Red Hat SummitChapter 6. SSSD client-side view
The sss_override utility helps you to create a local view of user data. This tool modifies POSIX attributes on a specific machine without altering the central identity provider, handling conflicts or local requirements effectively.
You can configure overrides for all id_provider values, except ipa.
If you are using the ipa provider, define ID views centrally in IPA. For more information, see Using an ID view to override a user attribute value on an IdM client.
For information about a potential negative impact on the SSSD performance, see Potential negative impact of ID views on SSSD performance.
6.1. Overriding the LDAP username attribute
LDAP user names may conflict with local system policies or naming conventions. Use the sss_override command to map a remote LDAP user name to a distinct local alias, ensuring compatibility with the specific host.
Prerequisites
-
rootaccess -
Have
sssd-toolspackage installed
Procedure
Display the current information for the user:
# id <ldap_username>Replace
<ldap_username>with the LDAPusernameof the user. For example:# id sjonesuid=1001(sjones) gid=6003 groups=6003,10(wheel)Add the local username:
# sss_override user-add <ldap_username> -n <local_username>Replace
<ldap_username>with the LDAPusernameand replace<local_username>with the desired local username. For example:# sss_override user-add sjones -n sarahAfter creating the first override using the
sss_override user-addcommand, restart SSSD for the changes to take effect:# systemctl restart sssd
Verification
Verify that the local username is added:
# id <local_username>For example:
# id sarahuid=1001(sjones) gid=6003(sjones) groups=6003(sjones),10(wheel)# sss_override user-show sjones user@ldap.example.com:sarah::::::Optional: Display the overrides for the user:
# sss_override user-show <ldap_username>user@ldap.example.com:_<local_username>_::::::
6.2. Overriding the LDAP UID attribute
Conflicting numeric identifiers can cause file permission errors. You can override the unique identifier (UID) provided by LDAP with a specific local value using sss_override, ensuring the user matches local file ownership requirements.
Prerequisites
-
rootaccess -
Have
sssd-toolspackage installed
Procedure
Display the current UID of the user:
# id -u <ldap_username>Replace
<ldap_username>with the LDAPusernameof the user. For example:# id -u sarah1001Override the UID of the user’s account:
# sss_override user-add <ldap_username> -u <local_uid>Replace
<ldap_username>with the LDAPusernameof the user and replace<local_uid>with the new UID number. For example:# sss_override user-add sarah -u 6666Expire the in-memory cache:
# sss_cache --usersAfter creating the first override using the
sss_override user-addcommand, restart SSSD for the changes to take effect:# systemctl restart sssd
Verification
Verify that the local UID has been applied:
# id -u <ldap_username>Optional: Display the overrides for the user:
# sss_override user-show <ldap_username>user@ldap.example.com::_<local_uid>_:::::
6.3. Overriding the LDAP GID attribute
You can change the group identifier (GID) for an LDAP user on the local system. This action ensures the user’s primary group matches specific local requirements, facilitating correct file access and group membership.
Prerequisites
-
rootaccess -
Installed
sssd-tools
Procedure
Display the current GID of the user:
# id -g <ldap_username>Replace
<ldap_username>with the name of the user. For example:# id -g sarah6003Override the GID of the user’s account:
# sss_override user-add <ldap_username> -g <local_gid>Replace
<ldap_username>with the name of the user and replace<local_gid>with the local GID number. For example:# sss_override user-add sarah -g 6666Expire the in-memory cache:
# sss_cache --usersAfter creating the first override using the
sss_override user-addcommand, restart SSSD for the changes to take effect:# systemctl restart sssd
Verification
Verify that the local GID is applied:
# id -g <ldap_username>Optional: Display the overrides for the user:
# sss_override user-show <ldap_username>user@ldap.example.com::: 6666::::
6.4. Overriding the LDAP home directory attribute
Remote home directory paths often do not exist on every client machine. Overriding this attribute helps you to map users to a valid local path, ensuring they land in an existing directory upon login.
