Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout
o_nsds5replicatimeout (int, min value 0, max value 2147483647) – Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing
o_nsds5replicaenabled (str, valid values ['on', 'off']) – Whether a replication agreement is active, meaning whether replication is occurring per that agreement
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

topologysegment_reinitialize(a_topologysuffixcn, a_cn, o_left=False, o_right=False, o_stop=False)¶

Request a full re-initialization of the node retrieving data from the other node.

Parameters:	a_topologysuffixcn (str) – Suffix name a_cn (str) – Arbitrary string identifying the segment o_left (bool) – Initialize left node o_right (bool) – Initialize right node o_stop (bool) – Stop already started refresh of chosen node(s)

topologysegment_show(a_topologysuffixcn, a_cn, o_rights=False, o_all=True, o_raw=False)¶

Display a segment.

Parameters:

a_topologysuffixcn (str) – Suffix name
a_cn (str) – Arbitrary string identifying the segment
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

topologysuffix_add(a_cn, o_iparepltopoconfroot, o_setattr=None, o_addattr=None, o_all=True, o_raw=False)¶

Add a new topology suffix to be managed.

Parameters:

a_cn (str) – Suffix name
o_iparepltopoconfroot (DNParam) – Managed LDAP suffix DN
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

topologysuffix_del(a_cn, o_continue=False)¶

Delete a topology suffix.

Parameters:	a_cn (str) – Suffix name o_continue (bool) – Continuous mode: Don’t stop on errors.

topologysuffix_find(a_criteria=None, o_cn=None, o_iparepltopoconfroot=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for topology suffixes.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Suffix name
o_iparepltopoconfroot (DNParam) – Managed LDAP suffix DN
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

topologysuffix_mod(a_cn, o_iparepltopoconfroot=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False)¶

Modify a topology suffix.

Parameters:

a_cn (str) – Suffix name
o_iparepltopoconfroot (DNParam) – Managed LDAP suffix DN
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

topologysuffix_show(a_cn, o_rights=False, o_all=True, o_raw=False)¶

Show managed suffix.

Parameters:	a_cn (str) – Suffix name o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

topologysuffix_verify(a_cn)¶

Verify replication topology for suffix.

Checks done:

check if a topology is not disconnected. In other words if there are replication paths between all servers.
check if servers don’t have more than the recommended number of replication agreements

Parameters:	a_cn (str) – Suffix name

trust_add(a_cn, o_setattr=None, o_addattr=None, o_trust_type='ad', o_realm_admin=None, o_realm_passwd=None, o_realm_server=None, o_trust_secret=None, o_base_id=None, o_range_size=None, o_range_type=None, o_bidirectional=False, o_external=False, o_all=True, o_raw=False)¶

Add new trust to use.

This command establishes trust relationship to another domain which becomes ‘trusted’. As result, users of the trusted domain may access resources of this domain.

Only trusts to Active Directory domains are supported right now.

The command can be safely run multiple times against the same domain, this will cause change to trust relationship credentials on both sides.

Note that if the command was previously run with a specific range type, or with automatic detection of the range type, and you want to configure a different range type, you may need to delete first the ID range using ipa idrange-del before retrying the command with the desired range type.

Parameters:

a_cn (str) – Realm name
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_trust_type (str, valid values ['ad']) – Trust type (ad for Active Directory, default)
o_realm_admin (str) – Active Directory domain administrator
o_realm_passwd (Password) – Active Directory domain administrator’s password
o_realm_server (str) – Domain controller for the Active Directory domain (optional)
o_trust_secret (Password) – Shared secret for the trust
o_base_id (int, min value -2147483648, max value 2147483647) – First Posix ID of the range reserved for the trusted domain
o_range_size (int, min value -2147483648, max value 2147483647) – Size of the ID range reserved for the trusted domain
o_range_type (str, valid values ['ipa-ad-trust', 'ipa-ad-trust-posix']) – Type of trusted domain ID range, one of allowed values
o_bidirectional (Bool) – Establish bi-directional trust. By default trust is inbound one-way only.
o_external (Bool) – Establish external trust to a domain in another forest. The trust is not transitive beyond the domain.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

trust_del(a_cn, o_continue=False)¶

Delete a trust.

