====== Web Authentication ======
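# # Transcript of a root shell: the leading "# " is the prompt, "# # ..." lines are notes.
# #
# # Permission: read access to the userPassword attribute (the stored password hash) of user entries.
# # With --type=user and no further target it covers every user; consider narrowing it
# # (for example with --memberof=<group>) and grant it only if the web service really needs the hash.
# ipa permission-add 'userPassword service read' --attrs=userPassword --type=user --right=read
# # Wrap the permission in a privilege, and the privilege in a role.
# ipa privilege-add 'Privilege web services' --desc='Privileges needed to allow web services to operate'
# ipa privilege-add-permission 'Privilege web services' --permissions='userPassword service read'
# ipa role-add 'Role web services' --desc="Web server role"
# ipa role-add-privilege --privileges="Privilege web services" 'Role web services'
# # Create the service account. --password prompts on the terminal, so the secret stays out of
# # shell history, the process list and this page. A password that was ever written into a
# # command line or a wiki page should be treated as exposed and rotated.
# ipa user-add webadm --first=Web --last=Administrator --title="Enroll web services" --password
# ipa user-mod webadm --user-auth-type=password
# # Set the expiration on its own, without a password reset in the same command: the user-show
# # output below reports krbPasswordExpiration equal to krbLastPwdChange, which suggests the
# # combined reset overrode the requested date (verify on your FreeIPA version).
# # A 2050 expiry on an account that can read password hashes means the credential is effectively
# # permanent; store it in a secrets manager and monitor binds by this account.
# ipa user-mod webadm --password-expiration="2050-01-01Z"
# ipa role-add-member 'Role web services' --users=webadm
# # Confirm role membership (memberof/memberofindirect) and krbPasswordExpiration.
# ipa user-show webadm --all --raw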
dn: uid=webadm,cn=users,cn=accounts,dc=juntotelecom,dc=com,dc=br
uid: webadm
givenname: Web
sn: Administrator
cn: Web Administrator
initials: WA
homedirectory: /home/webadm
gecos: Web Administrator
loginshell: /usr/bin/false
krbcanonicalname: webadm@JUNTOTELECOM.COM.BR
krbprincipalname: webadm@JUNTOTELECOM.COM.BR
mail: webadm@juntotelecom.com.br
uidnumber: 187600016
gidnumber: 187600016
title: Enroll web services
ipauserauthtype: password
nsaccountlock: FALSE
has_password: TRUE
has_keytab: TRUE
displayName: Web Administrator
ipaNTSecurityIdentifier: S-1-5-21-2731924211-1883941829-2112701219-1016
ipaUniqueID: 50081d8e-bb2f-11ec-97aa-000c29ad9330
krbExtraData: AAIX01Zicm9vdC9hZG1pbkBKVU5UT1RFTEVDT00uQ09NLkJSAA==
krbLastPwdChange: 20220413134143Z
krbPasswordExpiration: 20220413134143Z
memberof: cn=Role web services,cn=roles,cn=accounts,dc=juntotelecom,dc=com,dc=br
memberof: cn=ipausers,cn=groups,cn=accounts,dc=juntotelecom,dc=com,dc=br
memberofindirect: cn=Privilege web services,cn=privileges,cn=pbac,dc=juntotelecom,dc=com,dc=br
memberofindirect: cn=userPassword service read,cn=permissions,cn=pbac,dc=juntotelecom,dc=com,dc=br
mepManagedEntry: cn=webadm,cn=groups,cn=accounts,dc=juntotelecom,dc=com,dc=br
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
objectClass: ipauserauthtypeclass