Welcome to FreeIPA client's documentation!

Installation

pip install python-freeipa

Example usage

Client using username and password to connect to specific IPA server:

from python_freeipa import ClientMeta
client = ClientMeta('ipa.demo1.freeipa.org')
client.login('admin', 'Secret123')
user = client.user_add('test3', 'John', 'Doe', 'John Doe', o_preferredlanguage='EN')
print(user)

Client using DNS service discovery. By default, the client tries to find IPA servers using the FQDN of the host that is connecting to an IPA server. Alternatively, you can specify a domain manually.

For DNS service discovery, you need to have the srvlookup module installed.

from python_freeipa import ClientMeta
client = ClientMeta(dns_discovery=True)
client.login('admin', 'Secret123')
user = client.user_add('test3', 'John', 'Doe', 'John Doe', o_preferredlanguage='EN')
print(user)

Breaking changes in 1.0 release

Previously, the Python FreeIPA client covered only a small fraction of the FreeIPA API calls. By introducing a code generator, we now cover all FreeIPA API calls. By default the autogenerated client is used, and it has different API signatures. Therefore, if you want to preserve the old behaviour, use ClientLegacy instead of Client. For example:

from python_freeipa import ClientLegacy
client = ClientLegacy('ipa.demo1.freeipa.org', version='2.215')
client.login('admin', 'Secret123')

Contributing

  1. Install pre-commit:
     pip install pre-commit
     pre-commit install
  2. Install python-freeipa in development mode along with its dependencies:
     poetry install
  3. Run the test suite:
     poetry run pytest

Recreation of MetaClient

It is possible to manually recreate the "ClientMeta" class. This might be needed if the IPA/IdM server you are using does not match the one that was used to build the packaged version.

Here is what you need to do:

sudo apt-get install libkrb5-dev
# fetch code, create virtual environment, and install required packages
git clone git@github.com:opennode/python-freeipa.git
cd python-freeipa
poetry install
poetry shell
# recreate the ClientMeta class
contrib/py_ipa_api_recreate --source-url ipa.demo1.freeipa.org --source-url-user admin --source-url-pass Secret123
# move the file where it belongs
mv meta_api.py src/python_freeipa/client_meta.py
# build the python package
poetry build

This will give you a Python package, which you can install using "pip install".

Base client module

Lightweight FreeIPA JSON RPC client.

AuthenticatedSession

Bases: object

Context manager class that automatically logs out upon exit.

logged_in property

Returns True if and only if the login attempt succeeded.

login_exception property

Returns the exception that occurred during the login attempt, if any; otherwise None.

__enter__()

Tries to perform a login, if necessary, using the login arguments specified at construction.

This method does not throw, but will store any occurring exception in login_exception.

__exit__(exc_type, exc_val, exc_tb)

Logs out of the session, if necessary.

__init__(client, *login_arguments, **kwargs)

Constructs a new authenticated session with optional login arguments.

When the __enter__ method is invoked, if the parameter logged_in is False, the class will attempt to log in using the specified login_arguments (e.g. username and password) through Client.login. If no login arguments are specified, it will attempt a Kerberos login via Client.login_kerberos.

Parameters:

  client (Client, required): an instance of a FreeIPA client
  login_arguments (default: ()): arguments to use to log in upon enter, possibly empty
  logged_in (bool, required): True if the instance client is already logged in

logout()

Logs out of the current session, if any is active.
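The contract documented above, as an added example that is not python-freeipa's own code: a context manager written to the AuthenticatedSession semantics (enter never raises, the failure is kept in login_exception, exit logs out), exercised against a constructed stand-in for Client so it runs offline. FakeClient, Unauthorized and DemoAuthenticatedSession are stand-ins defined here, not the package's classes.

```python
from typing import Any, List, Optional, Tuple


class Unauthorized(Exception):
    """Stand-in for the package's Unauthorized exception."""


class FakeClient:
    """Constructed double exposing the three calls the session relies on:
    login, login_kerberos and logout. It records every call it receives."""

    def __init__(self, password: str = "Secret123", kerberos_ok: bool = False):
        self._password = password
        self._kerberos_ok = kerberos_ok
        self.logged_in = False
        self.calls: List[str] = []

    def login(self, username: str, password: str) -> None:
        self.calls.append("login")
        if password != self._password:
            raise Unauthorized("invalid credentials")
        self.logged_in = True

    def login_kerberos(self) -> None:
        self.calls.append("login_kerberos")
        if not self._kerberos_ok:
            raise Unauthorized("no TGT in the credential cache")
        self.logged_in = True

    def logout(self) -> None:
        self.calls.append("logout")
        self.logged_in = False


class DemoAuthenticatedSession:
    """Written to the documented contract: __enter__ does not throw but stores
    the exception; no login arguments means a Kerberos login; __exit__ logs
    out only if a session is active. Because a failed login is silent, the
    caller must check logged_in before issuing API calls."""

    def __init__(self, client: Any, *login_arguments: Any, logged_in: bool = False):
        self._client = client
        self._login_arguments = login_arguments
        self._logged_in = logged_in
        self._login_exception: Optional[Exception] = None

    @property
    def logged_in(self) -> bool:
        return self._logged_in

    @property
    def login_exception(self) -> Optional[Exception]:
        return self._login_exception

    def __enter__(self) -> "DemoAuthenticatedSession":
        if not self._logged_in:
            try:
                if self._login_arguments:
                    self._client.login(*self._login_arguments)
                else:
                    self._client.login_kerberos()
                self._logged_in = True
            except Exception as exc:  # stored, never propagated
                self._login_exception = exc
        return self

    def __exit__(self, exc_type, exc_val, exc_tb) -> bool:
        self.logout()
        return False  # exceptions raised inside the block still propagate

    def logout(self) -> None:
        if self._logged_in:
            self._client.logout()
            self._logged_in = False


def run_guarded(client: FakeClient, *login_arguments: Any) -> Tuple[bool, Optional[str], List[str]]:
    """Return (logged_in, name of the login exception or None, call trace).
    The logged_in check is the step a caller must not skip."""
    with DemoAuthenticatedSession(client, *login_arguments) as session:
        if not session.logged_in:
            return (False, type(session.login_exception).__name__, list(client.calls))
        # authenticated API calls would go here
    return (True, None, list(client.calls))
```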

Client

Bases: object

Lightweight FreeIPA JSON RPC client.

__init__(host=None, verify_ssl=True, version=None, dns_discovery=True)

Initialize client with connection options.

Parameters:

  host (str | None, default: None): hostname to connect to; set None for DNS service discovery
  verify_ssl (bool, default: True): verify SSL certificates for HTTPS requests
  version (str, default: None): default client version, may be overwritten in individual requests
  dns_discovery (str, default: True): if set to True, the current host's domain name is used for DNS discovery; if set to a string, that string is used instead. In both cases the client strips labels from the left of the name, one dot (.) at a time, until it finds an IdM server. Discovered IPA servers are tried in order (priority, weight) until one responds to the login request. If the host parameter is set it always wins, and no DNS discovery is performed.
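The server-selection logic that the dns_discovery description spells out, as an added example (not python-freeipa's code): label stripping, SRV ordering by priority then weight, and trying servers until one accepts the login. The lookup is injected and answered from a constructed SRV table, where the real client would ask the srvlookup module; querying the _ldap._tcp name, stopping before the bare TLD, and ordering weight descending deterministically are this example's assumptions.

```python
from typing import Callable, Dict, List, Optional, Tuple

# One SRV record as (priority, weight, port, target).
SrvRecord = Tuple[int, int, int, str]
Lookup = Callable[[str], List[SrvRecord]]

# Constructed answer table standing in for a DNS resolver. Only the IPA
# domain publishes records; the client's own FQDN and its sub-domain do not.
CONSTRUCTED_SRV: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.example.test": [
        (10, 50, 389, "ipa2.example.test"),
        (0, 100, 389, "ipa1.example.test"),
        (10, 80, 389, "ipa3.example.test"),
    ],
}


def constructed_lookup(name: str) -> List[SrvRecord]:
    return CONSTRUCTED_SRV.get(name, [])


def candidate_domains(fqdn: str) -> List[str]:
    """Names to query, stripping one label from the left each step:
    'ws1.corp.example.test' -> ws1.corp.example.test, corp.example.test,
    example.test. Stopping before the bare TLD is an assumption of this
    example; the page only says labels are stripped until a server is found."""
    labels = fqdn.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def order_servers(records: List[SrvRecord]) -> List[str]:
    """Lowest priority first, then highest weight first within a priority
    (a deterministic stand-in for RFC 2782's weighted random choice)."""
    ordered = sorted(records, key=lambda r: (r[0], -r[1]))
    return [target for _prio, _weight, _port, target in ordered]


def discover_servers(domain: str, lookup: Lookup = constructed_lookup) -> List[str]:
    """Query the IPA LDAP SRV name under each candidate domain; the first
    domain that answers decides the server list."""
    for candidate in candidate_domains(domain):
        records = lookup("_ldap._tcp." + candidate)
        if records:
            return order_servers(records)
    return []


def first_responding_server(domain: str, lookup: Lookup,
                            try_login: Callable[[str], bool]) -> Optional[str]:
    """Try the discovered servers in order and keep the first one that
    accepts the login attempt, as the dns_discovery description states."""
    for server in discover_servers(domain, lookup):
        if try_login(server):
            return server
    return None
```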

change_password(username, new_password, old_password, otp=None)

Set the password of a user. (Does not expire)

Parameters:

  username (str, required): User login (username)
  new_password (str, required): New password for the user
  old_password (str, required): User's old password
  otp (str | None, default: None): User's OTP token, if they have one

login(username, password)

Login to FreeIPA server using username and password.

Parameters:

  username (str, required): user to connect
  password (str, required): password of the user

Raises:

  Unauthorized: raised if credentials are invalid.

login_kerberos()

Login to FreeIPA server using existing Kerberos credentials.

In order to use this method, the package requests_gssapi (https://pypi.org/project/requests-gssapi/) must be installed. There must already be a Kerberos Ticket-Granting Ticket (TGT) cached in a Kerberos credential cache. Whether a TGT is available can be easily determined by running the klist command. If no TGT is available, then it first must be obtained by running the kinit command, or by pointing the $KRB5CCNAME environment variable to a credential cache with a valid TGT.

Raises:

  Unauthorized: raised if credentials are invalid.
  ImportError: raised if the requests_gssapi module is unavailable.

logout()

Logs out of the FreeIPA session.

Autogenerated client module

ClientMeta

Bases: Client

aci_add(a_aciname, o_permissions, o_aciprefix, o_permission=None, o_group=None, o_attrs=None, o_type=None, o_memberof=None, o_filter=None, o_subtree=None, o_targetgroup=None, o_selfaci=False, o_test=False, o_all=True, o_raw=False, **kwargs)

Create new ACI.

Parameters:

  a_aciname (required): ACI name
  o_permission (default: None): Permission ACI grants access to
  o_group (default: None): User group ACI grants access to
  o_permissions (required): Permissions to grant (read, write, add, delete, all)
  o_attrs (default: None): Attributes
  o_type (default: None): type of IPA object (user, group, host, hostgroup, service, netgroup)
  o_memberof (default: None): Member of a group
  o_filter (default: None): Legal LDAP filter (e.g. ou=Engineering)
  o_subtree (default: None): Subtree to apply ACI to
  o_targetgroup (default: None): Group to apply ACI to
  o_selfaci (default: False): Apply ACI to your own entry (self)
  o_aciprefix (required): Prefix used to distinguish ACI types (permission, delegation, selfservice, none)
  o_test (default: False): Test the ACI syntax but don't write anything
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

aci_del(a_aciname, o_aciprefix, **kwargs)

Delete ACI.

Parameters:

  a_aciname (required): ACI name
  o_aciprefix (required): Prefix used to distinguish ACI types (permission, delegation, selfservice, none)

aci_find(a_criteria=None, o_aciname=None, o_permission=None, o_group=None, o_permissions=None, o_attrs=None, o_type=None, o_memberof=None, o_filter=None, o_subtree=None, o_targetgroup=None, o_selfaci=None, o_aciprefix=None, o_pkey_only=False, o_all=True, o_raw=False, **kwargs)

Search for ACIs.

Returns a list of ACIs

EXAMPLES:

 To find all ACIs that apply directly to members of the group ipausers:
   ipa aci-find --memberof=ipausers

 To find all ACIs that grant add access:
   ipa aci-find --permissions=add

Note that the find command only looks for the given text in the set of
ACIs, it does not evaluate the ACIs to see if something would apply.
For example, searching on memberof=ipausers will find all ACIs that
have ipausers as a memberof. There may be other ACIs that apply to
members of that group indirectly.

Parameters:

  a_criteria (default: None): A string searched in all relevant object attributes
  o_aciname (default: None): ACI name
  o_permission (default: None): Permission ACI grants access to
  o_group (default: None): User group ACI grants access to
  o_permissions (default: None): Permissions to grant (read, write, add, delete, all)
  o_attrs (default: None): Attributes
  o_type (default: None): type of IPA object (user, group, host, hostgroup, service, netgroup)
  o_memberof (default: None): Member of a group
  o_filter (default: None): Legal LDAP filter (e.g. ou=Engineering)
  o_subtree (default: None): Subtree to apply ACI to
  o_targetgroup (default: None): Group to apply ACI to
  o_selfaci (default: None): Apply ACI to your own entry (self)
  o_aciprefix (default: None): Prefix used to distinguish ACI types (permission, delegation, selfservice, none)
  o_pkey_only (default: False): Results should contain primary key attribute only ("name")
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

aci_mod(a_aciname, o_aciprefix, o_permission=None, o_group=None, o_permissions=None, o_attrs=None, o_type=None, o_memberof=None, o_filter=None, o_subtree=None, o_targetgroup=None, o_selfaci=False, o_all=True, o_raw=False, **kwargs)

Modify ACI.

Parameters:

  a_aciname (required): ACI name
  o_permission (default: None): Permission ACI grants access to
  o_group (default: None): User group ACI grants access to
  o_permissions (default: None): Permissions to grant (read, write, add, delete, all)
  o_attrs (default: None): Attributes
  o_type (default: None): type of IPA object (user, group, host, hostgroup, service, netgroup)
  o_memberof (default: None): Member of a group
  o_filter (default: None): Legal LDAP filter (e.g. ou=Engineering)
  o_subtree (default: None): Subtree to apply ACI to
  o_targetgroup (default: None): Group to apply ACI to
  o_selfaci (default: False): Apply ACI to your own entry (self)
  o_aciprefix (required): Prefix used to distinguish ACI types (permission, delegation, selfservice, none)
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

aci_rename(a_aciname, o_aciprefix, o_newname, o_permission=None, o_group=None, o_permissions=None, o_attrs=None, o_type=None, o_memberof=None, o_filter=None, o_subtree=None, o_targetgroup=None, o_selfaci=False, o_all=True, o_raw=False, **kwargs)

Rename an ACI.

Parameters:

  a_aciname (required): ACI name
  o_permission (default: None): Permission ACI grants access to
  o_group (default: None): User group ACI grants access to
  o_permissions (default: None): Permissions to grant (read, write, add, delete, all)
  o_attrs (default: None): Attributes
  o_type (default: None): type of IPA object (user, group, host, hostgroup, service, netgroup)
  o_memberof (default: None): Member of a group
  o_filter (default: None): Legal LDAP filter (e.g. ou=Engineering)
  o_subtree (default: None): Subtree to apply ACI to
  o_targetgroup (default: None): Group to apply ACI to
  o_selfaci (default: False): Apply ACI to your own entry (self)
  o_aciprefix (required): Prefix used to distinguish ACI types (permission, delegation, selfservice, none)
  o_newname (required): New ACI name
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

aci_show(a_aciname, o_aciprefix, o_location=None, o_all=True, o_raw=False, **kwargs)

Display a single ACI given an ACI name.

Parameters:

  a_aciname (required): ACI name
  o_aciprefix (required): Prefix used to distinguish ACI types (permission, delegation, selfservice, none)
  o_location (default: None): Location of the ACI
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

adtrust_is_enabled(**kwargs)

Determine whether ipa-adtrust-install has been run on this system

automember_add(a_cn, o_type, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, **kwargs)

Add an automember rule.

Parameters:

  a_cn (required): Automember Rule
  o_description (default: None): A description of this auto member rule
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_type (required): Grouping to which the rule applies
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

automember_add_condition(a_cn, o_key, o_type, o_description=None, o_automemberinclusiveregex=None, o_automemberexclusiveregex=None, o_all=True, o_raw=False, **kwargs)

Add conditions to an automember rule.

Parameters:

  a_cn (required): Automember Rule
  o_description (default: None): A description of this auto member rule
  o_automemberinclusiveregex (default: None): Inclusive Regex
  o_automemberexclusiveregex (default: None): Exclusive Regex
  o_key (required): Attribute to filter via regex. For example fqdn for a host, or manager for a user
  o_type (required): Grouping to which the rule applies
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
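A local dry run of the rule semantics these condition parameters express, added here as an example (not python-freeipa code), so that a key plus inclusive/exclusive regexes can be checked against constructed entries before automember_rebuild changes real group membership. The matching semantics are an assumption this page does not state (they follow FreeIPA's documented behaviour): any exclusive match vetoes the rule, otherwise one inclusive match suffices, and entries matching no rule land in the default group.

```python
import re
from typing import Dict, Iterable, List, Optional


class AutomemberRule:
    """One rule over one attribute, as automember_add_condition builds it:
    o_key selects the attribute, o_automemberinclusiveregex and
    o_automemberexclusiveregex supply the patterns; group is the target."""

    def __init__(self, group: str, key: str,
                 inclusive: Iterable[str] = (), exclusive: Iterable[str] = ()):
        self.group = group
        self.key = key
        self.inclusive = [re.compile(p) for p in inclusive]
        self.exclusive = [re.compile(p) for p in exclusive]

    def matches(self, entry: Dict[str, List[str]]) -> bool:
        values = entry.get(self.key, [])
        # Assumed semantics: an exclusive hit vetoes the rule; otherwise at
        # least one inclusive pattern must match one value of the attribute.
        if any(rx.search(v) for rx in self.exclusive for v in values):
            return False
        return any(rx.search(v) for rx in self.inclusive for v in values)


def dry_run_rebuild(entries: Dict[str, Dict[str, List[str]]],
                    rules: List[AutomemberRule],
                    default_group: Optional[str] = None) -> Dict[str, List[str]]:
    """Local counterpart of automember_rebuild: map each target group to the
    entries that would land in it. Entries matching no rule go to
    default_group (the automember_default_group_set value), if one is given."""
    placement: Dict[str, List[str]] = {}
    for name, attrs in entries.items():
        groups = [r.group for r in rules if r.matches(attrs)]
        if not groups and default_group is not None:
            groups = [default_group]
        for group in groups:
            placement.setdefault(group, []).append(name)
    return placement


# Constructed host entries; fqdn is the key the page suggests for hosts.
CONSTRUCTED_HOSTS = {
    "web01.prod.example.test": {"fqdn": ["web01.prod.example.test"]},
    "web02.prod.example.test": {"fqdn": ["web02.prod.example.test"]},
    "web-canary.prod.example.test": {"fqdn": ["web-canary.prod.example.test"]},
    "db01.prod.example.test": {"fqdn": ["db01.prod.example.test"]},
    "lab01.dev.example.test": {"fqdn": ["lab01.dev.example.test"]},
}

# Constructed rules: the canary host matches the inclusive web pattern but is
# vetoed by the exclusive one, which is the case worth checking before a rebuild.
CONSTRUCTED_RULES = [
    AutomemberRule("webservers", "fqdn",
                   inclusive=[r"^web.*\.prod\.example\.test$"],
                   exclusive=[r"canary"]),
    AutomemberRule("dbservers", "fqdn", inclusive=[r"^db\d+\.prod\."]),
]
```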

automember_default_group_remove(o_type, o_all=True, o_raw=False, **kwargs)

Remove default (fallback) group for all unmatched entries.

Parameters:

  o_type (required): Grouping to which the rule applies
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

automember_default_group_set(o_automemberdefaultgroup, o_type, o_all=True, o_raw=False, **kwargs)

Set default (fallback) group for all unmatched entries.

Parameters:

  o_automemberdefaultgroup (required): Default (fallback) group for entries to land
  o_type (required): Grouping to which the rule applies
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

automember_default_group_show(o_type, o_all=True, o_raw=False, **kwargs)

Display information about the default (fallback) automember groups.

Parameters:

  o_type (required): Grouping to which the rule applies
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

automember_del(a_cn, o_type, **kwargs)

Delete an automember rule.

Parameters:

  a_cn (required): Automember Rule
  o_type (required): Grouping to which the rule applies

automember_find(o_type, a_criteria=None, o_description=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for automember rules.

Parameters:

  a_criteria (default: None): A string searched in all relevant object attributes
  o_description (default: None): A description of this auto member rule
  o_type (required): Grouping to which the rule applies
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_pkey_only (default: False): Results should contain primary key attribute only ("automember-rule")

automember_find_orphans(o_type, a_criteria=None, o_description=None, o_remove=False, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for orphan automember rules. The command might need to be run as a privileged user to get all orphan rules.

Parameters:

  a_criteria (default: None): A string searched in all relevant object attributes
  o_description (default: None): A description of this auto member rule
  o_type (required): Grouping to which the rule applies
  o_remove (default: False): Remove orphan automember rules
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_pkey_only (default: False): Results should contain primary key attribute only ("automember-rule")

automember_mod(a_cn, o_type, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify an automember rule.

Parameters:

  a_cn (required): Automember Rule
  o_description (default: None): A description of this auto member rule
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_delattr (default: None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_type (required): Grouping to which the rule applies
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

automember_rebuild(o_type=None, o_users=None, o_hosts=None, o_no_wait=False, o_all=True, o_raw=False, **kwargs)

Rebuild auto membership.

Parameters:

  o_type (default: None): Grouping to which the rule applies
  o_users (default: None): Rebuild membership for specified users
  o_hosts (default: None): Rebuild membership for specified hosts
  o_no_wait (default: False): Don't wait for rebuilding membership
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

automember_remove_condition(a_cn, o_key, o_type, o_description=None, o_automemberinclusiveregex=None, o_automemberexclusiveregex=None, o_all=True, o_raw=False, **kwargs)

Remove conditions from an automember rule.

Parameters:

  a_cn (required): Automember Rule
  o_description (default: None): A description of this auto member rule
  o_automemberinclusiveregex (default: None): Inclusive Regex
  o_automemberexclusiveregex (default: None): Exclusive Regex
  o_key (required): Attribute to filter via regex. For example fqdn for a host, or manager for a user
  o_type (required): Grouping to which the rule applies
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

automember_show(a_cn, o_type, o_all=True, o_raw=False, **kwargs)

Display information about an automember rule.

Parameters:

  a_cn (required): Automember Rule
  o_type (required): Grouping to which the rule applies
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

automountkey_add(a_automountlocationcn, a_automountmapautomountmapname, o_automountkey, o_automountinformation, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, **kwargs)

Create a new automount key.

Parameters:

  a_automountlocationcn (required): Automount location name.
  a_automountmapautomountmapname (required): Automount map name.
  o_automountkey (required): Automount key name.
  o_automountinformation (required): Mount information
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

automountkey_del(a_automountlocationcn, a_automountmapautomountmapname, o_automountkey, o_continue=False, o_automountinformation=None, **kwargs)

Delete an automount key.

Parameters:

  a_automountlocationcn (required): Automount location name.
  a_automountmapautomountmapname (required): Automount map name.
  o_continue (default: False): Continuous mode: Don't stop on errors.
  o_automountkey (required): Automount key name.
  o_automountinformation (default: None): Mount information

automountkey_find(a_automountlocationcn, a_automountmapautomountmapname, a_criteria=None, o_automountkey=None, o_automountinformation=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, **kwargs)

Search for an automount key.

Parameters:

  a_automountlocationcn (required): Automount location name.
  a_automountmapautomountmapname (required): Automount map name.
  a_criteria (default: None): A string searched in all relevant object attributes
  o_automountkey (default: None): Automount key name.
  o_automountinformation (default: None): Mount information
  o_timelimit (default: None): Time limit of search in seconds (0 is unlimited)
  o_sizelimit (default: None): Maximum number of entries returned (0 is unlimited)
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

automountkey_mod(a_automountlocationcn, a_automountmapautomountmapname, o_automountkey, o_automountinformation=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_newautomountinformation=None, o_all=True, o_raw=False, o_rename=None, **kwargs)

Modify an automount key.

Parameters:

  a_automountlocationcn (required): Automount location name.
  a_automountmapautomountmapname (required): Automount map name.
  o_automountkey (required): Automount key name.
  o_automountinformation (default: None): Mount information
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_delattr (default: None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_newautomountinformation (default: None): New mount information
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_rename (default: None): Rename the automount key object

automountkey_show(a_automountlocationcn, a_automountmapautomountmapname, o_automountkey, o_rights=False, o_automountinformation=None, o_all=True, o_raw=False, **kwargs)

Display an automount key.

Parameters:

  a_automountlocationcn (required): Automount location name.
  a_automountmapautomountmapname (required): Automount map name.
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_automountkey (required): Automount key name.
  o_automountinformation (default: None): Mount information
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

automountlocation_add(a_cn, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, **kwargs)

Create a new automount location.

Parameters:

  a_cn (required): Automount location name.
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

automountlocation_del(a_cn, o_continue=False, **kwargs)

Delete an automount location.

Parameters:

  a_cn (required): Automount location name.
  o_continue (default: False): Continuous mode: Don't stop on errors.

automountlocation_find(a_criteria=None, o_cn=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for an automount location.

Parameters:

  a_criteria (default: None): A string searched in all relevant object attributes
  o_cn (default: None): Automount location name.
  o_timelimit (default: None): Time limit of search in seconds (0 is unlimited)
  o_sizelimit (default: None): Maximum number of entries returned (0 is unlimited)
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_pkey_only (default: False): Results should contain primary key attribute only ("location")

automountlocation_show(a_cn, o_rights=False, o_all=True, o_raw=False, **kwargs)

Display an automount location.

Parameters:

  a_cn (required): Automount location name.
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

automountlocation_tofiles(a_cn, **kwargs)

Generate automount files for a specific location.

Parameters:

  a_cn (required): Automount location name.

automountmap_add(a_automountlocationcn, a_automountmapname, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, **kwargs)

Create a new automount map.

Parameters:

  a_automountlocationcn (required): Automount location name.
  a_automountmapname (required): Automount map name.
  o_description (default: None): Description
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

automountmap_add_indirect(a_automountlocationcn, a_automountmapname, o_key, o_description=None, o_setattr=None, o_addattr=None, o_parentmap='auto.master', o_all=True, o_raw=False, **kwargs)

Create a new indirect mount point.

Parameters:

  a_automountlocationcn (required): Automount location name.
  a_automountmapname (required): Automount map name.
  o_description (default: None): Description
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_key (required): Mount point
  o_parentmap (default: 'auto.master'): Name of parent automount map (default: auto.master).
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

automountmap_del(a_automountlocationcn, a_automountmapname, o_continue=False, **kwargs)

Delete an automount map.

Parameters:

  a_automountlocationcn (required): Automount location name.
  a_automountmapname (required): Automount map name.
  o_continue (default: False): Continuous mode: Don't stop on errors.

automountmap_find(a_automountlocationcn, a_criteria=None, o_automountmapname=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for an automount map.

Parameters:

  a_automountlocationcn (required): Automount location name.
  a_criteria (default: None): A string searched in all relevant object attributes
  o_automountmapname (default: None): Automount map name.
  o_description (default: None): Description
  o_timelimit (default: None): Time limit of search in seconds (0 is unlimited)
  o_sizelimit (default: None): Maximum number of entries returned (0 is unlimited)
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_pkey_only (default: False): Results should contain primary key attribute only ("map")

automountmap_mod(a_automountlocationcn, a_automountmapname, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify an automount map.

Parameters:

  a_automountlocationcn (required): Automount location name.
  a_automountmapname (required): Automount map name.
  o_description (default: None): Description
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_delattr (default: None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

automountmap_show(a_automountlocationcn, a_automountmapname, o_rights=False, o_all=True, o_raw=False, **kwargs)

Display an automount map.

Parameters:

  a_automountlocationcn (required): Automount location name.
  a_automountmapname (required): Automount map name.
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

batch(a_methods=None, **kwargs)

Make multiple ipa calls via one remote procedure call

Parameters:

  a_methods (default: None): Nested Methods to execute

ca_add(a_cn, o_ipacasubjectdn, o_description=None, o_setattr=None, o_addattr=None, o_chain=False, o_all=True, o_raw=False, **kwargs)

Create a CA.

Parameters:

  a_cn (required): Name for referencing the CA
  o_description (default: None): Description of the purpose of the CA
  o_ipacasubjectdn (required): Subject Distinguished Name
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_chain (default: False): Include certificate chain in output
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

ca_del(a_cn, o_continue=False, **kwargs)

Delete a CA (must be disabled first).

Parameters:

  a_cn (required): Name for referencing the CA
  o_continue (default: False): Continuous mode: Don't stop on errors.

ca_disable(a_cn, **kwargs)

Disable a CA.

Parameters:

  a_cn (required): Name for referencing the CA

ca_enable(a_cn, **kwargs)

Enable a CA.

Parameters:

  a_cn (required): Name for referencing the CA

ca_find(a_criteria=None, o_cn=None, o_description=None, o_ipacaid=None, o_ipacasubjectdn=None, o_ipacaissuerdn=None, o_ipacarandomserialnumberversion=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for CAs.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_cn

Name for referencing the CA

None
o_description

Description of the purpose of the CA

None
o_ipacaid

Dogtag Authority ID

None
o_ipacasubjectdn

Subject Distinguished Name

None
o_ipacaissuerdn

Issuer Distinguished Name

None
o_ipacarandomserialnumberversion

Random Serial Number Version

None
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_pkey_only

Results should contain primary key attribute only ("name")

False

ca_is_enabled(**kwargs)

Checks if any of the servers has the CA service enabled.

ca_mod(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_rename=None, **kwargs)

Modify CA configuration.

Parameters:

Name Type Description Default
a_cn

Name for referencing the CA

required
o_description

Description of the purpose of the CA

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires o_all=True, the default here; --all on the ipa CLI). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_rename

Rename the Certificate Authority object

None

ca_show(a_cn, o_rights=False, o_chain=False, o_all=True, o_raw=False, **kwargs)

Display the properties of a CA.

Parameters:

Name Type Description Default
a_cn

Name for referencing the CA

required
o_rights

Display the access rights of this entry (requires o_all=True, the default here; --all on the ipa CLI). See ipa man page for details.

False
o_chain

Include certificate chain in output

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

caacl_add(a_cn, o_description=None, o_ipaenabledflag=None, o_ipacacategory=None, o_ipacertprofilecategory=None, o_usercategory=None, o_hostcategory=None, o_servicecategory=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Create a new CA ACL.

Parameters:

Name Type Description Default
a_cn

ACL name

required
o_description

Description

None
o_ipaenabledflag

Enabled

None
o_ipacacategory

CA category the ACL applies to

None
o_ipacertprofilecategory

Profile category the ACL applies to

None
o_usercategory

User category the ACL applies to

None
o_hostcategory

Host category the ACL applies to

None
o_servicecategory

Service category the ACL applies to

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

caacl_add_ca(a_cn, o_all=True, o_raw=False, o_no_members=False, o_ca=None, **kwargs)

Add CAs to a CA ACL.

Parameters:

Name Type Description Default
a_cn

ACL name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_ca

Certificate Authorities to add

None

caacl_add_host(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None, **kwargs)

Add target hosts and hostgroups to a CA ACL.

Parameters:

Name Type Description Default
a_cn

ACL name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_host

hosts to add

None
o_hostgroup

host groups to add

None

caacl_add_profile(a_cn, o_all=True, o_raw=False, o_no_members=False, o_certprofile=None, **kwargs)

Add profiles to a CA ACL.

Parameters:

Name Type Description Default
a_cn

ACL name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_certprofile

Certificate Profiles to add

None

caacl_add_service(a_cn, o_all=True, o_raw=False, o_no_members=False, o_service=None, **kwargs)

Add services to a CA ACL.

Parameters:

Name Type Description Default
a_cn

ACL name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_service

services to add

None

caacl_add_user(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, **kwargs)

Add users and groups to a CA ACL.

Parameters:

Name Type Description Default
a_cn

ACL name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to add

None
o_group

groups to add

None

caacl_del(a_cn, o_continue=False, **kwargs)

Delete a CA ACL.

Parameters:

Name Type Description Default
a_cn

ACL name

required
o_continue

Continuous mode: Don't stop on errors.

False

caacl_disable(a_cn, **kwargs)

Disable a CA ACL.

Parameters:

Name Type Description Default
a_cn

ACL name

required

caacl_enable(a_cn, **kwargs)

Enable a CA ACL.

Parameters:

Name Type Description Default
a_cn

ACL name

required

caacl_find(a_criteria=None, o_cn=None, o_description=None, o_ipaenabledflag=None, o_ipacacategory=None, o_ipacertprofilecategory=None, o_usercategory=None, o_hostcategory=None, o_servicecategory=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, **kwargs)

Search for CA ACLs.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_cn

ACL name

None
o_description

Description

None
o_ipaenabledflag

Enabled

None
o_ipacacategory

CA category the ACL applies to

None
o_ipacertprofilecategory

Profile category the ACL applies to

None
o_usercategory

User category the ACL applies to

None
o_hostcategory

Host category the ACL applies to

None
o_servicecategory

Service category the ACL applies to

None
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

True
o_pkey_only

Results should contain primary key attribute only ("name")

False

caacl_mod(a_cn, o_description=None, o_ipaenabledflag=None, o_ipacacategory=None, o_ipacertprofilecategory=None, o_usercategory=None, o_hostcategory=None, o_servicecategory=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Modify a CA ACL.

Parameters:

Name Type Description Default
a_cn

ACL name

required
o_description

Description

None
o_ipaenabledflag

Enabled

None
o_ipacacategory

CA category the ACL applies to

None
o_ipacertprofilecategory

Profile category the ACL applies to

None
o_usercategory

User category the ACL applies to

None
o_hostcategory

Host category the ACL applies to

None
o_servicecategory

Service category the ACL applies to

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires o_all=True, the default here; --all on the ipa CLI). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

caacl_remove_ca(a_cn, o_all=True, o_raw=False, o_no_members=False, o_ca=None, **kwargs)

Remove CAs from a CA ACL.

Parameters:

Name Type Description Default
a_cn

ACL name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_ca

Certificate Authorities to remove

None

caacl_remove_host(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None, **kwargs)

Remove target hosts and hostgroups from a CA ACL.

Parameters:

Name Type Description Default
a_cn

ACL name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_host

hosts to remove

None
o_hostgroup

host groups to remove

None

caacl_remove_profile(a_cn, o_all=True, o_raw=False, o_no_members=False, o_certprofile=None, **kwargs)

Remove profiles from a CA ACL.

Parameters:

Name Type Description Default
a_cn

ACL name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_certprofile

Certificate Profiles to remove

None

caacl_remove_service(a_cn, o_all=True, o_raw=False, o_no_members=False, o_service=None, **kwargs)

Remove services from a CA ACL.

Parameters:

Name Type Description Default
a_cn

ACL name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_service

services to remove

None

caacl_remove_user(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, **kwargs)

Remove users and groups from a CA ACL.

Parameters:

Name Type Description Default
a_cn

ACL name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to remove

None
o_group

groups to remove

None

caacl_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display the properties of a CA ACL.

Parameters:

Name Type Description Default
a_cn

ACL name

required
o_rights

Display the access rights of this entry (requires o_all=True, the default here; --all on the ipa CLI). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
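The caacl_* calls above decide which principals may obtain which certificate profiles from which CA, so a CA ACL is the issuance policy of the PKI. The following added example (written for this page; not python-freeipa's own code) creates an ACL scoped to one CA, one profile and one host group without touching any of the *category options, and then audits the existing ACLs for the value "all" in a category attribute, which is the wildcard that grants issuance to every CA, profile, user, host or service. Assumptions: caacl_find returns {"count": N, "result": [entry, ...]} with multi-valued attributes as lists (for example {"cn": ["acl"], "hostcategory": ["all"]}), and a category set to "all" means "any". RecordingClient and its canned rows are constructed so the example runs offline; in real use pass the logged-in ClientMeta.

```python
"""Scoped CA ACL creation and wildcard audit (added example, not python-freeipa code)."""
from typing import Any, Dict, List

# A CA ACL with any of these attributes set to "all" matches every CA, profile,
# user, host or service respectively; that is the wildcard an audit should flag.
CATEGORY_ATTRS = (
    "ipacacategory", "ipacertprofilecategory", "usercategory", "hostcategory", "servicecategory",
)


def create_scoped_caacl(client: Any, name: str, ca: str, profile: str, hostgroup: str,
                        description: str = "") -> None:
    """Create an ACL that only lets members of ``hostgroup`` get ``profile`` certs from ``ca``.

    No category option is passed, so nothing is wildcarded; membership is
    added explicitly with the caacl_add_* calls documented on this page.
    """
    client.caacl_add(name, o_description=description or f"{profile} from {ca} for {hostgroup}")
    client.caacl_add_ca(name, o_ca=[ca])
    client.caacl_add_profile(name, o_certprofile=[profile])
    client.caacl_add_host(name, o_hostgroup=[hostgroup])


def _first(entry: Dict[str, Any], attr: str) -> str:
    """Normalise the list-valued attributes IPA returns to a single string (assumed shape)."""
    value = entry.get(attr)
    if isinstance(value, list):
        return str(value[0]) if value else ""
    return "" if value is None else str(value)


def find_wildcard_caacls(client: Any) -> List[Dict[str, Any]]:
    """Return enabled ACLs that use 'all' for any category (broad issuance rights)."""
    findings = []
    for entry in client.caacl_find(o_all=True)["result"]:
        enabled = _first(entry, "ipaenabledflag").lower() in ("true", "1")
        wild = [attr for attr in CATEGORY_ATTRS if _first(entry, attr).lower() == "all"]
        if enabled and wild:
            findings.append({"cn": _first(entry, "cn"), "wildcards": wild})
    return findings


class RecordingClient:
    """Constructed stand-in: records every call and serves canned caacl_find rows."""

    def __init__(self) -> None:
        self.calls: List[tuple] = []

    def __getattr__(self, method: str):
        def call(*args: Any, **kwargs: Any) -> Dict[str, Any]:
            self.calls.append((method, args, kwargs))
            if method == "caacl_find":
                return {"count": 3, "result": [
                    {"cn": ["hosts_services_caIPAserviceCert"], "ipaenabledflag": [True],
                     "hostcategory": ["all"], "servicecategory": ["all"]},
                    {"cn": ["web-servers-tls"], "ipaenabledflag": [True]},
                    {"cn": ["legacy-any"], "ipaenabledflag": [False], "usercategory": ["all"]},
                ]}
            return {"result": {"cn": [args[0]]}}
        return call


if __name__ == "__main__":
    client = RecordingClient()
    create_scoped_caacl(client, "web-servers-tls", "ipa", "caIPAserviceCert", "web-servers")
    for finding in find_wildcard_caacls(client):
        print(f"{finding['cn']}: wildcard on {', '.join(finding['wildcards'])}")
```

Run the audit before relying on a scoped ACL: a second, enabled ACL with a wildcard category still grants the broad access, because CA ACLs are additive.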

cert_find(a_criteria=None, o_certificate=None, o_issuer=None, o_revocation_reason=None, o_cacn=None, o_subject=None, o_min_serial_number=None, o_max_serial_number=None, o_exactly=False, o_validnotafter_from=None, o_validnotafter_to=None, o_validnotbefore_from=None, o_validnotbefore_to=None, o_issuedon_from=None, o_issuedon_to=None, o_revokedon_from=None, o_revokedon_to=None, o_status=None, o_pkey_only=False, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_user=None, o_no_user=None, o_host=None, o_no_host=None, o_service=None, o_no_service=None, **kwargs)

Search for existing certificates.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_certificate

Base-64 encoded certificate.

None
o_issuer

Issuer DN

None
o_revocation_reason

Reason for revoking the certificate (0-10). Type "ipa help cert" for revocation reason details.

None
o_cacn

Name of issuing CA

None
o_subject

Match cn attribute in subject

None
o_min_serial_number

minimum serial number

None
o_max_serial_number

maximum serial number

None
o_exactly

match the common name exactly

False
o_validnotafter_from

Valid not after from this date (YYYY-mm-dd)

None
o_validnotafter_to

Valid not after to this date (YYYY-mm-dd)

None
o_validnotbefore_from

Valid not before from this date (YYYY-mm-dd)

None
o_validnotbefore_to

Valid not before to this date (YYYY-mm-dd)

None
o_issuedon_from

Issued on from this date (YYYY-mm-dd)

None
o_issuedon_to

Issued on to this date (YYYY-mm-dd)

None
o_revokedon_from

Revoked on from this date (YYYY-mm-dd)

None
o_revokedon_to

Revoked on to this date (YYYY-mm-dd)

None
o_status

Status of the certificate

None
o_pkey_only

Results should contain primary key attribute only ("certificate")

False
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

True
o_user

Search for certificates with these owner users.

None
o_no_user

Search for certificates without these owner users.

None
o_host

Search for certificates with these owner hosts.

None
o_no_host

Search for certificates without these owner hosts.

None
o_service

Search for certificates with these owner services.

None
o_no_service

Search for certificates without these owner services.

None

cert_remove_hold(a_serial_number, o_cacn='ipa', **kwargs)

Take a revoked certificate off hold.

Parameters:

Name Type Description Default
a_serial_number

Serial number in decimal or, if prefixed with 0x, in hexadecimal

required
o_cacn

Name of issuing CA

'ipa'

cert_request(a_csr, o_principal, o_request_type='pkcs10', o_profile_id=None, o_cacn='ipa', o_add=False, o_chain=False, o_all=True, o_raw=False, **kwargs)

Submit a certificate signing request.

Parameters:

Name Type Description Default
a_csr

CSR

required
o_request_type

'pkcs10'
o_profile_id

Certificate Profile to use

None
o_cacn

Name of issuing CA

'ipa'
o_principal

Principal for this certificate (e.g. HTTP/test.example.com)

required
o_add

automatically add the principal if it doesn't exist (service principals only)

False
o_chain

Include certificate chain in output

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

cert_revoke(a_serial_number, o_revocation_reason=0, o_cacn='ipa', **kwargs)

Revoke a certificate.

Parameters:

Name Type Description Default
a_serial_number

Serial number in decimal or, if prefixed with 0x, in hexadecimal

required
o_revocation_reason

Reason for revoking the certificate (0-10). Type "ipa help cert" for revocation reason details.

0
o_cacn

Name of issuing CA

'ipa'

cert_show(a_serial_number, o_cacn='ipa', o_out=None, o_chain=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Retrieve an existing certificate.

Parameters:

Name Type Description Default
a_serial_number

Serial number in decimal or, if prefixed with 0x, in hexadecimal

required
o_cacn

Name of issuing CA

'ipa'
o_out

File to store the certificate in.

None
o_chain

Include certificate chain in output

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

cert_status(a_request_id, o_cacn='ipa', o_all=True, o_raw=False, **kwargs)

Check the status of a certificate signing request.

Parameters:

Name Type Description Default
a_request_id

Request id

required
o_cacn

Name of issuing CA

'ipa'
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
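The cert_find, cert_revoke and cert_remove_hold calls above are the building blocks of a certificate lifecycle job: find what expires soon, revoke what must go, and reinstate only what was put on hold. The following added example (written for this page; not python-freeipa's own code) queries one CA for valid certificates whose notAfter falls inside a window, using the YYYY-mm-dd strings the date options take, and revokes by serial with a named reason so a typo cannot silently become reason 0. The reason codes are the RFC 5280 CRLReason values (code 7 is unused) that the 0-10 range of o_revocation_reason refers to. Assumptions: cert_find returns {"count": N, "result": [entry, ...]} with serial_number and valid_not_after per entry, and o_status accepts "VALID". StubCertClient and its two certificates are constructed so the example runs offline.

```python
"""Expiry search and revocation with named reasons (added example, not python-freeipa code)."""
from datetime import date, timedelta
from typing import Any, Dict, List, Optional

# RFC 5280 CRLReason codes accepted by cert_revoke's o_revocation_reason; 7 is unused.
REVOCATION_REASONS = {
    "unspecified": 0, "keyCompromise": 1, "cACompromise": 2, "affiliationChanged": 3,
    "superseded": 4, "cessationOfOperation": 5, "certificateHold": 6,
    "removeFromCRL": 8, "privilegeWithdrawn": 9, "aACompromise": 10,
}


def expiring_certs(client: Any, within_days: int, cacn: str = "ipa",
                   today: Optional[date] = None) -> List[Dict[str, Any]]:
    """Valid certs of one CA whose notAfter lies in [today, today + within_days].

    Pinning cacn and status keeps revoked or already expired certificates out
    of a renewal queue; sizelimit 0 lifts the default result cap (0 = unlimited).
    """
    today = today or date.today()
    horizon = today + timedelta(days=within_days)
    response = client.cert_find(
        o_cacn=cacn,
        o_status="VALID",                       # assumed status value
        o_validnotafter_from=today.isoformat(),  # YYYY-mm-dd
        o_validnotafter_to=horizon.isoformat(),
        o_sizelimit=0,
    )
    return response["result"]


def revoke(client: Any, serial: int, reason: str, cacn: str = "ipa") -> Dict[str, Any]:
    """Revoke by serial using a named reason; unknown names raise instead of defaulting to 0."""
    if reason not in REVOCATION_REASONS:
        raise ValueError(f"unknown revocation reason {reason!r}; use one of {sorted(REVOCATION_REASONS)}")
    return client.cert_revoke(serial, o_revocation_reason=REVOCATION_REASONS[reason], o_cacn=cacn)


def release_hold(client: Any, serial: int, cacn: str = "ipa") -> Dict[str, Any]:
    """Only a certificate revoked with reason 6 (certificateHold) can be taken off hold."""
    return client.cert_remove_hold(serial, o_cacn=cacn)


class StubCertClient:
    """Constructed stand-in: records calls and serves two canned certificates."""

    def __init__(self) -> None:
        self.calls: List[tuple] = []

    def cert_find(self, **options: Any) -> Dict[str, Any]:
        self.calls.append(("cert_find", options))
        return {"count": 2, "result": [
            {"serial_number": 101, "subject": "CN=web1.example.test", "valid_not_after": "2024-07-01 00:00:00"},
            {"serial_number": 102, "subject": "CN=web2.example.test", "valid_not_after": "2024-07-20 00:00:00"},
        ]}

    def cert_revoke(self, serial: int, **options: Any) -> Dict[str, Any]:
        self.calls.append(("cert_revoke", serial, options))
        return {"result": {"revoked": True}}

    def cert_remove_hold(self, serial: int, **options: Any) -> Dict[str, Any]:
        self.calls.append(("cert_remove_hold", serial, options))
        return {"result": {"unrevoked": True}}


if __name__ == "__main__":
    stub = StubCertClient()
    for cert in expiring_certs(stub, 30, today=date(2024, 6, 15)):
        print(cert["serial_number"], cert["subject"], cert["valid_not_after"])
    print(revoke(stub, 101, "keyCompromise"))
```

Revocation is irreversible for every reason except certificateHold, so a job that revokes should log the serial, CA name and reason it used; a hold (6) followed by cert_remove_hold is the only way to undo a mistake.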

certmap_match(a_certificate, o_all=True, o_raw=False, **kwargs)

Search for users matching the provided certificate.

This command relies on SSSD to retrieve the list of matching users and may return cached data. For more information on purging SSSD cache, please refer to sss_cache documentation.

Parameters:

Name Type Description Default
a_certificate

Base-64 encoded user certificate

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

certmapconfig_mod(o_ipacertmappromptusername=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify Certificate Identity Mapping configuration.

Parameters:

Name Type Description Default
o_ipacertmappromptusername

Prompt for the username when multiple identities are mapped to a certificate

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires o_all=True, the default here; --all on the ipa CLI). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

certmapconfig_show(o_rights=False, o_all=True, o_raw=False, **kwargs)

Show the current Certificate Identity Mapping configuration.

Parameters:

Name Type Description Default
o_rights

Display the access rights of this entry (requires o_all=True, the default here; --all on the ipa CLI). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

certmaprule_add(a_cn, o_description=None, o_ipacertmapmaprule=None, o_ipacertmapmatchrule=None, o_associateddomain=None, o_ipacertmappriority=None, o_ipaenabledflag=True, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, **kwargs)

Create a new Certificate Identity Mapping Rule.

Parameters:

Name Type Description Default
a_cn

Certificate Identity Mapping Rule name

required
o_description

Certificate Identity Mapping Rule description

None
o_ipacertmapmaprule

Rule used to map the certificate with a user entry

None
o_ipacertmapmatchrule

Rule used to check if a certificate can be used for authentication

None
o_associateddomain

Domain where the user entry will be searched

None
o_ipacertmappriority

Priority of the rule (higher number means lower priority)

None
o_ipaenabledflag

Enabled

True
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

certmaprule_del(a_cn, o_continue=False, **kwargs)

Delete a Certificate Identity Mapping Rule.

Parameters:

Name Type Description Default
a_cn

Certificate Identity Mapping Rule name

required
o_continue

Continuous mode: Don't stop on errors.

False

certmaprule_disable(a_cn, **kwargs)

Disable a Certificate Identity Mapping Rule.

Parameters:

Name Type Description Default
a_cn

Certificate Identity Mapping Rule name

required

certmaprule_enable(a_cn, **kwargs)

Enable a Certificate Identity Mapping Rule.

Parameters:

Name Type Description Default
a_cn

Certificate Identity Mapping Rule name

required

certmaprule_find(a_criteria=None, o_cn=None, o_description=None, o_ipacertmapmaprule=None, o_ipacertmapmatchrule=None, o_associateddomain=None, o_ipacertmappriority=None, o_ipaenabledflag=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for Certificate Identity Mapping Rules.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_cn

Certificate Identity Mapping Rule name

None
o_description

Certificate Identity Mapping Rule description

None
o_ipacertmapmaprule

Rule used to map the certificate with a user entry

None
o_ipacertmapmatchrule

Rule used to check if a certificate can be used for authentication

None
o_associateddomain

Domain where the user entry will be searched

None
o_ipacertmappriority

Priority of the rule (higher number means lower priority)

None
o_ipaenabledflag

Enabled

None
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_pkey_only

Results should contain primary key attribute only ("rulename")

False

certmaprule_mod(a_cn, o_description=None, o_ipacertmapmaprule=None, o_ipacertmapmatchrule=None, o_associateddomain=None, o_ipacertmappriority=None, o_ipaenabledflag=True, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify a Certificate Identity Mapping Rule.

Parameters:

Name Type Description Default
a_cn

Certificate Identity Mapping Rule name

required
o_description

Certificate Identity Mapping Rule description

None
o_ipacertmapmaprule

Rule used to map the certificate with a user entry

None
o_ipacertmapmatchrule

Rule used to check if a certificate can be used for authentication

None
o_associateddomain

Domain where the user entry will be searched

None
o_ipacertmappriority

Priority of the rule (higher number means lower priority)

None
o_ipaenabledflag

Enabled

True
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires o_all=True, the default here; --all on the ipa CLI). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

certmaprule_show(a_cn, o_rights=False, o_all=True, o_raw=False, **kwargs)

Display information about a Certificate Identity Mapping Rule.

Parameters:

Name Type Description Default
a_cn

Certificate Identity Mapping Rule name

required
o_rights

Display the access rights of this entry (requires o_all=True, the default here; --all on the ipa CLI). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
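A certificate identity mapping rule has two parts, as the parameter descriptions above say: the match rule decides whether a certificate may be used for authentication at all, and the map rule decides which user entry it maps to. The security-relevant detail is the match rule: if it does not pin the issuer, any certificate with a suitable subject from any CA the clients trust can map to an account. The following added example (written for this page; not python-freeipa's own code) builds the keyword arguments for certmaprule_add with an anchored issuer pin and audits existing rules that lack one. It relies on the SSSD certmap syntax that IPA stores in these rules, which the page does not describe and is therefore an assumption here: the match rule <ISSUER>regexp is a POSIX extended regular expression matched against the issuer DN (so an unanchored string is a substring match, and an unescaped "." matches any character), and {cert!bin}, {issuer_dn!nss_x500} and {subject_dn!nss_x500} are template fields available to map rules. The sample rules in the test are constructed.

```python
"""Issuer-pinned certmaprule parameters and an audit for unpinned rules
(added example, not python-freeipa code)."""
from typing import Any, Dict, List, Optional

# Two common map rules (SSSD certmap template syntax, assumed): match the
# stored certificate byte for byte, or map by issuer + subject DN.
MAP_BY_CERT = "(userCertificate;binary={cert!bin})"
MAP_BY_ISSUER_SUBJECT = "(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})"

_ERE_SPECIAL = set(".^$*+?()[]{}|\\")


def ere_literal(text: str) -> str:
    """Escape a DN so every character matches itself in a POSIX extended regex."""
    return "".join("\\" + ch if ch in _ERE_SPECIAL else ch for ch in text)


def issuer_match_rule(issuer_dn: str) -> str:
    """Anchored issuer pin: only certificates from exactly this CA pass the match rule."""
    return f"<ISSUER>^{ere_literal(issuer_dn)}$"


def certmaprule_params(name: str, issuer_dn: str, map_rule: str = MAP_BY_ISSUER_SUBJECT,
                       priority: int = 10, domain: Optional[str] = None,
                       description: Optional[str] = None) -> Dict[str, Any]:
    """Keyword arguments for client.certmaprule_add(**params)."""
    params: Dict[str, Any] = {
        "a_cn": name,
        "o_ipacertmapmatchrule": issuer_match_rule(issuer_dn),
        "o_ipacertmapmaprule": map_rule,
        "o_ipacertmappriority": priority,  # lower number = evaluated first
        "o_ipaenabledflag": True,
    }
    if domain:
        params["o_associateddomain"] = domain
    if description:
        params["o_description"] = description
    return params


def _single(entry: Dict[str, Any], attr: str, default: Any) -> Any:
    """Attributes come back as lists from certmaprule_find (assumed shape)."""
    value = entry.get(attr, default)
    if isinstance(value, list):
        return value[0] if value else default
    return value


def unpinned_rules(rules: List[Dict[str, Any]]) -> List[str]:
    """Names of enabled rules whose match rule does not restrict the issuer."""
    names = []
    for rule in rules:
        if str(_single(rule, "ipaenabledflag", True)).lower() not in ("true", "1"):
            continue
        if "<ISSUER>" not in str(_single(rule, "ipacertmapmatchrule", "")):
            names.append(str(_single(rule, "cn", "?")))
    return names


if __name__ == "__main__":
    params = certmaprule_params("corp-ca-users", "CN=Certificate Authority,O=EXAMPLE.TEST",
                                priority=5, description="smart cards issued by the corporate CA")
    print(params)
    # with a live client: client.certmaprule_add(**params)
    # audit: unpinned_rules(client.certmaprule_find(o_all=True)["result"])
```

Escaping matters because the issuer DN almost always contains a dot: without it, CN=Certificate Authority,O=EXAMPLE.TEST would also accept an issuer named EXAMPLE-TEST or EXAMPLEXTEST, and without the anchors it would accept any issuer DN that merely contains that string.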

certprofile_del(a_cn, o_continue=False, **kwargs)

Delete a Certificate Profile.

Parameters:

Name Type Description Default
a_cn

Profile ID for referring to this profile

required
o_continue

Continuous mode: Don't stop on errors.

False

certprofile_find(a_criteria=None, o_cn=None, o_description=None, o_ipacertprofilestoreissued=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for Certificate Profiles.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_cn

Profile ID for referring to this profile

None
o_description

Brief description of this profile

None
o_ipacertprofilestoreissued

Whether to store certs issued using this profile

None
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_pkey_only

Results should contain primary key attribute only ("id")

False

certprofile_import(a_cn, o_description, o_file, o_ipacertprofilestoreissued=True, o_all=True, o_raw=False, **kwargs)

Import a Certificate Profile.

Parameters:

Name Type Description Default
a_cn

Profile ID for referring to this profile

required
o_description

Brief description of this profile

required
o_ipacertprofilestoreissued

Whether to store certs issued using this profile

True
o_file

Filename of a raw profile. The XML format is not supported.

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

certprofile_mod(a_cn, o_description=None, o_ipacertprofilestoreissued=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_file=None, o_all=True, o_raw=False, **kwargs)

Modify Certificate Profile configuration.

Parameters:

Name Type Description Default
a_cn

Profile ID for referring to this profile

required
o_description

Brief description of this profile

None
o_ipacertprofilestoreissued

Whether to store certs issued using this profile

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires o_all=True, the default here; --all on the ipa CLI). See ipa man page for details.

False
o_file

File containing profile configuration

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

certprofile_show(a_cn, o_rights=False, o_out=None, o_all=True, o_raw=False, **kwargs)

Display the properties of a Certificate Profile.

Parameters:

Name Type Description Default
a_cn

Profile ID for referring to this profile

required
o_rights

Display the access rights of this entry (requires o_all=True, the default here; --all on the ipa CLI). See ipa man page for details.

False
o_out

Write profile configuration to file

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

class_find(a_criteria=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for classes.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_pkey_only

Results should contain primary key attribute only ("name")

False

class_show(a_full_name, o_all=True, o_raw=False, **kwargs)

Display information about a class.

Parameters:

Name Type Description Default
a_full_name

Full name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

command_defaults(a_full_name, o_params=None, o_kw=None, **kwargs)

Return command defaults

Parameters:

Name Type Description Default
a_full_name

Full name

required
o_params

None
o_kw

None

command_find(a_criteria=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for commands.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_pkey_only

Results should contain primary key attribute only ("name")

False

command_show(a_full_name, o_all=True, o_raw=False, **kwargs)

Display information about a command.

Parameters:

Name Type Description Default
a_full_name

Full name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

compat_is_enabled(**kwargs)

Determine whether the Schema Compatibility plugin is configured to serve trusted-domain users and groups.

config_mod(o_ipamaxusernamelength=None, o_ipamaxhostnamelength=None, o_ipahomesrootdir=None, o_ipadefaultloginshell=None, o_ipadefaultprimarygroup=None, o_ipadefaultemaildomain=None, o_ipasearchtimelimit=None, o_ipasearchrecordslimit=None, o_ipausersearchfields=None, o_ipagroupsearchfields=None, o_ipamigrationenabled=None, o_ipagroupobjectclasses=None, o_ipauserobjectclasses=None, o_ipapwdexpadvnotify=None, o_ipaconfigstring=None, o_ipaselinuxusermaporder=None, o_ipaselinuxusermapdefault=None, o_ipakrbauthzdata=None, o_ipauserauthtype=None, o_ipauserdefaultsubordinateid=None, o_ca_renewal_master_server=None, o_ipadomainresolutionorder=None, o_enable_sid=False, o_add_sids=False, o_netbios_name=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify configuration options.

Parameters:

- o_ipamaxusernamelength (default: None): Maximum username length
- o_ipamaxhostnamelength (default: None): Maximum hostname length
- o_ipahomesrootdir (default: None): Default location of home directories
- o_ipadefaultloginshell (default: None): Default shell for new users
- o_ipadefaultprimarygroup (default: None): Default group for new users
- o_ipadefaultemaildomain (default: None): Default e-mail domain
- o_ipasearchtimelimit (default: None): Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)
- o_ipasearchrecordslimit (default: None): Maximum number of records to search (-1 or 0 is unlimited)
- o_ipausersearchfields (default: None): A comma-separated list of fields to search in when searching for users
- o_ipagroupsearchfields (default: None): A comma-separated list of fields to search in when searching for groups
- o_ipamigrationenabled (default: None): Enable migration mode
- o_ipagroupobjectclasses (default: None): Default group objectclasses (comma-separated list)
- o_ipauserobjectclasses (default: None): Default user objectclasses (comma-separated list)
- o_ipapwdexpadvnotify (default: None): Number of days' notice of impending password expiration
- o_ipaconfigstring (default: None): Extra hashes to generate in password plug-in
- o_ipaselinuxusermaporder (default: None): Order in increasing priority of SELinux users, delimited by $
- o_ipaselinuxusermapdefault (default: None): Default SELinux user when no match is found in SELinux map rule
- o_ipakrbauthzdata (default: None): Default types of PAC supported for services
- o_ipauserauthtype (default: None): Default types of supported user authentication
- o_ipauserdefaultsubordinateid (default: None): Enable adding subids to new users
- o_ca_renewal_master_server (default: None): Renewal master for IPA certificate authority
- o_ipadomainresolutionorder (default: None): Colon-separated list of domains used for short name qualification
- o_enable_sid (default: False): New users and groups automatically get a SID assigned
- o_add_sids (default: False): Add SIDs for existing users and groups
- o_netbios_name (default: None): NetBIOS name of the IPA domain
- o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
- o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
- o_delattr (default: None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
- o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.

config_show(o_rights=False, o_all=True, o_raw=False, **kwargs)

Show the current configuration.

Parameters:

- o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.

cosentry_add(a_cn, o_krbpwdpolicyreference, o_cospriority, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, **kwargs)

Add Class of Service entry

Parameters:

- a_cn (required)
- o_krbpwdpolicyreference (required)
- o_cospriority (required)
- o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
- o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.

cosentry_del(a_cn, o_continue=False, **kwargs)

Delete Class of Service entry

Parameters:

- a_cn (required)
- o_continue (default: False): Continuous mode: Don't stop on errors.

cosentry_find(a_criteria=None, o_cn=None, o_krbpwdpolicyreference=None, o_cospriority=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for Class of Service entry

Parameters:

- a_criteria (default: None): A string searched in all relevant object attributes
- o_cn (default: None)
- o_krbpwdpolicyreference (default: None)
- o_cospriority (default: None)
- o_timelimit (default: None): Time limit of search in seconds (0 is unlimited)
- o_sizelimit (default: None): Maximum number of entries returned (0 is unlimited)
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.
- o_pkey_only (default: False): Results should contain primary key attribute only ("cn")

cosentry_mod(a_cn, o_krbpwdpolicyreference=None, o_cospriority=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify Class of Service entry

Parameters:

- a_cn (required)
- o_krbpwdpolicyreference (default: None)
- o_cospriority (default: None)
- o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
- o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
- o_delattr (default: None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
- o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.

cosentry_show(a_cn, o_rights=False, o_all=True, o_raw=False, **kwargs)

Display Class of Service entry

Parameters:

- a_cn (required)
- o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.

delegation_add(a_aciname, o_attrs, o_memberof, o_group, o_permissions=None, o_all=True, o_raw=False, **kwargs)

Add a new delegation.

Parameters:

- a_aciname (required): Delegation name
- o_permissions (default: None): Permissions to grant (read, write). Default is write.
- o_attrs (required): Attributes to which the delegation applies
- o_memberof (required): User group to apply delegation to
- o_group (required): User group ACI grants access to
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.

delegation_del(a_aciname, **kwargs)

Delete a delegation.

Parameters:

- a_aciname (required): Delegation name

delegation_find(a_criteria=None, o_aciname=None, o_permissions=None, o_attrs=None, o_memberof=None, o_group=None, o_pkey_only=False, o_all=True, o_raw=False, **kwargs)

Search for delegations.

Parameters:

- a_criteria (default: None): A string searched in all relevant object attributes
- o_aciname (default: None): Delegation name
- o_permissions (default: None): Permissions to grant (read, write). Default is write.
- o_attrs (default: None): Attributes to which the delegation applies
- o_memberof (default: None): User group to apply delegation to
- o_group (default: None): User group ACI grants access to
- o_pkey_only (default: False): Results should contain primary key attribute only ("name")
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.

delegation_mod(a_aciname, o_permissions=None, o_attrs=None, o_memberof=None, o_group=None, o_all=True, o_raw=False, **kwargs)

Modify a delegation.

Parameters:

- a_aciname (required): Delegation name
- o_permissions (default: None): Permissions to grant (read, write). Default is write.
- o_attrs (default: None): Attributes to which the delegation applies
- o_memberof (default: None): User group to apply delegation to
- o_group (default: None): User group ACI grants access to
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.

delegation_show(a_aciname, o_all=True, o_raw=False, **kwargs)

Display information about a delegation.

Parameters:

- a_aciname (required): Delegation name
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.
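
An added example (not code from python-freeipa or its documentation) that reviews the delegations returned by delegation_find() and flags any that grant write access to credential-bearing attributes. It assumes the FreeIPA JSON-RPC result envelope for *_find commands ('result' list, 'count', 'truncated') with list-valued attributes, and the SENSITIVE_ATTRS set is an assumed policy; FakeClient is a constructed stand-in for ClientMeta so the review runs offline.

```python
"""Review FreeIPA delegations for write access to credential-bearing attributes.

Added example, not code from python-freeipa. Assumes (as FreeIPA's JSON-RPC
does for *_find commands) that client.delegation_find() returns a dict with
'result' (list of entries), 'count' and 'truncated', and that each entry holds
its values as lists. FakeClient is a constructed stand-in for ClientMeta."""

# Attributes that let whoever can write them take over or unlock the account.
# Assumed policy list for this example; adapt it to your schema and needs.
SENSITIVE_ATTRS = frozenset({
    "userpassword", "krbprincipalkey", "krbpasswordexpiration",
    "ipasshpubkey", "usercertificate", "nsaccountlock",
})


def first(value):
    """FreeIPA returns multi-valued attributes as lists; take the first value."""
    if isinstance(value, (list, tuple)):
        return value[0] if value else None
    return value


def review_delegations(client):
    """Return one finding per delegation that grants write access to a
    sensitive attribute, plus one if the search was truncated (hidden entries)."""
    response = client.delegation_find(o_all=True)
    findings = []
    if response.get("truncated"):
        findings.append({"aciname": None,
                         "issue": "search truncated; rerun with a higher o_sizelimit"})
    for entry in response.get("result", []):
        # delegation_add documents write as the default when no permission is set
        perms = {p.lower() for p in entry.get("permissions") or ["write"]}
        attrs = {a.lower() for a in entry.get("attrs") or []}
        risky = sorted(attrs & SENSITIVE_ATTRS)
        if "write" in perms and risky:
            findings.append({
                "aciname": first(entry.get("aciname")),
                "grantee": first(entry.get("group")),     # group that receives the right
                "targets": first(entry.get("memberof")),  # group whose members it covers
                "issue": "write access to " + ", ".join(risky),
            })
    return findings


class FakeClient:
    """Constructed offline stand-in for python_freeipa.ClientMeta."""

    def __init__(self, entries, truncated=False):
        self._entries, self._truncated = list(entries), truncated

    def delegation_find(self, a_criteria=None, **kwargs):
        # Same envelope FreeIPA returns for *_find commands.
        return {"result": self._entries, "count": len(self._entries),
                "truncated": self._truncated}


SAMPLE_DELEGATIONS = [  # constructed sample data
    {"aciname": ["helpdesk can reset passwords"], "permissions": ["write"],
     "attrs": ["userPassword", "krbPasswordExpiration"],
     "memberof": ["staff"], "group": ["helpdesk"]},
    {"aciname": ["hr reads phone numbers"], "permissions": ["read"],
     "attrs": ["telephoneNumber", "mobile"],
     "memberof": ["staff"], "group": ["hr"]},
    {"aciname": ["managers update titles"],  # no permissions key: write by default
     "attrs": ["title", "manager"],
     "memberof": ["staff"], "group": ["managers"]},
]


if __name__ == "__main__":
    # Live use: client = ClientMeta('ipa.example.test'); client.login(user, password)
    for finding in review_delegations(FakeClient(SAMPLE_DELEGATIONS)):
        print(finding)
```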

dns_is_enabled(**kwargs)

Checks if any of the servers has the DNS service enabled.

dns_resolve(a_hostname, **kwargs)

Resolve a host name in DNS. (Deprecated)

Parameters:

- a_hostname (required): Hostname (FQDN)

dns_update_system_records(o_dry_run=False, o_all=True, o_raw=False, **kwargs)

Update location and IPA server DNS records

Parameters:

- o_dry_run (default: False): Do not update records, only return the expected records
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.

dnsconfig_mod(o_idnsforwarders=None, o_idnsforwardpolicy=None, o_idnsallowsyncptr=None, o_idnszonerefresh=None, o_ipadnsversion=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify global DNS configuration.

Parameters:

- o_idnsforwarders (default: None): Global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"
- o_idnsforwardpolicy (default: None): Global forwarding policy. Set to "none" to disable any configured global forwarders.
- o_idnsallowsyncptr (default: None): Allow synchronization of forward (A, AAAA) and reverse (PTR) records
- o_idnszonerefresh (default: None): An interval between regular polls of the name server for new DNS zones
- o_ipadnsversion (default: None): IPA DNS version
- o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
- o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
- o_delattr (default: None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
- o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.

dnsconfig_show(o_rights=False, o_all=True, o_raw=False, **kwargs)

Show the current global DNS configuration.

Parameters:

- o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.

dnsforwardzone_add(a_idnsname, o_name_from_ip=None, o_idnsforwarders=None, o_idnsforwardpolicy=None, o_setattr=None, o_addattr=None, o_skip_overlap_check=False, o_all=True, o_raw=False, **kwargs)

Create new DNS forward zone.

Parameters:

- a_idnsname (required): Zone name (FQDN)
- o_name_from_ip (default: None): IP network to create reverse zone name from
- o_idnsforwarders (default: None): Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"
- o_idnsforwardpolicy (default: None): Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
- o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
- o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
- o_skip_overlap_check (default: False): Force DNS zone creation even if it will overlap with an existing zone.
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.

dnsforwardzone_add_permission(a_idnsname, **kwargs)

Add a permission for per-forward zone access delegation.

Parameters:

- a_idnsname (required): Zone name (FQDN)

dnsforwardzone_del(a_idnsname, o_continue=False, **kwargs)

Delete DNS forward zone.

Parameters:

- a_idnsname (required): Zone name (FQDN)
- o_continue (default: False): Continuous mode: Don't stop on errors.

dnsforwardzone_disable(a_idnsname, **kwargs)

Disable DNS Forward Zone.

Parameters:

- a_idnsname (required): Zone name (FQDN)

dnsforwardzone_enable(a_idnsname, **kwargs)

Enable DNS Forward Zone.

Parameters:

- a_idnsname (required): Zone name (FQDN)

dnsforwardzone_find(a_criteria=None, o_idnsname=None, o_name_from_ip=None, o_idnszoneactive=None, o_idnsforwarders=None, o_idnsforwardpolicy=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for DNS forward zones.

Parameters:

- a_criteria (default: None): A string searched in all relevant object attributes
- o_idnsname (default: None): Zone name (FQDN)
- o_name_from_ip (default: None): IP network to create reverse zone name from
- o_idnszoneactive (default: None): Is zone active?
- o_idnsforwarders (default: None): Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"
- o_idnsforwardpolicy (default: None): Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
- o_timelimit (default: None): Time limit of search in seconds (0 is unlimited)
- o_sizelimit (default: None): Maximum number of entries returned (0 is unlimited)
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.
- o_pkey_only (default: False): Results should contain primary key attribute only ("name")

dnsforwardzone_mod(a_idnsname, o_name_from_ip=None, o_idnsforwarders=None, o_idnsforwardpolicy=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify DNS forward zone.

Parameters:

- a_idnsname (required): Zone name (FQDN)
- o_name_from_ip (default: None): IP network to create reverse zone name from
- o_idnsforwarders (default: None): Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"
- o_idnsforwardpolicy (default: None): Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.
- o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
- o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
- o_delattr (default: None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
- o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.

dnsforwardzone_remove_permission(a_idnsname, **kwargs)

Remove a permission for per-forward zone access delegation.

Parameters:

- a_idnsname (required): Zone name (FQDN)

dnsforwardzone_show(a_idnsname, o_rights=False, o_all=True, o_raw=False, **kwargs)

Display information about a DNS forward zone.

Parameters:

- a_idnsname (required): Zone name (FQDN)
- o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.

dnsrecord_add(a_dnszoneidnsname, a_idnsname, o_dnsttl=None, o_dnsclass=None, o_arecord=None, o_a_part_ip_address=None, o_a_extra_create_reverse=False, o_aaaarecord=None, o_aaaa_part_ip_address=None, o_aaaa_extra_create_reverse=False, o_a6record=None, o_a6_part_data=None, o_afsdbrecord=None, o_afsdb_part_subtype=None, o_afsdb_part_hostname=None, o_aplrecord=None, o_certrecord=None, o_cert_part_type=None, o_cert_part_key_tag=None, o_cert_part_algorithm=None, o_cert_part_certificate_or_crl=None, o_cnamerecord=None, o_cname_part_hostname=None, o_dhcidrecord=None, o_dlvrecord=None, o_dlv_part_key_tag=None, o_dlv_part_algorithm=None, o_dlv_part_digest_type=None, o_dlv_part_digest=None, o_dnamerecord=None, o_dname_part_target=None, o_dsrecord=None, o_ds_part_key_tag=None, o_ds_part_algorithm=None, o_ds_part_digest_type=None, o_ds_part_digest=None, o_hiprecord=None, o_ipseckeyrecord=None, o_keyrecord=None, o_kxrecord=None, o_kx_part_preference=None, o_kx_part_exchanger=None, o_locrecord=None, o_loc_part_lat_deg=None, o_loc_part_lat_min=None, o_loc_part_lat_sec=None, o_loc_part_lat_dir=None, o_loc_part_lon_deg=None, o_loc_part_lon_min=None, o_loc_part_lon_sec=None, o_loc_part_lon_dir=None, o_loc_part_altitude=None, o_loc_part_size=None, o_loc_part_h_precision=None, o_loc_part_v_precision=None, o_mxrecord=None, o_mx_part_preference=None, o_mx_part_exchanger=None, o_naptrrecord=None, o_naptr_part_order=None, o_naptr_part_preference=None, o_naptr_part_flags=None, o_naptr_part_service=None, o_naptr_part_regexp=None, o_naptr_part_replacement=None, o_nsrecord=None, o_ns_part_hostname=None, o_nsecrecord=None, o_ptrrecord=None, o_ptr_part_hostname=None, o_rrsigrecord=None, o_rprecord=None, o_sigrecord=None, o_spfrecord=None, o_srvrecord=None, o_srv_part_priority=None, o_srv_part_weight=None, o_srv_part_port=None, o_srv_part_target=None, o_sshfprecord=None, o_sshfp_part_algorithm=None, o_sshfp_part_fp_type=None, o_sshfp_part_fingerprint=None, o_tlsarecord=None, o_tlsa_part_cert_usage=None, o_tlsa_part_selector=None, o_tlsa_part_matching_type=None, o_tlsa_part_cert_association_data=None, o_txtrecord=None, o_txt_part_data=None, o_urirecord=None, o_uri_part_priority=None, o_uri_part_weight=None, o_uri_part_target=None, o_setattr=None, o_addattr=None, o_force=False, o_structured=False, o_all=True, o_raw=False, **kwargs)

Add new DNS resource record.

Parameters:

- a_dnszoneidnsname (required): Zone name (FQDN)
- a_idnsname (required): Record name
- o_dnsttl (default: None): Time to live
- o_dnsclass (default: None)
- o_arecord (default: None): Raw A records
- o_a_part_ip_address (default: None): A IP Address
- o_a_extra_create_reverse (default: False): Create reverse record for this IP Address
- o_aaaarecord (default: None): Raw AAAA records
- o_aaaa_part_ip_address (default: None): AAAA IP Address
- o_aaaa_extra_create_reverse (default: False): Create reverse record for this IP Address
- o_a6record (default: None): Raw A6 records
- o_a6_part_data (default: None): A6 Record data
- o_afsdbrecord (default: None): Raw AFSDB records
- o_afsdb_part_subtype (default: None): AFSDB Subtype
- o_afsdb_part_hostname (default: None): AFSDB Hostname
- o_aplrecord (default: None): Raw APL records
- o_certrecord (default: None): Raw CERT records
- o_cert_part_type (default: None): CERT Certificate Type
- o_cert_part_key_tag (default: None): CERT Key Tag
- o_cert_part_algorithm (default: None): CERT Algorithm
- o_cert_part_certificate_or_crl (default: None): CERT Certificate/CRL
- o_cnamerecord (default: None): Raw CNAME records
- o_cname_part_hostname (default: None): A hostname which this alias hostname points to
- o_dhcidrecord (default: None): Raw DHCID records
- o_dlvrecord (default: None): Raw DLV records
- o_dlv_part_key_tag (default: None): DLV Key Tag
- o_dlv_part_algorithm (default: None): DLV Algorithm
- o_dlv_part_digest_type (default: None): DLV Digest Type
- o_dlv_part_digest (default: None): DLV Digest
- o_dnamerecord (default: None): Raw DNAME records
- o_dname_part_target (default: None): DNAME Target
- o_dsrecord (default: None): Raw DS records
- o_ds_part_key_tag (default: None): DS Key Tag
- o_ds_part_algorithm (default: None): DS Algorithm
- o_ds_part_digest_type (default: None): DS Digest Type
- o_ds_part_digest (default: None): DS Digest
- o_hiprecord (default: None): Raw HIP records
- o_ipseckeyrecord (default: None): Raw IPSECKEY records
- o_keyrecord (default: None): Raw KEY records
- o_kxrecord (default: None): Raw KX records
- o_kx_part_preference (default: None): Preference given to this exchanger. Lower values are more preferred
- o_kx_part_exchanger (default: None): A host willing to act as a key exchanger
- o_locrecord (default: None): Raw LOC records
- o_loc_part_lat_deg (default: None): LOC Degrees Latitude
- o_loc_part_lat_min (default: None): LOC Minutes Latitude
- o_loc_part_lat_sec (default: None): LOC Seconds Latitude
- o_loc_part_lat_dir (default: None): LOC Direction Latitude
- o_loc_part_lon_deg (default: None): LOC Degrees Longitude
- o_loc_part_lon_min (default: None): LOC Minutes Longitude
- o_loc_part_lon_sec (default: None): LOC Seconds Longitude
- o_loc_part_lon_dir (default: None): LOC Direction Longitude
- o_loc_part_altitude (default: None): LOC Altitude
- o_loc_part_size (default: None): LOC Size
- o_loc_part_h_precision (default: None): LOC Horizontal Precision
- o_loc_part_v_precision (default: None): LOC Vertical Precision
- o_mxrecord (default: None): Raw MX records
- o_mx_part_preference (default: None): Preference given to this exchanger. Lower values are more preferred
- o_mx_part_exchanger (default: None): A host willing to act as a mail exchanger
- o_naptrrecord (default: None): Raw NAPTR records
- o_naptr_part_order (default: None): NAPTR Order
- o_naptr_part_preference (default: None): NAPTR Preference
- o_naptr_part_flags (default: None): NAPTR Flags
- o_naptr_part_service (default: None): NAPTR Service
- o_naptr_part_regexp (default: None): NAPTR Regular Expression
- o_naptr_part_replacement (default: None): NAPTR Replacement
- o_nsrecord (default: None): Raw NS records
- o_ns_part_hostname (default: None): NS Hostname
- o_nsecrecord (default: None): Raw NSEC records
- o_ptrrecord (default: None): Raw PTR records
- o_ptr_part_hostname (default: None): The hostname this reverse record points to
- o_rrsigrecord (default: None): Raw RRSIG records
- o_rprecord (default: None): Raw RP records
- o_sigrecord (default: None): Raw SIG records
- o_spfrecord (default: None): Raw SPF records
- o_srvrecord (default: None): Raw SRV records
- o_srv_part_priority (default: None): Lower number means higher priority. Clients will attempt to contact the server with the lowest-numbered priority they can reach.
- o_srv_part_weight (default: None): Relative weight for entries with the same priority.
- o_srv_part_port (default: None): SRV Port
- o_srv_part_target (default: None): The domain name of the target host or '.' if the service is decidedly not available at this domain
- o_sshfprecord (default: None): Raw SSHFP records
- o_sshfp_part_algorithm (default: None): SSHFP Algorithm
- o_sshfp_part_fp_type (default: None): SSHFP Fingerprint Type
- o_sshfp_part_fingerprint (default: None): SSHFP Fingerprint
- o_tlsarecord (default: None): Raw TLSA records
- o_tlsa_part_cert_usage (default: None): TLSA Certificate Usage
- o_tlsa_part_selector (default: None): TLSA Selector
- o_tlsa_part_matching_type (default: None): TLSA Matching Type
- o_tlsa_part_cert_association_data (default: None): TLSA Certificate Association Data
- o_txtrecord (default: None): Raw TXT records
- o_txt_part_data (default: None): TXT Text Data
- o_urirecord (default: None): Raw URI records
- o_uri_part_priority (default: None): Lower number means higher priority. Clients will attempt to contact the URI with the lowest-numbered priority they can reach.
- o_uri_part_weight (default: None): Relative weight for entries with the same priority.
- o_uri_part_target (default: None): Target Uniform Resource Identifier according to RFC 3986
- o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
- o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
- o_force (default: False): Force NS record creation even if its hostname is not in DNS
- o_structured (default: False): Parse all raw DNS records and return them in a structured way
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.
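
An added example (not code from python-freeipa or its documentation) showing how the o_sshfp_part_* options of dnsrecord_add above are filled from a host's OpenSSH public key: the SSHFP algorithm numbers and the SHA-256 fingerprint over the key blob follow RFC 4255, RFC 6594 and RFC 7479. RecordingClient is a constructed stand-in for ClientMeta that records the calls instead of sending JSON-RPC, so the block runs offline; the sample key is constructed dummy data, not a real host key.

```python
"""Publish SSHFP records with dnsrecord_add's structured o_sshfp_part_* options.

Added example, not code from python-freeipa. Assumptions: SSHFP algorithm
numbers per RFC 4255/6594/7479, fingerprint type 2 = SHA-256 over the raw key
blob (what ssh-keygen -r prints); RecordingClient stands in for ClientMeta."""
import base64
import hashlib
import struct

SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
SSHFP_SHA256 = 2  # fingerprint type 1 (SHA-1) is obsolete; publish SHA-256 only


def sshfp_parts(pubkey_line):
    """Map an OpenSSH public-key line to (algorithm, fp_type, hex fingerprint)."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    keytype, blob_b64 = fields[0], fields[1]
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError("no SSHFP algorithm number for key type " + keytype)
    blob = base64.b64decode(blob_b64, validate=True)
    # The wire blob starts with a length-prefixed copy of the key type; a
    # mismatch means the line is corrupt, so refuse to publish a fingerprint.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key blob does not match declared key type")
    return SSHFP_ALGORITHMS[keytype], SSHFP_SHA256, hashlib.sha256(blob).hexdigest()


def publish_sshfp(client, zone, host, pubkey_lines):
    """Add one SSHFP record per host key and return the server responses."""
    responses = []
    for line in pubkey_lines:
        algorithm, fp_type, fingerprint = sshfp_parts(line)
        responses.append(client.dnsrecord_add(
            zone, host,
            o_sshfp_part_algorithm=algorithm,
            o_sshfp_part_fp_type=fp_type,
            o_sshfp_part_fingerprint=fingerprint))
    return responses


def rejects(pubkey_line):
    """True when sshfp_parts() refuses the line (exercises the input checks)."""
    try:
        sshfp_parts(pubkey_line)
    except ValueError:
        return True
    return False


class RecordingClient:
    """Constructed stand-in for ClientMeta: records dnsrecord_add calls."""

    def __init__(self):
        self.calls = []

    def dnsrecord_add(self, a_dnszoneidnsname, a_idnsname, **kwargs):
        self.calls.append((a_dnszoneidnsname, a_idnsname, kwargs))
        rdata = "%d %d %s" % (kwargs["o_sshfp_part_algorithm"],
                              kwargs["o_sshfp_part_fp_type"],
                              kwargs["o_sshfp_part_fingerprint"])
        # Assumed shape of a dnsrecord_add result carrying an SSHFP record
        return {"result": {"idnsname": [a_idnsname], "sshfprecord": [rdata]}}


def sample_ed25519_line():
    """Constructed test key: an OpenSSH ed25519 blob wrapping 32 dummy bytes."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519" +
            struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " host1@example"


if __name__ == "__main__":
    # Live use: client = ClientMeta('ipa.example.test'); client.login(user, password)
    rec = RecordingClient()
    for resp in publish_sshfp(rec, "example.test.", "host1", [sample_ed25519_line()]):
        print(resp["result"]["sshfprecord"][0])
```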

dnsrecord_del(a_dnszoneidnsname, a_idnsname, o_dnsttl=None, o_dnsclass=None, o_arecord=None, o_aaaarecord=None, o_a6record=None, o_afsdbrecord=None, o_aplrecord=None, o_certrecord=None, o_cnamerecord=None, o_dhcidrecord=None, o_dlvrecord=None, o_dnamerecord=None, o_dsrecord=None, o_hiprecord=None, o_ipseckeyrecord=None, o_keyrecord=None, o_kxrecord=None, o_locrecord=None, o_mxrecord=None, o_naptrrecord=None, o_nsrecord=None, o_nsecrecord=None, o_ptrrecord=None, o_rrsigrecord=None, o_rprecord=None, o_sigrecord=None, o_spfrecord=None, o_srvrecord=None, o_sshfprecord=None, o_tlsarecord=None, o_txtrecord=None, o_urirecord=None, o_del_all=False, o_structured=False, o_raw=False, **kwargs)

Delete DNS resource record.

Parameters:

- a_dnszoneidnsname (required): Zone name (FQDN)
- a_idnsname (required): Record name
- o_dnsttl (default: None): Time to live
- o_dnsclass (default: None)
- o_arecord (default: None): Raw A records
- o_aaaarecord (default: None): Raw AAAA records
- o_a6record (default: None): Raw A6 records
- o_afsdbrecord (default: None): Raw AFSDB records
- o_aplrecord (default: None): Raw APL records
- o_certrecord (default: None): Raw CERT records
- o_cnamerecord (default: None): Raw CNAME records
- o_dhcidrecord (default: None): Raw DHCID records
- o_dlvrecord (default: None): Raw DLV records
- o_dnamerecord (default: None): Raw DNAME records
- o_dsrecord (default: None): Raw DS records
- o_hiprecord (default: None): Raw HIP records
- o_ipseckeyrecord (default: None): Raw IPSECKEY records
- o_keyrecord (default: None): Raw KEY records
- o_kxrecord (default: None): Raw KX records
- o_locrecord (default: None): Raw LOC records
- o_mxrecord (default: None): Raw MX records
- o_naptrrecord (default: None): Raw NAPTR records
- o_nsrecord (default: None): Raw NS records
- o_nsecrecord (default: None): Raw NSEC records
- o_ptrrecord (default: None): Raw PTR records
- o_rrsigrecord (default: None): Raw RRSIG records
- o_rprecord (default: None): Raw RP records
- o_sigrecord (default: None): Raw SIG records
- o_spfrecord (default: None): Raw SPF records
- o_srvrecord (default: None): Raw SRV records
- o_sshfprecord (default: None): Raw SSHFP records
- o_tlsarecord (default: None): Raw TLSA records
- o_txtrecord (default: None): Raw TXT records
- o_urirecord (default: None): Raw URI records
- o_del_all (default: False): Delete all associated records
- o_structured (default: False): Parse all raw DNS records and return them in a structured way
- o_raw (default: False)

dnsrecord_delentry(a_dnszoneidnsname, a_idnsname, o_continue=False, **kwargs)

Delete DNS record entry.

Parameters:

- a_dnszoneidnsname (required): Zone name (FQDN)
- a_idnsname (required): Record name
- o_continue (default: False): Continuous mode: Don't stop on errors.

dnsrecord_find(a_dnszoneidnsname, a_criteria=None, o_idnsname=None, o_dnsttl=None, o_dnsclass=None, o_arecord=None, o_aaaarecord=None, o_a6record=None, o_afsdbrecord=None, o_aplrecord=None, o_certrecord=None, o_cnamerecord=None, o_dhcidrecord=None, o_dlvrecord=None, o_dnamerecord=None, o_dsrecord=None, o_hiprecord=None, o_ipseckeyrecord=None, o_keyrecord=None, o_kxrecord=None, o_locrecord=None, o_mxrecord=None, o_naptrrecord=None, o_nsrecord=None, o_nsecrecord=None, o_ptrrecord=None, o_rrsigrecord=None, o_rprecord=None, o_sigrecord=None, o_spfrecord=None, o_srvrecord=None, o_sshfprecord=None, o_tlsarecord=None, o_txtrecord=None, o_urirecord=None, o_timelimit=None, o_sizelimit=None, o_structured=False, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for DNS resources.

Parameters:

- a_dnszoneidnsname (required): Zone name (FQDN)
- a_criteria (default: None): A string searched in all relevant object attributes
- o_idnsname (default: None): Record name
- o_dnsttl (default: None): Time to live
- o_dnsclass (default: None)
- o_arecord (default: None): Raw A records
- o_aaaarecord (default: None): Raw AAAA records
- o_a6record (default: None): Raw A6 records
- o_afsdbrecord (default: None): Raw AFSDB records
- o_aplrecord (default: None): Raw APL records
- o_certrecord (default: None): Raw CERT records
- o_cnamerecord (default: None): Raw CNAME records
- o_dhcidrecord (default: None): Raw DHCID records
- o_dlvrecord (default: None): Raw DLV records
- o_dnamerecord (default: None): Raw DNAME records
- o_dsrecord (default: None): Raw DS records
- o_hiprecord (default: None): Raw HIP records
- o_ipseckeyrecord (default: None): Raw IPSECKEY records
- o_keyrecord (default: None): Raw KEY records
- o_kxrecord (default: None): Raw KX records
- o_locrecord (default: None): Raw LOC records
- o_mxrecord (default: None): Raw MX records
- o_naptrrecord (default: None): Raw NAPTR records
- o_nsrecord (default: None): Raw NS records
- o_nsecrecord (default: None): Raw NSEC records
- o_ptrrecord (default: None): Raw PTR records
- o_rrsigrecord (default: None): Raw RRSIG records
- o_rprecord (default: None): Raw RP records
- o_sigrecord (default: None): Raw SIG records
- o_spfrecord (default: None): Raw SPF records
- o_srvrecord (default: None): Raw SRV records
- o_sshfprecord (default: None): Raw SSHFP records
- o_tlsarecord (default: None): Raw TLSA records
- o_txtrecord (default: None): Raw TXT records
- o_urirecord (default: None): Raw URI records
- o_timelimit (default: None): Time limit of search in seconds (0 is unlimited)
- o_sizelimit (default: None): Maximum number of entries returned (0 is unlimited)
- o_structured (default: False): Parse all raw DNS records and return them in a structured way
- o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
- o_raw (default: False): Print entries as stored on the server. Only affects output format.
- o_pkey_only (default: False): Results should contain primary key attribute only ("name")

dnsrecord_mod(a_dnszoneidnsname, a_idnsname, o_dnsttl=None, o_dnsclass=None, o_arecord=None, o_a_part_ip_address=None, o_aaaarecord=None, o_aaaa_part_ip_address=None, o_a6record=None, o_a6_part_data=None, o_afsdbrecord=None, o_afsdb_part_subtype=None, o_afsdb_part_hostname=None, o_aplrecord=None, o_certrecord=None, o_cert_part_type=None, o_cert_part_key_tag=None, o_cert_part_algorithm=None, o_cert_part_certificate_or_crl=None, o_cnamerecord=None, o_cname_part_hostname=None, o_dhcidrecord=None, o_dlvrecord=None, o_dlv_part_key_tag=None, o_dlv_part_algorithm=None, o_dlv_part_digest_type=None, o_dlv_part_digest=None, o_dnamerecord=None, o_dname_part_target=None, o_dsrecord=None, o_ds_part_key_tag=None, o_ds_part_algorithm=None, o_ds_part_digest_type=None, o_ds_part_digest=None, o_hiprecord=None, o_ipseckeyrecord=None, o_keyrecord=None, o_kxrecord=None, o_kx_part_preference=None, o_kx_part_exchanger=None, o_locrecord=None, o_loc_part_lat_deg=None, o_loc_part_lat_min=None, o_loc_part_lat_sec=None, o_loc_part_lat_dir=None, o_loc_part_lon_deg=None, o_loc_part_lon_min=None, o_loc_part_lon_sec=None, o_loc_part_lon_dir=None, o_loc_part_altitude=None, o_loc_part_size=None, o_loc_part_h_precision=None, o_loc_part_v_precision=None, o_mxrecord=None, o_mx_part_preference=None, o_mx_part_exchanger=None, o_naptrrecord=None, o_naptr_part_order=None, o_naptr_part_preference=None, o_naptr_part_flags=None, o_naptr_part_service=None, o_naptr_part_regexp=None, o_naptr_part_replacement=None, o_nsrecord=None, o_ns_part_hostname=None, o_nsecrecord=None, o_ptrrecord=None, o_ptr_part_hostname=None, o_rrsigrecord=None, o_rprecord=None, o_sigrecord=None, o_spfrecord=None, o_srvrecord=None, o_srv_part_priority=None, o_srv_part_weight=None, o_srv_part_port=None, o_srv_part_target=None, o_sshfprecord=None, o_sshfp_part_algorithm=None, o_sshfp_part_fp_type=None, o_sshfp_part_fingerprint=None, o_tlsarecord=None, o_tlsa_part_cert_usage=None, o_tlsa_part_selector=None, o_tlsa_part_matching_type=None, o_tlsa_part_cert_association_data=None, o_txtrecord=None, o_txt_part_data=None, o_urirecord=None, o_uri_part_priority=None, o_uri_part_weight=None, o_uri_part_target=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_structured=False, o_all=True, o_raw=False, o_rename=None, **kwargs)

Modify a DNS resource record.

Parameters:

- a_dnszoneidnsname (required): Zone name (FQDN)
- a_idnsname (required): Record name
- o_dnsttl (default: None): Time to live
- o_dnsclass (default: None)
- o_arecord (default: None): Raw A records
- o_a_part_ip_address (default: None): A IP Address
- o_aaaarecord (default: None): Raw AAAA records
- o_aaaa_part_ip_address (default: None): AAAA IP Address
- o_a6record (default: None): Raw A6 records
- o_a6_part_data (default: None): A6 Record data
- o_afsdbrecord (default: None): Raw AFSDB records
- o_afsdb_part_subtype (default: None): AFSDB Subtype
- o_afsdb_part_hostname (default: None): AFSDB Hostname
- o_aplrecord (default: None): Raw APL records
- o_certrecord (default: None): Raw CERT records
- o_cert_part_type (default: None): CERT Certificate Type
- o_cert_part_key_tag (default: None): CERT Key Tag
- o_cert_part_algorithm (default: None): CERT Algorithm
- o_cert_part_certificate_or_crl (default: None): CERT Certificate/CRL
- o_cnamerecord (default: None): Raw CNAME records
- o_cname_part_hostname (default: None): A hostname which this alias hostname points to
- o_dhcidrecord (default: None): Raw DHCID records
- o_dlvrecord (default: None): Raw DLV records
- o_dlv_part_key_tag (default: None): DLV Key Tag
- o_dlv_part_algorithm (default: None): DLV Algorithm
- o_dlv_part_digest_type (default: None): DLV Digest Type
- o_dlv_part_digest (default: None): DLV Digest
- o_dnamerecord (default: None): Raw DNAME records
- o_dname_part_target (default: None): DNAME Target
- o_dsrecord (default: None): Raw DS records
- o_ds_part_key_tag (default: None): DS Key Tag
- o_ds_part_algorithm (default: None): DS Algorithm
- o_ds_part_digest_type (default: None): DS Digest Type
- o_ds_part_digest (default: None): DS Digest
- o_hiprecord (default: None): Raw HIP records
- o_ipseckeyrecord (default: None): Raw IPSECKEY records
- o_keyrecord (default: None): Raw KEY records
- o_kxrecord (default: None): Raw KX records
- o_kx_part_preference (default: None): Preference given to this exchanger. Lower values are more preferred
- o_kx_part_exchanger (default: None): A host willing to act as a key exchanger
- o_locrecord (default: None): Raw LOC records
- o_loc_part_lat_deg (default: None): LOC Degrees Latitude
- o_loc_part_lat_min (default: None): LOC Minutes Latitude
- o_loc_part_lat_sec (default: None): LOC Seconds Latitude
- o_loc_part_lat_dir (default: None): LOC Direction Latitude
- o_loc_part_lon_deg (default: None): LOC Degrees Longitude
- o_loc_part_lon_min (default: None): LOC Minutes Longitude
- o_loc_part_lon_sec (default: None): LOC Seconds Longitude
- o_loc_part_lon_dir (default: None): LOC Direction Longitude
- o_loc_part_altitude (default: None): LOC Altitude
- o_loc_part_size (default: None): LOC Size
- o_loc_part_h_precision (default: None): LOC Horizontal Precision
- o_loc_part_v_precision (default: None): LOC Vertical Precision
- o_mxrecord (default: None): Raw MX records
- o_mx_part_preference (default: None): Preference given to this exchanger. Lower values are more preferred
- o_mx_part_exchanger (default: None): A host willing to act as a mail exchanger
- o_naptrrecord (default: None): Raw NAPTR records
- o_naptr_part_order (default: None): NAPTR Order
- o_naptr_part_preference (default: None): NAPTR Preference
- o_naptr_part_flags (default: None): NAPTR Flags
- o_naptr_part_service (default: None): NAPTR Service
- o_naptr_part_regexp (default: None): NAPTR Regular Expression
- o_naptr_part_replacement (default: None): NAPTR Replacement
- o_nsrecord (default: None): Raw NS records
- o_ns_part_hostname (default: None): NS Hostname
- o_nsecrecord (default: None): Raw NSEC records
- o_ptrrecord (default: None): Raw PTR records
- o_ptr_part_hostname (default: None): The hostname this reverse record points to
- o_rrsigrecord (default: None): Raw RRSIG records
- o_rprecord (default: None): Raw RP records
- o_sigrecord (default: None): Raw SIG records
- o_spfrecord (default: None): Raw SPF records
- o_srvrecord (default: None): Raw SRV records
- o_srv_part_priority (default: None): Lower number means higher priority. Clients will attempt to contact the server with the lowest-numbered priority they can reach.
- o_srv_part_weight (default: None): Relative weight for entries with the same priority.
- o_srv_part_port (default: None): SRV Port
- o_srv_part_target (default: None): The domain name of the target host or '.' if the service is decidedly not available at this domain

None
o_sshfprecord

Raw SSHFP records

None
o_sshfp_part_algorithm

SSHFP Algorithm

None
o_sshfp_part_fp_type

SSHFP Fingerprint Type

None
o_sshfp_part_fingerprint

SSHFP Fingerprint

None
o_tlsarecord

Raw TLSA records

None
o_tlsa_part_cert_usage

TLSA Certificate Usage

None
o_tlsa_part_selector

TLSA Selector

None
o_tlsa_part_matching_type

TLSA Matching Type

None
o_tlsa_part_cert_association_data

TLSA Certificate Association Data

None
o_txtrecord

Raw TXT records

None
o_txt_part_data

TXT Text Data

None
o_urirecord

Raw URI records

None
o_uri_part_priority

Lower number means higher priority. Clients will attempt to contact the URI with the lowest-numbered priority they can reach.

None
o_uri_part_weight

Relative weight for entries with the same priority.

None
o_uri_part_target

Target Uniform Resource Identifier according to RFC 3986

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_structured

Parse all raw DNS records and return them in a structured way

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_rename

Rename the DNS resource record object

None
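SSHFP is the record type from the table above that most often gets hand-typed wrong, and a wrong fingerprint is worse than none because clients with VerifyHostKeyDNS enabled will then reject the real host key. The following is an added example, not code from python-freeipa or FreeIPA: it derives the SSHFP rdata the same way ssh-keygen -r does (hash of the raw key blob, algorithm number from the key type), refuses a public-key line whose text field and binary blob disagree, and builds the keyword arguments for dnsrecord_mod. The sample key line is constructed (a fixed byte pattern, not a real host key); the assumption that o_sshfprecord accepts a list of rdata strings, and that dnsrecord_mod with a raw record option replaces the whole SSHFP RRset, follows from the signature above and should be confirmed against the server you target. SSHFP data is only as trustworthy as the zone that carries it, so publish it in a zone with inline DNSSEC signing enabled.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) keyed by OpenSSH key type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (kept only for old clients), 2 = SHA-256.
SSHFP_FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def decode_pubkey_blob(pubkey_line):
    """Parse one OpenSSH public key line into (key type, raw key blob).

    The key type embedded at the start of the blob must match the first text
    field; a line whose two halves disagree is rejected rather than fingerprinted
    under the wrong algorithm number.
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    keytype = fields[0]
    if keytype not in SSHFP_ALGORITHMS:
        raise ValueError("unsupported key type: %s" % keytype)
    blob = base64.b64decode(fields[1], validate=True)
    name_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + name_len] != keytype.encode("ascii"):
        raise ValueError("key type field does not match key blob")
    return keytype, blob


def sshfp_records(pubkey_line, fp_types=(2,)):
    """Return raw SSHFP rdata strings ("<alg> <fptype> <hex>") for one public key.

    The fingerprint is the hash of the raw blob, which is what ssh-keygen -r emits.
    """
    keytype, blob = decode_pubkey_blob(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    return ["%d %d %s" % (alg, t, SSHFP_FP_TYPES[t](blob).hexdigest()) for t in fp_types]


def sshfp_mod_kwargs(zone, host, pubkey_lines, fp_types=(2,)):
    """Keyword arguments for ClientMeta.dnsrecord_mod replacing the host's SSHFP RRset
    (assumption: the raw record option takes a list and replaces existing values)."""
    records = []
    for line in pubkey_lines:
        records.extend(sshfp_records(line, fp_types))
    return dict(a_dnszoneidnsname=zone, a_idnsname=host, o_sshfprecord=records)


def constructed_ed25519_line():
    """A syntactically valid ssh-ed25519 line whose 32 key bytes are a fixed
    pattern; constructed for this example, not a real host key."""
    keytype = b"ssh-ed25519"
    blob = (len(keytype).to_bytes(4, "big") + keytype
            + (32).to_bytes(4, "big") + bytes(range(32)))
    return "ssh-ed25519 %s sample@example.test" % base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    kwargs = sshfp_mod_kwargs("example.test.", "host1", [constructed_ed25519_line()], (1, 2))
    for rdata in kwargs["o_sshfprecord"]:
        print(rdata)
    # With a logged-in ClientMeta: client.dnsrecord_mod(**kwargs)
```

Feed it the lines from /etc/ssh/ssh_host_*_key.pub on the host (not a key someone pasted into a ticket) and pass every host key type at once, because the list replaces the RRset and any key you leave out stops being verifiable through DNS.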

dnsrecord_show(a_dnszoneidnsname, a_idnsname, o_rights=False, o_structured=False, o_all=True, o_raw=False, **kwargs)

Display a DNS resource record.

Parameters:

Name Type Description Default
a_dnszoneidnsname

Zone name (FQDN)

required
a_idnsname

Record name

required
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_structured

Parse all raw DNS records and return them in a structured way

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

dnsrecord_split_parts(a_name, a_value, **kwargs)

Split DNS record to parts

Parameters:

Name Type Description Default
a_name

required
a_value

required

dnsserver_find(a_criteria=None, o_idnsserverid=None, o_idnssoamname=None, o_idnsforwarders=None, o_idnsforwardpolicy=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for DNS servers.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_idnsserverid

DNS Server name

None
o_idnssoamname

SOA mname (authoritative server) override

None
o_idnsforwarders

Per-server forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"

None
o_idnsforwardpolicy

Per-server conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.

None
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_pkey_only

Results should contain primary key attribute only ("hostname")

False

dnsserver_mod(a_idnsserverid, o_idnssoamname=None, o_idnsforwarders=None, o_idnsforwardpolicy=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify DNS server configuration

Parameters:

Name Type Description Default
a_idnsserverid

DNS Server name

required
o_idnssoamname

SOA mname (authoritative server) override

None
o_idnsforwarders

Per-server forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"

None
o_idnsforwardpolicy

Per-server conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

dnsserver_show(a_idnsserverid, o_rights=False, o_all=True, o_raw=False, **kwargs)

Display configuration of a DNS server.

Parameters:

Name Type Description Default
a_idnsserverid

DNS Server name

required
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

dnszone_add(a_idnsname, o_name_from_ip=None, o_idnsforwarders=None, o_idnsforwardpolicy=None, o_idnssoamname=None, o_idnssoarname='', o_idnssoaserial=None, o_idnssoarefresh=3600, o_idnssoaretry=900, o_idnssoaexpire=1209600, o_idnssoaminimum=3600, o_dnsttl=None, o_dnsdefaultttl=None, o_dnsclass=None, o_idnsupdatepolicy=None, o_idnsallowdynupdate=False, o_idnsallowquery='any;', o_idnsallowtransfer='none;', o_idnsallowsyncptr=None, o_idnssecinlinesigning=None, o_nsec3paramrecord=None, o_setattr=None, o_addattr=None, o_skip_overlap_check=False, o_force=False, o_skip_nameserver_check=False, o_ip_address=None, o_all=True, o_raw=False, **kwargs)

Create new DNS zone (SOA record).

Parameters:

Name Type Description Default
a_idnsname

Zone name (FQDN)

required
o_name_from_ip

IP network to create reverse zone name from

None
o_idnsforwarders

Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"

None
o_idnsforwardpolicy

Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.

None
o_idnssoamname

Authoritative nameserver domain name

None
o_idnssoarname

Administrator e-mail address

''
o_idnssoaserial

SOA record serial number

None
o_idnssoarefresh

SOA record refresh time

3600
o_idnssoaretry

SOA record retry time

900
o_idnssoaexpire

SOA record expire time

1209600
o_idnssoaminimum

How long should negative responses be cached

3600
o_dnsttl

Time to live for records at zone apex

None
o_dnsdefaultttl

Time to live for records without explicit TTL definition

None
o_dnsclass

None
o_idnsupdatepolicy

BIND update policy

None
o_idnsallowdynupdate

Allow dynamic updates.

False
o_idnsallowquery

Semicolon separated list of IP addresses or networks which are allowed to issue queries

'any;'
o_idnsallowtransfer

Semicolon separated list of IP addresses or networks which are allowed to transfer the zone

'none;'
o_idnsallowsyncptr

Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone

None
o_idnssecinlinesigning

Allow inline DNSSEC signing of records in the zone

None
o_nsec3paramrecord

NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_skip_overlap_check

Force DNS zone creation even if it will overlap with an existing zone.

False
o_force

Force DNS zone creation even if nameserver is not resolvable. (Deprecated)

False
o_skip_nameserver_check

Force DNS zone creation even if nameserver is not resolvable.

False
o_ip_address

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

dnszone_add_permission(a_idnsname, **kwargs)

Add a permission for per-zone access delegation.

Parameters:

Name Type Description Default
a_idnsname

Zone name (FQDN)

required

dnszone_del(a_idnsname, o_continue=False, **kwargs)

Delete DNS zone (SOA record).

Parameters:

Name Type Description Default
a_idnsname

Zone name (FQDN)

required
o_continue

Continuous mode: Don't stop on errors.

False

dnszone_disable(a_idnsname, **kwargs)

Disable DNS Zone.

Parameters:

Name Type Description Default
a_idnsname

Zone name (FQDN)

required

dnszone_enable(a_idnsname, **kwargs)

Enable DNS Zone.

Parameters:

Name Type Description Default
a_idnsname

Zone name (FQDN)

required

dnszone_find(a_criteria=None, o_idnsname=None, o_name_from_ip=None, o_idnszoneactive=None, o_idnsforwarders=None, o_idnsforwardpolicy=None, o_idnssoamname=None, o_idnssoarname=None, o_idnssoaserial=None, o_idnssoarefresh=None, o_idnssoaretry=None, o_idnssoaexpire=None, o_idnssoaminimum=None, o_dnsttl=None, o_dnsdefaultttl=None, o_dnsclass=None, o_idnsupdatepolicy=None, o_idnsallowdynupdate=None, o_idnsallowquery=None, o_idnsallowtransfer=None, o_idnsallowsyncptr=None, o_idnssecinlinesigning=None, o_nsec3paramrecord=None, o_timelimit=None, o_sizelimit=None, o_forward_only=False, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for DNS zones (SOA records).

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_idnsname

Zone name (FQDN)

None
o_name_from_ip

IP network to create reverse zone name from

None
o_idnszoneactive

Is zone active?

None
o_idnsforwarders

Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"

None
o_idnsforwardpolicy

Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.

None
o_idnssoamname

Authoritative nameserver domain name

None
o_idnssoarname

Administrator e-mail address

None
o_idnssoaserial

SOA record serial number

None
o_idnssoarefresh

SOA record refresh time

None
o_idnssoaretry

SOA record retry time

None
o_idnssoaexpire

SOA record expire time

None
o_idnssoaminimum

How long should negative responses be cached

None
o_dnsttl

Time to live for records at zone apex

None
o_dnsdefaultttl

Time to live for records without explicit TTL definition

None
o_dnsclass

None
o_idnsupdatepolicy

BIND update policy

None
o_idnsallowdynupdate

Allow dynamic updates.

None
o_idnsallowquery

Semicolon separated list of IP addresses or networks which are allowed to issue queries

None
o_idnsallowtransfer

Semicolon separated list of IP addresses or networks which are allowed to transfer the zone

None
o_idnsallowsyncptr

Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone

None
o_idnssecinlinesigning

Allow inline DNSSEC signing of records in the zone

None
o_nsec3paramrecord

NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt

None
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_forward_only

Search for forward zones only

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_pkey_only

Results should contain primary key attribute only ("name")

False

dnszone_mod(a_idnsname, o_name_from_ip=None, o_idnsforwarders=None, o_idnsforwardpolicy=None, o_idnssoamname=None, o_idnssoarname=None, o_idnssoaserial=None, o_idnssoarefresh=None, o_idnssoaretry=None, o_idnssoaexpire=None, o_idnssoaminimum=None, o_dnsttl=None, o_dnsdefaultttl=None, o_dnsclass=None, o_idnsupdatepolicy=None, o_idnsallowdynupdate=None, o_idnsallowquery=None, o_idnsallowtransfer=None, o_idnsallowsyncptr=None, o_idnssecinlinesigning=None, o_nsec3paramrecord=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_force=False, o_all=True, o_raw=False, **kwargs)

Modify DNS zone (SOA record).

Parameters:

Name Type Description Default
a_idnsname

Zone name (FQDN)

required
o_name_from_ip

IP network to create reverse zone name from

None
o_idnsforwarders

Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"

None
o_idnsforwardpolicy

Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.

None
o_idnssoamname

Authoritative nameserver domain name

None
o_idnssoarname

Administrator e-mail address

None
o_idnssoaserial

SOA record serial number

None
o_idnssoarefresh

SOA record refresh time

None
o_idnssoaretry

SOA record retry time

None
o_idnssoaexpire

SOA record expire time

None
o_idnssoaminimum

How long should negative responses be cached

None
o_dnsttl

Time to live for records at zone apex

None
o_dnsdefaultttl

Time to live for records without explicit TTL definition

None
o_dnsclass

None
o_idnsupdatepolicy

BIND update policy

None
o_idnsallowdynupdate

Allow dynamic updates.

None
o_idnsallowquery

Semicolon separated list of IP addresses or networks which are allowed to issue queries

None
o_idnsallowtransfer

Semicolon separated list of IP addresses or networks which are allowed to transfer the zone

None
o_idnsallowsyncptr

Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone

None
o_idnssecinlinesigning

Allow inline DNSSEC signing of records in the zone

None
o_nsec3paramrecord

NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_force

Force nameserver change even if nameserver not in DNS

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
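The three zone options that decide who can read or rewrite a zone are o_idnsallowtransfer, o_idnsallowdynupdate together with o_idnsupdatepolicy, and o_idnssecinlinesigning. The following is an added example, not code from python-freeipa or FreeIPA: it audits the result list of a dnszone_find response for zones that allow transfers from "any", zones with dynamic updates enabled but no update policy recorded, and unsigned zones, and it builds the dnszone_mod keyword arguments that close the transfer finding. The sample response is constructed to mirror the shape the client returns (a dict with a "result" list whose attribute values are lists); the helpers accept booleans both as JSON true/false and as the LDAP strings "TRUE"/"FALSE" because both forms show up depending on the raw option.

```python
# Constructed sample shaped like a dnszone_find response (attribute names as IPA
# returns them, every value wrapped in a list); not real server output.
SAMPLE_ZONES = {
    "count": 3,
    "truncated": False,
    "result": [
        {"idnsname": ["example.test."], "idnsallowtransfer": ["none;"],
         "idnsallowquery": ["any;"], "idnsallowdynupdate": [True],
         "idnsupdatepolicy": ["grant EXAMPLE.TEST krb5-self * A; "
                              "grant EXAMPLE.TEST krb5-self * AAAA; "
                              "grant EXAMPLE.TEST krb5-self * SSHFP;"],
         "idnssecinlinesigning": [True]},
        {"idnsname": ["lab.example.test."], "idnsallowtransfer": ["any;"],
         "idnsallowquery": ["any;"], "idnsallowdynupdate": ["TRUE"]},
        {"idnsname": ["2.0.192.in-addr.arpa."], "idnsallowtransfer": ["192.0.2.53;"],
         "idnsallowquery": ["10.0.0.0/8;"], "idnsallowdynupdate": ["FALSE"],
         "idnssecinlinesigning": [False]},
    ],
}


def first(entry, attr, default=None):
    """Unwrap the first value of a multi-valued IPA attribute."""
    value = entry.get(attr, default)
    if isinstance(value, (list, tuple)):
        return value[0] if value else default
    return value


def is_true(value):
    """Booleans arrive as JSON true/false or as LDAP "TRUE"/"FALSE" strings."""
    return str(value).strip().upper() == "TRUE"


def acl_tokens(value):
    """Split a BIND address-match list ("10.0.0.0/8; 192.0.2.53;") into lowercase tokens."""
    return [t.strip().lower() for t in str(value or "").split(";") if t.strip()]


def audit_zone(entry):
    """Return (zone, severity, message) findings for one zone entry."""
    name = first(entry, "idnsname", "?")
    findings = []
    if "any" in acl_tokens(first(entry, "idnsallowtransfer")):
        findings.append((name, "high", "zone transfer (AXFR) allowed from any address; "
                         "every host, SRV, SSHFP and TLSA record can be dumped"))
    if is_true(first(entry, "idnsallowdynupdate")) and not first(entry, "idnsupdatepolicy"):
        findings.append((name, "high", "dynamic updates enabled but no update policy is "
                         "recorded; confirm on the server who may rewrite records"))
    if not is_true(first(entry, "idnssecinlinesigning")):
        findings.append((name, "info", "not DNSSEC-signed: SSHFP/TLSA data published here "
                         "cannot be validated by clients"))
    return findings


def audit_zones(find_response):
    """Run audit_zone over every entry of a dnszone_find response."""
    findings = []
    for entry in find_response.get("result", []):
        findings.extend(audit_zone(entry))
    return findings


def transfer_hardening_kwargs(zone_name, allowed=("none",)):
    """Keyword arguments for ClientMeta.dnszone_mod that restrict zone transfers to
    the given address-match tokens (your secondaries' addresses, or just "none")."""
    return dict(a_idnsname=zone_name, o_idnsallowtransfer=";".join(allowed) + ";")


if __name__ == "__main__":
    # With a logged-in ClientMeta: findings = audit_zones(client.dnszone_find())
    for zone, severity, message in audit_zones(SAMPLE_ZONES):
        print("%-5s %-25s %s" % (severity, zone, message))
    # client.dnszone_mod(**transfer_hardening_kwargs("lab.example.test.", ("192.0.2.53",)))
```

The transfer finding is the one to fix first: an open AXFR hands an attacker the complete inventory the rest of the zone-level controls are trying to protect, and the fix is a single dnszone_mod. Treat the update-policy finding as a prompt to look at the server-side policy rather than as a verdict, since this check only sees what is stored in the directory.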

dnszone_remove_permission(a_idnsname, **kwargs)

Remove a permission for per-zone access delegation.

Parameters:

Name Type Description Default
a_idnsname

Zone name (FQDN)

required

dnszone_show(a_idnsname, o_rights=False, o_all=True, o_raw=False, **kwargs)

Display information about a DNS zone (SOA record).

Parameters:

Name Type Description Default
a_idnsname

Zone name (FQDN)

required
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

domainlevel_get(**kwargs)

Query current Domain Level.

domainlevel_set(a_ipadomainlevel, **kwargs)

Change current Domain Level.

Parameters:

Name Type Description Default
a_ipadomainlevel

Domain Level

required

env(o_server=False, o_all=True, **kwargs)

Show environment variables.

Parameters:

Name Type Description Default
o_server

Forward to server instead of running locally

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True

group_add(a_cn, o_description=None, o_gidnumber=None, o_setattr=None, o_addattr=None, o_nonposix=False, o_external=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Create a new group.

Parameters:

Name Type Description Default
a_cn

Group name

required
o_description

Group description

None
o_gidnumber

GID (use this option to set it manually)

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_nonposix

Create as a non-POSIX group

False
o_external

Allow adding external non-IPA members from trusted domains

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

group_add_member(a_cn, o_ipaexternalmember=None, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_service=None, o_idoverrideuser=None, **kwargs)

Add members to a group.

Parameters:

Name Type Description Default
a_cn

Group name

required
o_ipaexternalmember

Members of a trusted domain in DOM\name or name@domain form

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to add

None
o_group

groups to add

None
o_service

services to add

None
o_idoverrideuser

User ID overrides to add

None

group_add_member_manager(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, **kwargs)

Add users and groups that can manage members of this group.

Parameters:

Name Type Description Default
a_cn

Group name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to add

None
o_group

groups to add

None

group_del(a_cn, o_continue=False, **kwargs)

Delete group.

Parameters:

Name Type Description Default
a_cn

Group name

required
o_continue

Continuous mode: Don't stop on errors.

False

group_detach(a_cn, **kwargs)

Detach a managed group from a user.

Parameters:

Name Type Description Default
a_cn

Group name

required

group_find(a_criteria=None, o_cn=None, o_description=None, o_gidnumber=None, o_timelimit=None, o_sizelimit=None, o_private=False, o_posix=False, o_external=False, o_nonposix=False, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, o_user=None, o_no_user=None, o_group=None, o_no_group=None, o_service=None, o_no_service=None, o_idoverrideuser=None, o_no_idoverrideuser=None, o_in_group=None, o_not_in_group=None, o_in_netgroup=None, o_not_in_netgroup=None, o_in_role=None, o_not_in_role=None, o_in_hbacrule=None, o_not_in_hbacrule=None, o_in_sudorule=None, o_not_in_sudorule=None, o_membermanager_user=None, o_not_membermanager_user=None, o_membermanager_group=None, o_not_membermanager_group=None, **kwargs)

Search for groups.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_cn

Group name

None
o_description

Group description

None
o_gidnumber

GID (use this option to set it manually)

None
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_private

search for private groups

False
o_posix

search for POSIX groups

False
o_external

search for groups with support of external non-IPA members from trusted domains

False
o_nonposix

search for non-POSIX groups

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

True
o_pkey_only

Results should contain primary key attribute only ("group-name")

False
o_user

Search for groups with these member users.

None
o_no_user

Search for groups without these member users.

None
o_group

Search for groups with these member groups.

None
o_no_group

Search for groups without these member groups.

None
o_service

Search for groups with these member services.

None
o_no_service

Search for groups without these member services.

None
o_idoverrideuser

Search for groups with these member User ID overrides.

None
o_no_idoverrideuser

Search for groups without these member User ID overrides.

None
o_in_group

Search for groups that are members of these groups.

None
o_not_in_group

Search for groups that are not members of these groups.

None
o_in_netgroup

Search for groups that are members of these netgroups.

None
o_not_in_netgroup

Search for groups that are not members of these netgroups.

None
o_in_role

Search for groups that are members of these roles.

None
o_not_in_role

Search for groups that are not members of these roles.

None
o_in_hbacrule

Search for groups that are members of these HBAC rules.

None
o_not_in_hbacrule

Search for groups that are not members of these HBAC rules.

None
o_in_sudorule

Search for groups that are members of these sudo rules.

None
o_not_in_sudorule

Search for groups that are not members of these sudo rules.

None
o_membermanager_user

Search for groups whose membership is managed by these users.

None
o_not_membermanager_user

Search for groups whose membership is not managed by these users.

None
o_membermanager_group

Search for groups whose membership is managed by these groups.

None
o_not_membermanager_group

Search for groups whose membership is not managed by these groups.

None

group_mod(a_cn, o_description=None, o_gidnumber=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_posix=False, o_external=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None, **kwargs)

Modify a group.

Parameters:

Name Type Description Default
a_cn

Group name

required
o_description

Group description

None
o_gidnumber

GID (use this option to set it manually)

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_posix

change to a POSIX group

False
o_external

change to support external non-IPA members from trusted domains

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_rename

Rename the group object

None

group_remove_member(a_cn, o_ipaexternalmember=None, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_service=None, o_idoverrideuser=None, **kwargs)

Remove members from a group.

Parameters:

Name Type Description Default
a_cn

Group name

required
o_ipaexternalmember

Members of a trusted domain in DOM\name or name@domain form

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to remove

None
o_group

groups to remove

None
o_service

services to remove

None
o_idoverrideuser

User ID overrides to remove

None

group_remove_member_manager(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, **kwargs)

Remove users and groups that can manage members of this group.

Parameters:

Name Type Description Default
a_cn

Group name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to remove

None
o_group

groups to remove

None

group_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about a named group.

Parameters:

Name Type Description Default
a_cn

Group name

required
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
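A group_show result lists direct members (member_user, member_group) and, through group_add_member_manager, the users and groups allowed to change the membership. Working out who effectively holds a group's privilege therefore means walking two graphs: nested membership, and the manager relation, because anyone who can edit a manager group can add themselves to it and then to the target. The following is an added example, not code from python-freeipa or FreeIPA: a cycle-safe traversal over group_show responses, run here against a constructed stand-in client whose data is invented (the group names, users and the deliberate platform-leads/oncall cycle are all made up). Attribute names follow the membership attributes in the tables above; the response shape assumes the client returns the {"result": entry, "value": ..., "summary": ...} dict that the user_add example at the top of this page prints.

```python
class FakeIPA:
    """Constructed stand-in for ClientMeta: serves group_show from a dict instead of
    the server, returning the same {"result": entry, ...} shape the client does."""

    def __init__(self, groups):
        self._groups = groups

    def group_show(self, a_cn, **kwargs):
        if a_cn not in self._groups:
            raise KeyError("group not found: %s" % a_cn)  # the real client raises NotFound
        return {"result": self._groups[a_cn], "value": a_cn, "summary": None}


# Constructed sample data (not from a real directory). oncall and platform-leads
# contain each other, which the traversal must survive.
SAMPLE_GROUPS = {
    "admins": {"cn": ["admins"], "member_user": ["admin"],
               "member_group": ["platform-leads"], "membermanager_group": ["iam-ops"]},
    "platform-leads": {"cn": ["platform-leads"], "member_user": ["alice"],
                       "member_group": ["oncall"]},
    "oncall": {"cn": ["oncall"], "member_user": ["bob"], "member_group": ["platform-leads"]},
    "iam-ops": {"cn": ["iam-ops"], "member_user": ["carol"], "membermanager_user": ["dave"]},
}


def transitive_members(client, group, _seen=None):
    """Every user reachable through nested member_group links, cycle-safe."""
    seen = set() if _seen is None else _seen
    if group in seen:
        return set()
    seen.add(group)
    entry = client.group_show(group)["result"]
    users = set(entry.get("member_user", []))
    for sub in entry.get("member_group", []):
        users |= transitive_members(client, sub, seen)
    return users


def who_can_change(client, group, _seen=None):
    """Users who can add members to the group: direct member managers, members of
    manager groups, and whoever can edit a manager group (and so add themselves)."""
    seen = set() if _seen is None else _seen
    if group in seen:
        return set()
    seen.add(group)
    entry = client.group_show(group)["result"]
    users = set(entry.get("membermanager_user", []))
    for mgr in entry.get("membermanager_group", []):
        users |= transitive_members(client, mgr)
        users |= who_can_change(client, mgr, seen)
    return users


if __name__ == "__main__":
    client = FakeIPA(SAMPLE_GROUPS)   # replace with a logged-in ClientMeta
    print("members of admins:", sorted(transitive_members(client, "admins")))
    print("can change admins:", sorted(who_can_change(client, "admins")))
```

In the sample, dave appears nowhere in admins or its nested groups, yet who_can_change reports him: he manages iam-ops, iam-ops manages admins, so two API calls put him in admins. The server's own memberindirect_user attribute gives you the first set without the traversal, but not the second, and it does not show the path, which is what you need when explaining the finding.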

hbacrule_add(a_cn, o_accessruletype='allow', o_usercategory=None, o_hostcategory=None, o_sourcehostcategory=None, o_servicecategory=None, o_description=None, o_ipaenabledflag=None, o_externalhost=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Create a new HBAC rule.

Parameters:

Name Type Description Default
a_cn

Rule name

required
o_accessruletype

Rule type (allow)

'allow'
o_usercategory

User category the rule applies to

None
o_hostcategory

Host category the rule applies to

None
o_sourcehostcategory

Source host category the rule applies to

None
o_servicecategory

Service category the rule applies to

None
o_description

Description

None
o_ipaenabledflag

Enabled

None
o_externalhost

External host

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

hbacrule_add_host(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None, **kwargs)

Add target hosts and hostgroups to an HBAC rule.

Parameters:

Name Type Description Default
a_cn

Rule name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_host

hosts to add

None
o_hostgroup

host groups to add

None

hbacrule_add_service(a_cn, o_all=True, o_raw=False, o_no_members=False, o_hbacsvc=None, o_hbacsvcgroup=None, **kwargs)

Add services to an HBAC rule.

Parameters:

Name Type Description Default
a_cn

Rule name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_hbacsvc

HBAC services to add

None
o_hbacsvcgroup

HBAC service groups to add

None

hbacrule_add_sourcehost(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None, **kwargs)

Add source hosts and hostgroups to an HBAC rule.

Parameters:

Name Type Description Default
a_cn

Rule name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_host

hosts to add

None
o_hostgroup

host groups to add

None

hbacrule_add_user(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, **kwargs)

Add users and groups to an HBAC rule.

Parameters:

Name Type Description Default
a_cn

Rule name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to add

None
o_group

groups to add

None

hbacrule_del(a_cn, o_continue=False, **kwargs)

Delete an HBAC rule.

Parameters:

Name Type Description Default
a_cn

Rule name

required
o_continue

Continuous mode: Don't stop on errors.

False

hbacrule_disable(a_cn, **kwargs)

Disable an HBAC rule.

Parameters:

Name Type Description Default
a_cn

Rule name

required

hbacrule_enable(a_cn, **kwargs)

Enable an HBAC rule.

Parameters:

Name Type Description Default
a_cn

Rule name

required

hbacrule_find(a_criteria=None, o_cn=None, o_accessruletype=None, o_usercategory=None, o_hostcategory=None, o_sourcehostcategory=None, o_servicecategory=None, o_description=None, o_ipaenabledflag=None, o_externalhost=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, **kwargs)

Search for HBAC rules.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_criteria | | A string searched in all relevant object attributes | None |
| o_cn | | Rule name | None |
| o_accessruletype | | Rule type (allow) | None |
| o_usercategory | | User category the rule applies to | None |
| o_hostcategory | | Host category the rule applies to | None |
| o_sourcehostcategory | | Source host category the rule applies to | None |
| o_servicecategory | | Service category the rule applies to | None |
| o_description | | Description | None |
| o_ipaenabledflag | | Enabled | None |
| o_externalhost | | External host | None |
| o_timelimit | | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | | Maximum number of entries returned (0 is unlimited) | None |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | True |
| o_pkey_only | | Results should contain primary key attribute only ("name") | False |

hbacrule_mod(a_cn, o_accessruletype=None, o_usercategory=None, o_hostcategory=None, o_sourcehostcategory=None, o_servicecategory=None, o_description=None, o_ipaenabledflag=None, o_externalhost=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None, **kwargs)

Modify an HBAC rule.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | Rule name | required |
| o_accessruletype | | Rule type (allow) | None |
| o_usercategory | | User category the rule applies to | None |
| o_hostcategory | | Host category the rule applies to | None |
| o_sourcehostcategory | | Source host category the rule applies to | None |
| o_servicecategory | | Service category the rule applies to | None |
| o_description | | Description | None |
| o_ipaenabledflag | | Enabled | None |
| o_externalhost | | External host | None |
| o_setattr | | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_delattr | | Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. | None |
| o_rights | | Display the access rights of this entry (requires o_all=True). See the ipa man page for details. | False |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_rename | | Rename the HBAC rule object | None |

hbacrule_remove_host(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None, **kwargs)

Remove target hosts and hostgroups from an HBAC rule.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | Rule name | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_host | | hosts to remove | None |
| o_hostgroup | | host groups to remove | None |

hbacrule_remove_service(a_cn, o_all=True, o_raw=False, o_no_members=False, o_hbacsvc=None, o_hbacsvcgroup=None, **kwargs)

Remove services and service groups from an HBAC rule.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | Rule name | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_hbacsvc | | HBAC services to remove | None |
| o_hbacsvcgroup | | HBAC service groups to remove | None |

hbacrule_remove_sourcehost(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None, **kwargs)

Remove source hosts and hostgroups from an HBAC rule.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | Rule name | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_host | | hosts to remove | None |
| o_hostgroup | | host groups to remove | None |

hbacrule_remove_user(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, **kwargs)

Remove users and groups from an HBAC rule.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | Rule name | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_user | | users to remove | None |
| o_group | | groups to remove | None |

hbacrule_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display the properties of an HBAC rule.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | Rule name | required |
| o_rights | | Display the access rights of this entry (requires o_all=True). See the ipa man page for details. | False |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |

hbacsvc_add(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a new HBAC service.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | HBAC service | required |
| o_description | | HBAC service description | None |
| o_setattr | | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |

hbacsvc_del(a_cn, o_continue=False, **kwargs)

Delete an existing HBAC service.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | HBAC service | required |
| o_continue | | Continuous mode: Don't stop on errors. | False |

hbacsvc_find(a_criteria=None, o_cn=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, **kwargs)

Search for HBAC services.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_criteria | | A string searched in all relevant object attributes | None |
| o_cn | | HBAC service | None |
| o_description | | HBAC service description | None |
| o_timelimit | | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | | Maximum number of entries returned (0 is unlimited) | None |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | True |
| o_pkey_only | | Results should contain primary key attribute only ("service") | False |

hbacsvc_mod(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Modify an HBAC service.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | HBAC service | required |
| o_description | | HBAC service description | None |
| o_setattr | | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_delattr | | Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. | None |
| o_rights | | Display the access rights of this entry (requires o_all=True). See the ipa man page for details. | False |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |

hbacsvc_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about an HBAC service.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | HBAC service | required |
| o_rights | | Display the access rights of this entry (requires o_all=True). See the ipa man page for details. | False |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |

hbacsvcgroup_add(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a new HBAC service group.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | Service group name | required |
| o_description | | HBAC service group description | None |
| o_setattr | | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |

hbacsvcgroup_add_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_hbacsvc=None, **kwargs)

Add members to an HBAC service group.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | Service group name | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_hbacsvc | | HBAC services to add | None |

hbacsvcgroup_del(a_cn, o_continue=False, **kwargs)

Delete an HBAC service group.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | Service group name | required |
| o_continue | | Continuous mode: Don't stop on errors. | False |

hbacsvcgroup_find(a_criteria=None, o_cn=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, **kwargs)

Search for HBAC service groups.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_criteria | | A string searched in all relevant object attributes | None |
| o_cn | | Service group name | None |
| o_description | | HBAC service group description | None |
| o_timelimit | | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | | Maximum number of entries returned (0 is unlimited) | None |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | True |
| o_pkey_only | | Results should contain primary key attribute only ("name") | False |

hbacsvcgroup_mod(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Modify an HBAC service group.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | Service group name | required |
| o_description | | HBAC service group description | None |
| o_setattr | | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_delattr | | Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. | None |
| o_rights | | Display the access rights of this entry (requires o_all=True). See the ipa man page for details. | False |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |

hbacsvcgroup_remove_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_hbacsvc=None, **kwargs)

Remove members from an HBAC service group.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | Service group name | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_hbacsvc | | HBAC services to remove | None |

hbacsvcgroup_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about an HBAC service group.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | Service group name | required |
| o_rights | | Display the access rights of this entry (requires o_all=True). See the ipa man page for details. | False |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |

hbactest(o_user, o_targethost, o_service, o_sourcehost=None, o_rules=None, o_nodetail=False, o_enabled=False, o_disabled=False, o_sizelimit=None, **kwargs)

Simulate use of host-based access controls: evaluate which HBAC rules would grant the given user access to the given service on the target host.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| o_user | | User name | required |
| o_sourcehost | | Source host | None |
| o_targethost | | Target host | required |
| o_service | | Service | required |
| o_rules | | Rules to test. If not specified, all enabled rules are tested (as with o_enabled) | None |
| o_nodetail | | Hide the details of which rules are matched, not matched, or invalid | False |
| o_enabled | | Include all enabled IPA rules in the test [default] | False |
| o_disabled | | Include all disabled IPA rules in the test | False |
| o_sizelimit | | Maximum number of rules to process when o_rules is not specified | None |
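The HBAC calls documented above are the building blocks of least-privilege access: a rule that names explicit user, host and service groups instead of the "all" categories, an hbactest call that proves the rule grants (or denies) what was intended before anything relies on it, and an hbacrule_find sweep for enabled rules that still use category "all" (the stock allow_all rule is the usual offender). The following is an added example, not code from python-freeipa or FreeIPA. It runs against any object exposing the ClientMeta method names; the RecordingClient and its canned responses are constructed so the example runs without a server. hbacrule_add, hbacrule_add_host and hbacrule_add_service are assumed to exist with the same o_* naming as hbacrule_add_user, and the response shapes (a "result" list from hbacrule_find, "value" and "matched" from hbactest, one-element lists for attributes, a Bool o_ipaenabledflag) are assumptions about the FreeIPA JSON-RPC API, not facts stated on this page.

```python
"""Least-privilege HBAC: build a scoped rule, verify it, audit for 'all' rules.

Added example, not python-freeipa code.  Works with any object exposing the
ClientMeta method names; RecordingClient is a constructed stand-in so this
runs offline.  Response shapes below are assumptions about the FreeIPA API.
"""


class RecordingClient:
    """Constructed fake client: records calls, answers from canned responses."""

    def __init__(self, canned=None):
        self.calls = []
        self.canned = dict(canned or {})

    def __getattr__(self, name):
        def method(*args, **kwargs):
            self.calls.append((name, args, kwargs))
            return self.canned.get(name, {"result": {}})
        return method


def _first(value):
    """FreeIPA returns most attributes as one-element lists (assumed)."""
    return value[0] if isinstance(value, (list, tuple)) else value


def add_scoped_rule(client, name, groups, hostgroups, svcgroups, description=""):
    """Create an allow rule bound to named groups, then enable it.

    Assumes hbacrule_add / hbacrule_add_host / hbacrule_add_service exist with
    the same o_* parameter style as hbacrule_add_user (documented above).
    Leaving every category unset means the rule applies only to what is added.
    """
    client.hbacrule_add(name, o_description=description)
    client.hbacrule_add_user(name, o_group=list(groups))
    client.hbacrule_add_host(name, o_hostgroup=list(hostgroups))
    client.hbacrule_add_service(name, o_hbacsvcgroup=list(svcgroups))
    client.hbacrule_enable(name)


def access_allowed(client, user, target_host, service, rules=None):
    """Run hbactest and return (granted, matched_rule_names).

    Assumed response shape: 'value' is the access decision and 'matched' lists
    the rules that granted it.  With rules=None all enabled rules are tested.
    """
    kwargs = dict(o_user=user, o_targethost=target_host, o_service=service)
    if rules:
        kwargs["o_rules"] = list(rules)
    resp = client.hbactest(**kwargs)
    return bool(resp.get("value")), [str(r) for r in resp.get("matched") or []]


def overbroad_rules(client):
    """Return names of enabled rules whose user or host category is 'all'.

    Such a rule grants access regardless of membership; FreeIPA ships one
    named allow_all.  hbacrule_find is assumed to return entries in 'result'
    and o_ipaenabledflag is assumed to accept a Python bool.
    """
    resp = client.hbacrule_find(o_ipaenabledflag=True, o_all=True)
    flagged = []
    for rule in resp.get("result") or []:
        categories = set(rule.get("usercategory") or []) | set(rule.get("hostcategory") or [])
        if "all" in categories:
            flagged.append(_first(rule["cn"]))
    return flagged


# Constructed canned responses standing in for a real server.
CANNED = {
    "hbactest": {"value": True, "matched": ["allow_all", "sshd-ops"], "notmatched": []},
    "hbacrule_find": {
        "count": 2,
        "result": [
            {"cn": ["allow_all"], "usercategory": ["all"], "hostcategory": ["all"],
             "servicecategory": ["all"], "ipaenabledflag": [True]},
            {"cn": ["sshd-ops"], "memberuser_group": ["ops"],
             "memberhost_hostgroup": ["bastions"], "memberservice_hbacsvcgroup": ["ssh"]},
        ],
    },
}


if __name__ == "__main__":
    client = RecordingClient(CANNED)   # swap for ClientMeta(...) after login()
    add_scoped_rule(client, "sshd-ops", ["ops"], ["bastions"], ["ssh"], "SSH for ops")
    granted, matched = access_allowed(client, "alice", "bastion1.example.test", "sshd")
    print("granted:", granted, "via", matched)
    print("over-broad rules still enabled:", overbroad_rules(client))
```

Against a real server, replace RecordingClient with a logged-in ClientMeta; the rest is unchanged. The point of running hbactest with o_rules limited to the new rule's name is to confirm the rule grants access on its own, since a still-enabled allow_all would otherwise mask a mistake in the scoped rule.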

host_add(a_fqdn, o_description=None, o_l=None, o_nshostlocation=None, o_nshardwareplatform=None, o_nsosversion=None, o_userpassword=None, o_random=False, o_usercertificate=None, o_macaddress=None, o_ipasshpubkey=None, o_userclass=None, o_ipaassignedidview=None, o_krbprincipalauthind=None, o_ipakrbrequirespreauth=None, o_ipakrbokasdelegate=None, o_ipakrboktoauthasdelegate=None, o_setattr=None, o_addattr=None, o_force=False, o_no_reverse=False, o_ip_address=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a new host.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| o_description | | A description of this host | None |
| o_l | | Host locality (e.g. "Baltimore, MD") | None |
| o_nshostlocation | | Host physical location hint (e.g. "Lab 2") | None |
| o_nshardwareplatform | | Host hardware platform (e.g. "Lenovo T61") | None |
| o_nsosversion | | Host operating system and version (e.g. "Fedora 9") | None |
| o_userpassword | | Password used in bulk enrollment | None |
| o_random | | Generate a random password to be used in bulk enrollment | False |
| o_usercertificate | | Base-64 encoded host certificate | None |
| o_macaddress | | Hardware MAC address(es) on this host | None |
| o_ipasshpubkey | | SSH public key | None |
| o_userclass | | Host category (semantics placed on this attribute are for local interpretation) | None |
| o_ipaassignedidview | | Assigned ID View | None |
| o_krbprincipalauthind | | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use 'pkinit' to allow PKINIT-based 2FA authentications. Use 'hardened' to allow brute-force hardened password authentication by SPAKE or FAST. Use 'idp' to allow External Identity Provider authentications. Use 'passkey' to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed. | None |
| o_ipakrbrequirespreauth | | Pre-authentication is required for the service | None |
| o_ipakrbokasdelegate | | Client credentials may be delegated to the service | None |
| o_ipakrboktoauthasdelegate | | The service is allowed to authenticate on behalf of a client | None |
| o_setattr | | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_force | | Force the host name even if it is not in DNS | False |
| o_no_reverse | | Skip reverse DNS detection | False |
| o_ip_address | | Add the host to DNS with this IP address | None |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |

host_add_cert(a_fqdn, o_usercertificate, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add certificates to host entry

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_usercertificate | | Base-64 encoded host certificate | required |

host_add_delegation(a_fqdn, a_memberprincipal, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add new resource delegation to a host

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| a_memberprincipal | | Delegation principal | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |

host_add_managedby(a_fqdn, o_all=True, o_raw=False, o_no_members=False, o_host=None, **kwargs)

Add hosts that can manage this host.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_host | | hosts to add | None |

host_add_principal(a_fqdn, a_krbprincipalname, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add new principal alias to host entry

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| a_krbprincipalname | | Principal alias | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |

host_allow_add_delegation(a_fqdn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, **kwargs)

Allow users, groups, hosts or host groups to handle a resource delegation of this host.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_user | | users to add | None |
| o_group | | groups to add | None |
| o_host | | hosts to add | None |
| o_hostgroup | | host groups to add | None |

host_allow_create_keytab(a_fqdn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, **kwargs)

Allow users, groups, hosts or host groups to create a keytab of this host.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_user | | users to add | None |
| o_group | | groups to add | None |
| o_host | | hosts to add | None |
| o_hostgroup | | host groups to add | None |

host_allow_retrieve_keytab(a_fqdn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, **kwargs)

Allow users, groups, hosts or host groups to retrieve a keytab of this host.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_user | | users to add | None |
| o_group | | groups to add | None |
| o_host | | hosts to add | None |
| o_hostgroup | | host groups to add | None |

host_del(a_fqdn, o_continue=False, o_updatedns=False, **kwargs)

Delete a host.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| o_continue | | Continuous mode: Don't stop on errors. | False |
| o_updatedns | | Remove A, AAAA, SSHFP and PTR records of the host(s) managed by IPA DNS | False |

host_disable(a_fqdn, **kwargs)

Disable the Kerberos key, SSL certificate and all services of a host.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |

host_disallow_add_delegation(a_fqdn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, **kwargs)

Disallow users, groups, hosts or host groups to handle a resource delegation of this host.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_user | | users to remove | None |
| o_group | | groups to remove | None |
| o_host | | hosts to remove | None |
| o_hostgroup | | host groups to remove | None |

host_disallow_create_keytab(a_fqdn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, **kwargs)

Disallow users, groups, hosts or host groups to create a keytab of this host.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_user | | users to remove | None |
| o_group | | groups to remove | None |
| o_host | | hosts to remove | None |
| o_hostgroup | | host groups to remove | None |

host_disallow_retrieve_keytab(a_fqdn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, **kwargs)

Disallow users, groups, hosts or host groups to retrieve a keytab of this host.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_user | | users to remove | None |
| o_group | | groups to remove | None |
| o_host | | hosts to remove | None |
| o_hostgroup | | host groups to remove | None |

host_find(a_criteria=None, o_fqdn=None, o_description=None, o_l=None, o_nshostlocation=None, o_nshardwareplatform=None, o_nsosversion=None, o_usercertificate=None, o_macaddress=None, o_userclass=None, o_ipaassignedidview=None, o_krbprincipalauthind=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, o_in_hostgroup=None, o_not_in_hostgroup=None, o_in_netgroup=None, o_not_in_netgroup=None, o_in_role=None, o_not_in_role=None, o_in_hbacrule=None, o_not_in_hbacrule=None, o_in_sudorule=None, o_not_in_sudorule=None, o_enroll_by_user=None, o_not_enroll_by_user=None, o_man_by_host=None, o_not_man_by_host=None, o_man_host=None, o_not_man_host=None, **kwargs)

Search for hosts.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_criteria | | A string searched in all relevant object attributes | None |
| o_fqdn | | Host name | None |
| o_description | | A description of this host | None |
| o_l | | Host locality (e.g. "Baltimore, MD") | None |
| o_nshostlocation | | Host physical location hint (e.g. "Lab 2") | None |
| o_nshardwareplatform | | Host hardware platform (e.g. "Lenovo T61") | None |
| o_nsosversion | | Host operating system and version (e.g. "Fedora 9") | None |
| o_usercertificate | | Base-64 encoded host certificate | None |
| o_macaddress | | Hardware MAC address(es) on this host | None |
| o_userclass | | Host category (semantics placed on this attribute are for local interpretation) | None |
| o_ipaassignedidview | | Assigned ID View | None |
| o_krbprincipalauthind | | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use 'pkinit' to allow PKINIT-based 2FA authentications. Use 'hardened' to allow brute-force hardened password authentication by SPAKE or FAST. Use 'idp' to allow External Identity Provider authentications. Use 'passkey' to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed. | None |
| o_timelimit | | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | | Maximum number of entries returned (0 is unlimited) | None |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | True |
| o_pkey_only | | Results should contain primary key attribute only ("hostname") | False |
| o_in_hostgroup | | Search for hosts that are members of these host groups. | None |
| o_not_in_hostgroup | | Search for hosts that are not members of these host groups. | None |
| o_in_netgroup | | Search for hosts that are members of these netgroups. | None |
| o_not_in_netgroup | | Search for hosts that are not members of these netgroups. | None |
| o_in_role | | Search for hosts that are members of these roles. | None |
| o_not_in_role | | Search for hosts that are not members of these roles. | None |
| o_in_hbacrule | | Search for hosts that are members of these HBAC rules. | None |
| o_not_in_hbacrule | | Search for hosts that are not members of these HBAC rules. | None |
| o_in_sudorule | | Search for hosts that are members of these sudo rules. | None |
| o_not_in_sudorule | | Search for hosts that are not members of these sudo rules. | None |
| o_enroll_by_user | | Search for hosts that were enrolled by these users. | None |
| o_not_enroll_by_user | | Search for hosts that were not enrolled by these users. | None |
| o_man_by_host | | Search for hosts that are managed by these hosts. | None |
| o_not_man_by_host | | Search for hosts that are not managed by these hosts. | None |
| o_man_host | | Search for hosts that manage these hosts. | None |
| o_not_man_host | | Search for hosts that do not manage these hosts. | None |

host_mod(a_fqdn, o_description=None, o_l=None, o_nshostlocation=None, o_nshardwareplatform=None, o_nsosversion=None, o_userpassword=None, o_random=False, o_usercertificate=None, o_krbprincipalname=None, o_macaddress=None, o_ipasshpubkey=None, o_userclass=None, o_ipaassignedidview=None, o_krbprincipalauthind=None, o_ipakrbrequirespreauth=None, o_ipakrbokasdelegate=None, o_ipakrboktoauthasdelegate=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_updatedns=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Modify information about a host.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| o_description | | A description of this host | None |
| o_l | | Host locality (e.g. "Baltimore, MD") | None |
| o_nshostlocation | | Host physical location hint (e.g. "Lab 2") | None |
| o_nshardwareplatform | | Host hardware platform (e.g. "Lenovo T61") | None |
| o_nsosversion | | Host operating system and version (e.g. "Fedora 9") | None |
| o_userpassword | | Password used in bulk enrollment | None |
| o_random | | Generate a random password to be used in bulk enrollment | False |
| o_usercertificate | | Base-64 encoded host certificate | None |
| o_krbprincipalname | | Principal alias | None |
| o_macaddress | | Hardware MAC address(es) on this host | None |
| o_ipasshpubkey | | SSH public key | None |
| o_userclass | | Host category (semantics placed on this attribute are for local interpretation) | None |
| o_ipaassignedidview | | Assigned ID View | None |
| o_krbprincipalauthind | | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use 'pkinit' to allow PKINIT-based 2FA authentications. Use 'hardened' to allow brute-force hardened password authentication by SPAKE or FAST. Use 'idp' to allow External Identity Provider authentications. Use 'passkey' to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed. | None |
| o_ipakrbrequirespreauth | | Pre-authentication is required for the service | None |
| o_ipakrbokasdelegate | | Client credentials may be delegated to the service | None |
| o_ipakrboktoauthasdelegate | | The service is allowed to authenticate on behalf of a client | None |
| o_setattr | | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_delattr | | Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. | None |
| o_rights | | Display the access rights of this entry (requires o_all=True). See the ipa man page for details. | False |
| o_updatedns | | Update DNS entries | False |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |

host_remove_cert(a_fqdn, o_usercertificate, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Remove certificates from host entry

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_usercertificate | | Base-64 encoded host certificate | required |

host_remove_delegation(a_fqdn, a_memberprincipal, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Remove resource delegation from a host

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| a_memberprincipal | | Delegation principal | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |

host_remove_managedby(a_fqdn, o_all=True, o_raw=False, o_no_members=False, o_host=None, **kwargs)

Remove hosts that can manage this host.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |
| o_host | | hosts to remove | None |

host_remove_principal(a_fqdn, a_krbprincipalname, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Remove principal alias from a host entry

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| a_krbprincipalname | | Principal alias | required |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |

host_show(a_fqdn, o_rights=False, o_out=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about a host.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_fqdn | | Host name | required |
| o_rights | | Display the access rights of this entry (requires o_all=True). See the ipa man page for details. | False |
| o_out | | File to store the certificate in | None |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |

hostgroup_add(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a new hostgroup.

Parameters:

| Name | Type | Description | Default |
|---|---|---|---|
| a_cn | | Name of host-group | required |
| o_description | | A description of this host-group | None |
| o_setattr | | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_all | | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | | Suppress processing of membership attributes. | False |

hostgroup_add_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None, **kwargs)

Add members to a hostgroup.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | Name of host-group | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_host | hosts to add | None |
| o_hostgroup | host groups to add | None |

hostgroup_add_member_manager(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, **kwargs)

Add users that can manage members of this hostgroup.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | Name of host-group | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_user | users to add | None |
| o_group | groups to add | None |

hostgroup_del(a_cn, o_continue=False, **kwargs)

Delete a hostgroup.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | Name of host-group | required |
| o_continue | Continuous mode: Don't stop on errors. | False |

hostgroup_find(a_criteria=None, o_cn=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, o_host=None, o_no_host=None, o_hostgroup=None, o_no_hostgroup=None, o_in_hostgroup=None, o_not_in_hostgroup=None, o_in_netgroup=None, o_not_in_netgroup=None, o_in_hbacrule=None, o_not_in_hbacrule=None, o_in_sudorule=None, o_not_in_sudorule=None, o_membermanager_user=None, o_not_membermanager_user=None, o_membermanager_group=None, o_not_membermanager_group=None, **kwargs)

Search for hostgroups.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_criteria | A string searched in all relevant object attributes | None |
| o_cn | Name of host-group | None |
| o_description | A description of this host-group | None |
| o_timelimit | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | Maximum number of entries returned (0 is unlimited) | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | True |
| o_pkey_only | Results should contain primary key attribute only ("hostgroup-name") | False |
| o_host | Search for host groups with these member hosts. | None |
| o_no_host | Search for host groups without these member hosts. | None |
| o_hostgroup | Search for host groups with these member host groups. | None |
| o_no_hostgroup | Search for host groups without these member host groups. | None |
| o_in_hostgroup | Search for host groups that are members of these host groups. | None |
| o_not_in_hostgroup | Search for host groups that are not members of these host groups. | None |
| o_in_netgroup | Search for host groups that are members of these netgroups. | None |
| o_not_in_netgroup | Search for host groups that are not members of these netgroups. | None |
| o_in_hbacrule | Search for host groups that are members of these HBAC rules. | None |
| o_not_in_hbacrule | Search for host groups that are not members of these HBAC rules. | None |
| o_in_sudorule | Search for host groups that are members of these sudo rules. | None |
| o_not_in_sudorule | Search for host groups that are not members of these sudo rules. | None |
| o_membermanager_user | Search for host groups whose membership is managed by these users. | None |
| o_not_membermanager_user | Search for host groups whose membership is not managed by these users. | None |
| o_membermanager_group | Search for host groups whose membership is managed by these groups. | None |
| o_not_membermanager_group | Search for host groups whose membership is not managed by these groups. | None |

hostgroup_mod(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None, **kwargs)

Modify a hostgroup.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | Name of host-group | required |
| o_description | A description of this host-group | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_delattr | Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. | None |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_rename | Rename the host group object | None |

hostgroup_remove_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None, **kwargs)

Remove members from a hostgroup.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | Name of host-group | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_host | hosts to remove | None |
| o_hostgroup | host groups to remove | None |

hostgroup_remove_member_manager(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, **kwargs)

Remove users that can manage members of this hostgroup.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | Name of host-group | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_user | users to remove | None |
| o_group | groups to remove | None |

hostgroup_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about a hostgroup.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | Name of host-group | required |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

i18n_messages(**kwargs)

Internationalization messages

idoverridegroup_add(a_idviewcn, a_ipaanchoruuid, o_description=None, o_cn=None, o_gidnumber=None, o_setattr=None, o_addattr=None, o_fallback_to_ldap=False, o_all=True, o_raw=False, **kwargs)

Add a new Group ID override.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_idviewcn | ID View Name | required |
| a_ipaanchoruuid | Anchor to override | required |
| o_description | Description | None |
| o_cn | Group name | None |
| o_gidnumber | Group ID Number | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_fallback_to_ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

idoverridegroup_del(a_idviewcn, a_ipaanchoruuid, o_continue=False, o_fallback_to_ldap=False, **kwargs)

Delete a Group ID override.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_idviewcn | ID View Name | required |
| a_ipaanchoruuid | Anchor to override | required |
| o_continue | Continuous mode: Don't stop on errors. | False |
| o_fallback_to_ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | False |

idoverridegroup_find(a_idviewcn, a_criteria=None, o_ipaanchoruuid=None, o_description=None, o_cn=None, o_gidnumber=None, o_timelimit=None, o_sizelimit=None, o_fallback_to_ldap=False, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for a Group ID override.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_idviewcn | ID View Name | required |
| a_criteria | A string searched in all relevant object attributes | None |
| o_ipaanchoruuid | Anchor to override | None |
| o_description | Description | None |
| o_cn | Group name | None |
| o_gidnumber | Group ID Number | None |
| o_timelimit | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | Maximum number of entries returned (0 is unlimited) | None |
| o_fallback_to_ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_pkey_only | Results should contain primary key attribute only ("anchor") | False |

idoverridegroup_mod(a_idviewcn, a_ipaanchoruuid, o_description=None, o_cn=None, o_gidnumber=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_fallback_to_ldap=False, o_all=True, o_raw=False, o_rename=None, **kwargs)

Modify a Group ID override.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_idviewcn | ID View Name | required |
| a_ipaanchoruuid | Anchor to override | required |
| o_description | Description | None |
| o_cn | Group name | None |
| o_gidnumber | Group ID Number | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_delattr | Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. | None |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_fallback_to_ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_rename | Rename the Group ID override object | None |

idoverridegroup_show(a_idviewcn, a_ipaanchoruuid, o_rights=False, o_fallback_to_ldap=False, o_all=True, o_raw=False, **kwargs)

Display information about a Group ID override.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_idviewcn | ID View Name | required |
| a_ipaanchoruuid | Anchor to override | required |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_fallback_to_ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

idoverrideuser_add(a_idviewcn, a_ipaanchoruuid, o_description=None, o_uid=None, o_uidnumber=None, o_gecos=None, o_gidnumber=None, o_homedirectory=None, o_loginshell=None, o_ipaoriginaluid=None, o_ipasshpubkey=None, o_usercertificate=None, o_setattr=None, o_addattr=None, o_fallback_to_ldap=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a new User ID override.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_idviewcn | ID View Name | required |
| a_ipaanchoruuid | Anchor to override | required |
| o_description | Description | None |
| o_uid | User login | None |
| o_uidnumber | User ID Number | None |
| o_gecos | GECOS | None |
| o_gidnumber | Group ID Number | None |
| o_homedirectory | Home directory | None |
| o_loginshell | Login shell | None |
| o_ipaoriginaluid | | None |
| o_ipasshpubkey | SSH public key | None |
| o_usercertificate | Base-64 encoded user certificate | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_fallback_to_ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

idoverrideuser_add_cert(a_idviewcn, a_ipaanchoruuid, o_usercertificate, o_fallback_to_ldap=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add one or more certificates to the idoverrideuser entry

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_idviewcn | ID View Name | required |
| a_ipaanchoruuid | Anchor to override | required |
| o_usercertificate | Base-64 encoded user certificate | required |
| o_fallback_to_ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

idoverrideuser_del(a_idviewcn, a_ipaanchoruuid, o_continue=False, o_fallback_to_ldap=False, **kwargs)

Delete a User ID override.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_idviewcn | ID View Name | required |
| a_ipaanchoruuid | Anchor to override | required |
| o_continue | Continuous mode: Don't stop on errors. | False |
| o_fallback_to_ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | False |

idoverrideuser_find(a_idviewcn, a_criteria=None, o_ipaanchoruuid=None, o_description=None, o_uid=None, o_uidnumber=None, o_gecos=None, o_gidnumber=None, o_homedirectory=None, o_loginshell=None, o_ipaoriginaluid=None, o_timelimit=None, o_sizelimit=None, o_fallback_to_ldap=False, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, **kwargs)

Search for a User ID override.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_idviewcn | ID View Name | required |
| a_criteria | A string searched in all relevant object attributes | None |
| o_ipaanchoruuid | Anchor to override | None |
| o_description | Description | None |
| o_uid | User login | None |
| o_uidnumber | User ID Number | None |
| o_gecos | GECOS | None |
| o_gidnumber | Group ID Number | None |
| o_homedirectory | Home directory | None |
| o_loginshell | Login shell | None |
| o_ipaoriginaluid | | None |
| o_timelimit | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | Maximum number of entries returned (0 is unlimited) | None |
| o_fallback_to_ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | True |
| o_pkey_only | Results should contain primary key attribute only ("anchor") | False |

idoverrideuser_mod(a_idviewcn, a_ipaanchoruuid, o_description=None, o_uid=None, o_uidnumber=None, o_gecos=None, o_gidnumber=None, o_homedirectory=None, o_loginshell=None, o_ipaoriginaluid=None, o_ipasshpubkey=None, o_usercertificate=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_fallback_to_ldap=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None, **kwargs)

Modify a User ID override.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_idviewcn | ID View Name | required |
| a_ipaanchoruuid | Anchor to override | required |
| o_description | Description | None |
| o_uid | User login | None |
| o_uidnumber | User ID Number | None |
| o_gecos | GECOS | None |
| o_gidnumber | Group ID Number | None |
| o_homedirectory | Home directory | None |
| o_loginshell | Login shell | None |
| o_ipaoriginaluid | | None |
| o_ipasshpubkey | SSH public key | None |
| o_usercertificate | Base-64 encoded user certificate | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_delattr | Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. | None |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_fallback_to_ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_rename | Rename the User ID override object | None |

idoverrideuser_remove_cert(a_idviewcn, a_ipaanchoruuid, o_usercertificate, o_fallback_to_ldap=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Remove one or more certificates from the idoverrideuser entry

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_idviewcn | ID View Name | required |
| a_ipaanchoruuid | Anchor to override | required |
| o_usercertificate | Base-64 encoded user certificate | required |
| o_fallback_to_ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

idoverrideuser_show(a_idviewcn, a_ipaanchoruuid, o_rights=False, o_fallback_to_ldap=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about a User ID override.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_idviewcn | ID View Name | required |
| a_ipaanchoruuid | Anchor to override | required |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_fallback_to_ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

idp_add(a_cn, o_ipaidpclientid, o_ipaidpauthendpoint=None, o_ipaidpdevauthendpoint=None, o_ipaidptokenendpoint=None, o_ipaidpuserinfoendpoint=None, o_ipaidpkeysendpoint=None, o_ipaidpissuerurl=None, o_ipaidpclientsecret=None, o_ipaidpscope=None, o_ipaidpsub=None, o_setattr=None, o_addattr=None, o_ipaidpprovider=None, o_ipaidporg=None, o_ipaidpbaseurl=None, o_all=True, o_raw=False, **kwargs)

Add a new Identity Provider reference.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | Identity Provider reference name | required |
| o_ipaidpclientid | OAuth 2.0 client identifier | required |
| o_ipaidpauthendpoint | OAuth 2.0 authorization endpoint | None |
| o_ipaidpdevauthendpoint | Device authorization endpoint | None |
| o_ipaidptokenendpoint | Token endpoint | None |
| o_ipaidpuserinfoendpoint | User information endpoint | None |
| o_ipaidpkeysendpoint | JWKS endpoint | None |
| o_ipaidpissuerurl | The Identity Provider OIDC URL | None |
| o_ipaidpclientsecret | OAuth 2.0 client secret | None |
| o_ipaidpscope | OAuth 2.0 scope. Multiple scopes separated by space | None |
| o_ipaidpsub | Attribute for user identity in OAuth 2.0 userinfo | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_ipaidpprovider | Choose a pre-defined template to use | None |
| o_ipaidporg | Organization ID or Realm name for IdP provider templates | None |
| o_ipaidpbaseurl | Base URL for IdP provider templates | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

idp_del(a_cn, o_continue=False, **kwargs)

Delete an Identity Provider reference.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | Identity Provider reference name | required |
| o_continue | Continuous mode: Don't stop on errors. | False |

idp_find(a_criteria=None, o_cn=None, o_ipaidpauthendpoint=None, o_ipaidpdevauthendpoint=None, o_ipaidptokenendpoint=None, o_ipaidpuserinfoendpoint=None, o_ipaidpkeysendpoint=None, o_ipaidpissuerurl=None, o_ipaidpclientid=None, o_ipaidpclientsecret=None, o_ipaidpscope=None, o_ipaidpsub=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for Identity Provider references.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_criteria | A string searched in all relevant object attributes | None |
| o_cn | Identity Provider reference name | None |
| o_ipaidpauthendpoint | OAuth 2.0 authorization endpoint | None |
| o_ipaidpdevauthendpoint | Device authorization endpoint | None |
| o_ipaidptokenendpoint | Token endpoint | None |
| o_ipaidpuserinfoendpoint | User information endpoint | None |
| o_ipaidpkeysendpoint | JWKS endpoint | None |
| o_ipaidpissuerurl | The Identity Provider OIDC URL | None |
| o_ipaidpclientid | OAuth 2.0 client identifier | None |
| o_ipaidpclientsecret | OAuth 2.0 client secret | None |
| o_ipaidpscope | OAuth 2.0 scope. Multiple scopes separated by space | None |
| o_ipaidpsub | Attribute for user identity in OAuth 2.0 userinfo | None |
| o_timelimit | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | Maximum number of entries returned (0 is unlimited) | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_pkey_only | Results should contain primary key attribute only ("name") | False |

idp_mod(a_cn, o_ipaidpauthendpoint=None, o_ipaidpdevauthendpoint=None, o_ipaidptokenendpoint=None, o_ipaidpuserinfoendpoint=None, o_ipaidpkeysendpoint=None, o_ipaidpissuerurl=None, o_ipaidpclientid=None, o_ipaidpclientsecret=None, o_ipaidpscope=None, o_ipaidpsub=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_rename=None, **kwargs)

Modify an Identity Provider reference.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | Identity Provider reference name | required |
| o_ipaidpauthendpoint | OAuth 2.0 authorization endpoint | None |
| o_ipaidpdevauthendpoint | Device authorization endpoint | None |
| o_ipaidptokenendpoint | Token endpoint | None |
| o_ipaidpuserinfoendpoint | User information endpoint | None |
| o_ipaidpkeysendpoint | JWKS endpoint | None |
| o_ipaidpissuerurl | The Identity Provider OIDC URL | None |
| o_ipaidpclientid | OAuth 2.0 client identifier | None |
| o_ipaidpclientsecret | OAuth 2.0 client secret | None |
| o_ipaidpscope | OAuth 2.0 scope. Multiple scopes separated by space | None |
| o_ipaidpsub | Attribute for user identity in OAuth 2.0 userinfo | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_delattr | Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. | None |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_rename | Rename the Identity Provider reference object | None |

idp_show(a_cn, o_rights=False, o_all=True, o_raw=False, **kwargs)

Display information about an Identity Provider reference.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | Identity Provider reference name | required |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

idrange_add(a_cn, o_ipabaseid, o_ipaidrangesize, o_ipabaserid=None, o_ipasecondarybaserid=None, o_ipanttrusteddomainsid=None, o_ipanttrusteddomainname=None, o_iparangetype=None, o_ipaautoprivategroups=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, **kwargs)

Add new ID range.

To add a new ID range you always have to specify

    --base-id
    --range-size

Additionally

    --rid-base
    --secondary-rid-base

may be given for a new ID range for the local domain while

    --auto-private-groups

may be given for a new ID range for a trusted AD domain and

    --rid-base
    --dom-sid

must be given to add a new range for a trusted AD domain.

WARNING:

The DNA plugin in 389-ds allocates IDs based on the ranges configured for the local domain. Currently the DNA plugin cannot reconfigure itself based on the local ranges set via this family of commands.

A manual configuration change has to be made in the DNA plugin configuration for the new local range. Specifically, the dnaNextRange attribute of 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be modified to match the new range.


Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | Range name | required |
| o_ipabaseid | First Posix ID of the range | required |
| o_ipaidrangesize | Number of IDs in the range | required |
| o_ipabaserid | First RID of the corresponding RID range | None |
| o_ipasecondarybaserid | First RID of the secondary RID range | None |
| o_ipanttrusteddomainsid | Domain SID of the trusted domain | None |
| o_ipanttrusteddomainname | Name of the trusted domain | None |
| o_iparangetype | ID range type, one of allowed values | None |
| o_ipaautoprivategroups | Auto creation of private groups, one of allowed values | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
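The option rules above (base id and size always; rid-base and secondary-rid-base only for a local range; rid-base plus dom-sid for a trusted AD range; auto-private-groups only for a trusted AD range) are easy to get wrong in automation, and a mistake is only reported by the server. The helper below is an added example, not part of python-freeipa: it checks a combination client-side and builds the keyword arguments for `ClientMeta.idrange_add`. The function names `build_idrange_add_kwargs` and `dna_next_range` are hypothetical; the range type values `ipa-local` and `ipa-ad-trust`, and the `low-high` value syntax of `dnaNextRange` used for the DNA reminder, are not on this page and are assumptions stated in the code.

```python
"""Pre-flight validation for ClientMeta.idrange_add (added example, not project code)."""


def build_idrange_add_kwargs(name, base_id, range_size, *, rid_base=None,
                             secondary_rid_base=None, dom_sid=None,
                             dom_name=None, auto_private_groups=None):
    """Return keyword arguments for client.idrange_add(**kwargs) or raise ValueError.

    Encodes the rules from the idrange_add docstring:
      * --base-id and --range-size are always required;
      * --rid-base / --secondary-rid-base may be given for a local range;
      * --rid-base and --dom-sid must both be given for a trusted AD range;
      * --auto-private-groups may be given for a trusted AD range only.
    """
    if not name:
        raise ValueError("range name is required")
    if not isinstance(base_id, int) or base_id < 0:
        raise ValueError("--base-id must be a non-negative integer")
    if not isinstance(range_size, int) or range_size <= 0:
        raise ValueError("--range-size must be a positive integer")

    kwargs = {"a_cn": name, "o_ipabaseid": base_id, "o_ipaidrangesize": range_size}

    # A domain SID or name means the caller wants a range for a trusted AD domain.
    trusted = dom_sid is not None or dom_name is not None
    if trusted:
        if dom_sid is None or rid_base is None:
            raise ValueError("a trusted AD range needs both --rid-base and --dom-sid")
        if not dom_sid.startswith("S-1-"):          # sanity check on SID syntax
            raise ValueError("--dom-sid does not look like a Windows SID")
        if secondary_rid_base is not None:
            raise ValueError("--secondary-rid-base applies to local ranges only")
        kwargs["o_ipanttrusteddomainsid"] = dom_sid
        if dom_name is not None:
            kwargs["o_ipanttrusteddomainname"] = dom_name
        kwargs["o_ipabaserid"] = rid_base
        if auto_private_groups is not None:
            kwargs["o_ipaautoprivategroups"] = auto_private_groups
        kwargs["o_iparangetype"] = "ipa-ad-trust"   # assumed IPA range type value
    else:
        if auto_private_groups is not None:
            raise ValueError("--auto-private-groups applies to trusted AD ranges only")
        if rid_base is not None:
            kwargs["o_ipabaserid"] = rid_base
        if secondary_rid_base is not None:
            kwargs["o_ipasecondarybaserid"] = secondary_rid_base
        kwargs["o_iparangetype"] = "ipa-local"      # assumed IPA range type value
    return kwargs


def dna_next_range(kwargs):
    """Value to set on dnaNextRange for a new local range (see the WARNING above).

    Assumes the 389-ds "low-high" syntax for that attribute. Raises for a trusted
    AD range, because the DNA plugin only allocates IDs from local ranges.
    """
    if kwargs.get("o_iparangetype") != "ipa-local":
        raise ValueError("dnaNextRange is only relevant for local ranges")
    low = kwargs["o_ipabaseid"]
    high = low + kwargs["o_ipaidrangesize"] - 1
    return f"{low}-{high}"


if __name__ == "__main__":
    # Live call, using the connection from the usage section at the top of this page.
    from python_freeipa import ClientMeta

    client = ClientMeta("ipa.demo1.freeipa.org")
    client.login("admin", "Secret123")
    local = build_idrange_add_kwargs("EXAMPLE_local_2", 200000, 100000,
                                     rid_base=1000, secondary_rid_base=100000000)
    print(client.idrange_add(**local))
    print("remember to set dnaNextRange to", dna_next_range(local))
```

The live part at the bottom only runs when the file is executed directly; the two helpers can be imported and exercised offline, which is where the option rules get checked before anything touches the server.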

idrange_del(a_cn, o_continue=False, **kwargs)

Delete an ID range.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | Range name | required |
| o_continue | Continuous mode: Don't stop on errors. | False |

idrange_find(a_criteria=None, o_cn=None, o_ipabaseid=None, o_ipaidrangesize=None, o_ipabaserid=None, o_ipasecondarybaserid=None, o_ipanttrusteddomainsid=None, o_iparangetype=None, o_ipaautoprivategroups=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for ranges.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_criteria | A string searched in all relevant object attributes | None |
| o_cn | Range name | None |
| o_ipabaseid | First Posix ID of the range | None |
| o_ipaidrangesize | Number of IDs in the range | None |
| o_ipabaserid | First RID of the corresponding RID range | None |
| o_ipasecondarybaserid | First RID of the secondary RID range | None |
| o_ipanttrusteddomainsid | Domain SID of the trusted domain | None |
| o_iparangetype | ID range type, one of allowed values | None |
| o_ipaautoprivategroups | Auto creation of private groups, one of allowed values | None |
| o_timelimit | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | Maximum number of entries returned (0 is unlimited) | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_pkey_only | Results should contain primary key attribute only ("name") | False |

idrange_mod(a_cn, o_ipabaseid=None, o_ipaidrangesize=None, o_ipabaserid=None, o_ipasecondarybaserid=None, o_ipaautoprivategroups=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_ipanttrusteddomainsid=None, o_ipanttrusteddomainname=None, o_all=True, o_raw=False, **kwargs)

Modify ID range.

WARNING:

The DNA plugin in 389-ds allocates IDs based on the ranges configured for the local domain. Currently the DNA plugin cannot reconfigure itself based on the local ranges set via this family of commands.

A manual configuration change has to be made in the DNA plugin configuration for the new local range. Specifically, the dnaNextRange attribute of 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be modified to match the new range.


Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | Range name | required |
| o_ipabaseid | First Posix ID of the range | None |
| o_ipaidrangesize | Number of IDs in the range | None |
| o_ipabaserid | First RID of the corresponding RID range | None |
| o_ipasecondarybaserid | First RID of the secondary RID range | None |
| o_ipaautoprivategroups | Auto creation of private groups, one of allowed values | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_delattr | Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. | None |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_ipanttrusteddomainsid | Domain SID of the trusted domain | None |
| o_ipanttrusteddomainname | Name of the trusted domain | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

idrange_show(a_cn, o_rights=False, o_all=True, o_raw=False, **kwargs)

Display information about a range.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | Range name | required |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

idview_add(a_cn, o_description=None, o_ipadomainresolutionorder=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, **kwargs)

Add a new ID View.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | ID View Name | required |
| o_description | Description | None |
| o_ipadomainresolutionorder | colon-separated list of domains used for short name qualification | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

idview_apply(a_cn, o_host=None, o_hostgroup=None, **kwargs)

Applies ID View to specified hosts or current members of specified hostgroups. If any other ID View is applied to the host, it is overridden.

Parameters:

| Name | Description | Default |
| --- | --- | --- |
| a_cn | ID View Name | required |
| o_host | Hosts to apply the ID View to | None |
| o_hostgroup | Host groups whose current member hosts the ID View is applied to. Note that the view is not applied automatically to hosts added to the host group after the idview-apply command has run. | None |

idview_del(a_cn, o_continue=False, **kwargs)

Delete an ID View.

Parameters:

  a_cn (required): ID View Name
  o_continue (default: False): Continuous mode: Don't stop on errors.

idview_find(a_criteria=None, o_cn=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for an ID View.

Parameters:

  a_criteria (default: None): A string searched in all relevant object attributes
  o_cn (default: None): ID View Name
  o_description (default: None): Description
  o_timelimit (default: None): Time limit of search in seconds (0 is unlimited)
  o_sizelimit (default: None): Maximum number of entries returned (0 is unlimited)
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_pkey_only (default: False): Results should contain primary key attribute only ("name")

idview_mod(a_cn, o_description=None, o_ipadomainresolutionorder=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_rename=None, **kwargs)

Modify an ID View.

Parameters:

  a_cn (required): ID View Name
  o_description (default: None): Description
  o_ipadomainresolutionorder (default: None): colon-separated list of domains used for short name qualification
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_delattr (default: None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_rename (default: None): Rename the ID View object

idview_show(a_cn, o_rights=False, o_show_hosts=False, o_all=True, o_raw=False, **kwargs)

Display information about an ID View.

Parameters:

  a_cn (required): ID View Name
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_show_hosts (default: False): Enumerate all the hosts the view applies to.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

idview_unapply(o_host=None, o_hostgroup=None, **kwargs)

Clears the ID View from the specified hosts or from the current members of the specified hostgroups.

Parameters:

  o_host (default: None): Hosts to clear (any) ID View from.
  o_hostgroup (default: None): Hostgroups whose hosts should have ID Views cleared. Note that the view is not cleared automatically from hosts added to the hostgroup after idview-unapply has been run.
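Because idview_apply silently replaces whatever ID View a host already carries, a practitioner usually wants to know what will be overridden before calling it. The following is an added example, not python-freeipa's own code: it uses idview_find and idview_show(o_show_hosts=True) from the reference above to map every host to its current view, then applies the new view only where no different view is present unless the override is explicit. The reply envelope ({'result': [...]} for find, {'result': {...}} for show) and the 'appliedtohosts' key are assumptions about the server response; FakeClient is a constructed stand-in so the block runs offline, and a real ClientMeta instance can be passed in its place.

```python
# Added example, not python-freeipa's own code: because idview_apply overrides
# whatever ID View a host already has, list the current view of every target
# host first (using idview_find and idview_show with o_show_hosts=True) and
# apply only where no different view is present unless an override is explicit.
# The reply envelope ({'result': [...]} for find, {'result': {...}} for show)
# and the 'appliedtohosts' key are assumptions about the server reply.
from typing import Dict, Iterable, List, Tuple


def _first(value):
    """FreeIPA returns most attributes as single-element lists."""
    if isinstance(value, (list, tuple)):
        return value[0] if value else None
    return value


def current_view_assignments(client) -> Dict[str, str]:
    """Map each host that has an ID View applied to the name of that view."""
    assignments: Dict[str, str] = {}
    found = client.idview_find(o_pkey_only=True, o_sizelimit=0)["result"]
    for entry in found:
        view = _first(entry["cn"])
        shown = client.idview_show(view, o_show_hosts=True)["result"]
        for host in shown.get("appliedtohosts", []):
            assignments[host] = view
    return assignments


def apply_view_safely(client, view: str, hosts: Iterable[str],
                      allow_override: bool = False) -> Tuple[List[str], Dict[str, str]]:
    """Return (hosts the view was applied to, hosts that already carried a
    different view). Without allow_override those conflicting hosts are
    skipped; with it they are applied anyway but still reported."""
    hosts = list(hosts)
    assigned = current_view_assignments(client)
    conflicts = {h: assigned[h] for h in hosts if h in assigned and assigned[h] != view}
    targets = hosts if allow_override else [h for h in hosts if h not in conflicts]
    if targets:
        client.idview_apply(view, o_host=targets)
    return targets, conflicts


class FakeClient:
    """Constructed stand-in for ClientMeta so the example runs offline."""

    def __init__(self):
        self.views = {"view-a": ["h1.example.test"], "view-b": []}
        self.applied = []  # record of idview_apply calls

    def idview_find(self, a_criteria=None, **kwargs):
        return {"result": [{"cn": [v]} for v in self.views], "count": len(self.views)}

    def idview_show(self, a_cn, **kwargs):
        return {"result": {"cn": [a_cn], "appliedtohosts": list(self.views[a_cn])}}

    def idview_apply(self, a_cn, o_host=None, **kwargs):
        self.applied.append((a_cn, list(o_host)))
        for members in self.views.values():  # a host carries at most one view
            for host in o_host:
                if host in members:
                    members.remove(host)
        self.views[a_cn].extend(o_host)
        return {"result": {"succeeded": {"host": list(o_host)}}}


if __name__ == "__main__":
    c = FakeClient()
    print(apply_view_safely(c, "view-b", ["h1.example.test", "h2.example.test"]))
    # (['h2.example.test'], {'h1.example.test': 'view-a'})
```

The conflict map is returned rather than logged so a caller can decide per host; the same two functions work unchanged against a live server once `client` is a logged-in ClientMeta.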

join(a_cn, o_realm, o_nshardwareplatform=None, o_nsosversion=None, **kwargs)

Join an IPA domain

Parameters:

  a_cn (required): The hostname to register as
  o_realm (required): The IPA realm
  o_nshardwareplatform (default: None): Hardware platform of the host (e.g. Lenovo T61)
  o_nsosversion (default: None): Operating System and version of the host (e.g. Fedora 9)

json_metadata(a_objname=None, a_methodname=None, o_object=None, o_method=None, o_command=None, **kwargs)

Export plugin meta-data for the webUI.

Parameters:

  a_objname (default: None): Name of object to export
  a_methodname (default: None): Name of method to export
  o_object (default: None): Name of object to export
  o_method (default: None): Name of method to export
  o_command (default: None): Name of command to export

kra_is_enabled(**kwargs)

Checks if any of the servers has the KRA service enabled

krbtpolicy_mod(a_uid=None, o_krbmaxticketlife=None, o_krbmaxrenewableage=None, o_krbauthindmaxticketlife_otp=None, o_krbauthindmaxrenewableage_otp=None, o_krbauthindmaxticketlife_radius=None, o_krbauthindmaxrenewableage_radius=None, o_krbauthindmaxticketlife_pkinit=None, o_krbauthindmaxrenewableage_pkinit=None, o_krbauthindmaxticketlife_hardened=None, o_krbauthindmaxrenewableage_hardened=None, o_krbauthindmaxticketlife_idp=None, o_krbauthindmaxrenewableage_idp=None, o_krbauthindmaxticketlife_passkey=None, o_krbauthindmaxrenewableage_passkey=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify Kerberos ticket policy.

Parameters:

  a_uid (default: None): Manage ticket policy for specific user
  o_krbmaxticketlife (default: None): Maximum ticket life (seconds)
  o_krbmaxrenewableage (default: None): Maximum renewable age (seconds)
  o_krbauthindmaxticketlife_otp (default: None): OTP token maximum ticket life (seconds)
  o_krbauthindmaxrenewableage_otp (default: None): OTP token ticket maximum renewable age (seconds)
  o_krbauthindmaxticketlife_radius (default: None): RADIUS maximum ticket life (seconds)
  o_krbauthindmaxrenewableage_radius (default: None): RADIUS ticket maximum renewable age (seconds)
  o_krbauthindmaxticketlife_pkinit (default: None): PKINIT maximum ticket life (seconds)
  o_krbauthindmaxrenewableage_pkinit (default: None): PKINIT ticket maximum renewable age (seconds)
  o_krbauthindmaxticketlife_hardened (default: None): Hardened ticket maximum ticket life (seconds)
  o_krbauthindmaxrenewableage_hardened (default: None): Hardened ticket maximum renewable age (seconds)
  o_krbauthindmaxticketlife_idp (default: None): External Identity Provider ticket maximum ticket life (seconds)
  o_krbauthindmaxrenewableage_idp (default: None): External Identity Provider ticket maximum renewable age (seconds)
  o_krbauthindmaxticketlife_passkey (default: None): Passkey ticket maximum ticket life (seconds)
  o_krbauthindmaxrenewableage_passkey (default: None): Passkey ticket maximum renewable age (seconds)
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_delattr (default: None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

krbtpolicy_reset(a_uid=None, o_all=True, o_raw=False, **kwargs)

Reset Kerberos ticket policy to the default values.

Parameters:

  a_uid (default: None): Manage ticket policy for specific user
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

krbtpolicy_show(a_uid=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Display the current Kerberos ticket policy.

Parameters:

  a_uid (default: None): Manage ticket policy for specific user
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
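All lifetimes in krbtpolicy_mod are seconds, and a renewable age shorter than the ticket life is a configuration that the API will accept but that makes renewal pointless. The following is an added example, not python-freeipa's own code, covering the krbtpolicy_mod, krbtpolicy_show and per-authentication-indicator parameters above: it converts hours to seconds, rejects inconsistent values, applies the policy (globally or for one user via a_uid) and reads it back with krbtpolicy_show. The reply envelope {'result': {...}}, the read-back attribute names (the parameter name without its o_ prefix) and values arriving as single-element lists are assumptions about the server response; FakeClient is a constructed stand-in so the block runs offline, and a logged-in ClientMeta can be passed in its place.

```python
# Added example, not python-freeipa's own code: build a Kerberos ticket policy
# for krbtpolicy_mod from hours, reject inconsistent values, then apply it and
# read it back through krbtpolicy_show. The envelope {'result': {...}} and the
# read-back attribute names (parameter name without its 'o_' prefix, values as
# single-element lists) are assumptions about the server reply.
HOUR = 3600
# Authentication indicators for which the signature above carries per-indicator lifetimes.
INDICATORS = ("otp", "radius", "pkinit", "hardened", "idp", "passkey")


def _lifetimes(life_h: float, renew_h: float, label: str):
    """Convert hours to seconds and reject a renewable age shorter than the
    ticket life, which would make renewal meaningless."""
    life, renew = int(life_h * HOUR), int(renew_h * HOUR)
    if life <= 0 or renew < life:
        raise ValueError(f"{label}: ticket life {life_h}h must be positive and <= renewable age {renew_h}h")
    return life, renew


def build_ticket_policy(default_life_h, default_renew_h, per_indicator=None) -> dict:
    """Keyword arguments for client.krbtpolicy_mod(). per_indicator maps an
    authentication indicator to (ticket_life_hours, renewable_age_hours)."""
    life, renew = _lifetimes(default_life_h, default_renew_h, "default")
    kwargs = {"o_krbmaxticketlife": life, "o_krbmaxrenewableage": renew}
    for indicator, (l_h, r_h) in (per_indicator or {}).items():
        if indicator not in INDICATORS:
            raise ValueError("unknown authentication indicator: " + indicator)
        l_s, r_s = _lifetimes(l_h, r_h, indicator)
        kwargs[f"o_krbauthindmaxticketlife_{indicator}"] = l_s
        kwargs[f"o_krbauthindmaxrenewableage_{indicator}"] = r_s
    return kwargs


def set_ticket_policy(client, kwargs: dict, user: str = None) -> dict:
    """Apply the policy (globally, or for one user when `user` is given) and
    return the attributes whose read-back value differs from what was sent;
    an empty dict means the server stored exactly what was requested."""
    client.krbtpolicy_mod(user, **kwargs)
    shown = client.krbtpolicy_show(user)["result"]
    mismatched = {}
    for key, wanted in kwargs.items():
        attr = key[len("o_"):]  # o_krbmaxticketlife -> krbmaxticketlife
        got = [str(v) for v in shown.get(attr, [])]
        if str(wanted) not in got:
            mismatched[attr] = got
    return mismatched


class FakeClient:
    """Constructed stand-in for ClientMeta so the example runs offline; it
    stores whatever krbtpolicy_mod sends and echoes it from krbtpolicy_show."""

    def __init__(self):
        self.policies = {}

    def krbtpolicy_mod(self, a_uid=None, **kwargs):
        stored = self.policies.setdefault(a_uid, {})
        stored.update({k[len("o_"):]: [str(v)] for k, v in kwargs.items()})
        return {"result": dict(stored)}

    def krbtpolicy_show(self, a_uid=None, **kwargs):
        return {"result": dict(self.policies.get(a_uid, {}))}


if __name__ == "__main__":
    # Longer-lived tickets only for certificate-based (PKINIT) logins, shorter for OTP.
    policy = build_ticket_policy(10, 24 * 7, {"pkinit": (24, 24 * 14), "otp": (8, 24)})
    print(set_ticket_policy(FakeClient(), policy))  # {} -> read-back matches
```

The read-back step is the part worth keeping in real automation: a policy change that the server accepted but stored differently (for example because a_uid pointed at a user-level policy while the intent was global) shows up as a non-empty mismatch dict instead of going unnoticed.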

location_add(a_idnsname, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, **kwargs)

Add a new IPA location.

Parameters:

  a_idnsname (required): IPA location name
  o_description (default: None): IPA Location description
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

location_del(a_idnsname, o_continue=False, **kwargs)

Delete an IPA location.

Parameters:

  a_idnsname (required): IPA location name
  o_continue (default: False): Continuous mode: Don't stop on errors.

location_find(a_criteria=None, o_idnsname=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for IPA locations.

Parameters:

  a_criteria (default: None): A string searched in all relevant object attributes
  o_idnsname (default: None): IPA location name
  o_description (default: None): IPA Location description
  o_timelimit (default: None): Time limit of search in seconds (0 is unlimited)
  o_sizelimit (default: None): Maximum number of entries returned (0 is unlimited)
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_pkey_only (default: False): Results should contain primary key attribute only ("name")

location_mod(a_idnsname, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify information about an IPA location.

Parameters:

  a_idnsname (required): IPA location name
  o_description (default: None): IPA Location description
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_delattr (default: None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

location_show(a_idnsname, o_rights=False, o_all=True, o_raw=False, **kwargs)

Display information about an IPA location.

Parameters:

  a_idnsname (required): IPA location name
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

migrate_ds(a_ldapuri, a_bindpw, o_binddn='cn=directory manager', o_usercontainer='ou=people', o_groupcontainer='ou=groups', o_userobjectclass=None, o_groupobjectclass=None, o_userignoreobjectclass=None, o_userignoreattribute=None, o_groupignoreobjectclass=None, o_groupignoreattribute=None, o_groupoverwritegid=False, o_schema='RFC2307bis', o_continue=False, o_basedn=None, o_compat=False, o_cacertfile=None, o_use_def_group=True, o_scope='onelevel', o_exclude_users=None, o_exclude_groups=None, **kwargs)

Migrate users and groups from DS to IPA.

Parameters:

  a_ldapuri (required): LDAP URI of DS server to migrate from
  a_bindpw (required): bind password
  o_binddn (default: 'cn=directory manager'): Bind DN
  o_usercontainer (default: 'ou=people'): DN of container for users in DS relative to base DN
  o_groupcontainer (default: 'ou=groups'): DN of container for groups in DS relative to base DN
  o_userobjectclass (default: None): Objectclasses used to search for user entries in DS
  o_groupobjectclass (default: None): Objectclasses used to search for group entries in DS
  o_userignoreobjectclass (default: None): Objectclasses to be ignored for user entries in DS
  o_userignoreattribute (default: None): Attributes to be ignored for user entries in DS
  o_groupignoreobjectclass (default: None): Objectclasses to be ignored for group entries in DS
  o_groupignoreattribute (default: None): Attributes to be ignored for group entries in DS
  o_groupoverwritegid (default: False): When migrating a group that already exists in the IPA domain, overwrite the group GID and report success
  o_schema (default: 'RFC2307bis'): The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis
  o_continue (default: False): Continuous operation mode. Errors are reported but the process continues
  o_basedn (default: None): Base DN on remote LDAP server
  o_compat (default: False): Allows migration despite the usage of compat plugin
  o_cacertfile (default: None): Load CA certificate of LDAP server from FILE
  o_use_def_group (default: True): Add migrated users without a group to a default group (default: true)
  o_scope (default: 'onelevel'): LDAP search scope for users and groups: base, onelevel, or subtree. Defaults to onelevel
  o_exclude_users (default: None): users to exclude from migration
  o_exclude_groups (default: None): groups to exclude from migration

netgroup_add(a_cn, o_description=None, o_nisdomainname=None, o_usercategory=None, o_hostcategory=None, o_externalhost=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a new netgroup.

Parameters:

  a_cn (required): Netgroup name
  o_description (default: None): Netgroup description
  o_nisdomainname (default: None): NIS domain name
  o_usercategory (default: None): User category the rule applies to
  o_hostcategory (default: None): Host category the rule applies to
  o_externalhost (default: None): External host
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_no_members (default: False): Suppress processing of membership attributes.

netgroup_add_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, o_netgroup=None, **kwargs)

Add members to a netgroup.

Parameters:

  a_cn (required): Netgroup name
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_no_members (default: False): Suppress processing of membership attributes.
  o_user (default: None): users to add
  o_group (default: None): groups to add
  o_host (default: None): hosts to add
  o_hostgroup (default: None): host groups to add
  o_netgroup (default: None): netgroups to add

netgroup_del(a_cn, o_continue=False, **kwargs)

Delete a netgroup.

Parameters:

  a_cn (required): Netgroup name
  o_continue (default: False): Continuous mode: Don't stop on errors.

netgroup_find(a_criteria=None, o_cn=None, o_description=None, o_nisdomainname=None, o_ipauniqueid=None, o_usercategory=None, o_hostcategory=None, o_externalhost=None, o_timelimit=None, o_sizelimit=None, o_private=False, o_managed=False, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, o_netgroup=None, o_no_netgroup=None, o_user=None, o_no_user=None, o_group=None, o_no_group=None, o_host=None, o_no_host=None, o_hostgroup=None, o_no_hostgroup=None, o_in_netgroup=None, o_not_in_netgroup=None, **kwargs)

Search for a netgroup.

Parameters:

  a_criteria (default: None): A string searched in all relevant object attributes
  o_cn (default: None): Netgroup name
  o_description (default: None): Netgroup description
  o_nisdomainname (default: None): NIS domain name
  o_ipauniqueid (default: None): IPA unique ID
  o_usercategory (default: None): User category the rule applies to
  o_hostcategory (default: None): Host category the rule applies to
  o_externalhost (default: None): External host
  o_timelimit (default: None): Time limit of search in seconds (0 is unlimited)
  o_sizelimit (default: None): Maximum number of entries returned (0 is unlimited)
  o_private (default: False)
  o_managed (default: False): Search for managed groups
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_no_members (default: True): Suppress processing of membership attributes.
  o_pkey_only (default: False): Results should contain primary key attribute only ("name")
  o_netgroup (default: None): Search for netgroups with these member netgroups.
  o_no_netgroup (default: None): Search for netgroups without these member netgroups.
  o_user (default: None): Search for netgroups with these member users.
  o_no_user (default: None): Search for netgroups without these member users.
  o_group (default: None): Search for netgroups with these member groups.
  o_no_group (default: None): Search for netgroups without these member groups.
  o_host (default: None): Search for netgroups with these member hosts.
  o_no_host (default: None): Search for netgroups without these member hosts.
  o_hostgroup (default: None): Search for netgroups with these member host groups.
  o_no_hostgroup (default: None): Search for netgroups without these member host groups.
  o_in_netgroup (default: None): Search for netgroups that are members of these netgroups.
  o_not_in_netgroup (default: None): Search for netgroups that are not members of these netgroups.

netgroup_mod(a_cn, o_description=None, o_nisdomainname=None, o_usercategory=None, o_hostcategory=None, o_externalhost=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Modify a netgroup.

Parameters:

  a_cn (required): Netgroup name
  o_description (default: None): Netgroup description
  o_nisdomainname (default: None): NIS domain name
  o_usercategory (default: None): User category the rule applies to
  o_hostcategory (default: None): Host category the rule applies to
  o_externalhost (default: None): External host
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_delattr (default: None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_no_members (default: False): Suppress processing of membership attributes.

netgroup_remove_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, o_netgroup=None, **kwargs)

Remove members from a netgroup.

Parameters:

  a_cn (required): Netgroup name
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_no_members (default: False): Suppress processing of membership attributes.
  o_user (default: None): users to remove
  o_group (default: None): groups to remove
  o_host (default: None): hosts to remove
  o_hostgroup (default: None): host groups to remove
  o_netgroup (default: None): netgroups to remove

netgroup_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about a netgroup.

Parameters:

  a_cn (required): Netgroup name
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_no_members (default: False): Suppress processing of membership attributes.

otpconfig_mod(o_ipatokentotpauthwindow=None, o_ipatokentotpsyncwindow=None, o_ipatokenhotpauthwindow=None, o_ipatokenhotpsyncwindow=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify OTP configuration options.

Parameters:

  o_ipatokentotpauthwindow (default: None): TOTP authentication time variance (seconds)
  o_ipatokentotpsyncwindow (default: None): TOTP synchronization time variance (seconds)
  o_ipatokenhotpauthwindow (default: None): HOTP authentication skip-ahead
  o_ipatokenhotpsyncwindow (default: None): HOTP synchronization skip-ahead
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_delattr (default: None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

otpconfig_show(o_rights=False, o_all=True, o_raw=False, **kwargs)

Show the current OTP configuration.

Parameters:

  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

otptoken_add(a_ipatokenuniqueid=None, o_type='totp', o_description=None, o_ipatokenowner=None, o_ipatokendisabled=None, o_ipatokennotbefore=None, o_ipatokennotafter=None, o_ipatokenvendor=None, o_ipatokenmodel=None, o_ipatokenserial=None, o_ipatokenotpkey=None, o_ipatokenotpalgorithm='sha1', o_ipatokenotpdigits=6, o_ipatokentotpclockoffset=0, o_ipatokentotptimestep=30, o_ipatokenhotpcounter=0, o_setattr=None, o_addattr=None, o_qrcode=False, o_no_qrcode=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a new OTP token.

Parameters:

  a_ipatokenuniqueid (default: None): Unique ID
  o_type (default: 'totp'): Type of the token
  o_description (default: None): Token description (informational only)
  o_ipatokenowner (default: None): Assigned user of the token (default: self)
  o_ipatokendisabled (default: None): Mark the token as disabled (default: false)
  o_ipatokennotbefore (default: None): First date/time the token can be used
  o_ipatokennotafter (default: None): Last date/time the token can be used
  o_ipatokenvendor (default: None): Token vendor name (informational only)
  o_ipatokenmodel (default: None): Token model (informational only)
  o_ipatokenserial (default: None): Token serial (informational only)
  o_ipatokenotpkey (default: None): Token secret (Base32; default: random)
  o_ipatokenotpalgorithm (default: 'sha1'): Token hash algorithm
  o_ipatokenotpdigits (default: 6): Number of digits each token code will have
  o_ipatokentotpclockoffset (default: 0): TOTP token / IPA server time difference
  o_ipatokentotptimestep (default: 30): Length of TOTP token code validity
  o_ipatokenhotpcounter (default: 0): Initial counter for the HOTP token
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_qrcode (default: False): (deprecated)
  o_no_qrcode (default: False): Do not display QR code
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_no_members (default: False): Suppress processing of membership attributes.
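The otptoken_add parameters o_ipatokenotpkey, o_ipatokenotpalgorithm, o_ipatokenotpdigits, o_ipatokentotptimestep and o_ipatokentotpclockoffset are exactly the inputs of an RFC 6238 TOTP computation, and otpconfig_mod's o_ipatokentotpauthwindow (above) is the tolerance the server applies when checking a code. The following is an added example, not python-freeipa's or FreeIPA's own code, serving both the otpconfig_mod and the otptoken_add entries: it computes HOTP/TOTP codes from those parameters, shows a verifier that accepts a code within an authentication window but refuses a replayed one, and builds validated keyword arguments for client.otptoken_add. The sign convention of the clock offset (token clock minus server clock) and the replay watermark are this example's assumptions, not a description of FreeIPA's internals; the Base32 secret is the RFC 4226/6238 reference secret, embedded as constructed input so the block runs offline.

```python
# Added example, not python-freeipa's own code: what the otptoken_add knobs
# (o_ipatokenotpkey, o_ipatokenotpalgorithm, o_ipatokenotpdigits,
# o_ipatokentotptimestep, o_ipatokentotpclockoffset) mean in RFC 4226/6238
# terms, plus a verifier with an authentication window in the role of
# otpconfig_mod's o_ipatokentotpauthwindow. The verifier's replay watermark
# and the sign of the clock offset are this example's assumptions.
import base64
import hmac


def hotp(secret: bytes, counter: int, algorithm: str = "sha1", digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter) to `digits` decimals."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_b32_secret(secret_b32: str) -> bytes:
    """o_ipatokenotpkey is Base32; tolerate a secret given without '=' padding."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, unix_time: int, algorithm: str = "sha1", digits: int = 6,
         timestep: int = 30, clock_offset: int = 0) -> str:
    """RFC 6238 TOTP. clock_offset is taken as the token's clock minus the
    server's clock in seconds (assumed sign of o_ipatokentotpclockoffset)."""
    counter = (unix_time + clock_offset) // timestep
    return hotp(decode_b32_secret(secret_b32), counter, algorithm, digits)


class TotpVerifier:
    """Server-side acceptance: every step within +/- auth_window seconds of now
    is tried, and a step at or below the last accepted one is refused, so a
    captured code cannot be replayed inside the window."""

    def __init__(self, secret_b32, algorithm="sha1", digits=6, timestep=30, auth_window=30):
        self.secret = decode_b32_secret(secret_b32)
        self.algorithm, self.digits, self.timestep = algorithm, digits, timestep
        self.auth_window = auth_window
        self.last_step = -1  # replay watermark (example's own mechanism)

    def verify(self, code: str, now: int) -> bool:
        base = now // self.timestep
        slack = self.auth_window // self.timestep
        for step in range(base - slack, base + slack + 1):
            if step <= self.last_step:
                continue
            expected = hotp(self.secret, step, self.algorithm, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = step
                return True
        return False


def otptoken_add_kwargs(owner: str, description: str, algorithm: str = "sha256",
                        digits: int = 6, timestep: int = 30) -> dict:
    """Keyword arguments for client.otptoken_add(**kwargs). The secret is left to
    the server (o_ipatokenotpkey=None means random) and QR output is suppressed,
    since an API client has nowhere to render it."""
    if algorithm not in ("sha1", "sha256", "sha384", "sha512"):
        raise ValueError("unsupported token hash algorithm: " + algorithm)
    if digits not in (6, 8) or timestep <= 0:
        raise ValueError("digits must be 6 or 8 and timestep positive")
    return dict(o_type="totp", o_ipatokenowner=owner, o_description=description,
                o_ipatokenotpalgorithm=algorithm, o_ipatokenotpdigits=digits,
                o_ipatokentotptimestep=timestep, o_no_qrcode=True)


# Constructed input: the RFC 4226/6238 reference secret "12345678901234567890" in Base32.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC_SECRET_B32, 59))  # 287082 (RFC 6238 vector, 6 digits)
    v = TotpVerifier(RFC_SECRET_B32)
    print(v.verify("287082", 59), v.verify("287082", 59))  # True False (replay refused)
```

Widening o_ipatokentotpauthwindow trades clock-skew tolerance for a larger set of simultaneously valid codes, which is why the verifier pairs the window with a watermark; the same knob for HOTP is o_ipatokenhotpauthwindow, expressed as a counter skip-ahead rather than seconds.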

otptoken_add_managedby(a_ipatokenuniqueid, o_all=True, o_raw=False, o_no_members=False, o_user=None, **kwargs)

Add users that can manage this token.

Parameters:

  a_ipatokenuniqueid (required): Unique ID
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_no_members (default: False): Suppress processing of membership attributes.
  o_user (default: None): users to add

otptoken_del(a_ipatokenuniqueid, o_continue=False, **kwargs)

Delete an OTP token.

Parameters:

  a_ipatokenuniqueid (required): Unique ID
  o_continue (default: False): Continuous mode: Don't stop on errors.

otptoken_find(a_criteria=None, o_ipatokenuniqueid=None, o_type=None, o_description=None, o_ipatokenowner=None, o_ipatokendisabled=None, o_ipatokennotbefore=None, o_ipatokennotafter=None, o_ipatokenvendor=None, o_ipatokenmodel=None, o_ipatokenserial=None, o_ipatokenotpalgorithm=None, o_ipatokenotpdigits=None, o_ipatokentotpclockoffset=None, o_ipatokentotptimestep=None, o_ipatokenhotpcounter=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, **kwargs)

Search for OTP token.

Parameters:

  a_criteria (default: None): A string searched in all relevant object attributes
  o_ipatokenuniqueid (default: None): Unique ID
  o_type (default: None): Type of the token
  o_description (default: None): Token description (informational only)
  o_ipatokenowner (default: None): Assigned user of the token (default: self)
  o_ipatokendisabled (default: None): Mark the token as disabled (default: false)
  o_ipatokennotbefore (default: None): First date/time the token can be used
  o_ipatokennotafter (default: None): Last date/time the token can be used
  o_ipatokenvendor (default: None): Token vendor name (informational only)
  o_ipatokenmodel (default: None): Token model (informational only)
  o_ipatokenserial (default: None): Token serial (informational only)
  o_ipatokenotpalgorithm (default: None): Token hash algorithm
  o_ipatokenotpdigits (default: None): Number of digits each token code will have
  o_ipatokentotpclockoffset (default: None): TOTP token / IPA server time difference
  o_ipatokentotptimestep (default: None): Length of TOTP token code validity
  o_ipatokenhotpcounter (default: None): Initial counter for the HOTP token
  o_timelimit (default: None): Time limit of search in seconds (0 is unlimited)
  o_sizelimit (default: None): Maximum number of entries returned (0 is unlimited)
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_no_members (default: True): Suppress processing of membership attributes.
  o_pkey_only (default: False): Results should contain primary key attribute only ("id")

otptoken_mod(a_ipatokenuniqueid, o_description=None, o_ipatokenowner=None, o_ipatokendisabled=None, o_ipatokennotbefore=None, o_ipatokennotafter=None, o_ipatokenvendor=None, o_ipatokenmodel=None, o_ipatokenserial=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None, **kwargs)

Modify an OTP token.

Parameters:

  a_ipatokenuniqueid (required): Unique ID
  o_description (default: None): Token description (informational only)
  o_ipatokenowner (default: None): Assigned user of the token (default: self)
  o_ipatokendisabled (default: None): Mark the token as disabled (default: false)
  o_ipatokennotbefore (default: None): First date/time the token can be used
  o_ipatokennotafter (default: None): Last date/time the token can be used
  o_ipatokenvendor (default: None): Token vendor name (informational only)
  o_ipatokenmodel (default: None): Token model (informational only)
  o_ipatokenserial (default: None): Token serial (informational only)
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_delattr (default: None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_no_members (default: False): Suppress processing of membership attributes.
  o_rename (default: None): Rename the OTP token object

otptoken_remove_managedby(a_ipatokenuniqueid, o_all=True, o_raw=False, o_no_members=False, o_user=None, **kwargs)

Remove users that can manage this token.

Parameters:

  a_ipatokenuniqueid (required): Unique ID
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_no_members (default: False): Suppress processing of membership attributes.
  o_user (default: None): users to remove

otptoken_show(a_ipatokenuniqueid, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about an OTP token.

Parameters:

  a_ipatokenuniqueid (required): Unique ID
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_no_members (default: False): Suppress processing of membership attributes.

output_find(a_commandfull_name, a_criteria=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for command outputs.

Parameters:

  a_commandfull_name (required): Full name
  a_criteria (default: None): A string searched in all relevant object attributes
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_pkey_only (default: False): Results should contain primary key attribute only ("name")

output_show(a_commandfull_name, a_name, o_all=True, o_raw=False, **kwargs)

Display information about a command output.

Parameters:

  a_commandfull_name (required): Full name
  a_name (required): Name
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

param_find(a_metaobjectfull_name, a_criteria=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search command parameters.

Parameters:

  a_metaobjectfull_name (required): Full name
  a_criteria (default: None): A string searched in all relevant object attributes
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.
  o_pkey_only (default: False): Results should contain primary key attribute only ("name")

param_show(a_metaobjectfull_name, a_name, o_all=True, o_raw=False, **kwargs)

Display information about a command parameter.

Parameters:

  a_metaobjectfull_name (required): Full name
  a_name (required): Name
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

passkeyconfig_mod(o_iparequireuserverification=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify Passkey configuration.

Parameters:

  o_iparequireuserverification (default: None): Require user verification during authentication
  o_setattr (default: None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default: None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_delattr (default: None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

passkeyconfig_show(o_rights=False, o_all=True, o_raw=False, **kwargs)

Show the current Passkey configuration.

Parameters:

  o_rights (default: False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default: True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default: False): Print entries as stored on the server. Only affects output format.

passwd(a_principal, a_password, a_current_password, o_otp=None, **kwargs)

Set a user's password.

Parameters:

  a_principal (required): User name
  a_password (required): New Password
  a_current_password (required): Current Password
  o_otp (default: None): The OTP if the user has a token configured

permission_add(a_cn, o_ipapermright=None, o_attrs=None, o_ipapermbindruletype='permission', o_ipapermlocation=None, o_extratargetfilter=None, o_ipapermtargetfilter=None, o_ipapermtarget=None, o_ipapermtargetto=None, o_ipapermtargetfrom=None, o_memberof=None, o_targetgroup=None, o_type=None, o_permissions=None, o_filter=None, o_subtree=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a new permission.

Parameters:
  a_cn (required): Permission name
  o_ipapermright (default None): Rights to grant (read, search, compare, write, add, delete, all)
  o_attrs (default None): All attributes to which the permission applies
  o_ipapermbindruletype (default 'permission'): Bind rule type
  o_ipapermlocation (default None): Subtree to apply permissions to
  o_extratargetfilter (default None): Extra target filter
  o_ipapermtargetfilter (default None): All target filters, including those implied by type and memberof
  o_ipapermtarget (default None): Optional DN to apply the permission to (must be in the subtree, but may not yet exist)
  o_ipapermtargetto (default None): Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)
  o_ipapermtargetfrom (default None): Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)
  o_memberof (default None): Target members of a group (sets memberOf targetfilter)
  o_targetgroup (default None): User group to apply permissions to (sets target)
  o_type (default None): Type of IPA object (sets subtree and objectClass targetfilter)
  o_permissions (default None): Deprecated; use ipapermright
  o_filter (default None): Deprecated; use extratargetfilter
  o_subtree (default None): Deprecated; use ipapermlocation
  o_setattr (default None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default False): Suppress processing of membership attributes.

permission_add_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_privilege=None, **kwargs)

Add members to a permission.

Parameters:
  a_cn (required): Permission name
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default False): Suppress processing of membership attributes.
  o_privilege (default None): privileges to add

permission_add_noaci(a_cn, o_ipapermissiontype, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a system permission without an ACI (internal command)

Parameters:
  a_cn (required): Permission name
  o_ipapermissiontype (required): Permission flags
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default False): Suppress processing of membership attributes.

permission_del(a_cn, o_continue=False, o_force=False, **kwargs)

Delete a permission.

Parameters:
  a_cn (required): Permission name
  o_continue (default False): Continuous mode: Don't stop on errors.
  o_force (default False): force delete of SYSTEM permissions

permission_find(a_criteria=None, o_cn=None, o_ipapermright=None, o_attrs=None, o_ipapermincludedattr=None, o_ipapermexcludedattr=None, o_ipapermdefaultattr=None, o_ipapermbindruletype=None, o_ipapermlocation=None, o_extratargetfilter=None, o_ipapermtargetfilter=None, o_ipapermtarget=None, o_ipapermtargetto=None, o_ipapermtargetfrom=None, o_memberof=None, o_targetgroup=None, o_type=None, o_permissions=None, o_filter=None, o_subtree=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, **kwargs)

Search for permissions.

Parameters:
  a_criteria (default None): A string searched in all relevant object attributes
  o_cn (default None): Permission name
  o_ipapermright (default None): Rights to grant (read, search, compare, write, add, delete, all)
  o_attrs (default None): All attributes to which the permission applies
  o_ipapermincludedattr (default None): User-specified attributes to which the permission applies
  o_ipapermexcludedattr (default None): User-specified attributes to which the permission explicitly does not apply
  o_ipapermdefaultattr (default None): Attributes to which the permission applies by default
  o_ipapermbindruletype (default None): Bind rule type
  o_ipapermlocation (default None): Subtree to apply permissions to
  o_extratargetfilter (default None): Extra target filter
  o_ipapermtargetfilter (default None): All target filters, including those implied by type and memberof
  o_ipapermtarget (default None): Optional DN to apply the permission to (must be in the subtree, but may not yet exist)
  o_ipapermtargetto (default None): Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)
  o_ipapermtargetfrom (default None): Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)
  o_memberof (default None): Target members of a group (sets memberOf targetfilter)
  o_targetgroup (default None): User group to apply permissions to (sets target)
  o_type (default None): Type of IPA object (sets subtree and objectClass targetfilter)
  o_permissions (default None): Deprecated; use ipapermright
  o_filter (default None): Deprecated; use extratargetfilter
  o_subtree (default None): Deprecated; use ipapermlocation
  o_timelimit (default None): Time limit of search in seconds (0 is unlimited)
  o_sizelimit (default None): Maximum number of entries returned (0 is unlimited)
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default True): Suppress processing of membership attributes.
  o_pkey_only (default False): Results should contain primary key attribute only ("name")

permission_mod(a_cn, o_ipapermright=None, o_attrs=None, o_ipapermincludedattr=None, o_ipapermexcludedattr=None, o_ipapermbindruletype=None, o_ipapermlocation=None, o_extratargetfilter=None, o_ipapermtargetfilter=None, o_ipapermtarget=None, o_ipapermtargetto=None, o_ipapermtargetfrom=None, o_memberof=None, o_targetgroup=None, o_type=None, o_permissions=None, o_filter=None, o_subtree=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None, **kwargs)

Modify a permission.

Parameters:
  a_cn (required): Permission name
  o_ipapermright (default None): Rights to grant (read, search, compare, write, add, delete, all)
  o_attrs (default None): All attributes to which the permission applies
  o_ipapermincludedattr (default None): User-specified attributes to which the permission applies
  o_ipapermexcludedattr (default None): User-specified attributes to which the permission explicitly does not apply
  o_ipapermbindruletype (default None): Bind rule type
  o_ipapermlocation (default None): Subtree to apply permissions to
  o_extratargetfilter (default None): Extra target filter
  o_ipapermtargetfilter (default None): All target filters, including those implied by type and memberof
  o_ipapermtarget (default None): Optional DN to apply the permission to (must be in the subtree, but may not yet exist)
  o_ipapermtargetto (default None): Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)
  o_ipapermtargetfrom (default None): Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)
  o_memberof (default None): Target members of a group (sets memberOf targetfilter)
  o_targetgroup (default None): User group to apply permissions to (sets target)
  o_type (default None): Type of IPA object (sets subtree and objectClass targetfilter)
  o_permissions (default None): Deprecated; use ipapermright
  o_filter (default None): Deprecated; use extratargetfilter
  o_subtree (default None): Deprecated; use ipapermlocation
  o_setattr (default None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_delattr (default None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
  o_rights (default False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default False): Suppress processing of membership attributes.
  o_rename (default None): Rename the permission object

permission_remove_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_privilege=None, **kwargs)

Remove members from a permission.

Parameters:
  a_cn (required): Permission name
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default False): Suppress processing of membership attributes.
  o_privilege (default None): privileges to remove

permission_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about a permission.

Parameters:
  a_cn (required): Permission name
  o_rights (default False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default False): Suppress processing of membership attributes.

ping(**kwargs)

Ping a remote server.

pkinit_status(a_criteria=None, o_server_server=None, o_status=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, **kwargs)

Report PKINIT status on the IPA masters

Parameters:
  a_criteria (default None): A string searched in all relevant object attributes
  o_server_server (default None): IPA server hostname
  o_status (default None): Whether PKINIT is enabled or disabled
  o_timelimit (default None): Time limit of search in seconds (0 is unlimited)
  o_sizelimit (default None): Maximum number of entries returned (0 is unlimited)
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.

plugins(o_server=False, o_all=True, **kwargs)

Show all loaded plugins.

Parameters:
  o_server (default False): Forward to server instead of running locally
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.

privilege_add(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a new privilege.

Parameters:
  a_cn (required): Privilege name
  o_description (default None): Privilege description
  o_setattr (default None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default False): Suppress processing of membership attributes.

privilege_add_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_role=None, **kwargs)

Add members to a privilege.

Parameters:
  a_cn (required): Privilege name
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default False): Suppress processing of membership attributes.
  o_role (default None): roles to add

privilege_add_permission(a_cn, o_all=True, o_raw=False, o_no_members=False, o_permission=None, **kwargs)

Add permissions to a privilege.

Parameters:
  a_cn (required): Privilege name
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default False): Suppress processing of membership attributes.
  o_permission (default None): permissions

privilege_del(a_cn, o_continue=False, **kwargs)

Delete a privilege.

Parameters:
  a_cn (required): Privilege name
  o_continue (default False): Continuous mode: Don't stop on errors.

privilege_find(a_criteria=None, o_cn=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, **kwargs)

Search for privileges.

Parameters:
  a_criteria (default None): A string searched in all relevant object attributes
  o_cn (default None): Privilege name
  o_description (default None): Privilege description
  o_timelimit (default None): Time limit of search in seconds (0 is unlimited)
  o_sizelimit (default None): Maximum number of entries returned (0 is unlimited)
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default True): Suppress processing of membership attributes.
  o_pkey_only (default False): Results should contain primary key attribute only ("name")

privilege_mod(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None, **kwargs)

Modify a privilege.

Parameters:
  a_cn (required): Privilege name
  o_description (default None): Privilege description
  o_setattr (default None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_delattr (default None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
  o_rights (default False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default False): Suppress processing of membership attributes.
  o_rename (default None): Rename the privilege object

privilege_remove_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_role=None, **kwargs)

Remove members from a privilege.

Parameters:
  a_cn (required): Privilege name
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default False): Suppress processing of membership attributes.
  o_role (default None): roles to remove

privilege_remove_permission(a_cn, o_all=True, o_raw=False, o_no_members=False, o_permission=None, **kwargs)

Remove permissions from a privilege.

Parameters:
  a_cn (required): Privilege name
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default False): Suppress processing of membership attributes.
  o_permission (default None): permissions

privilege_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about a privilege.

Parameters:
  a_cn (required): Privilege name
  o_rights (default False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default False): Suppress processing of membership attributes.

pwpolicy_add(a_cn, o_cospriority, o_krbmaxpwdlife=None, o_krbminpwdlife=None, o_krbpwdhistorylength=None, o_krbpwdmindiffchars=None, o_krbpwdminlength=None, o_krbpwdmaxfailure=None, o_krbpwdfailurecountinterval=None, o_krbpwdlockoutduration=None, o_ipapwdmaxrepeat=None, o_ipapwdmaxsequence=None, o_ipapwddictcheck=None, o_ipapwdusercheck=None, o_passwordgracelimit=-1, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, **kwargs)

Add a new group password policy.

Parameters:
  a_cn (required): Manage password policy for specific group
  o_krbmaxpwdlife (default None): Maximum password lifetime (in days)
  o_krbminpwdlife (default None): Minimum password lifetime (in hours)
  o_krbpwdhistorylength (default None): Password history size
  o_krbpwdmindiffchars (default None): Minimum number of character classes
  o_krbpwdminlength (default None): Minimum length of password
  o_cospriority (required): Priority of the policy (higher number means lower priority)
  o_krbpwdmaxfailure (default None): Consecutive failures before lockout
  o_krbpwdfailurecountinterval (default None): Period after which failure count will be reset (seconds)
  o_krbpwdlockoutduration (default None): Period for which lockout is enforced (seconds)
  o_ipapwdmaxrepeat (default None): Maximum number of same consecutive characters
  o_ipapwdmaxsequence (default None): The max. length of monotonic character sequences (abcd)
  o_ipapwddictcheck (default None): Check if the password is a dictionary word
  o_ipapwdusercheck (default None): Check if the password contains the username
  o_passwordgracelimit (default -1): Number of LDAP authentications allowed after expiration
  o_setattr (default None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.

pwpolicy_del(a_cn, o_continue=False, **kwargs)

Delete a group password policy.

Parameters:
  a_cn (required): Manage password policy for specific group
  o_continue (default False): Continuous mode: Don't stop on errors.

pwpolicy_find(a_criteria=None, o_cn=None, o_krbmaxpwdlife=None, o_krbminpwdlife=None, o_krbpwdhistorylength=None, o_krbpwdmindiffchars=None, o_krbpwdminlength=None, o_cospriority=None, o_krbpwdmaxfailure=None, o_krbpwdfailurecountinterval=None, o_krbpwdlockoutduration=None, o_ipapwdmaxrepeat=None, o_ipapwdmaxsequence=None, o_ipapwddictcheck=None, o_ipapwdusercheck=None, o_passwordgracelimit=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for group password policies.

Parameters:
  a_criteria (default None): A string searched in all relevant object attributes
  o_cn (default None): Manage password policy for specific group
  o_krbmaxpwdlife (default None): Maximum password lifetime (in days)
  o_krbminpwdlife (default None): Minimum password lifetime (in hours)
  o_krbpwdhistorylength (default None): Password history size
  o_krbpwdmindiffchars (default None): Minimum number of character classes
  o_krbpwdminlength (default None): Minimum length of password
  o_cospriority (default None): Priority of the policy (higher number means lower priority)
  o_krbpwdmaxfailure (default None): Consecutive failures before lockout
  o_krbpwdfailurecountinterval (default None): Period after which failure count will be reset (seconds)
  o_krbpwdlockoutduration (default None): Period for which lockout is enforced (seconds)
  o_ipapwdmaxrepeat (default None): Maximum number of same consecutive characters
  o_ipapwdmaxsequence (default None): The max. length of monotonic character sequences (abcd)
  o_ipapwddictcheck (default None): Check if the password is a dictionary word
  o_ipapwdusercheck (default None): Check if the password contains the username
  o_passwordgracelimit (default None): Number of LDAP authentications allowed after expiration
  o_timelimit (default None): Time limit of search in seconds (0 is unlimited)
  o_sizelimit (default None): Maximum number of entries returned (0 is unlimited)
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_pkey_only (default False): Results should contain primary key attribute only ("group")

pwpolicy_mod(a_cn=None, o_krbmaxpwdlife=None, o_krbminpwdlife=None, o_krbpwdhistorylength=None, o_krbpwdmindiffchars=None, o_krbpwdminlength=None, o_cospriority=None, o_krbpwdmaxfailure=None, o_krbpwdfailurecountinterval=None, o_krbpwdlockoutduration=None, o_ipapwdmaxrepeat=None, o_ipapwdmaxsequence=None, o_ipapwddictcheck=None, o_ipapwdusercheck=None, o_passwordgracelimit=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify a group password policy.

Parameters:
  a_cn (default None): Manage password policy for specific group
  o_krbmaxpwdlife (default None): Maximum password lifetime (in days)
  o_krbminpwdlife (default None): Minimum password lifetime (in hours)
  o_krbpwdhistorylength (default None): Password history size
  o_krbpwdmindiffchars (default None): Minimum number of character classes
  o_krbpwdminlength (default None): Minimum length of password
  o_cospriority (default None): Priority of the policy (higher number means lower priority)
  o_krbpwdmaxfailure (default None): Consecutive failures before lockout
  o_krbpwdfailurecountinterval (default None): Period after which failure count will be reset (seconds)
  o_krbpwdlockoutduration (default None): Period for which lockout is enforced (seconds)
  o_ipapwdmaxrepeat (default None): Maximum number of same consecutive characters
  o_ipapwdmaxsequence (default None): The max. length of monotonic character sequences (abcd)
  o_ipapwddictcheck (default None): Check if the password is a dictionary word
  o_ipapwdusercheck (default None): Check if the password contains the username
  o_passwordgracelimit (default None): Number of LDAP authentications allowed after expiration
  o_setattr (default None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_delattr (default None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
  o_rights (default False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.

pwpolicy_show(a_cn=None, o_rights=False, o_user=None, o_all=True, o_raw=False, **kwargs)

Display information about password policy.

Parameters:
  a_cn (default None): Manage password policy for specific group
  o_rights (default False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_user (default None): Display effective policy for a specific user
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.

radiusproxy_add(a_cn, o_ipatokenradiusserver, o_ipatokenradiussecret, o_description=None, o_ipatokenradiustimeout=None, o_ipatokenradiusretries=None, o_ipatokenusermapattribute=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, **kwargs)

Add a new RADIUS proxy server.

Parameters:
  a_cn (required): RADIUS proxy server name
  o_description (default None): A description of this RADIUS proxy server
  o_ipatokenradiusserver (required): The hostname or IP (with or without port)
  o_ipatokenradiussecret (required): The secret used to encrypt data
  o_ipatokenradiustimeout (default None): The total timeout across all retries (in seconds)
  o_ipatokenradiusretries (default None): The number of times to retry authentication
  o_ipatokenusermapattribute (default None): The username attribute on the user object
  o_setattr (default None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.

radiusproxy_del(a_cn, o_continue=False, **kwargs)

Delete a RADIUS proxy server.

Parameters:
  a_cn (required): RADIUS proxy server name
  o_continue (default False): Continuous mode: Don't stop on errors.

radiusproxy_find(a_criteria=None, o_cn=None, o_description=None, o_ipatokenradiusserver=None, o_ipatokenradiussecret=None, o_ipatokenradiustimeout=None, o_ipatokenradiusretries=None, o_ipatokenusermapattribute=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for RADIUS proxy servers.

Parameters:
  a_criteria (default None): A string searched in all relevant object attributes
  o_cn (default None): RADIUS proxy server name
  o_description (default None): A description of this RADIUS proxy server
  o_ipatokenradiusserver (default None): The hostname or IP (with or without port)
  o_ipatokenradiussecret (default None): The secret used to encrypt data
  o_ipatokenradiustimeout (default None): The total timeout across all retries (in seconds)
  o_ipatokenradiusretries (default None): The number of times to retry authentication
  o_ipatokenusermapattribute (default None): The username attribute on the user object
  o_timelimit (default None): Time limit of search in seconds (0 is unlimited)
  o_sizelimit (default None): Maximum number of entries returned (0 is unlimited)
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_pkey_only (default False): Results should contain primary key attribute only ("name")

radiusproxy_mod(a_cn, o_description=None, o_ipatokenradiusserver=None, o_ipatokenradiussecret=None, o_ipatokenradiustimeout=None, o_ipatokenradiusretries=None, o_ipatokenusermapattribute=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_rename=None, **kwargs)

Modify a RADIUS proxy server.

Parameters:
  a_cn (required): RADIUS proxy server name
  o_description (default None): A description of this RADIUS proxy server
  o_ipatokenradiusserver (default None): The hostname or IP (with or without port)
  o_ipatokenradiussecret (default None): The secret used to encrypt data
  o_ipatokenradiustimeout (default None): The total timeout across all retries (in seconds)
  o_ipatokenradiusretries (default None): The number of times to retry authentication
  o_ipatokenusermapattribute (default None): The username attribute on the user object
  o_setattr (default None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_delattr (default None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
  o_rights (default False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_rename (default None): Rename the RADIUS proxy server object

radiusproxy_show(a_cn, o_rights=False, o_all=True, o_raw=False, **kwargs)

Display information about a RADIUS proxy server.

Parameters:
  a_cn (required): RADIUS proxy server name
  o_rights (default False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.

realmdomains_mod(o_associateddomain=None, o_add_domain=None, o_del_domain=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_force=False, o_all=True, o_raw=False, **kwargs)

Modify realm domains

DNS check: When manually adding a domain to the list, a DNS check is performed by default. It ensures that the domain is associated with the IPA realm, by checking whether the domain has a _kerberos TXT record containing the IPA realm name. This check can be skipped by specifying --force option.

Removal: when a realm domain which has a matching DNS zone managed by IPA is being removed, a corresponding _kerberos TXT record in the zone is removed automatically as well. Other records in the zone or the zone itself are not affected.

Parameters:
  o_associateddomain (default None): Domain
  o_add_domain (default None): Add domain
  o_del_domain (default None): Delete domain
  o_setattr (default None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_delattr (default None): Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.
  o_rights (default False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_force (default False): Force adding domain even if not in DNS
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.

realmdomains_show(o_rights=False, o_all=True, o_raw=False, **kwargs)

Display the list of realm domains.

Parameters:
  o_rights (default False): Display the access rights of this entry (requires --all). See ipa man page for details.
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.

role_add(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a new role.

Parameters:
  a_cn (required): Role name
  o_description (default None): A description of this role-group
  o_setattr (default None): Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.
  o_addattr (default None): Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default False): Suppress processing of membership attributes.

role_add_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, o_service=None, o_idoverrideuser=None, **kwargs)

Add members to a role.

Parameters:
  a_cn (required): Role name
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default False): Suppress processing of membership attributes.
  o_user (default None): users to add
  o_group (default None): groups to add
  o_host (default None): hosts to add
  o_hostgroup (default None): host groups to add
  o_service (default None): services to add
  o_idoverrideuser (default None): User ID overrides to add

role_add_privilege(a_cn, o_all=True, o_raw=False, o_no_members=False, o_privilege=None, **kwargs)

Add privileges to a role.

Parameters:
  a_cn (required): Role name
  o_all (default True): Retrieve and print all attributes from the server. Affects command output.
  o_raw (default False): Print entries as stored on the server. Only affects output format.
  o_no_members (default False): Suppress processing of membership attributes.
  o_privilege (default None): privileges

role_del(a_cn, o_continue=False, **kwargs)

Delete a role.

Parameters:

Name Type Description Default
a_cn

Role name

required
o_continue

Continuous mode: Don't stop on errors.

False

role_find(a_criteria=None, o_cn=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, **kwargs)

Search for roles.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_cn

Role name

None
o_description

A description of this role-group

None
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

True
o_pkey_only

Results should contain primary key attribute only ("name")

False

role_mod(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None, **kwargs)

Modify a role.

Parameters:

Name Type Description Default
a_cn

Role name

required
o_description

A description of this role-group

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_rename

Rename the role object

None

role_remove_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, o_service=None, o_idoverrideuser=None, **kwargs)

Remove members from a role.

Parameters:

Name Type Description Default
a_cn

Role name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to remove

None
o_group

groups to remove

None
o_host

hosts to remove

None
o_hostgroup

host groups to remove

None
o_service

services to remove

None
o_idoverrideuser

User ID overrides to remove

None

role_remove_privilege(a_cn, o_all=True, o_raw=False, o_no_members=False, o_privilege=None, **kwargs)

Remove privileges from a role.

Parameters:

Name Type Description Default
a_cn

Role name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_privilege

privileges

None

role_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about a role.

Parameters:

Name Type Description Default
a_cn

Role name

required
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
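
As an added example (not code from python-freeipa or its documentation), the following composes role_find, role_add, role_add_privilege, role_add_member and role_show from this section into one idempotent least-privilege provisioning step that verifies what the server actually ended up with. The response envelopes it reads (count/result for role_find, completed/failed for the add_* commands) are assumed from FreeIPA's JSON-RPC API, and FakeClient is a constructed in-memory stand-in for ClientMeta so the flow runs without a server.

```python
"""Provision a least-privilege FreeIPA role with ClientMeta's role_* calls.

Added example, not part of python-freeipa. Response shapes are assumed
from FreeIPA's JSON-RPC API; FakeClient is a constructed test double.
"""
from typing import Any, Dict, List


class RoleProvisionError(RuntimeError):
    """Raised when the role on the server does not match what was requested."""


def provision_role(client: Any, name: str, description: str,
                   privileges: List[str], groups: List[str]) -> Dict[str, Any]:
    """Create (or reuse) a role, attach exactly the requested privileges,
    bind it to groups rather than individual users, and read it back."""
    # o_cn in role_find matches as a substring, so compare the returned cn exactly.
    found = client.role_find(o_cn=name, o_pkey_only=True, o_all=False)
    if not any(e.get("cn", [""])[0] == name for e in found["result"]):
        client.role_add(name, o_description=description)

    # The member-add commands report per-item problems in 'failed' instead of
    # raising, so 'completed' must be checked against what was requested.
    resp = client.role_add_privilege(name, o_privilege=privileges)
    if resp["completed"] != len(privileges):
        raise RoleProvisionError(f"privileges not attached: {resp['failed']}")
    resp = client.role_add_member(name, o_group=groups)
    if resp["completed"] != len(groups):
        raise RoleProvisionError(f"members not attached: {resp['failed']}")

    # Read back with o_all=True; membership attributes are returned because
    # role_show defaults to o_no_members=False.
    entry = client.role_show(name, o_all=True)["result"]
    extra = set(entry.get("memberof_privilege", [])) - set(privileges)
    if extra:
        # A pre-existing role carries privileges nobody asked for: flag it.
        raise RoleProvisionError(f"unexpected privileges on {name}: {sorted(extra)}")
    return entry


class FakeClient:
    """Constructed stand-in for ClientMeta: keeps roles in memory and mimics the
    (assumed, simplified) response envelopes of the real commands."""
    KNOWN_PRIVILEGES = {"User Administrators", "Password Policy Readers"}
    KNOWN_GROUPS = {"helpdesk", "it-ops"}

    def __init__(self) -> None:
        self.roles: Dict[str, Dict[str, list]] = {}

    def role_find(self, o_cn=None, **kw):
        hits = [{"cn": [cn]} for cn in self.roles if o_cn is None or o_cn in cn]
        return {"result": hits, "count": len(hits), "truncated": False}

    def role_add(self, a_cn, o_description=None, **kw):
        self.roles[a_cn] = {"cn": [a_cn], "description": [o_description],
                            "memberof_privilege": [], "member_group": []}
        return {"result": self.roles[a_cn], "value": a_cn}

    def _attach(self, a_cn, attr, values, valid):
        ok = [v for v in values if v in valid]
        bad = [[v, "no such entry"] for v in values if v not in valid]
        self.roles[a_cn][attr] = sorted(set(self.roles[a_cn][attr]) | set(ok))
        return {"result": self.roles[a_cn], "completed": len(ok), "failed": {attr: bad}}

    def role_add_privilege(self, a_cn, o_privilege=None, **kw):
        return self._attach(a_cn, "memberof_privilege", o_privilege or [], self.KNOWN_PRIVILEGES)

    def role_add_member(self, a_cn, o_group=None, **kw):
        return self._attach(a_cn, "member_group", o_group or [], self.KNOWN_GROUPS)

    def role_show(self, a_cn, **kw):
        return {"result": self.roles[a_cn], "value": a_cn}
```

With a real ClientMeta the same provision_role call works unchanged after client.login(); only FakeClient is replaced.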

schema(o_known_fingerprints=None, **kwargs)

Store and provide schema for commands and topics

Parameters:

Name Type Description Default
o_known_fingerprints

Fingerprint of schema cached by client

None

selfservice_add(a_aciname, o_attrs, o_permissions=None, o_all=True, o_raw=False, **kwargs)

Add a new self-service permission.

Parameters:

Name Type Description Default
a_aciname

Self-service name

required
o_permissions

Permissions to grant (read, write). Default is write.

None
o_attrs

Attributes to which the permission applies.

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

selfservice_del(a_aciname, **kwargs)

Delete a self-service permission.

Parameters:

Name Type Description Default
a_aciname

Self-service name

required

selfservice_find(a_criteria=None, o_aciname=None, o_permissions=None, o_attrs=None, o_pkey_only=False, o_all=True, o_raw=False, **kwargs)

Search for a self-service permission.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_aciname

Self-service name

None
o_permissions

Permissions to grant (read, write). Default is write.

None
o_attrs

Attributes to which the permission applies.

None
o_pkey_only

Results should contain primary key attribute only ("name")

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

selfservice_mod(a_aciname, o_permissions=None, o_attrs=None, o_all=True, o_raw=False, **kwargs)

Modify a self-service permission.

Parameters:

Name Type Description Default
a_aciname

Self-service name

required
o_permissions

Permissions to grant (read, write). Default is write.

None
o_attrs

Attributes to which the permission applies.

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

selfservice_show(a_aciname, o_all=True, o_raw=False, **kwargs)

Display information about a self-service permission.

Parameters:

Name Type Description Default
a_aciname

Self-service name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

selinuxusermap_add(a_cn, o_ipaselinuxuser, o_seealso=None, o_usercategory=None, o_hostcategory=None, o_description=None, o_ipaenabledflag=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Create a new SELinux User Map.

Parameters:

Name Type Description Default
a_cn

Rule name

required
o_ipaselinuxuser

SELinux User

required
o_seealso

HBAC Rule that defines the users, groups and hostgroups

None
o_usercategory

User category the rule applies to

None
o_hostcategory

Host category the rule applies to

None
o_description

Description

None
o_ipaenabledflag

Enabled

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

selinuxusermap_add_host(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None, **kwargs)

Add target hosts and hostgroups to an SELinux User Map rule.

Parameters:

Name Type Description Default
a_cn

Rule name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_host

hosts to add

None
o_hostgroup

host groups to add

None

selinuxusermap_add_user(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, **kwargs)

Add users and groups to an SELinux User Map rule.

Parameters:

Name Type Description Default
a_cn

Rule name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to add

None
o_group

groups to add

None

selinuxusermap_del(a_cn, o_continue=False, **kwargs)

Delete a SELinux User Map.

Parameters:

Name Type Description Default
a_cn

Rule name

required
o_continue

Continuous mode: Don't stop on errors.

False

selinuxusermap_disable(a_cn, **kwargs)

Disable an SELinux User Map rule.

Parameters:

Name Type Description Default
a_cn

Rule name

required

selinuxusermap_enable(a_cn, **kwargs)

Enable an SELinux User Map rule.

Parameters:

Name Type Description Default
a_cn

Rule name

required

selinuxusermap_find(a_criteria=None, o_cn=None, o_ipaselinuxuser=None, o_seealso=None, o_usercategory=None, o_hostcategory=None, o_description=None, o_ipaenabledflag=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, **kwargs)

Search for SELinux User Maps.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_cn

Rule name

None
o_ipaselinuxuser

SELinux User

None
o_seealso

HBAC Rule that defines the users, groups and hostgroups

None
o_usercategory

User category the rule applies to

None
o_hostcategory

Host category the rule applies to

None
o_description

Description

None
o_ipaenabledflag

Enabled

None
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

True
o_pkey_only

Results should contain primary key attribute only ("name")

False

selinuxusermap_mod(a_cn, o_ipaselinuxuser=None, o_seealso=None, o_usercategory=None, o_hostcategory=None, o_description=None, o_ipaenabledflag=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Modify a SELinux User Map.

Parameters:

Name Type Description Default
a_cn

Rule name

required
o_ipaselinuxuser

SELinux User

None
o_seealso

HBAC Rule that defines the users, groups and hostgroups

None
o_usercategory

User category the rule applies to

None
o_hostcategory

Host category the rule applies to

None
o_description

Description

None
o_ipaenabledflag

Enabled

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

selinuxusermap_remove_host(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None, **kwargs)

Remove target hosts and hostgroups from an SELinux User Map rule.

Parameters:

Name Type Description Default
a_cn

Rule name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_host

hosts to remove

None
o_hostgroup

host groups to remove

None

selinuxusermap_remove_user(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, **kwargs)

Remove users and groups from an SELinux User Map rule.

Parameters:

Name Type Description Default
a_cn

Rule name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to remove

None
o_group

groups to remove

None

selinuxusermap_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display the properties of a SELinux User Map rule.

Parameters:

Name Type Description Default
a_cn

Rule name

required
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

server_conncheck(a_cn, a_remote_cn, **kwargs)

Check connection to remote IPA server.

Parameters:

Name Type Description Default
a_cn

IPA server hostname

required
a_remote_cn

Remote IPA server hostname

required

server_del(a_cn, o_continue=False, o_ignore_topology_disconnect=False, o_ignore_last_of_role=False, o_force=False, **kwargs)

Delete IPA server.

Parameters:

Name Type Description Default
a_cn

IPA server hostname

required
o_continue

Continuous mode: Don't stop on errors.

False
o_ignore_topology_disconnect

Ignore topology connectivity problems after removal

False
o_ignore_last_of_role

Skip the check that prevents removing the last CA master or DNS server

False
o_force

Force server removal even if it does not exist

False

server_find(a_criteria=None, o_cn=None, o_ipamindomainlevel=None, o_ipamaxdomainlevel=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, o_topologysuffix=None, o_no_topologysuffix=None, o_in_location=None, o_not_in_location=None, o_servrole=None, **kwargs)

Search for IPA servers.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_cn

IPA server hostname

None
o_ipamindomainlevel

Minimum domain level

None
o_ipamaxdomainlevel

Maximum domain level

None
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

True
o_pkey_only

Results should contain primary key attribute only ("name")

False
o_topologysuffix

Search for servers with these managed suffixes.

None
o_no_topologysuffix

Search for servers without these managed suffixes.

None
o_in_location

Search for servers with these ipa locations.

None
o_not_in_location

Search for servers without these ipa locations.

None
o_servrole

Search for servers with these enabled roles.

None

server_mod(a_cn, o_ipalocation_location=None, o_ipaserviceweight=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Modify information about an IPA server.

Parameters:

Name Type Description Default
a_cn

IPA server hostname

required
o_ipalocation_location

Server DNS location

None
o_ipaserviceweight

Weight for server services

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

server_role_find(a_criteria=None, o_server_server=None, o_role_servrole=None, o_status=None, o_timelimit=None, o_sizelimit=None, o_include_master=False, o_all=True, o_raw=False, **kwargs)

Find a server role on one or more servers

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_server_server

IPA server hostname

None
o_role_servrole

IPA server role name

None
o_status

Status of the role

None
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_include_master

Include IPA master entries

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

server_role_show(a_server_server, a_role_servrole, o_all=True, o_raw=False, **kwargs)

Show role status on a server

Parameters:

Name Type Description Default
a_server_server

IPA server hostname

required
a_role_servrole

IPA server role name

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

server_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Show IPA server.

Parameters:

Name Type Description Default
a_cn

IPA server hostname

required
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

server_state(a_cn, o_state, **kwargs)

Set enabled/hidden state of a server.

Parameters:

Name Type Description Default
a_cn

IPA server hostname

required
o_state

Server state

required

service_add(a_krbcanonicalname, o_usercertificate=None, o_ipakrbauthzdata=None, o_krbprincipalauthind=None, o_ipakrbrequirespreauth=None, o_ipakrbokasdelegate=None, o_ipakrboktoauthasdelegate=None, o_setattr=None, o_addattr=None, o_force=False, o_skip_host_check=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a new IPA service.

Parameters:

Name Type Description Default
a_krbcanonicalname

Service principal

required
o_usercertificate

Base-64 encoded service certificate

None
o_ipakrbauthzdata

Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services.

None
o_krbprincipalauthind

Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use 'pkinit' to allow PKINIT-based 2FA authentications. Use 'hardened' to allow brute-force hardened password authentication by SPAKE or FAST. Use 'idp' to allow authentication against an external Identity Provider supporting OAuth 2.0 Device Authorization Flow (RFC 8628). Use 'passkey' to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed.

None
o_ipakrbrequirespreauth

Pre-authentication is required for the service

None
o_ipakrbokasdelegate

Client credentials may be delegated to the service

None
o_ipakrboktoauthasdelegate

The service is allowed to authenticate on behalf of a client

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_force

Force the principal name even if the host is not in DNS

False
o_skip_host_check

Force creation of the service even when no host object exists to manage it

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

service_add_cert(a_krbcanonicalname, o_usercertificate, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add new certificates to a service

Parameters:

Name Type Description Default
a_krbcanonicalname

Service principal

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_usercertificate

Base-64 encoded service certificate

required

service_add_delegation(a_krbcanonicalname, a_memberprincipal, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add new resource delegation to a service

Parameters:

Name Type Description Default
a_krbcanonicalname

Service principal

required
a_memberprincipal

Delegation principal

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

service_add_host(a_krbcanonicalname, o_all=True, o_raw=False, o_no_members=False, o_host=None, **kwargs)

Add hosts that can manage this service.

Parameters:

Name Type Description Default
a_krbcanonicalname

Service principal

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_host

hosts to add

None

service_add_principal(a_krbcanonicalname, a_krbprincipalname, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add new principal alias to a service

Parameters:

Name Type Description Default
a_krbcanonicalname

Service principal

required
a_krbprincipalname

Service principal alias

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

service_add_smb(a_fqdn, a_ipantflatname=None, o_setattr=None, o_addattr=None, o_usercertificate=None, o_ipakrbokasdelegate=None, o_ipakrboktoauthasdelegate=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a new SMB service.

Parameters:

Name Type Description Default
a_fqdn

Host name

required
a_ipantflatname

SMB service NetBIOS name

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_usercertificate

Base-64 encoded service certificate

None
o_ipakrbokasdelegate

Client credentials may be delegated to the service

None
o_ipakrboktoauthasdelegate

The service is allowed to authenticate on behalf of a client

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

service_allow_add_delegation(a_krbcanonicalname, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, **kwargs)

Allow users, groups, hosts or host groups to handle a resource delegation of this service.

Parameters:

Name Type Description Default
a_krbcanonicalname

Service principal

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to add

None
o_group

groups to add

None
o_host

hosts to add

None
o_hostgroup

host groups to add

None

service_allow_create_keytab(a_krbcanonicalname, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, **kwargs)

Allow users, groups, hosts or host groups to create a keytab of this service.

Parameters:

Name Type Description Default
a_krbcanonicalname

Service principal

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to add

None
o_group

groups to add

None
o_host

hosts to add

None
o_hostgroup

host groups to add

None

service_allow_retrieve_keytab(a_krbcanonicalname, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, **kwargs)

Allow users, groups, hosts or host groups to retrieve a keytab of this service.

Parameters:

Name Type Description Default
a_krbcanonicalname

Service principal

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to add

None
o_group

groups to add

None
o_host

hosts to add

None
o_hostgroup

host groups to add

None

service_del(a_krbcanonicalname, o_continue=False, **kwargs)

Delete an IPA service.

Parameters:

Name Type Description Default
a_krbcanonicalname

Service principal

required
o_continue

Continuous mode: Don't stop on errors.

False

service_disable(a_krbcanonicalname, **kwargs)

Disable the Kerberos key and SSL certificate of a service.

Parameters:

Name Type Description Default
a_krbcanonicalname

Service principal

required

service_disallow_add_delegation(a_krbcanonicalname, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, **kwargs)

Disallow users, groups, hosts or host groups to handle a resource delegation of this service.

Parameters:

Name Type Description Default
a_krbcanonicalname

Service principal

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to remove

None
o_group

groups to remove

None
o_host

hosts to remove

None
o_hostgroup

host groups to remove

None

service_disallow_create_keytab(a_krbcanonicalname, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, **kwargs)

Disallow users, groups, hosts or host groups to create a keytab of this service.

Parameters:

Name Type Description Default
a_krbcanonicalname

Service principal

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to remove

None
o_group

groups to remove

None
o_host

hosts to remove

None
o_hostgroup

host groups to remove

None

service_disallow_retrieve_keytab(a_krbcanonicalname, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_host=None, o_hostgroup=None, **kwargs)

Disallow users, groups, hosts or host groups to retrieve a keytab of this service.

Parameters:

Name Type Description Default
a_krbcanonicalname

Service principal

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to remove

None
o_group

groups to remove

None
o_host

hosts to remove

None
o_hostgroup

host groups to remove

None

service_find(a_criteria=None, o_krbcanonicalname=None, o_krbprincipalname=None, o_ipakrbauthzdata=None, o_krbprincipalauthind=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, o_man_by_host=None, o_not_man_by_host=None, **kwargs)

Search for IPA services.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_krbcanonicalname

Service principal

None
o_krbprincipalname

Service principal alias

None
o_ipakrbauthzdata

Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services.

None
o_krbprincipalauthind

Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use 'pkinit' to allow PKINIT-based 2FA authentications. Use 'hardened' to allow brute-force hardened password authentication by SPAKE or FAST. Use 'idp' to allow authentication against an external Identity Provider supporting OAuth 2.0 Device Authorization Flow (RFC 8628). Use 'passkey' to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed.

None
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

True
o_pkey_only

Results should contain primary key attribute only ("canonical-principal")

False
o_man_by_host

Search for services managed by these hosts.

None
o_not_man_by_host

Search for services not managed by these hosts.

None

service_mod(a_krbcanonicalname, o_krbprincipalname=None, o_usercertificate=None, o_ipakrbauthzdata=None, o_krbprincipalauthind=None, o_ipakrbrequirespreauth=None, o_ipakrbokasdelegate=None, o_ipakrboktoauthasdelegate=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Modify an existing IPA service.

Parameters:

Name Type Description Default
a_krbcanonicalname

Service principal

required
o_krbprincipalname

Service principal alias

None
o_usercertificate

Base-64 encoded service certificate

None
o_ipakrbauthzdata

Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services.

None
o_krbprincipalauthind

Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use 'pkinit' to allow PKINIT-based 2FA authentications. Use 'hardened' to allow brute-force hardened password authentication by SPAKE or FAST. Use 'idp' to allow authentication against an external Identity Provider supporting OAuth 2.0 Device Authorization Flow (RFC 8628). Use 'passkey' to allow passkey-based 2FA authentications. With no indicator specified, all authentication mechanisms are allowed.

None
o_ipakrbrequirespreauth

Pre-authentication is required for the service

None
o_ipakrbokasdelegate

Client credentials may be delegated to the service

None
o_ipakrboktoauthasdelegate

The service is allowed to authenticate on behalf of a client

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

service_remove_cert(a_krbcanonicalname, o_usercertificate, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Remove certificates from a service

Parameters:

| Name | Description | Default |
|---|---|---|
| a_krbcanonicalname | Service principal | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_usercertificate | Base-64 encoded service certificate | required |

service_remove_delegation(a_krbcanonicalname, a_memberprincipal, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Remove resource delegation from a service

Parameters:

| Name | Description | Default |
|---|---|---|
| a_krbcanonicalname | Service principal | required |
| a_memberprincipal | Delegation principal | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

service_remove_host(a_krbcanonicalname, o_all=True, o_raw=False, o_no_members=False, o_host=None, **kwargs)

Remove hosts that can manage this service.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_krbcanonicalname | Service principal | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_host | hosts to remove | None |

service_remove_principal(a_krbcanonicalname, a_krbprincipalname, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Remove principal alias from a service

Parameters:

| Name | Description | Default |
|---|---|---|
| a_krbcanonicalname | Service principal | required |
| a_krbprincipalname | Service principal alias | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

service_show(a_krbcanonicalname, o_rights=False, o_out=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about an IPA service.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_krbcanonicalname | Service principal | required |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_out | file to store certificate in | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
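
The three ticket flags and the authentication-indicator allow list above are the settings a defender most often audits on service principals. The following is an added example, not code from python-freeipa or FreeIPA: it scores a `service_show()` entry against a hardened baseline and builds the `service_mod()` keyword arguments that correct it. It assumes (not documented above) that `service_show()['result']` is the entry dict, that the ticket-flag attributes arrive as booleans in non-raw output, and that `krbprincipalauthind` arrives as a list of strings; the sample entry and principal are constructed.

```python
# Added example, not code from python-freeipa or FreeIPA. Assumed result
# shape: service_show()['result'] is the entry dict, the three ticket-flag
# attributes arrive as booleans in non-raw output, and krbprincipalauthind
# arrives as a list of strings.

# Value each flag should have on a hardened service:
#  - ipakrbokasdelegate=True lets clients forward their TGT to the service
#    (unconstrained delegation), so a compromise of the service exposes them;
#  - ipakrbrequirespreauth=False lets the KDC issue an AS-REP for the
#    principal without pre-authentication;
#  - ipakrboktoauthasdelegate=True lets the service obtain tickets on behalf
#    of clients, which is only needed for protocol transition.
HARDENED_FLAGS = {
    "ipakrbrequirespreauth": True,
    "ipakrbokasdelegate": False,
    "ipakrboktoauthasdelegate": False,
}

# Indicator names accepted by o_krbprincipalauthind (listed under service_mod).
VALID_INDICATORS = {"otp", "radius", "pkinit", "hardened", "idp", "passkey"}


def audit_service(entry, required_indicators=()):
    """Return [(attribute, actual, wanted), ...] for one service_show() entry."""
    wanted_ind = sorted(set(required_indicators))
    unknown = set(wanted_ind) - VALID_INDICATORS
    if unknown:
        raise ValueError("unknown authentication indicator(s): %s" % sorted(unknown))
    findings = []
    for flag, wanted in HARDENED_FLAGS.items():
        actual = bool(entry.get(flag, False))
        if actual != wanted:
            findings.append((flag, actual, wanted))
    # An empty indicator list means every authentication mechanism is accepted.
    actual_ind = sorted(entry.get("krbprincipalauthind", []))
    if wanted_ind and actual_ind != wanted_ind:
        findings.append(("krbprincipalauthind", actual_ind, wanted_ind))
    return findings


def remediation_kwargs(findings):
    """Turn findings into keyword arguments for ClientMeta.service_mod()."""
    return {"o_" + attr: wanted for attr, _actual, wanted in findings}


def audit_services(client, principals, required_indicators=()):
    """Audit live services with a logged-in ClientMeta; returns {principal: findings}."""
    return {
        p: audit_service(client.service_show(p)["result"], required_indicators)
        for p in principals
    }


def harden_service(client, principal, required_indicators=()):
    """Audit one live service and apply the fix through service_mod()."""
    findings = audit_service(client.service_show(principal)["result"],
                             required_indicators)
    if findings:
        client.service_mod(principal, **remediation_kwargs(findings))
    return findings


# Constructed sample entry in the assumed result shape; the principal is made up.
SAMPLE_ENTRY = {
    "krbcanonicalname": ["HTTP/web.example.test@EXAMPLE.TEST"],
    "ipakrbrequirespreauth": False,
    "ipakrbokasdelegate": True,
    "ipakrboktoauthasdelegate": False,
    "krbprincipalauthind": [],
}

if __name__ == "__main__":
    findings = audit_service(SAMPLE_ENTRY, required_indicators=("pkinit", "otp"))
    for attr, actual, wanted in findings:
        print("%s: is %r, should be %r" % (attr, actual, wanted))
    print("service_mod kwargs:", remediation_kwargs(findings))
```

`audit_services()` and `harden_service()` need a logged-in `ClientMeta`; the pure functions run offline against the constructed entry.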

servicedelegationrule_add(a_cn, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Create a new service delegation rule.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_cn | Delegation name | required |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

servicedelegationrule_add_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_principal=None, **kwargs)

Add member to a named service delegation rule.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_cn | Delegation name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_principal | principal to add | None |

servicedelegationrule_add_target(a_cn, o_all=True, o_raw=False, o_no_members=False, o_servicedelegationtarget=None, **kwargs)

Add target to a named service delegation rule.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_cn | Delegation name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_servicedelegationtarget | service delegation targets to add | None |

servicedelegationrule_del(a_cn, o_continue=False, **kwargs)

Delete service delegation.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_cn | Delegation name | required |
| o_continue | Continuous mode: Don't stop on errors. | False |

servicedelegationrule_find(a_criteria=None, o_cn=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, **kwargs)

Search for service delegation rules.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_criteria | A string searched in all relevant object attributes | None |
| o_cn | Delegation name | None |
| o_timelimit | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | Maximum number of entries returned (0 is unlimited) | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | True |
| o_pkey_only | Results should contain primary key attribute only ("delegation-name") | False |

servicedelegationrule_remove_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_principal=None, **kwargs)

Remove member from a named service delegation rule.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_cn | Delegation name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_principal | principal to remove | None |

servicedelegationrule_remove_target(a_cn, o_all=True, o_raw=False, o_no_members=False, o_servicedelegationtarget=None, **kwargs)

Remove target from a named service delegation rule.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_cn | Delegation name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_servicedelegationtarget | service delegation targets to remove | None |

servicedelegationrule_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about a named service delegation rule.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_cn | Delegation name | required |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

servicedelegationtarget_add(a_cn, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, **kwargs)

Create a new service delegation target.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_cn | Delegation name | required |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

servicedelegationtarget_add_member(a_cn, o_all=True, o_raw=False, o_principal=None, **kwargs)

Add member to a named service delegation target.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_cn | Delegation name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_principal | principal to add | None |

servicedelegationtarget_del(a_cn, o_continue=False, **kwargs)

Delete service delegation target.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_cn | Delegation name | required |
| o_continue | Continuous mode: Don't stop on errors. | False |

servicedelegationtarget_find(a_criteria=None, o_cn=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for service delegation targets.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_criteria | A string searched in all relevant object attributes | None |
| o_cn | Delegation name | None |
| o_timelimit | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | Maximum number of entries returned (0 is unlimited) | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_pkey_only | Results should contain primary key attribute only ("delegation-name") | False |

servicedelegationtarget_remove_member(a_cn, o_all=True, o_raw=False, o_principal=None, **kwargs)

Remove member from a named service delegation target.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_cn | Delegation name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_principal | principal to remove | None |

servicedelegationtarget_show(a_cn, o_rights=False, o_all=True, o_raw=False, **kwargs)

Display information about a named service delegation target.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_cn | Delegation name | required |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

session_logout(**kwargs)

RPC command used to log the current user out of their session.

sidgen_was_run(**kwargs)

Determine whether ipa-adtrust-install has been run with the sidgen task

stageuser_activate(a_uid, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Activate a stage user.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_uid | User login | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

stageuser_add(a_uid, o_givenname, o_sn, o_cn, o_displayname=None, o_initials=None, o_homedirectory=None, o_gecos=None, o_loginshell=None, o_krbprincipalname=None, o_krbprincipalexpiration=None, o_krbpasswordexpiration=None, o_mail=None, o_userpassword=None, o_random=False, o_uidnumber=None, o_gidnumber=None, o_street=None, o_l=None, o_st=None, o_postalcode=None, o_telephonenumber=None, o_mobile=None, o_pager=None, o_facsimiletelephonenumber=None, o_ou=None, o_title=None, o_manager=None, o_carlicense=None, o_ipasshpubkey=None, o_ipauserauthtype=None, o_userclass=None, o_ipatokenradiusconfiglink=None, o_ipatokenradiususername=None, o_ipaidpconfiglink=None, o_ipaidpsub=None, o_departmentnumber=None, o_employeenumber=None, o_employeetype=None, o_preferredlanguage=None, o_usercertificate=None, o_setattr=None, o_addattr=None, o_from_delete=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a new stage user.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_uid | User login | required |
| o_givenname | First name | required |
| o_sn | Last name | required |
| o_cn | Full name | required |
| o_displayname | Display name | None |
| o_initials | Initials | None |
| o_homedirectory | Home directory | None |
| o_gecos | GECOS | None |
| o_loginshell | Login shell | None |
| o_krbprincipalname | Principal alias | None |
| o_krbprincipalexpiration | Kerberos principal expiration | None |
| o_krbpasswordexpiration | User password expiration | None |
| o_mail | Email address | None |
| o_userpassword | Prompt to set the user password | None |
| o_random | Generate a random user password | False |
| o_uidnumber | User ID Number (system will assign one if not provided) | None |
| o_gidnumber | Group ID Number | None |
| o_street | Street address | None |
| o_l | City | None |
| o_st | State/Province | None |
| o_postalcode | ZIP | None |
| o_telephonenumber | Telephone Number | None |
| o_mobile | Mobile Telephone Number | None |
| o_pager | Pager Number | None |
| o_facsimiletelephonenumber | Fax Number | None |
| o_ou | Org. Unit | None |
| o_title | Job Title | None |
| o_manager | Manager | None |
| o_carlicense | Car License | None |
| o_ipasshpubkey | SSH public key | None |
| o_ipauserauthtype | Types of supported user authentication | None |
| o_userclass | User category (semantics placed on this attribute are for local interpretation) | None |
| o_ipatokenradiusconfiglink | RADIUS proxy configuration | None |
| o_ipatokenradiususername | RADIUS proxy username | None |
| o_ipaidpconfiglink | External IdP configuration | None |
| o_ipaidpsub | A string that identifies the user at external IdP | None |
| o_departmentnumber | Department Number | None |
| o_employeenumber | Employee Number | None |
| o_employeetype | Employee Type | None |
| o_preferredlanguage | Preferred Language | None |
| o_usercertificate | Base-64 encoded user certificate | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_from_delete | Create the stage user from a deleted user | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

stageuser_add_cert(a_uid, o_usercertificate, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add one or more certificates to the stageuser entry

Parameters:

| Name | Description | Default |
|---|---|---|
| a_uid | User login | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_usercertificate | Base-64 encoded user certificate | required |

stageuser_add_certmapdata(a_uid, a_ipacertmapdata=None, o_issuer=None, o_subject=None, o_certificate=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add one or more certificate mappings to the stage user entry.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_uid | User login | required |
| a_ipacertmapdata | Certificate mapping data | None |
| o_issuer | Issuer of the certificate | None |
| o_subject | Subject of the certificate | None |
| o_certificate | Base-64 encoded user certificate | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

stageuser_add_manager(a_uid, o_all=True, o_raw=False, o_no_members=False, o_user=None, **kwargs)

Add a manager to the stage user entry

Parameters:

| Name | Description | Default |
|---|---|---|
| a_uid | User login | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_user | users to add | None |

stageuser_add_passkey(a_uid, a_ipapasskey, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add one or more passkey mappings to the stage user entry.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_uid | User login | required |
| a_ipapasskey | Passkey mapping | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

stageuser_add_principal(a_uid, a_krbprincipalname, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a new principal alias to the stageuser entry

Parameters:

| Name | Description | Default |
|---|---|---|
| a_uid | User login | required |
| a_krbprincipalname | Principal alias | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

stageuser_del(a_uid, o_continue=False, **kwargs)

Delete a stage user.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_uid | User login | required |
| o_continue | Continuous mode: Don't stop on errors. | False |

stageuser_find(a_criteria=None, o_uid=None, o_givenname=None, o_sn=None, o_cn=None, o_displayname=None, o_initials=None, o_homedirectory=None, o_gecos=None, o_loginshell=None, o_krbprincipalname=None, o_krbprincipalexpiration=None, o_krbpasswordexpiration=None, o_mail=None, o_userpassword=None, o_uidnumber=None, o_gidnumber=None, o_street=None, o_l=None, o_st=None, o_postalcode=None, o_telephonenumber=None, o_mobile=None, o_pager=None, o_facsimiletelephonenumber=None, o_ou=None, o_title=None, o_manager=None, o_carlicense=None, o_ipauserauthtype=None, o_userclass=None, o_ipatokenradiusconfiglink=None, o_ipatokenradiususername=None, o_ipaidpconfiglink=None, o_ipaidpsub=None, o_departmentnumber=None, o_employeenumber=None, o_employeetype=None, o_preferredlanguage=None, o_usercertificate=None, o_ipantlogonscript=None, o_ipantprofilepath=None, o_ipanthomedirectory=None, o_ipanthomedirectorydrive=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, o_in_group=None, o_not_in_group=None, o_in_netgroup=None, o_not_in_netgroup=None, o_in_role=None, o_not_in_role=None, o_in_hbacrule=None, o_not_in_hbacrule=None, o_in_sudorule=None, o_not_in_sudorule=None, o_in_subid=None, o_not_in_subid=None, **kwargs)

Search for stage users.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_criteria | A string searched in all relevant object attributes | None |
| o_uid | User login | None |
| o_givenname | First name | None |
| o_sn | Last name | None |
| o_cn | Full name | None |
| o_displayname | Display name | None |
| o_initials | Initials | None |
| o_homedirectory | Home directory | None |
| o_gecos | GECOS | None |
| o_loginshell | Login shell | None |
| o_krbprincipalname | Principal alias | None |
| o_krbprincipalexpiration | Kerberos principal expiration | None |
| o_krbpasswordexpiration | User password expiration | None |
| o_mail | Email address | None |
| o_userpassword | Prompt to set the user password | None |
| o_uidnumber | User ID Number (system will assign one if not provided) | None |
| o_gidnumber | Group ID Number | None |
| o_street | Street address | None |
| o_l | City | None |
| o_st | State/Province | None |
| o_postalcode | ZIP | None |
| o_telephonenumber | Telephone Number | None |
| o_mobile | Mobile Telephone Number | None |
| o_pager | Pager Number | None |
| o_facsimiletelephonenumber | Fax Number | None |
| o_ou | Org. Unit | None |
| o_title | Job Title | None |
| o_manager | Manager | None |
| o_carlicense | Car License | None |
| o_ipauserauthtype | Types of supported user authentication | None |
| o_userclass | User category (semantics placed on this attribute are for local interpretation) | None |
| o_ipatokenradiusconfiglink | RADIUS proxy configuration | None |
| o_ipatokenradiususername | RADIUS proxy username | None |
| o_ipaidpconfiglink | External IdP configuration | None |
| o_ipaidpsub | A string that identifies the user at external IdP | None |
| o_departmentnumber | Department Number | None |
| o_employeenumber | Employee Number | None |
| o_employeetype | Employee Type | None |
| o_preferredlanguage | Preferred Language | None |
| o_usercertificate | Base-64 encoded user certificate | None |
| o_ipantlogonscript | SMB logon script path | None |
| o_ipantprofilepath | SMB profile path | None |
| o_ipanthomedirectory | SMB Home Directory | None |
| o_ipanthomedirectorydrive | SMB Home Directory Drive | None |
| o_timelimit | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | Maximum number of entries returned (0 is unlimited) | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | True |
| o_pkey_only | Results should contain primary key attribute only ("login") | False |
| o_in_group | Search for stage users that are members of these groups. | None |
| o_not_in_group | Search for stage users that are not members of these groups. | None |
| o_in_netgroup | Search for stage users that are members of these netgroups. | None |
| o_not_in_netgroup | Search for stage users that are not members of these netgroups. | None |
| o_in_role | Search for stage users that are members of these roles. | None |
| o_not_in_role | Search for stage users that are not members of these roles. | None |
| o_in_hbacrule | Search for stage users that are members of these HBAC rules. | None |
| o_not_in_hbacrule | Search for stage users that are not members of these HBAC rules. | None |
| o_in_sudorule | Search for stage users that are members of these sudo rules. | None |
| o_not_in_sudorule | Search for stage users that are not members of these sudo rules. | None |
| o_in_subid | Search for stage users that are members of these Subordinate ids. | None |
| o_not_in_subid | Search for stage users that are not members of these Subordinate ids. | None |

stageuser_mod(a_uid, o_givenname=None, o_sn=None, o_cn=None, o_displayname=None, o_initials=None, o_homedirectory=None, o_gecos=None, o_loginshell=None, o_krbprincipalname=None, o_krbprincipalexpiration=None, o_krbpasswordexpiration=None, o_mail=None, o_userpassword=None, o_random=False, o_uidnumber=None, o_gidnumber=None, o_street=None, o_l=None, o_st=None, o_postalcode=None, o_telephonenumber=None, o_mobile=None, o_pager=None, o_facsimiletelephonenumber=None, o_ou=None, o_title=None, o_manager=None, o_carlicense=None, o_ipasshpubkey=None, o_ipauserauthtype=None, o_userclass=None, o_ipatokenradiusconfiglink=None, o_ipatokenradiususername=None, o_ipaidpconfiglink=None, o_ipaidpsub=None, o_departmentnumber=None, o_employeenumber=None, o_employeetype=None, o_preferredlanguage=None, o_usercertificate=None, o_ipantlogonscript=None, o_ipantprofilepath=None, o_ipanthomedirectory=None, o_ipanthomedirectorydrive=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None, **kwargs)

Modify a stage user.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_uid | User login | required |
| o_givenname | First name | None |
| o_sn | Last name | None |
| o_cn | Full name | None |
| o_displayname | Display name | None |
| o_initials | Initials | None |
| o_homedirectory | Home directory | None |
| o_gecos | GECOS | None |
| o_loginshell | Login shell | None |
| o_krbprincipalname | Principal alias | None |
| o_krbprincipalexpiration | Kerberos principal expiration | None |
| o_krbpasswordexpiration | User password expiration | None |
| o_mail | Email address | None |
| o_userpassword | Prompt to set the user password | None |
| o_random | Generate a random user password | False |
| o_uidnumber | User ID Number (system will assign one if not provided) | None |
| o_gidnumber | Group ID Number | None |
| o_street | Street address | None |
| o_l | City | None |
| o_st | State/Province | None |
| o_postalcode | ZIP | None |
| o_telephonenumber | Telephone Number | None |
| o_mobile | Mobile Telephone Number | None |
| o_pager | Pager Number | None |
| o_facsimiletelephonenumber | Fax Number | None |
| o_ou | Org. Unit | None |
| o_title | Job Title | None |
| o_manager | Manager | None |
| o_carlicense | Car License | None |
| o_ipasshpubkey | SSH public key | None |
| o_ipauserauthtype | Types of supported user authentication | None |
| o_userclass | User category (semantics placed on this attribute are for local interpretation) | None |
| o_ipatokenradiusconfiglink | RADIUS proxy configuration | None |
| o_ipatokenradiususername | RADIUS proxy username | None |
| o_ipaidpconfiglink | External IdP configuration | None |
| o_ipaidpsub | A string that identifies the user at external IdP | None |
| o_departmentnumber | Department Number | None |
| o_employeenumber | Employee Number | None |
| o_employeetype | Employee Type | None |
| o_preferredlanguage | Preferred Language | None |
| o_usercertificate | Base-64 encoded user certificate | None |
| o_ipantlogonscript | SMB logon script path | None |
| o_ipantprofilepath | SMB profile path | None |
| o_ipanthomedirectory | SMB Home Directory | None |
| o_ipanthomedirectorydrive | SMB Home Directory Drive | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_delattr | Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. | None |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_rename | Rename the stage user object | None |

stageuser_remove_cert(a_uid, o_usercertificate, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Remove one or more certificates from the stageuser entry

Parameters:

| Name | Description | Default |
|---|---|---|
| a_uid | User login | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_usercertificate | Base-64 encoded user certificate | required |

stageuser_remove_certmapdata(a_uid, a_ipacertmapdata=None, o_issuer=None, o_subject=None, o_certificate=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Remove one or more certificate mappings from the stage user entry.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_uid | User login | required |
| a_ipacertmapdata | Certificate mapping data | None |
| o_issuer | Issuer of the certificate | None |
| o_subject | Subject of the certificate | None |
| o_certificate | Base-64 encoded user certificate | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

stageuser_remove_manager(a_uid, o_all=True, o_raw=False, o_no_members=False, o_user=None, **kwargs)

Remove a manager from the stage user entry

Parameters:

| Name | Description | Default |
|---|---|---|
| a_uid | User login | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_user | users to remove | None |

stageuser_remove_passkey(a_uid, a_ipapasskey, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Remove one or more passkey mappings from the stage user entry.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_uid | User login | required |
| a_ipapasskey | Passkey mapping | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

stageuser_remove_principal(a_uid, a_krbprincipalname, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Remove principal alias from the stageuser entry

Parameters:

| Name | Description | Default |
|---|---|---|
| a_uid | User login | required |
| a_krbprincipalname | Principal alias | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

stageuser_show(a_uid, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about a stage user.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_uid | User login | required |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

subid_add(o_ipaowner, a_ipauniqueid=None, o_description=None, o_ipasubuidnumber=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, **kwargs)

Add a new subordinate id.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_ipauniqueid | Unique ID | None |
| o_description | Subordinate id description | None |
| o_ipaowner | Owning user of subordinate id entry | required |
| o_ipasubuidnumber | Start value for subordinate user ID (subuid) range | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

subid_del(a_ipauniqueid, o_continue=False, **kwargs)

Delete a subordinate id.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_ipauniqueid | Unique ID | required |
| o_continue | Continuous mode: Don't stop on errors. | False |

subid_find(a_criteria=None, o_ipauniqueid=None, o_description=None, o_ipaowner=None, o_ipasubuidnumber=None, o_ipasubgidnumber=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for subordinate ids.

Parameters:

| Name | Description | Default |
|---|---|---|
| a_criteria | A string searched in all relevant object attributes | None |
| o_ipauniqueid | Unique ID | None |
| o_description | Subordinate id description | None |
| o_ipaowner | Owning user of subordinate id entry | None |
| o_ipasubuidnumber | Start value for subordinate user ID (subuid) range | None |
| o_ipasubgidnumber | Start value for subordinate group ID (subgid) range | None |
| o_timelimit | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | Maximum number of entries returned (0 is unlimited) | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_pkey_only | Results should contain primary key attribute only ("id") | False |

subid_generate(o_ipaowner=None, o_all=True, o_raw=False, **kwargs)

Generate and auto-assign a subuid and subgid range to a user entry

Parameters:

| Name | Description | Default |
|---|---|---|
| o_ipaowner | Owning user of subordinate id entry | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

subid_match(o_ipasubuidnumber, a_criteria=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Match users by any subordinate uid in their range

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_criteria | A string searched in all relevant object attributes | None |
| o_ipasubuidnumber | Match value for subordinate user ID | required |
| o_timelimit | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | Maximum number of entries returned (0 is unlimited) | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_pkey_only | Results should contain primary key attribute only ("id") | False |

subid_mod(a_ipauniqueid, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify a subordinate id.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_ipauniqueid | Unique ID | required |
| o_description | Subordinate id description | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_delattr | Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. | None |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

subid_show(a_ipauniqueid, o_rights=False, o_all=True, o_raw=False, **kwargs)

Display information about a subordinate id.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_ipauniqueid | Unique ID | required |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

subid_stats(o_all=True, o_raw=False, **kwargs)

Subordinate id statistics

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

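The subid_* calls above hand out subordinate UID/GID ranges that container runtimes map onto host IDs, so two owners with overlapping ranges can end up sharing host UIDs. The following is an editor-added example, not code from python-freeipa or its documentation: it audits the result of subid_find for overlapping ranges and resolves a single subuid back to its owner (a local equivalent of subid_match, useful when working from an exported dump). It assumes the find result is shaped like a FreeIPA JSON-RPC find result ({'result': [entry, ...], 'count': N, 'truncated': bool}) with entries carrying ipaowner, ipasubuidnumber, ipasubgidnumber and the range sizes ipasubuidcount/ipasubgidcount as lists of strings; DEFAULT_RANGE_SIZE is an assumed fallback when a count attribute is missing. The sample data is constructed.

```python
"""Added example: audit subordinate ID ranges from subid_find output.

Editor-added code, not part of python-freeipa. The result shape and the
ipasubuidcount/ipasubgidcount attribute names are assumptions (see lead-in).
"""

DEFAULT_RANGE_SIZE = 65536  # assumption: size used when no *count attribute is present

RANGE_ATTRS = {
    "subuid": ("ipasubuidnumber", "ipasubuidcount"),
    "subgid": ("ipasubgidnumber", "ipasubgidcount"),
}


def _ranges(find_result, start_attr, count_attr):
    """Yield (owner, start, end_exclusive) for every entry that has the range."""
    for entry in find_result.get("result", []):
        if start_attr not in entry:
            continue
        owner = entry.get("ipaowner", ["?"])[0]
        start = int(entry[start_attr][0])
        size = int(entry.get(count_attr, [DEFAULT_RANGE_SIZE])[0])
        yield owner, start, start + size


def find_overlaps(find_result, kind="subuid"):
    """Return (owner_a, owner_b) pairs whose subuid or subgid ranges overlap.

    Ranges are sorted by start; a range that begins before the furthest end
    seen so far overlaps the owner of that end. Overlaps break the isolation
    subordinate IDs are meant to provide between users' containers.
    """
    start_attr, count_attr = RANGE_ATTRS[kind]
    ranges = sorted(_ranges(find_result, start_attr, count_attr), key=lambda r: r[1])
    overlaps = []
    cur_owner, cur_end = None, -1
    for owner, start, end in ranges:
        if start < cur_end:
            overlaps.append((cur_owner, owner))
        if end > cur_end:
            cur_owner, cur_end = owner, end
    return overlaps


def owners_for_subuid(find_result, subuid):
    """Local equivalent of subid_match: owners whose subuid range contains subuid."""
    start_attr, count_attr = RANGE_ATTRS["subuid"]
    return sorted(owner for owner, start, end in _ranges(find_result, start_attr, count_attr)
                  if start <= subuid < end)


SAMPLE_SUBIDS = {  # constructed sample, not real server output
    "result": [
        {"ipaowner": ["alice"], "ipasubuidnumber": ["2147483648"], "ipasubuidcount": ["65536"],
         "ipasubgidnumber": ["2147483648"], "ipasubgidcount": ["65536"]},
        {"ipaowner": ["bob"], "ipasubuidnumber": ["2147549184"], "ipasubuidcount": ["65536"],
         "ipasubgidnumber": ["2147549184"], "ipasubgidcount": ["65536"]},
        # mallory's subuid range was hand-edited and collides with both neighbours
        {"ipaowner": ["mallory"], "ipasubuidnumber": ["2147500000"], "ipasubuidcount": ["65536"],
         "ipasubgidnumber": ["2147614720"], "ipasubgidcount": ["65536"]},
    ],
    "count": 3,
    "truncated": False,
}

if __name__ == "__main__":
    print("subuid overlaps:", find_overlaps(SAMPLE_SUBIDS, "subuid"))
    print("subgid overlaps:", find_overlaps(SAMPLE_SUBIDS, "subgid"))
    print("owners of 2147549190:", owners_for_subuid(SAMPLE_SUBIDS, 2147549190))
```

With a live client the input is simply `client.subid_find(o_sizelimit=0)`; the functions only read the returned dict.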
sudocmd_add(a_sudocmd, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Create new Sudo Command.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_sudocmd | Sudo Command | required |
| o_description | A description of this command | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

sudocmd_del(a_sudocmd, o_continue=False, **kwargs)

Delete Sudo Command.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_sudocmd | Sudo Command | required |
| o_continue | Continuous mode: Don't stop on errors. | False |

sudocmd_find(a_criteria=None, o_sudocmd=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, **kwargs)

Search for Sudo Commands.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_criteria | A string searched in all relevant object attributes | None |
| o_sudocmd | Sudo Command | None |
| o_description | A description of this command | None |
| o_timelimit | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | Maximum number of entries returned (0 is unlimited) | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | True |
| o_pkey_only | Results should contain primary key attribute only ("command") | False |

sudocmd_mod(a_sudocmd, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Modify Sudo Command.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_sudocmd | Sudo Command | required |
| o_description | A description of this command | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_delattr | Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. | None |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

sudocmd_show(a_sudocmd, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display Sudo Command.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_sudocmd | Sudo Command | required |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

sudocmdgroup_add(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Create new Sudo Command Group.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Sudo Command Group | required |
| o_description | Group description | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

sudocmdgroup_add_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_sudocmd=None, **kwargs)

Add members to Sudo Command Group.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Sudo Command Group | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_sudocmd | sudo commands to add | None |

sudocmdgroup_del(a_cn, o_continue=False, **kwargs)

Delete Sudo Command Group.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Sudo Command Group | required |
| o_continue | Continuous mode: Don't stop on errors. | False |

sudocmdgroup_find(a_criteria=None, o_cn=None, o_description=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, **kwargs)

Search for Sudo Command Groups.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_criteria | A string searched in all relevant object attributes | None |
| o_cn | Sudo Command Group | None |
| o_description | Group description | None |
| o_timelimit | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | Maximum number of entries returned (0 is unlimited) | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | True |
| o_pkey_only | Results should contain primary key attribute only ("sudocmdgroup-name") | False |

sudocmdgroup_mod(a_cn, o_description=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Modify Sudo Command Group.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Sudo Command Group | required |
| o_description | Group description | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_delattr | Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. | None |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

sudocmdgroup_remove_member(a_cn, o_all=True, o_raw=False, o_no_members=False, o_sudocmd=None, **kwargs)

Remove members from Sudo Command Group.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Sudo Command Group | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_sudocmd | sudo commands to remove | None |

sudocmdgroup_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display Sudo Command Group.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Sudo Command Group | required |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

sudorule_add(a_cn, o_description=None, o_ipaenabledflag=None, o_usercategory=None, o_hostcategory=None, o_cmdcategory=None, o_ipasudorunasusercategory=None, o_ipasudorunasgroupcategory=None, o_sudoorder=None, o_externaluser=None, o_externalhost=None, o_ipasudorunasextuser=None, o_ipasudorunasextgroup=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Create new Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_description | Description | None |
| o_ipaenabledflag | Enabled | None |
| o_usercategory | User category the rule applies to | None |
| o_hostcategory | Host category the rule applies to | None |
| o_cmdcategory | Command category the rule applies to | None |
| o_ipasudorunasusercategory | RunAs User category the rule applies to | None |
| o_ipasudorunasgroupcategory | RunAs Group category the rule applies to | None |
| o_sudoorder | integer to order the Sudo rules | None |
| o_externaluser | External User the rule applies to (sudorule-find only) | None |
| o_externalhost | External host | None |
| o_ipasudorunasextuser | External User the commands can run as (sudorule-find only) | None |
| o_ipasudorunasextgroup | External Group the commands can run as (sudorule-find only) | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

sudorule_add_allow_command(a_cn, o_all=True, o_raw=False, o_no_members=False, o_sudocmd=None, o_sudocmdgroup=None, **kwargs)

Add commands and sudo command groups affected by Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_sudocmd | sudo commands to add | None |
| o_sudocmdgroup | sudo command groups to add | None |

sudorule_add_deny_command(a_cn, o_all=True, o_raw=False, o_no_members=False, o_sudocmd=None, o_sudocmdgroup=None, **kwargs)

Add commands and sudo command groups affected by Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_sudocmd | sudo commands to add | None |
| o_sudocmdgroup | sudo command groups to add | None |

sudorule_add_host(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None, o_hostmask=None, **kwargs)

Add hosts and hostgroups affected by Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_host | hosts to add | None |
| o_hostgroup | host groups to add | None |
| o_hostmask | host masks of allowed hosts | None |

sudorule_add_option(a_cn, o_ipasudoopt, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add an option to the Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_ipasudoopt | Sudo Option | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

sudorule_add_runasgroup(a_cn, o_all=True, o_raw=False, o_no_members=False, o_group=None, **kwargs)

Add group for Sudo to execute as.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_group | groups to add | None |

sudorule_add_runasuser(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, **kwargs)

Add users and groups for Sudo to execute as.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_user | users to add | None |
| o_group | groups to add | None |

sudorule_add_user(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, **kwargs)

Add users and groups affected by Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_user | users to add | None |
| o_group | groups to add | None |

sudorule_del(a_cn, o_continue=False, **kwargs)

Delete Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_continue | Continuous mode: Don't stop on errors. | False |

sudorule_disable(a_cn, **kwargs)

Disable a Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |

sudorule_enable(a_cn, **kwargs)

Enable a Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |

sudorule_find(a_criteria=None, o_cn=None, o_description=None, o_ipaenabledflag=None, o_usercategory=None, o_hostcategory=None, o_cmdcategory=None, o_ipasudorunasusercategory=None, o_ipasudorunasgroupcategory=None, o_sudoorder=None, o_externaluser=None, o_externalhost=None, o_ipasudorunasextuser=None, o_ipasudorunasextgroup=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, **kwargs)

Search for Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_criteria | A string searched in all relevant object attributes | None |
| o_cn | Rule name | None |
| o_description | Description | None |
| o_ipaenabledflag | Enabled | None |
| o_usercategory | User category the rule applies to | None |
| o_hostcategory | Host category the rule applies to | None |
| o_cmdcategory | Command category the rule applies to | None |
| o_ipasudorunasusercategory | RunAs User category the rule applies to | None |
| o_ipasudorunasgroupcategory | RunAs Group category the rule applies to | None |
| o_sudoorder | integer to order the Sudo rules | None |
| o_externaluser | External User the rule applies to (sudorule-find only) | None |
| o_externalhost | External host | None |
| o_ipasudorunasextuser | External User the commands can run as (sudorule-find only) | None |
| o_ipasudorunasextgroup | External Group the commands can run as (sudorule-find only) | None |
| o_timelimit | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | Maximum number of entries returned (0 is unlimited) | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | True |
| o_pkey_only | Results should contain primary key attribute only ("sudorule-name") | False |

sudorule_mod(a_cn, o_description=None, o_ipaenabledflag=None, o_usercategory=None, o_hostcategory=None, o_cmdcategory=None, o_ipasudorunasusercategory=None, o_ipasudorunasgroupcategory=None, o_sudoorder=None, o_externaluser=None, o_externalhost=None, o_ipasudorunasextuser=None, o_ipasudorunasextgroup=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None, **kwargs)

Modify Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_description | Description | None |
| o_ipaenabledflag | Enabled | None |
| o_usercategory | User category the rule applies to | None |
| o_hostcategory | Host category the rule applies to | None |
| o_cmdcategory | Command category the rule applies to | None |
| o_ipasudorunasusercategory | RunAs User category the rule applies to | None |
| o_ipasudorunasgroupcategory | RunAs Group category the rule applies to | None |
| o_sudoorder | integer to order the Sudo rules | None |
| o_externaluser | External User the rule applies to (sudorule-find only) | None |
| o_externalhost | External host | None |
| o_ipasudorunasextuser | External User the commands can run as (sudorule-find only) | None |
| o_ipasudorunasextgroup | External Group the commands can run as (sudorule-find only) | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_delattr | Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. | None |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_rename | Rename the sudo rule object | None |

sudorule_remove_allow_command(a_cn, o_all=True, o_raw=False, o_no_members=False, o_sudocmd=None, o_sudocmdgroup=None, **kwargs)

Remove commands and sudo command groups affected by Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_sudocmd | sudo commands to remove | None |
| o_sudocmdgroup | sudo command groups to remove | None |

sudorule_remove_deny_command(a_cn, o_all=True, o_raw=False, o_no_members=False, o_sudocmd=None, o_sudocmdgroup=None, **kwargs)

Remove commands and sudo command groups affected by Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_sudocmd | sudo commands to remove | None |
| o_sudocmdgroup | sudo command groups to remove | None |

sudorule_remove_host(a_cn, o_all=True, o_raw=False, o_no_members=False, o_host=None, o_hostgroup=None, o_hostmask=None, **kwargs)

Remove hosts and hostgroups affected by Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_host | hosts to remove | None |
| o_hostgroup | host groups to remove | None |
| o_hostmask | host masks of allowed hosts | None |

sudorule_remove_option(a_cn, o_ipasudoopt, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Remove an option from Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_ipasudoopt | Sudo Option | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

sudorule_remove_runasgroup(a_cn, o_all=True, o_raw=False, o_no_members=False, o_group=None, **kwargs)

Remove group for Sudo to execute as.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_group | groups to remove | None |

sudorule_remove_runasuser(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, **kwargs)

Remove users and groups for Sudo to execute as.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_user | users to remove | None |
| o_group | groups to remove | None |

sudorule_remove_user(a_cn, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, **kwargs)

Remove users and groups affected by Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |
| o_user | users to remove | None |
| o_group | groups to remove | None |

sudorule_show(a_cn, o_rights=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display Sudo Rule.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_cn | Rule name | required |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_no_members | Suppress processing of membership attributes. | False |

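The sudocmd_*, sudocmdgroup_* and sudorule_* calls above are the building blocks of centrally managed sudo policy, and the category options (o_usercategory, o_hostcategory, o_cmdcategory, o_ipasudorunasusercategory, o_ipasudorunasgroupcategory) are where a rule silently becomes "anyone, anywhere, anything" when set to `all`. The following is an editor-added example, not code from python-freeipa or its documentation. It creates a rule that names its commands, hosts, users and run-as user explicitly, and audits the output of sudorule_find for enabled rules that use a wildcard category or the `!authenticate` sudo option. It assumes `client` is any object exposing the sudocmd_*/sudorule_* methods with the signatures documented above and that *_find calls return a dict shaped like a FreeIPA JSON-RPC find result ({'result': [entry, ...], 'count': N, 'truncated': bool}) whose entries map attribute names to lists of values; FakeClient and SAMPLE_RULES are constructed stand-ins so the module runs offline.

```python
"""Added example: least-privilege sudo rule creation and an over-broad rule audit.

Editor-added code, not part of python-freeipa. The client interface and the
find-result shape are assumptions (see lead-in); FakeClient is a constructed
in-memory stand-in for ClientMeta.
"""

BROAD_CATEGORIES = (
    "usercategory",
    "hostcategory",
    "cmdcategory",
    "ipasudorunasusercategory",
    "ipasudorunasgroupcategory",
)


def create_scoped_sudo_rule(client, rule_name, commands, hosts, users,
                            runas_user="root", description=None, order=None):
    """Create a sudo rule with explicit members rather than any 'all' category.

    Commands must exist as sudocmd entries before a rule can reference them,
    so each one is looked up with sudocmd_find and added only when missing.
    The find filter may match substrings, hence the exact comparison below.
    """
    for cmd in commands:
        found = client.sudocmd_find(o_sudocmd=cmd, o_pkey_only=True)
        if not any(cmd in entry.get("sudocmd", []) for entry in found["result"]):
            client.sudocmd_add(cmd, o_description="managed by create_scoped_sudo_rule")
    client.sudorule_add(rule_name, o_description=description, o_sudoorder=order)
    client.sudorule_add_allow_command(rule_name, o_sudocmd=list(commands))
    client.sudorule_add_host(rule_name, o_host=list(hosts))
    client.sudorule_add_user(rule_name, o_user=list(users))
    client.sudorule_add_runasuser(rule_name, o_user=[runas_user])
    return rule_name


def audit_sudo_rules(find_result):
    """Flag enabled rules that use a wildcard category or disable the password prompt."""
    findings = []
    for entry in find_result.get("result", []):
        name = entry.get("cn", ["?"])[0]
        flag = entry.get("ipaenabledflag", [False])[0]
        # ipaenabledflag is a 'TRUE'/'FALSE' string on older servers and a bool on newer ones
        if not (flag is True or str(flag).upper() == "TRUE"):
            continue
        broad = [c for c in BROAD_CATEGORIES if str(entry.get(c, [""])[0]).lower() == "all"]
        nopasswd = "!authenticate" in entry.get("ipasudoopt", [])
        if broad or nopasswd:
            findings.append({"rule": name, "categories": broad, "nopasswd": nopasswd})
    return findings


class FakeClient:
    """Constructed stand-in for ClientMeta: records calls and remembers commands."""

    def __init__(self):
        self.calls = []
        self.commands = set()

    def sudocmd_find(self, a_criteria=None, o_sudocmd=None, **kwargs):
        hits = [{"sudocmd": [c]} for c in sorted(self.commands)
                if o_sudocmd is None or o_sudocmd in c]
        return {"result": hits, "count": len(hits), "truncated": False}

    def sudocmd_add(self, a_sudocmd, **kwargs):
        self.commands.add(a_sudocmd)
        self.calls.append(("sudocmd_add", a_sudocmd))
        return {"result": {"sudocmd": [a_sudocmd]}}

    def __getattr__(self, name):
        # Accept and record any sudorule_* call; everything else is an error.
        if name.startswith("sudorule_"):
            def record(*args, **kwargs):
                self.calls.append((name, args, kwargs))
                return {"result": {}}
            return record
        raise AttributeError(name)


SAMPLE_RULES = {  # constructed sample, not real server output
    "result": [
        {"cn": ["ops-restart-nginx"], "ipaenabledflag": ["TRUE"],
         "memberallowcmd_sudocmd": ["/usr/bin/systemctl restart nginx"],
         "memberhost_host": ["web1.example.test"], "memberuser_user": ["alice"]},
        {"cn": ["legacy-all"], "ipaenabledflag": ["TRUE"],
         "usercategory": ["all"], "hostcategory": ["all"], "cmdcategory": ["all"],
         "ipasudoopt": ["!authenticate"]},
        {"cn": ["retired"], "ipaenabledflag": ["FALSE"], "cmdcategory": ["all"]},
    ],
    "count": 3,
    "truncated": False,
}

if __name__ == "__main__":
    fake = FakeClient()
    create_scoped_sudo_rule(fake, "ops-restart-nginx", ["/usr/bin/systemctl restart nginx"],
                            ["web1.example.test"], ["alice"])
    for call in fake.calls:
        print(call)
    for finding in audit_sudo_rules(SAMPLE_RULES):
        print("over-broad:", finding)
```

Against a real server, pass a logged-in ClientMeta instance as `client` and feed `client.sudorule_find(o_sizelimit=0)` to audit_sudo_rules; o_no_members defaults to True on the find call, which is enough here because the audit only reads the category and option attributes.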
topic_find(a_criteria=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for help topics.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_criteria | A string searched in all relevant object attributes | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_pkey_only | Results should contain primary key attribute only ("name") | False |

topic_show(a_full_name, o_all=True, o_raw=False, **kwargs)

Display information about a help topic.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_full_name | Full name | required |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

topologysegment_add(a_topologysuffixcn, a_cn, o_iparepltoposegmentleftnode, o_iparepltoposegmentrightnode, o_iparepltoposegmentdirection='both', o_nsds5replicastripattrs=None, o_nsds5replicatedattributelist=None, o_nsds5replicatedattributelisttotal=None, o_nsds5replicatimeout=None, o_nsds5replicaenabled=None, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, **kwargs)

Add a new segment.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_topologysuffixcn | Suffix name | required |
| a_cn | Arbitrary string identifying the segment | required |
| o_iparepltoposegmentleftnode | Left replication node - an IPA server | required |
| o_iparepltoposegmentrightnode | Right replication node - an IPA server | required |
| o_iparepltoposegmentdirection | Direction of replication between left and right replication node | 'both' |
| o_nsds5replicastripattrs | A space separated list of attributes which are removed from replication updates. | None |
| o_nsds5replicatedattributelist | Attributes that are not replicated to a consumer server during a fractional update. E.g. (objectclass=*) $ EXCLUDE accountlockout memberof | None |
| o_nsds5replicatedattributelisttotal | Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout | None |
| o_nsds5replicatimeout | Number of seconds outbound LDAP operations wait for a response from the remote replica before timing out and failing | None |
| o_nsds5replicaenabled | Whether a replication agreement is active, meaning whether replication is occurring per that agreement | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

topologysegment_del(a_topologysuffixcn, a_cn, o_continue=False, **kwargs)

Delete a segment.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_topologysuffixcn | Suffix name | required |
| a_cn | Arbitrary string identifying the segment | required |
| o_continue | Continuous mode: Don't stop on errors. | False |

topologysegment_find(a_topologysuffixcn, a_criteria=None, o_cn=None, o_iparepltoposegmentleftnode=None, o_iparepltoposegmentrightnode=None, o_iparepltoposegmentdirection=None, o_nsds5replicastripattrs=None, o_nsds5replicatedattributelist=None, o_nsds5replicatedattributelisttotal=None, o_nsds5replicatimeout=None, o_nsds5replicaenabled=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for topology segments.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_topologysuffixcn | Suffix name | required |
| a_criteria | A string searched in all relevant object attributes | None |
| o_cn | Arbitrary string identifying the segment | None |
| o_iparepltoposegmentleftnode | Left replication node - an IPA server | None |
| o_iparepltoposegmentrightnode | Right replication node - an IPA server | None |
| o_iparepltoposegmentdirection | Direction of replication between left and right replication node | None |
| o_nsds5replicastripattrs | A space separated list of attributes which are removed from replication updates. | None |
| o_nsds5replicatedattributelist | Attributes that are not replicated to a consumer server during a fractional update. E.g. (objectclass=*) $ EXCLUDE accountlockout memberof | None |
| o_nsds5replicatedattributelisttotal | Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout | None |
| o_nsds5replicatimeout | Number of seconds outbound LDAP operations wait for a response from the remote replica before timing out and failing | None |
| o_nsds5replicaenabled | Whether a replication agreement is active, meaning whether replication is occurring per that agreement | None |
| o_timelimit | Time limit of search in seconds (0 is unlimited) | None |
| o_sizelimit | Maximum number of entries returned (0 is unlimited) | None |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |
| o_pkey_only | Results should contain primary key attribute only ("name") | False |

topologysegment_mod(a_topologysuffixcn, a_cn, o_nsds5replicastripattrs=None, o_nsds5replicatedattributelist=None, o_nsds5replicatedattributelisttotal=None, o_nsds5replicatimeout=None, o_nsds5replicaenabled=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify a segment.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_topologysuffixcn | Suffix name | required |
| a_cn | Arbitrary string identifying the segment | required |
| o_nsds5replicastripattrs | A space separated list of attributes which are removed from replication updates. | None |
| o_nsds5replicatedattributelist | Attributes that are not replicated to a consumer server during a fractional update. E.g. (objectclass=*) $ EXCLUDE accountlockout memberof | None |
| o_nsds5replicatedattributelisttotal | Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout | None |
| o_nsds5replicatimeout | Number of seconds outbound LDAP operations wait for a response from the remote replica before timing out and failing | None |
| o_nsds5replicaenabled | Whether a replication agreement is active, meaning whether replication is occurring per that agreement | None |
| o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None |
| o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None |
| o_delattr | Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. | None |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

topologysegment_reinitialize(a_topologysuffixcn, a_cn, o_left=False, o_right=False, o_stop=False, **kwargs)

Request a full re-initialization of the node retrieving data from the other node.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_topologysuffixcn | Suffix name | required |
| a_cn | Arbitrary string identifying the segment | required |
| o_left | Initialize left node | False |
| o_right | Initialize right node | False |
| o_stop | Stop already started refresh of chosen node(s) | False |

topologysegment_show(a_topologysuffixcn, a_cn, o_rights=False, o_all=True, o_raw=False, **kwargs)

Display a segment.

Parameters:

| Name | Description | Default |
|------|-------------|---------|
| a_topologysuffixcn | Suffix name | required |
| a_cn | Arbitrary string identifying the segment | required |
| o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False |
| o_all | Retrieve and print all attributes from the server. Affects command output. | True |
| o_raw | Print entries as stored on the server. Only affects output format. | False |

topologysuffix_add(a_cn, o_iparepltopoconfroot, o_setattr=None, o_addattr=None, o_all=True, o_raw=False, **kwargs)

Add a new topology suffix to be managed.

Parameters:

Name Type Description Default
a_cn

Suffix name

required
o_iparepltopoconfroot

Managed LDAP suffix DN

required
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

topologysuffix_del(a_cn, o_continue=False, **kwargs)

Delete a topology suffix.

Parameters:

Name Type Description Default
a_cn

Suffix name

required
o_continue

Continuous mode: Don't stop on errors.

False

topologysuffix_find(a_criteria=None, o_cn=None, o_iparepltopoconfroot=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for topology suffixes.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_cn

Suffix name

None
o_iparepltopoconfroot

Managed LDAP suffix DN

None
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_pkey_only

Results should contain primary key attribute only ("name")

False

topologysuffix_mod(a_cn, o_iparepltopoconfroot=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify a topology suffix.

Parameters:

Name Type Description Default
a_cn

Suffix name

required
o_iparepltopoconfroot

Managed LDAP suffix DN

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

topologysuffix_show(a_cn, o_rights=False, o_all=True, o_raw=False, **kwargs)

Show managed suffix.

Parameters:

Name Type Description Default
a_cn

Suffix name

required
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

topologysuffix_verify(a_cn, **kwargs)

Verify replication topology for suffix.

Checks done:

1. The topology is not disconnected, i.e. there are replication paths between all servers.
2. No server has more than the recommended number of replication agreements.

Parameters:

Name Type Description Default
a_cn

Suffix name

required
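
The two checks listed above, as an added example that is not code from this page or from python-freeipa: a local model of one suffix's replication topology, where each segment is treated as one undirected agreement between two servers. The hostnames and segments are constructed, and the limit of four agreements per server is an assumption exposed as a parameter so you can match it to your own deployment's guidance.

```python
from collections import deque

# Constructed sample topology (hypothetical hostnames, not a real deployment).
# Each segment joins two servers of one suffix; for this check it is treated
# as one undirected replication agreement between them.
SERVERS = {f"ipa{i}.example.test" for i in range(1, 8)}
SEGMENTS = [
    ("ipa1.example.test", "ipa2.example.test"),
    ("ipa2.example.test", "ipa3.example.test"),
    ("ipa3.example.test", "ipa1.example.test"),
    ("ipa1.example.test", "ipa4.example.test"),
    ("ipa1.example.test", "ipa5.example.test"),
    ("ipa1.example.test", "ipa6.example.test"),
    # ipa7 has no segment at all, so the topology is disconnected.
]

# Assumed recommended maximum of agreements per server; pass your own value.
MAX_AGREEMENTS = 4


def build_graph(segments, servers):
    """Adjacency sets, including servers that have no segment at all."""
    adj = {s: set() for s in servers}
    for left, right in segments:
        adj.setdefault(left, set()).add(right)
        adj.setdefault(right, set()).add(left)
    return adj


def connected_components(adj):
    """Breadth-first search; a single component means every server reaches every other."""
    seen, components = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        component, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            component.add(node)
            for neighbour in adj[node]:
                if neighbour not in seen:
                    seen.add(neighbour)
                    queue.append(neighbour)
        components.append(sorted(component))
    return components


def verify_topology(segments, servers, max_agreements=MAX_AGREEMENTS):
    """Check 1: connectivity. Check 2: per-server agreement count against the limit."""
    adj = build_graph(segments, servers)
    components = connected_components(adj)
    over_limit = {s: len(n) for s, n in sorted(adj.items()) if len(n) > max_agreements}
    return {
        "connected": len(components) == 1,
        "components": components,
        "over_limit": over_limit,
    }


if __name__ == "__main__":
    report = verify_topology(SEGMENTS, SERVERS)
    print("connected:", report["connected"])
    for component in report["components"]:
        print("  component:", ", ".join(component))
    for server, count in report["over_limit"].items():
        print(f"  {server} has {count} agreements (max {MAX_AGREEMENTS})")
```

Servers are passed in separately from the segments on purpose: a server with no segment at all would otherwise never appear in the graph and the disconnection would go unnoticed.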

trust_add(a_cn, o_setattr=None, o_addattr=None, o_trust_type='ad', o_realm_admin=None, o_realm_passwd=None, o_realm_server=None, o_trust_secret=None, o_base_id=None, o_range_size=None, o_range_type=None, o_bidirectional=None, o_external=None, o_all=True, o_raw=False, **kwargs)

Add new trust to use.

This command establishes a trust relationship to another domain, which becomes 'trusted'. As a result, users of the trusted domain may access resources of this domain.

Only trusts to Active Directory domains are supported right now.

The command can safely be run multiple times against the same domain; each run changes the trust relationship credentials on both sides.

Note that if the command was previously run with a specific range type, or with automatic detection of the range type, and you want to configure a different range type, you may need to first delete the ID range using ipa idrange-del before retrying the command with the desired range type.

Parameters:

Name Type Description Default
a_cn

Realm name

required
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_trust_type

Trust type (ad for Active Directory, default)

'ad'
o_realm_admin

Active Directory domain administrator

None
o_realm_passwd

Active Directory domain administrator's password

None
o_realm_server

Domain controller for the Active Directory domain (optional)

None
o_trust_secret

Shared secret for the trust

None
o_base_id

First POSIX ID of the range reserved for the trusted domain

None
o_range_size

Size of the ID range reserved for the trusted domain

None
o_range_type

Type of trusted domain ID range, one of the allowed values

None
o_bidirectional

Establish bi-directional trust. By default trust is inbound one-way only.

None
o_external

Establish external trust to a domain in another forest. The trust is not transitive beyond the domain.

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

trust_del(a_cn, o_continue=False, **kwargs)

Delete a trust.

Parameters:

Name Type Description Default
a_cn

Realm name

required
o_continue

Continuous mode: Don't stop on errors.

False

trust_enable_agent(a_remote_cn, o_enable_compat=False, **kwargs)

Configure this server as a trust agent.

Parameters:

Name Type Description Default
a_remote_cn

Remote IPA server hostname

required
o_enable_compat

Enable support for trusted domains for old clients

False

trust_fetch_domains(a_cn, o_rights=False, o_realm_admin=None, o_realm_passwd=None, o_realm_server=None, o_all=True, o_raw=False, **kwargs)

Refresh the list of domains associated with the trust

Parameters:

Name Type Description Default
a_cn

Realm name

required
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_realm_admin

Active Directory domain administrator

None
o_realm_passwd

Active Directory domain administrator's password

None
o_realm_server

Domain controller for the Active Directory domain (optional)

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

trust_find(a_criteria=None, o_cn=None, o_ipantflatname=None, o_ipanttrusteddomainsid=None, o_ipantsidblacklistincoming=None, o_ipantsidblacklistoutgoing=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search for trusts.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_cn

Realm name

None
o_ipantflatname

Domain NetBIOS name

None
o_ipanttrusteddomainsid

Domain Security Identifier

None
o_ipantsidblacklistincoming

SID blocklist incoming

None
o_ipantsidblacklistoutgoing

SID blocklist outgoing

None
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_pkey_only

Results should contain primary key attribute only ("realm")

False

trust_mod(a_cn, o_ipantsidblacklistincoming=None, o_ipantsidblacklistoutgoing=None, o_ipantadditionalsuffixes=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, **kwargs)

Modify a trust (for future use).

Currently only the default option to modify the LDAP attributes is available. More specific options will be added in coming releases.

Parameters:

Name Type Description Default
a_cn

Realm name

required
o_ipantsidblacklistincoming

SID blocklist incoming

None
o_ipantsidblacklistoutgoing

SID blocklist outgoing

None
o_ipantadditionalsuffixes

UPN suffixes

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

trust_resolve(o_sids, o_all=True, o_raw=False, **kwargs)

Resolve security identifiers of users and groups in trusted domains

Parameters:

Name Type Description Default
o_sids

Security Identifiers (SIDs)

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

trust_show(a_cn, o_rights=False, o_all=True, o_raw=False, **kwargs)

Display information about a trust.

Parameters:

Name Type Description Default
a_cn

Realm name

required
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

trustconfig_mod(o_ipantfallbackprimarygroup=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_trust_type='ad', o_all=True, o_raw=False, **kwargs)

Modify global trust configuration.

Parameters:

Name Type Description Default
o_ipantfallbackprimarygroup

Fallback primary group

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_trust_type

Trust type (ad for Active Directory, default)

'ad'
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

trustconfig_show(o_rights=False, o_trust_type='ad', o_all=True, o_raw=False, **kwargs)

Show global trust configuration.

Parameters:

Name Type Description Default
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_trust_type

Trust type (ad for Active Directory, default)

'ad'
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

trustdomain_add(a_trustcn, a_cn, o_ipantflatname=None, o_ipanttrusteddomainsid=None, o_setattr=None, o_addattr=None, o_trust_type='ad', o_all=True, o_raw=False, **kwargs)

Allow access from the trusted domain

Parameters:

Name Type Description Default
a_trustcn

Realm name

required
a_cn

Domain name

required
o_ipantflatname

Domain NetBIOS name

None
o_ipanttrusteddomainsid

Domain Security Identifier

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_trust_type

Trust type (ad for Active Directory, default)

'ad'
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

trustdomain_del(a_trustcn, a_cn, o_continue=False, **kwargs)

Remove information about the domain associated with the trust.

Parameters:

Name Type Description Default
a_trustcn

Realm name

required
a_cn

Domain name

required
o_continue

Continuous mode: Don't stop on errors.

False

trustdomain_disable(a_trustcn, a_cn, **kwargs)

Disable use of IPA resources by the domain of the trust

Parameters:

Name Type Description Default
a_trustcn

Realm name

required
a_cn

Domain name

required

trustdomain_enable(a_trustcn, a_cn, **kwargs)

Allow use of IPA resources by the domain of the trust

Parameters:

Name Type Description Default
a_trustcn

Realm name

required
a_cn

Domain name

required

trustdomain_find(a_trustcn, a_criteria=None, o_cn=None, o_ipantflatname=None, o_ipanttrusteddomainsid=None, o_timelimit=None, o_sizelimit=None, o_all=True, o_raw=False, o_pkey_only=False, **kwargs)

Search domains of the trust

Parameters:

Name Type Description Default
a_trustcn

Realm name

required
a_criteria

A string searched in all relevant object attributes

None
o_cn

Domain name

None
o_ipantflatname

Domain NetBIOS name

None
o_ipanttrusteddomainsid

Domain Security Identifier

None
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_pkey_only

Results should contain primary key attribute only ("domain")

False

trustdomain_mod(a_trustcn, a_cn, o_ipantflatname=None, o_ipanttrusteddomainsid=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_trust_type='ad', o_all=True, o_raw=False, **kwargs)

Modify trustdomain of the trust

Parameters:

Name Type Description Default
a_trustcn

Realm name

required
a_cn

Domain name

required
o_ipantflatname

Domain NetBIOS name

None
o_ipanttrusteddomainsid

Domain Security Identifier

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_trust_type

Trust type (ad for Active Directory, default)

'ad'
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False

user_add(a_uid, o_givenname, o_sn, o_cn, o_displayname=None, o_initials=None, o_homedirectory=None, o_gecos=None, o_loginshell=None, o_krbprincipalname=None, o_krbprincipalexpiration=None, o_krbpasswordexpiration=None, o_mail=None, o_userpassword=None, o_random=False, o_uidnumber=None, o_gidnumber=None, o_street=None, o_l=None, o_st=None, o_postalcode=None, o_telephonenumber=None, o_mobile=None, o_pager=None, o_facsimiletelephonenumber=None, o_ou=None, o_title=None, o_manager=None, o_carlicense=None, o_ipasshpubkey=None, o_ipauserauthtype=None, o_userclass=None, o_ipatokenradiusconfiglink=None, o_ipatokenradiususername=None, o_ipaidpconfiglink=None, o_ipaidpsub=None, o_departmentnumber=None, o_employeenumber=None, o_employeetype=None, o_preferredlanguage=None, o_usercertificate=None, o_nsaccountlock=None, o_setattr=None, o_addattr=None, o_noprivate=False, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a new user.

Parameters:

Name Type Description Default
a_uid

User login

required
o_givenname

First name

required
o_sn

Last name

required
o_cn

Full name

required
o_displayname

Display name

None
o_initials

Initials

None
o_homedirectory

Home directory

None
o_gecos

GECOS

None
o_loginshell

Login shell

None
o_krbprincipalname

Principal alias

None
o_krbprincipalexpiration

Kerberos principal expiration

None
o_krbpasswordexpiration

User password expiration

None
o_mail

Email address

None
o_userpassword

Prompt to set the user password

None
o_random

Generate a random user password

False
o_uidnumber

User ID Number (system will assign one if not provided)

None
o_gidnumber

Group ID Number

None
o_street

Street address

None
o_l

City

None
o_st

State/Province

None
o_postalcode

ZIP

None
o_telephonenumber

Telephone Number

None
o_mobile

Mobile Telephone Number

None
o_pager

Pager Number

None
o_facsimiletelephonenumber

Fax Number

None
o_ou

Org. Unit

None
o_title

Job Title

None
o_manager

Manager

None
o_carlicense

Car License

None
o_ipasshpubkey

SSH public key

None
o_ipauserauthtype

Types of supported user authentication

None
o_userclass

User category (semantics placed on this attribute are for local interpretation)

None
o_ipatokenradiusconfiglink

RADIUS proxy configuration

None
o_ipatokenradiususername

RADIUS proxy username

None
o_ipaidpconfiglink

External IdP configuration

None
o_ipaidpsub

A string that identifies the user at external IdP

None
o_departmentnumber

Department Number

None
o_employeenumber

Employee Number

None
o_employeetype

Employee Type

None
o_preferredlanguage

Preferred Language

None
o_usercertificate

Base-64 encoded user certificate

None
o_nsaccountlock

Account disabled

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_noprivate

Don't create user private group

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

user_add_cert(a_uid, o_usercertificate, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add one or more certificates to the user entry

Parameters:

Name Type Description Default
a_uid

User login

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_usercertificate

Base-64 encoded user certificate

required

user_add_certmapdata(a_uid, a_ipacertmapdata=None, o_issuer=None, o_subject=None, o_certificate=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add one or more certificate mappings to the user entry.

Parameters:

Name Type Description Default
a_uid

User login

required
a_ipacertmapdata

Certificate mapping data

None
o_issuer

Issuer of the certificate

None
o_subject

Subject of the certificate

None
o_certificate

Base-64 encoded user certificate

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

user_add_manager(a_uid, o_all=True, o_raw=False, o_no_members=False, o_user=None, **kwargs)

Add a manager to the user entry

Parameters:

Name Type Description Default
a_uid

User login

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_user

users to add

None

user_add_passkey(a_uid, a_ipapasskey, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add one or more passkey mappings to the user entry.

Parameters:

Name Type Description Default
a_uid

User login

required
a_ipapasskey

Passkey mapping

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

user_add_principal(a_uid, a_krbprincipalname, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add new principal alias to the user entry

Parameters:

Name Type Description Default
a_uid

User login

required
a_krbprincipalname

Principal alias

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

user_del(a_uid, o_continue=False, o_preserve=None, **kwargs)

Delete a user.

Parameters:

Name Type Description Default
a_uid

User login

required
o_continue

Continuous mode: Don't stop on errors.

False
o_preserve

None

user_disable(a_uid, **kwargs)

Disable a user account.

Parameters:

Name Type Description Default
a_uid

User login

required

user_enable(a_uid, **kwargs)

Enable a user account.

Parameters:

Name Type Description Default
a_uid

User login

required

user_find(a_criteria=None, o_uid=None, o_givenname=None, o_sn=None, o_cn=None, o_displayname=None, o_initials=None, o_homedirectory=None, o_gecos=None, o_loginshell=None, o_krbprincipalname=None, o_krbprincipalexpiration=None, o_krbpasswordexpiration=None, o_mail=None, o_userpassword=None, o_uidnumber=None, o_gidnumber=None, o_street=None, o_l=None, o_st=None, o_postalcode=None, o_telephonenumber=None, o_mobile=None, o_pager=None, o_facsimiletelephonenumber=None, o_ou=None, o_title=None, o_manager=None, o_carlicense=None, o_ipauserauthtype=None, o_userclass=None, o_ipatokenradiusconfiglink=None, o_ipatokenradiususername=None, o_ipaidpconfiglink=None, o_ipaidpsub=None, o_departmentnumber=None, o_employeenumber=None, o_employeetype=None, o_preferredlanguage=None, o_usercertificate=None, o_ipantlogonscript=None, o_ipantprofilepath=None, o_ipanthomedirectory=None, o_ipanthomedirectorydrive=None, o_nsaccountlock=None, o_preserved=None, o_timelimit=None, o_sizelimit=None, o_whoami=False, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, o_in_group=None, o_not_in_group=None, o_in_netgroup=None, o_not_in_netgroup=None, o_in_role=None, o_not_in_role=None, o_in_hbacrule=None, o_not_in_hbacrule=None, o_in_sudorule=None, o_not_in_sudorule=None, o_in_subid=None, o_not_in_subid=None, **kwargs)

Search for users.

Parameters:

Name Type Description Default
a_criteria

A string searched in all relevant object attributes

None
o_uid

User login

None
o_givenname

First name

None
o_sn

Last name

None
o_cn

Full name

None
o_displayname

Display name

None
o_initials

Initials

None
o_homedirectory

Home directory

None
o_gecos

GECOS

None
o_loginshell

Login shell

None
o_krbprincipalname

Principal alias

None
o_krbprincipalexpiration

Kerberos principal expiration

None
o_krbpasswordexpiration

User password expiration

None
o_mail

Email address

None
o_userpassword

Prompt to set the user password

None
o_uidnumber

User ID Number (system will assign one if not provided)

None
o_gidnumber

Group ID Number

None
o_street

Street address

None
o_l

City

None
o_st

State/Province

None
o_postalcode

ZIP

None
o_telephonenumber

Telephone Number

None
o_mobile

Mobile Telephone Number

None
o_pager

Pager Number

None
o_facsimiletelephonenumber

Fax Number

None
o_ou

Org. Unit

None
o_title

Job Title

None
o_manager

Manager

None
o_carlicense

Car License

None
o_ipauserauthtype

Types of supported user authentication

None
o_userclass

User category (semantics placed on this attribute are for local interpretation)

None
o_ipatokenradiusconfiglink

RADIUS proxy configuration

None
o_ipatokenradiususername

RADIUS proxy username

None
o_ipaidpconfiglink

External IdP configuration

None
o_ipaidpsub

A string that identifies the user at external IdP

None
o_departmentnumber

Department Number

None
o_employeenumber

Employee Number

None
o_employeetype

Employee Type

None
o_preferredlanguage

Preferred Language

None
o_usercertificate

Base-64 encoded user certificate

None
o_ipantlogonscript

SMB logon script path

None
o_ipantprofilepath

SMB profile path

None
o_ipanthomedirectory

SMB Home Directory

None
o_ipanthomedirectorydrive

SMB Home Directory Drive

None
o_nsaccountlock

Account disabled

None
o_preserved

Preserved user

None
o_timelimit

Time limit of search in seconds (0 is unlimited)

None
o_sizelimit

Maximum number of entries returned (0 is unlimited)

None
o_whoami

Display user record for current Kerberos principal

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

True
o_pkey_only

Results should contain primary key attribute only ("login")

False
o_in_group

Search for users that are members of these groups.

None
o_not_in_group

Search for users that are not members of these groups.

None
o_in_netgroup

Search for users that are members of these netgroups.

None
o_not_in_netgroup

Search for users that are not members of these netgroups.

None
o_in_role

Search for users that are members of these roles.

None
o_not_in_role

Search for users that are not members of these roles.

None
o_in_hbacrule

Search for users that are members of these HBAC rules.

None
o_not_in_hbacrule

Search for users that are not members of these HBAC rules.

None
o_in_sudorule

Search for users that are members of these sudo rules.

None
o_not_in_sudorule

Search for users that are not members of these sudo rules.

None
o_in_subid

Search for users that are members of these subordinate IDs.

None
o_not_in_subid

Search for users that are not members of these subordinate IDs.

None

user_mod(a_uid, o_givenname=None, o_sn=None, o_cn=None, o_displayname=None, o_initials=None, o_homedirectory=None, o_gecos=None, o_loginshell=None, o_krbprincipalname=None, o_krbprincipalexpiration=None, o_krbpasswordexpiration=None, o_mail=None, o_userpassword=None, o_random=False, o_uidnumber=None, o_gidnumber=None, o_street=None, o_l=None, o_st=None, o_postalcode=None, o_telephonenumber=None, o_mobile=None, o_pager=None, o_facsimiletelephonenumber=None, o_ou=None, o_title=None, o_manager=None, o_carlicense=None, o_ipasshpubkey=None, o_ipauserauthtype=None, o_userclass=None, o_ipatokenradiusconfiglink=None, o_ipatokenradiususername=None, o_ipaidpconfiglink=None, o_ipaidpsub=None, o_departmentnumber=None, o_employeenumber=None, o_employeetype=None, o_preferredlanguage=None, o_usercertificate=None, o_ipantlogonscript=None, o_ipantprofilepath=None, o_ipanthomedirectory=None, o_ipanthomedirectorydrive=None, o_nsaccountlock=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_all=True, o_raw=False, o_no_members=False, o_rename=None, **kwargs)

Modify a user.

Parameters:

Name Type Description Default
a_uid

User login

required
o_givenname

First name

None
o_sn

Last name

None
o_cn

Full name

None
o_displayname

Display name

None
o_initials

Initials

None
o_homedirectory

Home directory

None
o_gecos

GECOS

None
o_loginshell

Login shell

None
o_krbprincipalname

Principal alias

None
o_krbprincipalexpiration

Kerberos principal expiration

None
o_krbpasswordexpiration

User password expiration

None
o_mail

Email address

None
o_userpassword

Prompt to set the user password

None
o_random

Generate a random user password

False
o_uidnumber

User ID Number (system will assign one if not provided)

None
o_gidnumber

Group ID Number

None
o_street

Street address

None
o_l

City

None
o_st

State/Province

None
o_postalcode

ZIP

None
o_telephonenumber

Telephone Number

None
o_mobile

Mobile Telephone Number

None
o_pager

Pager Number

None
o_facsimiletelephonenumber

Fax Number

None
o_ou

Org. Unit

None
o_title

Job Title

None
o_manager

Manager

None
o_carlicense

Car License

None
o_ipasshpubkey

SSH public key

None
o_ipauserauthtype

Types of supported user authentication

None
o_userclass

User category (semantics placed on this attribute are for local interpretation)

None
o_ipatokenradiusconfiglink

RADIUS proxy configuration

None
o_ipatokenradiususername

RADIUS proxy username

None
o_ipaidpconfiglink

External IdP configuration

None
o_ipaidpsub

A string that identifies the user at external IdP

None
o_departmentnumber

Department Number

None
o_employeenumber

Employee Number

None
o_employeetype

Employee Type

None
o_preferredlanguage

Preferred Language

None
o_usercertificate

Base-64 encoded user certificate

None
o_ipantlogonscript

SMB logon script path

None
o_ipantprofilepath

SMB profile path

None
o_ipanthomedirectory

SMB Home Directory

None
o_ipanthomedirectorydrive

SMB Home Directory Drive

None
o_nsaccountlock

Account disabled

None
o_setattr

Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present.

None
o_addattr

Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

None
o_delattr

Delete an attribute/value pair. The option will be evaluated last, after all sets and adds.

None
o_rights

Display the access rights of this entry (requires --all). See ipa man page for details.

False
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_rename

Rename the user object

None

user_remove_cert(a_uid, o_usercertificate, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Remove one or more certificates from the user entry

Parameters:

Name Type Description Default
a_uid

User login

required
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False
o_usercertificate

Base-64 encoded user certificate

required

user_remove_certmapdata(a_uid, a_ipacertmapdata=None, o_issuer=None, o_subject=None, o_certificate=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Remove one or more certificate mappings from the user entry.

Parameters:

Name Type Description Default
a_uid

User login

required
a_ipacertmapdata

Certificate mapping data

None
o_issuer

Issuer of the certificate

None
o_subject

Subject of the certificate

None
o_certificate

Base-64 encoded user certificate

None
o_all

Retrieve and print all attributes from the server. Affects command output.

True
o_raw

Print entries as stored on the server. Only affects output format.

False
o_no_members

Suppress processing of membership attributes.

False

user_remove_manager(a_uid, o_all=True, o_raw=False, o_no_members=False, o_user=None, **kwargs)

Remove a manager from the user entry

Parameters:

Name | Description | Default
a_uid | User login | required
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False
o_no_members | Suppress processing of membership attributes. | False
o_user | users to remove | None

user_remove_passkey(a_uid, a_ipapasskey, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Remove one or more passkey mappings from the user entry.

Parameters:

Name | Description | Default
a_uid | User login | required
a_ipapasskey | Passkey mapping | required
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False
o_no_members | Suppress processing of membership attributes. | False

user_remove_principal(a_uid, a_krbprincipalname, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Remove principal alias from the user entry

Parameters:

Name | Description | Default
a_uid | User login | required
a_krbprincipalname | Principal alias | required
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False
o_no_members | Suppress processing of membership attributes. | False

user_show(a_uid, o_rights=False, o_out=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about a user.

Parameters:

Name | Description | Default
a_uid | User login | required
o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False
o_out | file to store certificate in | None
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False
o_no_members | Suppress processing of membership attributes. | False

user_stage(a_uid, o_continue=False, **kwargs)

Move deleted user into staged area

Parameters:

Name | Description | Default
a_uid | User login | required
o_continue | Continuous mode: Don't stop on errors. | False

user_status(a_useruid, o_all=True, o_raw=False, **kwargs)

Lockout status of a user account

An account may become locked if the password is entered incorrectly too many times within a specific time period as controlled by password policy. A locked account is a temporary condition and may be unlocked by an administrator.

This connects to each IPA master and displays the lockout status on each one.

To determine whether an account is locked on a given server you need to compare the number of failed logins and the time of the last failure. For an account to be locked it must exceed the maxfail failures within the failinterval duration as specified in the password policy associated with the user.

The failed login counter is modified only when a user attempts a log in so it is possible that an account may appear locked but the last failed login attempt is older than the lockouttime of the password policy. This means that the user may attempt a login again.

Parameters:

Name | Description | Default
a_useruid | User login | required
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False
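The lockout rule spelled out above (reached maxfail, last failure still inside failinterval, lockouttime not yet elapsed, counter only updated on a login attempt) is easy to get wrong by hand when several masters report different counters. The following is an added example, not python-freeipa's own code, that applies that rule to each per-master entry of a user_status result. It assumes (not stated on this page) that each entry carries the attributes server, krbloginfailedcount, krblastfailedauth and now, that the user's password policy carries krbpwdmaxfailure, krbpwdfailurecountinterval and krbpwdlockoutduration in seconds, and that IPA returns these as single-element lists of LDAP generalized-time or numeric strings; the sample data is constructed.

```python
"""Added example (not python-freeipa's own code): evaluate the user_status
lockout rule against the per-master entries it returns.

Assumed attribute names (FreeIPA LDAP schema, not taken from this page):
status entries: server, krbloginfailedcount, krblastfailedauth, now
password policy: krbpwdmaxfailure, krbpwdfailurecountinterval,
                 krbpwdlockoutduration (all in seconds)
"""
from datetime import datetime, timedelta, timezone

LDAP_TIME = "%Y%m%d%H%M%SZ"   # LDAP generalized time, e.g. 20240301120000Z


def _first(value):
    """IPA returns most attributes as single-element lists; unwrap them."""
    if isinstance(value, (list, tuple)):
        return value[0] if value else None
    return value


def _parse_time(value):
    return datetime.strptime(value, LDAP_TIME).replace(tzinfo=timezone.utc)


def is_locked(entry, policy):
    """Apply the documented rule to one master's status entry.

    Locked means the failure counter has reached maxfail and the last failure
    is recent enough that neither the failure-count interval nor the lockout
    duration has elapsed. The counter only changes on a login attempt, so a
    stale count from long ago no longer locks the user out.
    """
    failures = int(_first(entry.get("krbloginfailedcount")) or 0)
    maxfail = int(_first(policy.get("krbpwdmaxfailure")) or 0)
    # Assumption: maxfail 0 disables lockout, and reaching maxfail counts as
    # locked (the docstring's "exceed" is read as >=).
    if maxfail == 0 or failures < maxfail:
        return False
    last_failed = _first(entry.get("krblastfailedauth"))
    if not last_failed:
        return False
    elapsed = _parse_time(_first(entry["now"])) - _parse_time(last_failed)
    failinterval = timedelta(seconds=int(_first(policy.get("krbpwdfailurecountinterval")) or 0))
    lockouttime = timedelta(seconds=int(_first(policy.get("krbpwdlockoutduration")) or 0))
    # Assumption: a zero interval or zero lockout duration means the window
    # never expires, so only non-zero windows can release the lock here.
    if failinterval and elapsed >= failinterval:
        return False   # counter would be reset on the next attempt
    if lockouttime and elapsed >= lockouttime:
        return False   # lockout period already served
    return True


def lockout_report(status_result, policy):
    """Map each master named in a user_status result to True (locked) or False."""
    return {_first(entry["server"]): is_locked(entry, policy)
            for entry in status_result["result"]}


# Constructed sample shaped like client.user_status(uid) and pwpolicy_show output.
SAMPLE_STATUS = {
    "result": [
        {"server": ["ipa1.example.test"], "krbloginfailedcount": ["5"],
         "krblastfailedauth": ["20240301120000Z"], "now": ["20240301120100Z"]},
        {"server": ["ipa2.example.test"], "krbloginfailedcount": ["1"],
         "krblastfailedauth": ["20240301115900Z"], "now": ["20240301120100Z"]},
        {"server": ["ipa3.example.test"], "krbloginfailedcount": ["6"],
         "krblastfailedauth": ["20240301100000Z"], "now": ["20240301120100Z"]},
    ]
}
SAMPLE_POLICY = {"krbpwdmaxfailure": ["5"],
                 "krbpwdfailurecountinterval": ["300"],
                 "krbpwdlockoutduration": ["600"]}

if __name__ == "__main__":
    for server, locked in lockout_report(SAMPLE_STATUS, SAMPLE_POLICY).items():
        print(f"{server}: {'LOCKED' if locked else 'ok'}")
```

In the sample, ipa1 reports five failures one minute ago and is locked, ipa2 never reached maxfail, and ipa3 holds a stale counter from two hours earlier that no longer blocks the user. Against a live server the status dict comes from client.user_status(uid) and the policy from client.pwpolicy_show(); where a user is locked on every master and cannot wait out the lockout time, an administrator clears it with user_unlock, documented below.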

user_undel(a_uid, **kwargs)

Undelete a deleted user account.

Parameters:

Name | Description | Default
a_uid | User login | required

user_unlock(a_uid, **kwargs)

Unlock a user account

An account may become locked if the password is entered incorrectly too many times within a specific time period as controlled by password policy. A locked account is a temporary condition and may be unlocked by an administrator.

Parameters:

Name | Description | Default
a_uid | User login | required

vault_add_internal(a_cn, o_description=None, o_ipavaulttype='symmetric', o_ipavaultsalt=None, o_ipavaultpublickey=None, o_setattr=None, o_addattr=None, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Add a vault.

Parameters:

Name | Description | Default
a_cn | Vault name | required
o_description | Vault description | None
o_ipavaulttype | Vault type | 'symmetric'
o_ipavaultsalt | Vault salt | None
o_ipavaultpublickey | Vault public key | None
o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None
o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None
o_service | Service name of the service vault | None
o_shared | Shared vault | False
o_username | Username of the user vault | None
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False
o_no_members | Suppress processing of membership attributes. | False

vault_add_member(a_cn, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_services=None, **kwargs)

Add members to a vault.

Parameters:

Name | Description | Default
a_cn | Vault name | required
o_service | Service name of the service vault | None
o_shared | Shared vault | False
o_username | Username of the user vault | None
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False
o_no_members | Suppress processing of membership attributes. | False
o_user | users to add | None
o_group | groups to add | None
o_services | services to add | None

vault_add_owner(a_cn, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_services=None, **kwargs)

Add owners to a vault.

Parameters:

Name | Description | Default
a_cn | Vault name | required
o_service | Service name of the service vault | None
o_shared | Shared vault | False
o_username | Username of the user vault | None
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False
o_no_members | Suppress processing of membership attributes. | False
o_user | users to add | None
o_group | groups to add | None
o_services | services to add | None

vault_archive_internal(a_cn, o_session_key, o_vault_data, o_nonce, o_service=None, o_shared=False, o_username=None, o_wrapping_algo='des-ede3-cbc', o_all=True, o_raw=False, **kwargs)

Archive data into a vault.

Parameters:

Name | Description | Default
a_cn | Vault name | required
o_service | Service name of the service vault | None
o_shared | Shared vault | False
o_username | Username of the user vault | None
o_session_key | Session key wrapped with transport certificate | required
o_vault_data | Vault data encrypted with session key | required
o_nonce | Nonce | required
o_wrapping_algo | Key wrapping algorithm | 'des-ede3-cbc'
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False

vault_del(a_cn, o_continue=False, o_service=None, o_shared=False, o_username=None, **kwargs)

Delete a vault.

Parameters:

Name | Description | Default
a_cn | Vault name | required
o_continue | Continuous mode: Don't stop on errors. | False
o_service | Service name of the service vault | None
o_shared | Shared vault | False
o_username | Username of the user vault | None

vault_find(a_criteria=None, o_cn=None, o_description=None, o_ipavaulttype=None, o_timelimit=None, o_sizelimit=None, o_service=None, o_shared=False, o_username=None, o_services=False, o_users=False, o_all=True, o_raw=False, o_no_members=True, o_pkey_only=False, **kwargs)

Search for vaults.

Parameters:

Name | Description | Default
a_criteria | A string searched in all relevant object attributes | None
o_cn | Vault name | None
o_description | Vault description | None
o_ipavaulttype | Vault type | None
o_timelimit | Time limit of search in seconds (0 is unlimited) | None
o_sizelimit | Maximum number of entries returned (0 is unlimited) | None
o_service | Service name of the service vault | None
o_shared | Shared vault | False
o_username | Username of the user vault | None
o_services | List all service vaults | False
o_users | List all user vaults | False
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False
o_no_members | Suppress processing of membership attributes. | True
o_pkey_only | Results should contain primary key attribute only ("name") | False

vault_mod_internal(a_cn, o_description=None, o_ipavaulttype=None, o_ipavaultsalt=None, o_ipavaultpublickey=None, o_setattr=None, o_addattr=None, o_delattr=None, o_rights=False, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Modify a vault.

Parameters:

Name | Description | Default
a_cn | Vault name | required
o_description | Vault description | None
o_ipavaulttype | Vault type | None
o_ipavaultsalt | Vault salt | None
o_ipavaultpublickey | Vault public key | None
o_setattr | Set an attribute to a name/value pair. Format is attr=value. For multi-valued attributes, the command replaces the values already present. | None
o_addattr | Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema. | None
o_delattr | Delete an attribute/value pair. The option will be evaluated last, after all sets and adds. | None
o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False
o_service | Service name of the service vault | None
o_shared | Shared vault | False
o_username | Username of the user vault | None
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False
o_no_members | Suppress processing of membership attributes. | False

vault_remove_member(a_cn, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_services=None, **kwargs)

Remove members from a vault.

Parameters:

Name | Description | Default
a_cn | Vault name | required
o_service | Service name of the service vault | None
o_shared | Shared vault | False
o_username | Username of the user vault | None
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False
o_no_members | Suppress processing of membership attributes. | False
o_user | users to remove | None
o_group | groups to remove | None
o_services | services to remove | None

vault_remove_owner(a_cn, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_services=None, **kwargs)

Remove owners from a vault.

Parameters:

Name | Description | Default
a_cn | Vault name | required
o_service | Service name of the service vault | None
o_shared | Shared vault | False
o_username | Username of the user vault | None
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False
o_no_members | Suppress processing of membership attributes. | False
o_user | users to remove | None
o_group | groups to remove | None
o_services | services to remove | None

vault_retrieve_internal(a_cn, o_session_key, o_service=None, o_shared=False, o_username=None, o_wrapping_algo='des-ede3-cbc', o_all=True, o_raw=False, **kwargs)

Retrieve data from a vault.

Parameters:

Name | Description | Default
a_cn | Vault name | required
o_service | Service name of the service vault | None
o_shared | Shared vault | False
o_username | Username of the user vault | None
o_session_key | Session key wrapped with transport certificate | required
o_wrapping_algo | Key wrapping algorithm | 'des-ede3-cbc'
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False

vault_show(a_cn, o_rights=False, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about a vault.

Parameters:

Name | Description | Default
a_cn | Vault name | required
o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False
o_service | Service name of the service vault | None
o_shared | Shared vault | False
o_username | Username of the user vault | None
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False
o_no_members | Suppress processing of membership attributes. | False

vaultconfig_show(o_transport_out=None, o_all=True, o_raw=False, **kwargs)

Show vault configuration.

Parameters:

Name | Description | Default
o_transport_out | Output file to store the transport certificate | None
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False

vaultcontainer_add_owner(o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_services=None, **kwargs)

Add owners to a vault container.

Parameters:

Name | Description | Default
o_service | Service name of the service vault | None
o_shared | Shared vault | False
o_username | Username of the user vault | None
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False
o_no_members | Suppress processing of membership attributes. | False
o_user | users to add | None
o_group | groups to add | None
o_services | services to add | None

vaultcontainer_del(o_continue=False, o_service=None, o_shared=False, o_username=None, **kwargs)

Delete a vault container.

Parameters:

Name | Description | Default
o_continue | Continuous mode: Don't stop on errors. | False
o_service | Service name of the service vault | None
o_shared | Shared vault | False
o_username | Username of the user vault | None

vaultcontainer_remove_owner(o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False, o_user=None, o_group=None, o_services=None, **kwargs)

Remove owners from a vault container.

Parameters:

Name | Description | Default
o_service | Service name of the service vault | None
o_shared | Shared vault | False
o_username | Username of the user vault | None
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False
o_no_members | Suppress processing of membership attributes. | False
o_user | users to remove | None
o_group | groups to remove | None
o_services | services to remove | None

vaultcontainer_show(o_rights=False, o_service=None, o_shared=False, o_username=None, o_all=True, o_raw=False, o_no_members=False, **kwargs)

Display information about a vault container.

Parameters:

Name | Description | Default
o_rights | Display the access rights of this entry (requires --all). See ipa man page for details. | False
o_service | Service name of the service vault | None
o_shared | Shared vault | False
o_username | Username of the user vault | None
o_all | Retrieve and print all attributes from the server. Affects command output. | True
o_raw | Print entries as stored on the server. Only affects output format. | False
o_no_members | Suppress processing of membership attributes. | False

whoami(**kwargs)

Describe currently authenticated identity.

Exceptions module

Exceptions module for FreeIPA client.

AlreadyActive

Bases: BadRequest

Raised when an entry is made active that is already active.

AlreadyInactive

Bases: BadRequest

Raised when an entry is made inactive that is already inactive.

BadRequest

Bases: FreeIPAError

General purpose exception class.

Denied

Bases: Unauthorized

Raised on ACI authorization error.

DuplicateEntry

Bases: BadRequest

Raised when an entry already exists.

FreeIPAError

Bases: Exception

Base exception class for FreeIPA client.

__init__(message=None, code=None)

Initialize exception class with optional message and code.

__str__()

Serialize exception to string using its message.

InvalidSessionPassword

Bases: Unauthorized

Raised when IPA cannot obtain a TGT for a principal.

KrbPrincipalExpired

Bases: Unauthorized

Raised when Kerberos Principal is expired.

NotFound

Bases: BadRequest

Raised when an entry is not found.

PWChangeInvalidPassword

Bases: FreeIPAError

Raised when the current password is not correct while trying to change passwords.

PWChangePolicyError

Bases: FreeIPAError

Raised when changing a password but the new password doesn't fit the password policy.

PasswordExpired

Bases: Unauthorized

Raised when logging in with an expired password.

Unauthorized

Bases: BadRequest

Raised when invalid credentials are provided.

UnknownOption

Bases: BadRequest

Raised when a command is called with unknown options.

UserLocked

Bases: Unauthorized

Raised when a user account is locked.

ValidationError

Bases: BadRequest

Raised when a parameter value fails a validation rule.

parse_error(error)

Convert error object to FreeIPA exception class.

parse_group_management_error(data)

Convert group management error object to FreeIPA exception class.

parse_hostgroup_management_error(data)

Convert host group management error object to FreeIPA exception class.
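The hierarchy documented in this module matters for except-clause ordering: Unauthorized, and with it Denied, UserLocked, PasswordExpired and the other credential errors, derives from BadRequest, so a generic `except BadRequest` placed first silently absorbs authorization failures that should stop a job rather than be retried. The following is an added example, not python-freeipa's own code. The stand-in classes reproduce only the names and bases listed above so the file runs without the package installed; with python-freeipa installed they would be imported from python_freeipa.exceptions instead, and the raising() helper is a constructed substitute for a real client call.

```python
"""Added example (not python-freeipa's own code): classify client-call
outcomes by the documented exception hierarchy, most specific clause first.

The classes below are stand-ins that mirror the documented names and bases;
replace them with `from python_freeipa.exceptions import ...` in real code.
"""


class FreeIPAError(Exception):
    """Base class; mirrors the documented __init__(message=None, code=None)."""

    def __init__(self, message=None, code=None):
        super().__init__(message)
        self.message = message
        self.code = code

    def __str__(self):
        return str(self.message)


class BadRequest(FreeIPAError):
    pass


class Unauthorized(BadRequest):
    pass


class Denied(Unauthorized):
    pass


class UserLocked(Unauthorized):
    pass


class PasswordExpired(Unauthorized):
    pass


class NotFound(BadRequest):
    pass


class DuplicateEntry(BadRequest):
    pass


def outcome(call):
    """Run an IPA client call and map its result to a handling decision."""
    try:
        call()
    except DuplicateEntry:
        return "exists"        # idempotent add: already provisioned, carry on
    except UserLocked:
        return "locked"        # do not retry; an admin must run user_unlock
    except Unauthorized:
        return "auth"          # Denied, PasswordExpired, ...: fix credentials or ACI first
    except NotFound:
        return "missing"
    except BadRequest:
        return "bad-request"   # everything else the server rejected
    return "ok"


def outcome_wrong_order(call):
    """The pitfall: the base class listed first shadows its subclasses."""
    try:
        call()
    except BadRequest:
        return "bad-request"   # also matches every Unauthorized subclass
    except Unauthorized:       # unreachable: Unauthorized is a BadRequest
        return "auth"
    return "ok"


def raising(exc):
    """Constructed stand-in for a client call that fails with exc."""
    def call():
        raise exc
    return call


if __name__ == "__main__":
    failure = raising(Denied("Insufficient access", code=2100))
    print("ordered:", outcome(failure))              # auth
    print("wrong order:", outcome_wrong_order(failure))  # bad-request
```

The value of the ordering shows in the last two lines: the same Denied error is routed to credential handling by outcome() but lumped in with ordinary request errors by outcome_wrong_order(), where the `except Unauthorized` clause can never run. The code value 2100 in the demo is a constructed placeholder, not a documented FreeIPA error code.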