Parameters:	a_cn (str) – Realm name o_continue (bool) – Continuous mode: Don’t stop on errors.

trust_fetch_domains(a_cn, o_rights=False, o_realm_admin=None, o_realm_passwd=None, o_realm_server=None, o_all=True, o_raw=False)¶

Refresh list of the domains associated with the trust

Parameters:

a_cn (str) – Realm name
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_realm_admin (str) – Active Directory domain administrator
o_realm_passwd (Password) – Active Directory domain administrator’s password
o_realm_server (str) – Domain controller for the Active Directory domain (optional)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

trust_find(a_criteria=None, o_cn=None, o_ipantflatname=None, o_ipanttrusteddomainsid=None, o_ipantsidblacklistincoming=None, o_ipantsidblacklistoutgoing=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search for trusts.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Realm name
o_ipantflatname (str) – Domain NetBIOS name
o_ipanttrusteddomainsid (str) – Domain Security Identifier
o_ipantsidblacklistincoming (str) – SID blacklist incoming
o_ipantsidblacklistoutgoing (str) – SID blacklist outgoing
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“realm”)

trust_mod(a_cn, o_ipantsidblacklistincoming=None, o_ipantsidblacklistoutgoing=None, o_ipantadditionalsuffixes=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False)¶

Modify a trust (for future use).

Currently only the default option to modify the LDAP attributes is available. More specific options will be added in coming releases.

Parameters:

a_cn (str) – Realm name
o_ipantsidblacklistincoming (str) – SID blacklist incoming
o_ipantsidblacklistoutgoing (str) – SID blacklist outgoing
o_ipantadditionalsuffixes (str) – UPN suffixes
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

trust_resolve(o_sids, o_all=True, o_raw=False)¶

Resolve security identifiers of users and groups in trusted domains

Parameters:	o_sids (str) – Security Identifiers (SIDs) o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

trust_show(a_cn, o_rights=False, o_all=True, o_raw=False)¶

Display information about a trust.

Parameters:	a_cn (str) – Realm name o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details. o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

trustconfig_mod(o_ipantfallbackprimarygroup=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_trust_type='ad', o_all=True, o_raw=False)¶

Modify global trust configuration.

Parameters:

o_ipantfallbackprimarygroup (str) – Fallback primary group
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_trust_type (str, valid values ['ad']) – Trust type (ad for Active Directory, default)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

trustconfig_show(o_rights=False, o_trust_type='ad', o_all=True, o_raw=False)¶

Show global trust configuration.

Parameters:

o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_trust_type (str, valid values ['ad']) – Trust type (ad for Active Directory, default)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

trustdomain_add(a_trustcn, a_cn, o_ipantflatname=None, o_ipanttrusteddomainsid=None, o_setattr=None, o_addattr=None, o_trust_type='ad', o_all=True, o_raw=False)¶

Allow access from the trusted domain

Parameters:

a_trustcn (str) – Realm name
a_cn (str) – Domain name
o_ipantflatname (str) – Domain NetBIOS name
o_ipanttrusteddomainsid (str) – Domain Security Identifier
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_trust_type (str, valid values ['ad']) – Trust type (ad for Active Directory, default)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

trustdomain_del(a_trustcn, a_cn, o_continue=False)¶

Remove information about the domain associated with the trust.

Parameters:	a_trustcn (str) – Realm name a_cn (str) – Domain name o_continue (bool) – Continuous mode: Don’t stop on errors.

trustdomain_disable(a_trustcn, a_cn)¶

Disable use of IPA resources by the domain of the trust

Parameters:	a_trustcn (str) – Realm name a_cn (str) – Domain name

trustdomain_enable(a_trustcn, a_cn)¶

Allow use of IPA resources by the domain of the trust

Parameters:	a_trustcn (str) – Realm name a_cn (str) – Domain name

trustdomain_find(a_trustcn, a_criteria=None, o_cn=None, o_ipantflatname=None, o_ipanttrusteddomainsid=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False)¶

Search domains of the trust

Parameters:

a_trustcn (str) – Realm name
a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Domain name
o_ipantflatname (str) – Domain NetBIOS name
o_ipanttrusteddomainsid (str) – Domain Security Identifier
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_pkey_only (bool) – Results should contain primary key attribute only (“domain”)

trustdomain_mod(a_trustcn, a_cn, o_ipantflatname=None, o_ipanttrusteddomainsid=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_trust_type='ad', o_all=True, o_raw=False)¶

