I've noticed that some of my users (imported from OpenLDAP) don't have
personal user groups, but the new ones that I make within FreeIPA do.

Is there a way of marking the existing accounts such that they get user
groups made for them? I couldn't seem to see the groups that IPA is
making in the LDAP output so it must be creating them via some other means.

Is there some sort of 'ipa user create-private-group <userA>' command?

The only workaround I have is to make hundreds of fake private groups
by making normal user groups each with one user, which'll clutter the UI
up with pointless groups.

Yeah, there is a ticket open to allow UPG creation in migration but as you see, it isn't done yet.

There is no documented way to do it but it should be possible with ldapmodify. I forget the exact ordering but I'd probably do the group first, then the user. In theory you can convert a group to be managed by adding:

objectclass: mepmanagedentry
mepmanagedby: uid=<user>,cn=users,cn=accounts,$SUFFIX

And removing:

objectclass: groupofnames
objectclass: nestedgroup

You also need to update the user with:

objectclass: meporiginentry
mepmanagedentry: cn=<user>,cn=groups,cn=accounts,$SUFFIX

Just don't do this with any groups that have members.

Definitely worth experimenting on a non-production installation.
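
The conversion described in the reply above, as an added example that is not part of the original thread or FreeIPA's own tooling: a shell helper that emits the LDIF (group first, then user) and a check for groups that already have members. The function names and sample values are hypothetical; the DN layout and attribute names are the ones given in the reply, and the procedure remains undocumented.

```shell
#!/bin/sh
# Added example: builds the LDIF for the group/user conversion in the reply.
# DN layout and attribute names come from the post; function names and the
# sample suffix (dc=example,dc=test) are constructed for illustration.

# Exit 0 if the group entry read from stdin (as LDIF) has any member
# values. The reply warns not to convert groups that have members.
group_has_members() {
    grep -Eqi '^member:'
}

# Print two LDIF change records: the group first, then the user.
# $1 = uid, $2 = directory suffix
upg_ldif() {
    user=$1
    suffix=$2
    # Refuse empty names and characters that would need DN escaping.
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "unsafe uid: $user" >&2; return 1 ;;
    esac
    [ -n "$suffix" ] || { echo "missing suffix" >&2; return 1; }
    user_dn="uid=$user,cn=users,cn=accounts,$suffix"
    group_dn="cn=$user,cn=groups,cn=accounts,$suffix"
    cat <<EOF
dn: $group_dn
changetype: modify
add: objectclass
objectclass: mepmanagedentry
-
add: mepmanagedby
mepmanagedby: $user_dn
-
delete: objectclass
objectclass: groupofnames
objectclass: nestedgroup
-

dn: $user_dn
changetype: modify
add: objectclass
objectclass: meporiginentry
-
add: mepmanagedentry
mepmanagedentry: $group_dn
-
EOF
}
```

Run group_has_members on the group's exported entry first, and apply the generated LDIF with ldapmodify only on a test installation.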