Prerequisites
-
rootaccess -
Installed
sssd-tools
Procedure
Display the current home directory of the user as stored locally:
# getent passwd <ldap_username><ldap_username>:x:XXXX:XXXX::/home/<home_directory>:/bin/bashReplace
<ldap_username>with the name of the user. The output shows the home directory value as seen locally, which might be different from the LDAP record. For example:# getent passwd sarahsarah:x:1001:6003::sarah:/bin/bashOverride the home directory of the user:
# sss_override user-add <ldap_username> -h <new_home_directory>Replace
<ldap_username>with the name of the user and replace<new_home_directory>with the new home directory. For example:# sss_override user-add sarah -h adminRestart SSSD for the changes to take effect:
# systemctl restart sssd
Verification
Verify that the new home directory is defined:
# getent passwd <ldap_username><ldap_username>:x:XXXX:XXXX::/home/<new_home_directory>:/bin/bashOptional: Display the overrides for the user:
# sss_override user-show <ldap_username>user@ldap.example.com:::::::<new_home_directory>::
6.5. Overriding the LDAP shell attribute
The default shell assigned in LDAP may be restricted or unavailable on specific clients. You can override this attribute to assign a valid local shell, such as /bin/bash or /sbin/nologin, appropriate for the host’s specific purpose.
Prerequisites
-
rootaccess -
Installed
sssd-tools
Procedure
Display the current shell of the user as stored locally:
# getent passwd <ldap_username><ldap_username>:x:XXXX:XXXX::/home/<home_directory>:_<currentshell>_Replace
<ldap_username>with the name of the user.Override the shell of the user:
# sss_override user-add <ldap_username> -s <new_shell>Replace
<ldap_username>with the name of the user and replace<new_shell>with the new shell.Restart SSSD for the changes to take effect:
# systemctl restart sssd
Verification
Verify that the new shell is defined:
# getent passwd <ldap_username><ldap_username>:x:XXXX:XXXX::/home/<home_directory>:_<new_shell>_Optional: Display the overrides for the user:
# sss_override user-show <ldap_username>user@ldap.example.com::::::_<new_shell>_:For example, to change the shell of the user
sarahfrom/bin/bashtosbin/nologin:Display the current shell of the user
sarah:# getent passwd sarahsarah:x:1001:6003::sarah:/bin/bashOverride the shell of the user sarah with new
/sbin/nologinshell:# sss_override user-add sarah -s /sbin/nologinRestart SSSD for the changes to take effect:
# systemctl restart sssdVerify that the new shell is defined and overrides for the user display correctly:
# getent passwd sarahsarah:x:1001:6003::sarah:/sbin/nologin# sss_override user-show sarahuser@ldap.example.com::::::/sbin/nologin:
6.6. Listing overrides on a host
You must audit local modifications to ensure configuration consistency. The sss_override tool provides search functions to list all currently active user and group overrides stored in the local cache.
Prerequisites
-
rootaccess -
Installed
sssd-tools
Procedure
List all user overrides:
# sss_override user-finduser1@ldap.example.com::8000::::/bin/zsh: user2@ldap.example.com::8001::::/bin/bash: ...List all group overrides:
# sss_override group-findgroup1@ldap.example.com::7000 group2@ldap.example.com::7001 ...
6.7. Removing a local override
Removing an override reverts the user or group attributes to the values provided by the central directory. Use deletion commands to clean up obsolete configurations or restore default identity data immediately.
Prerequisites
-
rootaccess -
Installed
sssd-tools
Procedure
To remove the override for a user account, use:
# sss_override user-del <local_username>Replace <local_username> with the name of the user. The changes take effect immediately.
To remove an override for a group, use:
# sss_override group-del <group_name>After removing the first override using the
sss_override user-delorsss_override group-delcommand, restart SSSD for the changes to take effect:# systemctl restart sssdWhen you remove overrides for a user or group, all overrides for this object are removed.
6.8. Exporting and importing local view
Local overrides reside in the SSSD cache and risk deletion during cache clearing. Exporting these configurations to a backup file helps you to restore custom views quickly after system maintenance or migrations.
Prerequisites
-
rootaccess -
Installed
sssd-tools
Procedure
To back up user and group view, use:
# sss_override user-export /var/lib/sss/backup/sssd_user_overrides.bak # sss_override group-export /var/lib/sss/backup/sssd_group_overrides.bakTo restore user and group view, use:
# sss_override user-import /var/lib/sss/backup/sssd_user_overrides.bak # sss_override group-import /var/lib/sss/backup/sssd_group_overrides.bak
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}