Modify trustdomain of the trust

Parameters:

a_trustcn (str) – Realm name
a_cn (str) – Domain name
o_ipantflatname (str) – Domain NetBIOS name
o_ipanttrusteddomainsid (str) – Domain Security Identifier
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_trust_type (str, valid values ['ad']) – Trust type (ad for Active Directory, default)
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

user_add(a_uid, o_givenname, o_sn, o_cn, o_displayname=None, o_initials=None, o_homedirectory=None, o_gecos=None, o_loginshell=None, o_krbprincipalname=None, o_krbprincipalexpiration=None, o_krbpasswordexpiration=None, o_mail=None, o_userpassword=None, o_random=False, o_uidnumber=None, o_gidnumber=None, o_street=None, o_l=None, o_st=None, o_postalcode=None, o_telephonenumber=None, o_mobile=None, o_pager=None, o_facsimiletelephonenumber=None, o_ou=None, o_title=None, o_manager=None, o_carlicense=None, o_ipasshpubkey=None, o_ipauserauthtype=None, o_userclass=None, o_ipatokenradiusconfiglink=None, o_ipatokenradiususername=None, o_departmentnumber=None, o_employeenumber=None, o_employeetype=None, o_preferredlanguage=None, o_usercertificate=None, o_nsaccountlock=False, o_setattr=None, o_addattr=None, o_noprivate=False, o_all=True, o_raw=False, o_no_members=False)¶

Add a new user.

Parameters:

a_uid (str) – User login
o_givenname (str) – First name
o_sn (str) – Last name
o_cn (str) – Full name
o_displayname (str) – Display name
o_initials (str) – Initials
o_homedirectory (str) – Home directory
o_gecos (str) – GECOS
o_loginshell (str) – Login shell
o_krbprincipalname (Principal) – Principal alias
o_krbprincipalexpiration (DateTime) – Kerberos principal expiration
o_krbpasswordexpiration (DateTime) – User password expiration
o_mail (str) – Email address
o_userpassword (Password) – Prompt to set the user password
o_random (bool) – Generate a random user password
o_uidnumber (int, min value 1, max value 2147483647) – User ID Number (system will assign one if not provided)
o_gidnumber (int, min value 1, max value 2147483647) – Group ID Number
o_street (str) – Street address
o_l (str) – City
o_st (str) – State/Province
o_postalcode (str) – ZIP
o_telephonenumber (str) – Telephone Number
o_mobile (str) – Mobile Telephone Number
o_pager (str) – Pager Number
o_facsimiletelephonenumber (str) – Fax Number
o_ou (str) – Org. Unit
o_title (str) – Job Title
o_manager (str) – Manager
o_carlicense (str) – Car License
o_ipasshpubkey (str) – SSH public key
o_ipauserauthtype (list of str, valid values ['password', 'radius', 'otp', 'pkinit', 'hardened']) – Types of supported user authentication
o_userclass (str) – User category (semantics placed on this attribute are for local interpretation)
o_ipatokenradiusconfiglink (str) – RADIUS proxy configuration
o_ipatokenradiususername (str) – RADIUS proxy username
o_departmentnumber (str) – Department Number
o_employeenumber (str) – Employee Number
o_employeetype (str) – Employee Type
o_preferredlanguage (str) – Preferred Language
o_usercertificate (Certificate) – Base-64 encoded user certificate
o_nsaccountlock (Bool) – Account disabled
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_noprivate (bool) – Don’t create user private group
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

user_add_cert(a_uid, o_usercertificate, o_all=True, o_raw=False, o_no_members=False)¶

Add one or more certificates to the user entry

Parameters:	a_uid (str) – User login o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_usercertificate (Certificate) – Base-64 encoded user certificate

user_add_certmapdata(a_uid, a_ipacertmapdata=None, o_issuer=None, o_subject=None, o_certificate=None, o_all=True, o_raw=False, o_no_members=False)¶

Add one or more certificate mappings to the user entry.

