Chapter 8. Using ID Views in Active Directory Environments
ID views enable you to specify new values for POSIX user or group attributes, as well as to define on which client host or hosts the new values will apply.
Integration systems other than Identity Management (IdM) sometimes generate UID and GID values with an algorithm different from the one used in IdM. By overriding the previously generated values so that they match the values used in IdM, a client that was a member of another integration system can be fully integrated with IdM without changing file ownership or existing permissions.
Note
This chapter only describes ID views functionality related to Active Directory (AD). For general information about ID views, see the Linux Domain Identity, Authentication, and Policy Guide.
You can use ID views in AD environments for the following purposes:
- Overriding AD user attributes, such as POSIX attributes or SSH login details. See Section 8.3, “Using ID Views to Define AD User Attributes” for details.
- Migrating from synchronization-based to trust-based integration.
- Performing a per-host group override of the IdM user attributes. See Section 8.4, “Migrating NIS Domains to IdM” for details.
8.1. Active Directory Default Trust View
8.1.1. What Is the Default Trust View
The Default Trust View is the default ID view that is always applied to AD users and groups in trust-based setups. It is created automatically when you establish the trust using the following command, and it cannot be deleted:
ipa-adtrust-install
Using the Default Trust View, you can define custom POSIX attributes for AD users and groups, thus overriding the values defined in AD.
Attribute | Values in AD | Default Trust View | Result
---|---|---|---
Login | ad_user | ad_user | ad_user
UID | 111 | 222 | 222
GID | 111 | (no value) | 111
Note
The Default Trust View only accepts overrides for AD users and groups, not for IdM users and groups. It is applied on IdM servers as well as on clients, so it only needs to provide overrides for Active Directory users and groups; an attempt to add an override for an IdM user or group to the Default Trust View is rejected.
8.1.2. Overriding the Default Trust View with Other ID Views
If another ID view applied to the host overrides the attribute values in the Default Trust View, IdM applies the values from the host-specific ID view on top of the Default Trust View.
- If an attribute is defined in the host-specific ID view, IdM applies the value from this view.
- If an attribute is not defined in the host-specific ID view, IdM applies the value from the Default Trust View.
The Default Trust View is always applied to IdM servers and replicas as well as to AD users and groups. You cannot assign a different ID view to them: they always apply the values from the Default Trust View.
Attribute | Values in AD | Default Trust View | Host-Specific View | Result
---|---|---|---|---
Login | ad_user | ad_user | (no value) | ad_user
UID | 111 | 222 | 333 | 333
GID | 111 | (no value) | 333 | 333
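The layering described in Section 8.1.1 and Section 8.1.2 is easier to check as code than to read off the tables. The following Python is an added example, not IdM or SSSD code: it models the precedence (values in AD, then the Default Trust View, then a host-specific ID view) and the two constraints from the text, namely that the Default Trust View accepts overrides only for AD principals and that IdM servers and replicas never apply a host-specific view. The view name nis_hosts_view, the realm ad.example.com, the attribute values, and the user-only scope are constructed for the example.

```python
# Added example (not IdM/SSSD code): a model of how IdM layers ID views when
# resolving a user's POSIX attributes. Precedence, lowest to highest: values in
# AD, Default Trust View, host-specific ID view. The view name "nis_hosts_view",
# the realm and all attribute values below are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, Optional

DEFAULT_TRUST_VIEW = "Default Trust View"  # created by ipa-adtrust-install, cannot be deleted
AD_REALM = "ad.example.com"                # constructed trusted AD domain
ATTRS = ("login", "uid", "gid")


@dataclass(frozen=True)
class Override:
    """One ID override; None means "(no value)", i.e. the attribute is not overridden."""
    login: Optional[str] = None
    uid: Optional[int] = None
    gid: Optional[int] = None


@dataclass
class IdView:
    name: str
    overrides: Dict[str, Override] = field(default_factory=dict)

    def add_override(self, principal: str, override: Override) -> None:
        # AD users are identified as user@AD.REALM; IdM users carry no such suffix.
        is_ad_principal = principal.lower().endswith("@" + AD_REALM)
        if self.name == DEFAULT_TRUST_VIEW and not is_ad_principal:
            raise ValueError(f"{DEFAULT_TRUST_VIEW} only accepts AD users and groups: {principal}")
        self.overrides[principal] = override


def resolve(ad_values, principal, default_view, host_view=None, host_is_idm_server=False):
    """Return the effective attributes of principal on a given host."""
    result = dict(ad_values)
    layers = [default_view]
    # IdM servers and replicas always use the Default Trust View alone.
    if host_view is not None and not host_is_idm_server:
        layers.append(host_view)
    for view in layers:
        override = view.overrides.get(principal)
        if override is None:
            continue
        for attr in ATTRS:
            value = getattr(override, attr)
            if value is not None:  # "(no value)" falls through to the layer below
                result[attr] = value
    return result


def build_scenario():
    """Constructed data reproducing the two tables in 8.1.1 and 8.1.2."""
    ad_user = "ad_user@" + AD_REALM
    ad_values = {"login": "ad_user", "uid": 111, "gid": 111}
    default_view = IdView(DEFAULT_TRUST_VIEW)
    default_view.add_override(ad_user, Override(login="ad_user", uid=222))
    host_view = IdView("nis_hosts_view")  # hypothetical host-specific view
    host_view.add_override(ad_user, Override(uid=333, gid=333))
    return ad_user, ad_values, default_view, host_view


def resolve_on_client():
    """Client with no host-specific view: first table (uid 222, gid 111)."""
    ad_user, ad_values, default_view, _ = build_scenario()
    return resolve(ad_values, ad_user, default_view)


def resolve_on_host_with_view():
    """Client with nis_hosts_view applied: second table (uid 333, gid 333)."""
    ad_user, ad_values, default_view, host_view = build_scenario()
    return resolve(ad_values, ad_user, default_view, host_view)


def resolve_on_idm_server():
    """IdM server or replica: the host-specific view is ignored."""
    ad_user, ad_values, default_view, host_view = build_scenario()
    return resolve(ad_values, ad_user, default_view, host_view, host_is_idm_server=True)


def default_view_rejects_idm_user():
    """True if the Default Trust View refuses an override for an IdM user."""
    view = IdView(DEFAULT_TRUST_VIEW)
    try:
        view.add_override("idm_user", Override(uid=444))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(resolve_on_client())
    print(resolve_on_host_with_view())
    print(resolve_on_idm_server())
    print(default_view_rejects_idm_user())
```

The point worth checking in a real deployment is the third function: a host-specific view that changes a UID for clients does not change it on the IdM servers, so files an AD user creates on a server and on a client that applies the view will carry different numeric owners.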
8.1.3. ID Overrides on Clients Based on the Client Version
IdM masters always apply ID overrides from the Default Trust View, regardless of whether IdM clients retrieve the values through SSSD or through Schema Compatibility tree requests.
However, whether ID overrides from host-specific ID views are available on a client depends on the client version:
- Legacy clients: RHEL 6.3 and earlier (SSSD 1.8 and earlier)
  - The clients can request a specific ID view to be applied. To use a host-specific ID view on a legacy client, change the base DN on the client to:
cn=id_view_name,cn=views,cn=compat,dc=example,dc=com
- RHEL 6.4 to 7.0 (SSSD 1.9 to 1.11)
  - Host-specific ID views on the clients are not supported.
- RHEL 7.1 and later (SSSD 1.12 and later)
  - Full support.