LinuxCommandLibrary

ipa

Manage FreeIPA identity system

SYNOPSIS

ipa [global-options] subcommand [subcommand-options] [arguments]

PARAMETERS

-h, --help
    Show help message and exit

--version
    Show program's version number and exit

-e KEY=VAL
    Set environment variable KEY to VAL for this invocation (for example -e xmlrpc_uri=https://ipa.example.com/ipa/xml or -e in_server=False)

-c FILE
    Load configuration from FILE instead of /etc/ipa/default.conf

-d, --debug
    Produce full debug output (equivalent to -vvvv)

--delegate
    Enable delegation of the caller's Kerberos credentials to the server

-v, --verbose
    Produce verbose output (may be given multiple times)

-a, --prompt-all
    Prompt interactively for every option that was not supplied

-n, --no-prompt
    Do not prompt for any option (non-interactive mode for scripts)

-f, --no-fallback
    Do not fall back to other IPA servers if the configured server is unreachable

There is no global password, keytab, bind DN or server option: authentication is always the Kerberos credential in the caller's ticket cache (see DESCRIPTION). Individual object commands add their own options; the ones seen most often are --all and --raw on *-show and *-find (return every attribute, and print attribute names as stored instead of the formatted labels) and --password on user-add and user-mod, which prompts for the password rather than taking it on the command line.

DESCRIPTION

The ipa command is the command-line interface for managing FreeIPA (Identity, Policy, Audit), an open-source integrated identity management solution. FreeIPA centralizes authentication (Kerberos), identity (users, groups, hosts, services), authorization (HBAC and sudo rules), host-based policy, DNS and an integrated CA for Linux/UNIX environments.

Commands are named object-verb, for example ipa user-add, ipa host-find, ipa dnsrecord-add and ipa cert-request, and perform create, read, update and delete operations on directory entries. Authentication is Kerberos: the command uses the ticket in the caller's credential cache, obtained with kinit for a person or kinit -kt with a keytab for a host or service principal, and sends each command as JSON-RPC over HTTPS to the IPA server (XML-RPC is the older transport and is still accepted). When run on an IPA server with in_server=True in default.conf the command bypasses RPC and operates on the local LDAP directory directly.

Output is formatted for people, not programs. For scripting, use --raw and --all on *-show and *-find to get stable attribute names, or call the JSON-RPC API directly. Detailed help is available with ipa help topics, ipa help commands and ipa <cmd> --help. Several servers can be used: the client discovers them through DNS SRV records or the server list in default.conf and falls back to the next one unless -f is given.

The client must be enrolled (ipa-client-install) or at least have a default.conf pointing at a server, plus a valid ticket. Most add and mod commands are not idempotent: user-add on an existing user fails with DuplicateEntry rather than silently succeeding, and there is no dry-run option, so scripts must check with *-show first or handle the error.
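What the CLI puts on the wire, as an added example that is not FreeIPA project code: the JSON-RPC body that ipa user-add jdoe --first=John --last=Doe produces, the headers the endpoint requires (including the Referer header the server uses as its CSRF check), and a reply parser that turns the server's error object into an exception. The ensure_user wrapper shows the non-idempotent add handled by treating DuplicateEntry as "already present". The API version string, the two sample replies and the fake_server transport are constructed for the example; the endpoint paths, Referer requirement, method naming and reply layout are FreeIPA's.

```python
import json

# Added example (not FreeIPA project code). API_VERSION is an assumption;
# the real CLI sends the API version its ipalib was built with.
API_VERSION = "2.251"


class IPAError(Exception):
    """Server returned an error object instead of a result."""

    def __init__(self, code, name, message):
        super().__init__(f"{name} ({code}): {message}")
        self.code, self.name, self.message = code, name, message


def rpc_headers(server):
    """Headers for POSTs to https://<server>/ipa/json (Kerberos negotiate)
    or /ipa/session/json (session cookie).

    The server rejects any request whose Referer is not an https URL under
    its own /ipa path before dispatching a command; that is FreeIPA's CSRF
    defence, so a scripted client has to send it explicitly.
    """
    return {
        "Referer": f"https://{server}/ipa",
        "Content-Type": "application/json",
        "Accept": "application/json",
    }


def build_request(method, args=(), options=None, request_id=0):
    """JSON-RPC body for one ipa command.

    `ipa user-add jdoe --first=John --last=Doe` becomes method "user_add/1"
    (underscore plus the command version), positional args ["jdoe"], and
    options keyed by LDAP attribute name (first -> givenname, last -> sn).
    The API version travels inside the options dict.
    """
    opts = dict(options or {})
    opts["version"] = API_VERSION
    return {"method": method, "params": [list(args), opts], "id": request_id}


def parse_response(body):
    """Return the inner result of a reply, or raise IPAError.

    Success: {"result": {...}, "error": null, "id": 0, "principal": ..., "version": ...}
    Failure: {"result": null, "error": {"code": N, "name": "...", "message": "..."}, ...}
    """
    reply = json.loads(body)
    err = reply.get("error")
    if err is not None:
        raise IPAError(err.get("code"), err.get("name"), err.get("message"))
    return reply["result"]


def ensure_user(send, uid, first, last):
    """Idempotent add: returns True if created, False if it already existed.

    `send` is any callable taking a request dict and returning the reply
    text; in real use it would be a Kerberos-authenticated HTTPS POST that
    sends rpc_headers(). Any error other than DuplicateEntry is re-raised.
    """
    req = build_request("user_add/1", [uid], {"givenname": first, "sn": last})
    try:
        parse_response(send(req))
        return True
    except IPAError as e:
        if e.name == "DuplicateEntry":
            return False
        raise


# Constructed sample replies (not captured from a real server).
SAMPLE_OK = json.dumps({
    "result": {"result": {"uid": ["jdoe"], "givenname": ["John"], "sn": ["Doe"]},
               "value": "jdoe", "summary": 'Added user "jdoe"'},
    "error": None, "id": 0, "principal": "admin@EXAMPLE.COM", "version": "4.9.0",
})
SAMPLE_DUP = json.dumps({
    "result": None,
    "error": {"code": 4002, "name": "DuplicateEntry",
              "message": 'user with name "jdoe" already exists', "data": {}},
    "id": 0, "principal": "admin@EXAMPLE.COM", "version": "4.9.0",
})


def fake_server():
    """Stand-in transport: the first user_add for a uid succeeds, later ones collide."""
    seen = set()

    def send(req):
        uid = req["params"][0][0]
        if req["method"] == "user_add/1" and uid not in seen:
            seen.add(uid)
            return SAMPLE_OK
        return SAMPLE_DUP
    return send


if __name__ == "__main__":
    send = fake_server()
    print(json.dumps(build_request("user_add/1", ["jdoe"], {"givenname": "John", "sn": "Doe"})))
    print(ensure_user(send, "jdoe", "John", "Doe"))  # True
    print(ensure_user(send, "jdoe", "John", "Doe"))  # False
```

To run it against a real server, replace fake_server with a function that POSTs the JSON body to https://<server>/ipa/json with a Kerberos-negotiated session and the headers from rpc_headers(); the server's CA certificate (/etc/ipa/ca.crt on an enrolled client) must be used for TLS verification.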

CAVEATS

A valid Kerberos ticket is required; without one the command fails with a Kerberos error instead of prompting. Commands run as the calling principal, so administrative subcommands need a principal that holds the matching role or permission (admin, or a custom RBAC role). Do not put passwords in scripts: there is no global --password option, and ipa user-add --password only prompts interactively. For automation, kinit -kt with a keytab for a dedicated service principal that has only the permissions the job needs, and destroy the ticket when done. Output is human-formatted text in every mode, not JSON; use --raw on *-show and *-find for stable attribute names, or call the JSON-RPC API directly.

CONFIGURATION

Client settings live in /etc/ipa/default.conf (written by ipa-client-install) and can be overridden per user in ~/.ipa/default.conf, or per invocation with -c FILE or -e KEY=VAL. Keys include domain, realm, server, basedn, xmlrpc_uri and, on a server, in_server.
Edit these files directly. ipa config-mod changes server-side global settings (default login shell, home directory base, search limits and the like), not the client configuration file.

HELP

ipa help topics lists the help topics, ipa help commands lists every command, ipa help user (or another topic name) describes one object's commands, and ipa user-add --help prints the options of a single command.

EXAMPLES

ipa user-add jdoe --first=John --last=Doe --shell=/bin/bash --password
ipa group-add engineers --desc='Engineering team'
ipa host-add server.example.com

HISTORY

Originated in the FreeIPA project (started in 2007, FreeIPA 1.0 released in 2008) by Red Hat engineers and shipped in RHEL as Identity Management (IdM). Built on 389 Directory Server, MIT Kerberos, the Dogtag CA and SSSD rather than evolved from them. The current CLI corresponds to FreeIPA 4.x; later 4.x releases added container images and ACME certificate issuance. Widely used in enterprises for IdM.

SEE ALSO

ipa-client-install(8), kinit(1), sssctl(8), realm(1), authselect(8), certmonger(8)