Parameters:

a_uid (str) – User login
a_ipacertmapdata (str) – Certificate mapping data
o_issuer (DNParam) – Issuer of the certificate
o_subject (DNParam) – Subject of the certificate
o_certificate (Certificate) – Base-64 encoded user certificate
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

user_add_manager(a_uid, o_all=True, o_raw=False, o_no_members=False, o_user=None)¶

Add a manager to the user entry

Parameters:	a_uid (str) – User login o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to add

user_add_principal(a_uid, a_krbprincipalname, o_all=True, o_raw=False, o_no_members=False)¶

Add new principal alias to the user entry

Parameters:	a_uid (str) – User login a_krbprincipalname (Principal) – Principal alias o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes.

user_del(a_uid, o_continue=False, o_preserve=None)¶

Delete a user.

Parameters:	a_uid (str) – User login o_continue (bool) – Continuous mode: Don’t stop on errors. o_preserve (Bool) – <preserve>

user_disable(a_uid)¶

Disable a user account.

Parameters:	a_uid (str) – User login

user_enable(a_uid)¶

Enable a user account.

Parameters:	a_uid (str) – User login

user_find(a_criteria=None, o_uid=None, o_givenname=None, o_sn=None, o_cn=None, o_displayname=None, o_initials=None, o_homedirectory=None, o_gecos=None, o_loginshell=None, o_krbprincipalname=None, o_krbprincipalexpiration=None, o_krbpasswordexpiration=None, o_mail=None, o_userpassword=None, o_uidnumber=None, o_gidnumber=None, o_street=None, o_l=None, o_st=None, o_postalcode=None, o_telephonenumber=None, o_mobile=None, o_pager=None, o_facsimiletelephonenumber=None, o_ou=None, o_title=None, o_manager=None, o_carlicense=None, o_ipauserauthtype=None, o_userclass=None, o_ipatokenradiusconfiglink=None, o_ipatokenradiususername=None, o_departmentnumber=None, o_employeenumber=None, o_employeetype=None, o_preferredlanguage=None, o_usercertificate=None, o_ipantlogonscript=None, o_ipantprofilepath=None, o_ipanthomedirectory=None, o_ipanthomedirectoryrive=None, o_nsaccountlock=False, o_preserved=False, o_timelimit=None, o_sizelimit=None, o_whoami=False, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, o_in_group=None, o_not_in_group=None, o_in_netgroup=None, o_not_in_netgroup=None, o_in_role=None, o_not_in_role=None, o_in_hbacrule=None, o_not_in_hbacrule=None, o_in_sudorule=None, o_not_in_sudorule=None)¶

Search for users.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_uid (str) – User login
o_givenname (str) – First name
o_sn (str) – Last name
o_cn (str) – Full name
o_displayname (str) – Display name
o_initials (str) – Initials
o_homedirectory (str) – Home directory
o_gecos (str) – GECOS
o_loginshell (str) – Login shell
o_krbprincipalname (Principal) – Principal alias
o_krbprincipalexpiration (DateTime) – Kerberos principal expiration
o_krbpasswordexpiration (DateTime) – User password expiration
o_mail (str) – Email address
o_userpassword (Password) – Prompt to set the user password
o_uidnumber (int, min value 1, max value 2147483647) – User ID Number (system will assign one if not provided)
o_gidnumber (int, min value 1, max value 2147483647) – Group ID Number
o_street (str) – Street address
o_l (str) – City
o_st (str) – State/Province
o_postalcode (str) – ZIP
o_telephonenumber (str) – Telephone Number
o_mobile (str) – Mobile Telephone Number
o_pager (str) – Pager Number
o_facsimiletelephonenumber (str) – Fax Number
o_ou (str) – Org. Unit
o_title (str) – Job Title
o_manager (str) – Manager
o_carlicense (str) – Car License
o_ipauserauthtype (list of str, valid values ['password', 'radius', 'otp', 'pkinit', 'hardened']) – Types of supported user authentication
o_userclass (str) – User category (semantics placed on this attribute are for local interpretation)
o_ipatokenradiusconfiglink (str) – RADIUS proxy configuration
o_ipatokenradiususername (str) – RADIUS proxy username
o_departmentnumber (str) – Department Number
o_employeenumber (str) – Employee Number
o_employeetype (str) – Employee Type
o_preferredlanguage (str) – Preferred Language
o_usercertificate (Certificate) – Base-64 encoded user certificate
o_ipantlogonscript (str) – SMB logon script path
o_ipantprofilepath (str) – SMB profile path
o_ipanthomedirectory (str) – SMB Home Directory
o_ipanthomedirectoryrive (str, valid values ['A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:', 'I:', 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', 'R:', 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:']) – SMB Home Directory Drive
o_nsaccountlock (Bool) – Account disabled
o_preserved (Bool) – Preserved user
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_whoami (bool) – Display user record for current Kerberos principal
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“login”)
o_in_group (str) – Search for users with these member of groups.
o_not_in_group (str) – Search for users without these member of groups.
o_in_netgroup (str) – Search for users with these member of netgroups.
o_not_in_netgroup (str) – Search for users without these member of netgroups.
o_in_role (str) – Search for users with these member of roles.
o_not_in_role (str) – Search for users without these member of roles.
o_in_hbacrule (str) – Search for users with these member of HBAC rules.
o_not_in_hbacrule (str) – Search for users without these member of HBAC rules.
o_in_sudorule (str) – Search for users with these member of sudo rules.
o_not_in_sudorule (str) – Search for users without these member of sudo rules.

