ipa
Manage FreeIPA identity system
SYNOPSIS
ipa [global-options] COMMAND [command-options]
PARAMETERS
--version
Show program's version number and exit.
-h, --help
Show a help message for the ipa command or a specific subcommand and exit.
--debug
Enable verbose debug output, useful for troubleshooting.
--json
Output results in JSON format, suitable for scripting and programmatic access.
--server=SERVER
Connect to the specified FreeIPA server hostname or IP address instead of the default.
--principal=PRINCIPAL
Authenticate as a specific Kerberos principal, overriding the default client principal.
--in-session
Use an existing IPA session (if available) and do not create a new one. This implies that the user has already authenticated.
--no-session
Do not use or create an IPA session for this command execution.
--skip-version-check
Skip the client-server version compatibility check. Use with caution.
-e, --external
Use external authentication via GSSAPI, typically used by external services or tools.
--config=FILE
Use a specific configuration file instead of the default /etc/ipa/default.conf.
--profile=PROFILE
Use a specific profile for configuration from the configuration file.
DESCRIPTION
The ipa command is the primary command-line interface for managing a FreeIPA environment. FreeIPA is an integrated security information management solution for Linux/UNIX networked environments. It provides centralized authentication, authorization, and account information by combining 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag Certificate System, and SSSD.
The ipa command allows administrators to perform a wide range of tasks, including creating and managing users, hosts, services, groups, sudo rules, HBAC rules, DNS records, and certificates. It acts as a dispatcher, taking various subcommands (e.g., user-add, host-find, service-del) to interact with the FreeIPA server and manage the integrated services.
CAVEATS
The ipa command requires a functioning FreeIPA server infrastructure to be effective. Many commands require proper Kerberos authentication (a valid Kerberos ticket) for an administrative principal to execute successfully. The sheer number of subcommands and options can be daunting for new users, necessitating careful consultation of documentation or context-specific help.
SUBCOMMAND STRUCTURE
The ipa command doesn't perform actions directly but dispatches them to specific subcommands. These subcommands are organized logically by the object they manage, e.g., user, host, service, group, sudorule, hbacrule, cert, dns. Each subcommand then has its own set of actions like -add, -mod, -find, -show, -del, and specific options related to that action. For example, to add a user, one would use ipa user-add.
AUTHENTICATION REQUIREMENTS
For most administrative tasks, the ipa command relies on Kerberos for authentication. This means an administrator typically needs to obtain a Kerberos ticket-granting ticket (TGT) using the kinit command (e.g., kinit admin) before executing ipa commands. The command uses this TGT to authenticate to the FreeIPA server. If no valid ticket is present, the command may prompt for a password or fail with an authentication error.
CONFIGURATION FILES
The behavior of the ipa client can be influenced by configuration files, primarily /etc/ipa/default.conf. This file contains settings such as the default FreeIPA server to connect to, Kerberos realm, client certificate paths, and other client-specific parameters. These settings can often be overridden by command-line options.
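The following wrapper script is an added example and is not part of the FreeIPA project or of this manual page. It ties together the AUTHENTICATION REQUIREMENTS, SUBCOMMAND STRUCTURE and CONFIGURATION FILES sections: it reads the default server from the [global] section of /etc/ipa/default.conf (the key names, the IPA_CONF override variable and the sample values are assumptions), refuses to run when klist -s reports no valid Kerberos ticket instead of falling back to a password prompt, and then dispatches the requested subcommand with --json so the result can be consumed by other tooling.

```sh
#!/bin/sh
# Added example (not part of the ipa man page): read the client configuration,
# verify a Kerberos TGT exists, then dispatch an ipa subcommand with --json.
# Assumptions: default.conf keeps "key = value" lines under a [global] section,
# IPA_CONF may override the config path, and "admin" is only an example principal.

# Print the value of one key from the [global] section of an ipa client config.
# Exits non-zero (via "grep .") when the key is absent, so callers can test it.
ipa_conf_get() {
    conf="$1"; key="$2"
    # Keep only the [global] section, pull "key = value", trim trailing blanks.
    sed -n '/^\[global\]/,/^\[/p' "$conf" \
        | sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" \
        | head -n 1 \
        | sed 's/[[:space:]]*$//' \
        | grep .
}

# Return 0 only when the credential cache holds a valid, unexpired ticket.
# klist -s is the silent check mode of MIT Kerberos klist.
have_tgt() {
    command -v klist >/dev/null 2>&1 || return 1
    klist -s
}

# Compose the ipa command line (for logging or dry runs); does not execute it.
build_ipa_cmd() {
    server="$1"; shift
    printf 'ipa --json --server=%s %s\n' "$server" "$*"
}

# Dispatch: config lookup, ticket check, then the real ipa call with "$@"
# preserved so arguments containing spaces reach ipa unchanged.
run_ipa() {
    conf="${IPA_CONF:-/etc/ipa/default.conf}"
    server=$(ipa_conf_get "$conf" server) || {
        echo "run_ipa: no 'server' in [global] of $conf" >&2
        return 2
    }
    if ! have_tgt; then
        # Fail closed rather than letting ipa prompt for a password mid-script.
        echo "run_ipa: no valid Kerberos ticket; obtain one first (e.g. kinit admin)" >&2
        return 3
    fi
    echo "run_ipa: $(build_ipa_cmd "$server" "$@")" >&2
    ipa --json --server="$server" "$@"
}

# Usage: run_ipa user-show jdoe
#        IPA_CONF=/path/to/default.conf run_ipa host-find --raw
if [ $# -gt 0 ]; then
    run_ipa "$@"
fi
```

Because the ticket check runs before ipa is invoked, a cron job or CI step that lost its ticket fails with a clear exit status instead of hanging on a password prompt; restricting the config parser to the [global] section keeps a stray "server" line in another section from redirecting the client.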
HISTORY
The FreeIPA project was initiated around 2007-2008 by Red Hat as an open-source initiative to provide an integrated identity management solution on Linux. The ipa command-line tool has been a core component since its early days, evolving alongside the FreeIPA server to offer a consistent and comprehensive interface for administering the complex array of services it integrates, including 389 Directory Server, MIT Kerberos, and Dogtag Certificate System. Its development has focused on robustness, automation capabilities, and ease of use for administrators.
SEE ALSO
kinit(1), klist(1), ipa-client-install(1), authselect(8), sssd(8), ldapsearch(1)