From f3edd9be7d8d99f72a0c5d9dfbc9590f68f5c25b Mon Sep 17 00:00:00 2001 From: Gabe Date: Sat, 1 Mar 2014 16:09:51 -0700 Subject: [PATCH] [DOC] Document steps to restore deleted admin account Added to the existing note under 'Deleting Users'. Also added a line about ipa user-del and ipa group-remove-member not allowing the last admin user to be deleted by default. https://fedorahosted.org/freeipa/ticket/2746 --- src/user_guide/en-US/Users.xml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/user_guide/en-US/Users.xml b/src/user_guide/en-US/Users.xml index 9ab18ac4fce8e0f1f79546385244a299a8ee05ca..039871c509af346b3174a9f15a544fda6fa86d0f 100644 --- a/src/user_guide/en-US/Users.xml +++ b/src/user_guide/en-US/Users.xml @@ -449,10 +449,19 @@ UID: 387115841 NOTE - If all admin users are deleted, then you must use the Directory Manager account to create a new administrative user. + By default, the ipa user-del and ipa group-remove-member commands prevent the accidential deletion of the last admin user in the admins group. - Alternatively, any user who belongs in the group management role can also add a new admin user. + However if the admin user is deleted in some way, and no other administrative users exist in the admins group, you can use the Directory Manager account to create a new administrative user. Or, any user who belongs in the group management role can also create a new admin user: + + ldapmodify -x -D 'cn=directory manager' -W +dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com +changetype: modify +add: member +member: uid=youruser,cn=users,cn=accouns,dc=example,dc=com + + + Once you have added another user to the admins group, you can now choose whether you would like to re-create the admin account in FreeIPA or not.
With the Web UI -- 1.8.3.1
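Review bot: In the added ldapmodify example, the member line spells the container as cn=accouns while the dn line just above it uses cn=accounts, so anyone copying the LDIF would add a member DN that points under a different, misspelled container; it should read "member: uid=youruser,cn=users,cn=accounts,dc=example,dc=com". In the first added sentence, "accidential" should be "accidental", and "However if" needs a comma after "However". The sentence ending "any user who belongs in the group management role can also create a new admin user:" runs with a colon straight into a command that binds as 'cn=directory manager', so the example reads as if it illustrates the role-based alternative; moving the example directly after the Directory Manager sentence, or rewording the lead-in, would remove the ambiguity. The documented command also performs a simple bind (-x -D ... -W) as Directory Manager with no -ZZ or ldaps:// URI shown, so consider adding StartTLS to the invocation so the guide does not teach sending that password over an unprotected connection.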