user_mod(a_uid, o_givenname=None, o_sn=None, o_cn=None, o_displayname=None, o_initials=None, o_homedirectory=None, o_gecos=None, o_loginshell=None, o_krbprincipalname=None, o_krbprincipalexpiration=None, o_krbpasswordexpiration=None, o_mail=None, o_userpassword=None, o_random=False, o_uidnumber=None, o_gidnumber=None, o_street=None, o_l=None, o_st=None, o_postalcode=None, o_telephonenumber=None, o_mobile=None, o_pager=None, o_facsimiletelephonenumber=None, o_ou=None, o_title=None, o_manager=None, o_carlicense=None, o_ipasshpubkey=None, o_ipauserauthtype=None, o_userclass=None, o_ipatokenradiusconfiglink=None, o_ipatokenradiususername=None, o_departmentnumber=None, o_employeenumber=None, o_employeetype=None, o_preferredlanguage=None, o_usercertificate=None, o_ipantlogonscript=None, o_ipantprofilepath=None, o_ipanthomedirectory=None, o_ipanthomedirectoryrive=None, o_nsaccountlock=False, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None)¶

Modify a user.

Parameters:

a_uid (str) – User login
o_givenname (str) – First name
o_sn (str) – Last name
o_cn (str) – Full name
o_displayname (str) – Display name
o_initials (str) – Initials
o_homedirectory (str) – Home directory
o_gecos (str) – GECOS
o_loginshell (str) – Login shell
o_krbprincipalname (Principal) – Principal alias
o_krbprincipalexpiration (DateTime) – Kerberos principal expiration
o_krbpasswordexpiration (DateTime) – User password expiration
o_mail (str) – Email address
o_userpassword (Password) – Prompt to set the user password
o_random (bool) – Generate a random user password
o_uidnumber (int, min value 1, max value 2147483647) – User ID Number (system will assign one if not provided)
o_gidnumber (int, min value 1, max value 2147483647) – Group ID Number
o_street (str) – Street address
o_l (str) – City
o_st (str) – State/Province
o_postalcode (str) – ZIP
o_telephonenumber (str) – Telephone Number
o_mobile (str) – Mobile Telephone Number
o_pager (str) – Pager Number
o_facsimiletelephonenumber (str) – Fax Number
o_ou (str) – Org. Unit
o_title (str) – Job Title
o_manager (str) – Manager
o_carlicense (str) – Car License
o_ipasshpubkey (str) – SSH public key
o_ipauserauthtype (list of str, valid values ['password', 'radius', 'otp', 'pkinit', 'hardened']) – Types of supported user authentication
o_userclass (str) – User category (semantics placed on this attribute are for local interpretation)
o_ipatokenradiusconfiglink (str) – RADIUS proxy configuration
o_ipatokenradiususername (str) – RADIUS proxy username
o_departmentnumber (str) – Department Number
o_employeenumber (str) – Employee Number
o_employeetype (str) – Employee Type
o_preferredlanguage (str) – Preferred Language
o_usercertificate (Certificate) – Base-64 encoded user certificate
o_ipantlogonscript (str) – SMB logon script path
o_ipantprofilepath (str) – SMB profile path
o_ipanthomedirectory (str) – SMB Home Directory
o_ipanthomedirectoryrive (str, valid values ['A:', 'B:', 'C:', 'D:', 'E:', 'F:', 'G:', 'H:', 'I:', 'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', 'R:', 'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:']) – SMB Home Directory Drive
o_nsaccountlock (Bool) – Account disabled
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_rename (str) – Rename the user object

user_remove_cert(a_uid, o_usercertificate, o_all=True, o_raw=False, o_no_members=False)¶

Remove one or more certificates to the user entry

Parameters:	a_uid (str) – User login o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_usercertificate (Certificate) – Base-64 encoded user certificate

user_remove_certmapdata(a_uid, a_ipacertmapdata=None, o_issuer=None, o_subject=None, o_certificate=None, o_all=True, o_raw=False, o_no_members=False)¶

Remove one or more certificate mappings from the user entry.

Parameters:

a_uid (str) – User login
a_ipacertmapdata (str) – Certificate mapping data
o_issuer (DNParam) – Issuer of the certificate
o_subject (DNParam) – Subject of the certificate
o_certificate (Certificate) – Base-64 encoded user certificate
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

user_remove_manager(a_uid, o_all=True, o_raw=False, o_no_members=False, o_user=None)¶

Remove a manager to the user entry

Parameters:	a_uid (str) – User login o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes. o_user (str) – users to remove

user_remove_principal(a_uid, a_krbprincipalname, o_all=True, o_raw=False, o_no_members=False)¶

Remove principal alias from the user entry

Parameters:	a_uid (str) – User login a_krbprincipalname (Principal) – Principal alias o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format. o_no_members (bool) – Suppress processing of membership attributes.

user_show(a_uid, o_rights=False, o_out=None, o_all=True, o_raw=False, o_no_members=False)¶

Display information about a user.

Parameters:

a_uid (str) – User login
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_out (str) – file to store certificate in
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

user_stage(a_uid, o_continue=False)¶

Move deleted user into staged area

Parameters:	a_uid (str) – User login o_continue (bool) – Continuous mode: Don’t stop on errors.

user_status(a_useruid, o_all=True, o_raw=False)¶

Lockout status of a user account

An account may become locked if the password is entered incorrectly too many times within a specific time period as controlled by password policy. A locked account is a temporary condition and may be unlocked by an administrator.

This connects to each IPA master and displays the lockout status on each one.

To determine whether an account is locked on a given server you need to compare the number of failed logins and the time of the last failure. For an account to be locked it must exceed the maxfail failures within the failinterval duration as specified in the password policy associated with the user.

The failed login counter is modified only when a user attempts a log in so it is possible that an account may appear locked but the last failed login attempt is older than the lockouttime of the password policy. This means that the user may attempt a login again.

Parameters:	a_useruid (str) – User login o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

user_undel(a_uid)¶

Undelete a delete user account.

Parameters:	a_uid (str) – User login

user_unlock(a_uid)¶

Unlock a user account

An account may become locked if the password is entered incorrectly too many times within a specific time period as controlled by password policy. A locked account is a temporary condition and may be unlocked by an administrator.

Parameters:	a_uid (str) – User login

vault_add_internal(a_cn, o_description=None, o_ipavaulttype='symmetric', o_ipavaultsalt=None, o_ipavaultpublickey=None, o_setattr=None, o_addattr=None, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False)¶

Add a vault.

Parameters:

a_cn (str) – Vault name
o_description (str) – Vault description
o_ipavaulttype (str, valid values ['standard', 'symmetric', 'asymmetric']) – Vault type
o_ipavaultsalt (Bytes) – Vault salt
o_ipavaultpublickey (Bytes) – Vault public key
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_service (Principal) – Service name of the service vault
o_shared (bool) – Shared vault
o_username (str) – Username of the user vault
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

vault_add_member(a_cn, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_services=None)¶

Add members to a vault.

Parameters:

a_cn (str) – Vault name
o_service (Principal) – Service name of the service vault
o_shared (bool) – Shared vault
o_username (str) – Username of the user vault
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to add
o_group (str) – groups to add
o_services (str) – services to add

vault_add_owner(a_cn, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_services=None)¶

Add owners to a vault.

Parameters:

a_cn (str) – Vault name
o_service (Principal) – Service name of the service vault
o_shared (bool) – Shared vault
o_username (str) – Username of the user vault
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to add
o_group (str) – groups to add
o_services (str) – services to add

vault_archive_internal(a_cn, o_session_key, o_vault_data, o_nonce, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False)¶

Archive data into a vault.

Parameters:

a_cn (str) – Vault name
o_service (Principal) – Service name of the service vault
o_shared (bool) – Shared vault
o_username (str) – Username of the user vault
o_session_key (Bytes) – Session key wrapped with transport certificate
o_vault_data (Bytes) – Vault data encrypted with session key
o_nonce (Bytes) – Nonce
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

vault_del(a_cn, o_continue=False, o_service=None, o_shared=False, o_username=None)¶

Delete a vault.

Parameters:	a_cn (str) – Vault name o_continue (bool) – Continuous mode: Don’t stop on errors. o_service (Principal) – Service name of the service vault o_shared (bool) – Shared vault o_username (str) – Username of the user vault

vault_find(a_criteria=None, o_cn=None, o_description=None, o_ipavaulttype='symmetric', o_timelimit=None, o_sizelimit=None, o_service=None, o_shared=False, o_username=None, o_services=False, o_users=False, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False)¶

Search for vaults.

Parameters:

a_criteria (str) – A string searched in all relevant object attributes
o_cn (str) – Vault name
o_description (str) – Vault description
o_ipavaulttype (str, valid values ['standard', 'symmetric', 'asymmetric']) – Vault type
o_timelimit (int, min value 0, max value 2147483647) – Time limit of search in seconds (0 is unlimited)
o_sizelimit (int, min value 0, max value 2147483647) – Maximum number of entries returned (0 is unlimited)
o_service (Principal) – Service name of the service vault
o_shared (bool) – Shared vault
o_username (str) – Username of the user vault
o_services (bool) – List all service vaults
o_users (bool) – List all user vaults
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_pkey_only (bool) – Results should contain primary key attribute only (“name”)

vault_mod_internal(a_cn, o_description=None, o_ipavaulttype='symmetric', o_ipavaultsalt=None, o_ipavaultpublickey=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False)¶

Modify a vault.

Parameters:

a_cn (str) – Vault name
o_description (str) – Vault description
o_ipavaulttype (str, valid values ['standard', 'symmetric', 'asymmetric']) – Vault type
o_ipavaultsalt (Bytes) – Vault salt
o_ipavaultpublickey (Bytes) – Vault public key
o_setattr (str) – Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
o_addattr (str) – Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
o_delattr (str) – Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_service (Principal) – Service name of the service vault
o_shared (bool) – Shared vault
o_username (str) – Username of the user vault
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

vault_remove_member(a_cn, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_services=None)¶

Remove members from a vault.

Parameters:

a_cn (str) – Vault name
o_service (Principal) – Service name of the service vault
o_shared (bool) – Shared vault
o_username (str) – Username of the user vault
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to remove
o_group (str) – groups to remove
o_services (str) – services to remove

vault_remove_owner(a_cn, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_services=None)¶

Remove owners from a vault.

Parameters:

a_cn (str) – Vault name
o_service (Principal) – Service name of the service vault
o_shared (bool) – Shared vault
o_username (str) – Username of the user vault
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to remove
o_group (str) – groups to remove
o_services (str) – services to remove

vault_retrieve_internal(a_cn, o_session_key, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False)¶

Retrieve data from a vault.

Parameters:

a_cn (str) – Vault name
o_service (Principal) – Service name of the service vault
o_shared (bool) – Shared vault
o_username (str) – Username of the user vault
o_session_key (Bytes) – Session key wrapped with transport certificate
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.

vault_show(a_cn, o_rights=False, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False)¶

Display information about a vault.

Parameters:

a_cn (str) – Vault name
o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_service (Principal) – Service name of the service vault
o_shared (bool) – Shared vault
o_username (str) – Username of the user vault
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

vaultconfig_show(o_transport_out=None, o_all=True, o_raw=False)¶

Show vault configuration.

Parameters:	o_transport_out (str) – Output file to store the transport certificate o_all (bool) – Retrieve and print all attributes from the server. Affects command output. o_raw (bool) – Print entries as stored on the server. Only affects output format.

vaultcontainer_add_owner(o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_services=None)¶

Add owners to a vault container.

Parameters:

o_service (Principal) – Service name of the service vault
o_shared (bool) – Shared vault
o_username (str) – Username of the user vault
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to add
o_group (str) – groups to add
o_services (str) – services to add

vaultcontainer_del(o_continue=False, o_service=None, o_shared=False, o_username=None)¶

Delete a vault container.

Parameters:	o_continue (bool) – Continuous mode: Don’t stop on errors. o_service (Principal) – Service name of the service vault o_shared (bool) – Shared vault o_username (str) – Username of the user vault

vaultcontainer_remove_owner(o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_services=None)¶

Remove owners from a vault container.

Parameters:

o_service (Principal) – Service name of the service vault
o_shared (bool) – Shared vault
o_username (str) – Username of the user vault
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.
o_user (str) – users to remove
o_group (str) – groups to remove
o_services (str) – services to remove

vaultcontainer_show(o_rights=False, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False)¶

Display information about a vault container.

Parameters:

o_rights (bool) – Display the access rights of this entry (requires –all). See ipa man page for details.
o_service (Principal) – Service name of the service vault
o_shared (bool) – Shared vault
o_username (str) – Username of the user vault
o_all (bool) – Retrieve and print all attributes from the server. Affects command output.
o_raw (bool) – Print entries as stored on the server. Only affects output format.
o_no_members (bool) – Suppress processing of membership attributes.

version = '2.235'¶

whoami()¶: Describe currently authenticated identity.

Exceptions module¶

Exceptions module for FreeIPA client.

exception python_freeipa.exceptions.AlreadyActive(message=None, code=None)¶: Raised when an entry is made active that is already active.

exception python_freeipa.exceptions.AlreadyInactive(message=None, code=None)¶: Raised when an entry is made inactive that is already inactive.

exception python_freeipa.exceptions.BadRequest(message=None, code=None)¶: General purpose exception class.

exception python_freeipa.exceptions.Denied(message=None, code=None)¶: Raised on ACI authorization error.

exception python_freeipa.exceptions.DuplicateEntry(message=None, code=None)¶: Raised when an entry already exists.

exception python_freeipa.exceptions.FreeIPAError(message=None, code=None)¶: Base exception class for FreeIPA client.

exception python_freeipa.exceptions.InvalidSessionPassword(message=None, code=None)¶: Raised when IPA cannot obtain a TGT for a principal.

exception python_freeipa.exceptions.KrbPrincipalExpired(message=None, code=None)¶: Raised when Kerberos Principal is expired.

exception python_freeipa.exceptions.NotFound(message=None, code=None)¶: Raised when an entry is not found.

exception python_freeipa.exceptions.PWChangeInvalidPassword(message=None, code=None)¶: Raised when the current password is not correct while trying to change passwords.

exception python_freeipa.exceptions.PWChangePolicyError(message=None, code=None, policy_error=None)¶: Raised when changing a password but the new password doesn’t fit the password policy.

exception python_freeipa.exceptions.PasswordExpired(message=None, code=None)¶: Raised when logging in with an expired password.

exception python_freeipa.exceptions.Unauthorized(message=None, code=None)¶: Raised when invalid credentials are provided.

exception python_freeipa.exceptions.UnknownOption(message=None, code=None)¶: Raised when a command is called with unknown options.

exception python_freeipa.exceptions.UserLocked(message=None, code=None)¶: Raised when a user account is locked.

exception python_freeipa.exceptions.ValidationError(message=None, code=None)¶: Raised when a parameter value fails a validation rule.

python_freeipa.exceptions.parse_error(error)¶: Convert error object to FreeIPA exception class.

python_freeipa.exceptions.parse_group_management_error(data)¶: Convert group management error object to FreeIPA exception class.

python_freeipa.exceptions.parse_hostgroup_management_error(data)¶: Convert host group management error object to FreeIPA exception class.

Welcome to FreeIPA client’s documentation!¶

Installation¶

Example usage¶

Breaking changes in 1.0 release¶

Contributing¶

Recreation of MetaClient¶

Base client module¶

Autogenerated client module¶

Exceptions module¶

Python FreeIPA client

Navigation

Related Topics