Chapter 37. Using ID views for Active Directory users
You can use ID views to specify new values for the POSIX attributes of your Active Directory (AD) users in an IdM-AD Trust environment.
By default, IdM applies the Default Trust View to all AD users. You can configure additional ID views on individual IdM clients to further adjust which POSIX attributes specific users receive.
37.1. How the Default Trust View works
The Default Trust View is the default ID view that is always applied to AD users and groups in trust-based setups. It is created automatically when you establish the trust using the ipa-adtrust-install command and cannot be deleted.
The Default Trust View only accepts overrides for AD users and groups, not for IdM users and groups.
Using the Default Trust View, you can define custom POSIX attributes for AD users and groups, thus overriding the values defined in AD.
Attribute | Value in AD | Default Trust View | Result
---|---|---|---
Login | ad_user | ad_user | ad_user
UID | 111 | 222 | 222
GID | 111 | (no value) | 111
You can also configure additional ID Views to override the Default Trust View on IdM clients. IdM applies the values from the host-specific ID view on top of the Default Trust View:
- If an attribute is defined in the host-specific ID view, IdM applies the value from this ID view.
- If an attribute is not defined in the host-specific ID view, IdM applies the value from the Default Trust View.
Attribute | Value in AD | Default Trust View | Host-specific ID view | Result
---|---|---|---|---
Login | ad_user | ad_user | (no value) | ad_user
UID | 111 | 222 | 333 | 333
GID | 111 | (no value) | 333 | 333
You can only apply host-specific ID views to override the Default Trust View on IdM clients. IdM servers and replicas always apply the values from the Default Trust View.
37.2. Defining global attributes for an AD user by modifying the Default Trust View
If you want to override a POSIX attribute for an Active Directory (AD) user throughout your entire IdM deployment, modify the entry for that user in the Default Trust View. This procedure sets the GID for the AD user ad_user@ad.example.com to 732000006.
Prerequisites
- You have authenticated as an IdM administrator.
- A group with GID 732000006 must exist, or you must set that GID in an ID override for a group, so that the GID resolves to a group name.
Procedure
1. As an IdM administrator, create an ID override for the AD user in the Default Trust View that changes the GID number to 732000006:

   # ipa idoverrideuser-add 'Default Trust View' ad_user@ad.example.com --gidnumber=732000006

2. Clear the entry for the ad_user@ad.example.com user from the SSSD cache on all IdM servers and clients. This removes stale data and allows the new override value to apply:

   # sssctl cache-expire -u ad_user@ad.example.com
Verification
Retrieve information for the ad_user@ad.example.com user to verify that the GID reflects the updated value:

   # id ad_user@ad.example.com
   uid=702801456(ad_user@ad.example.com) gid=732000006(ad_admins) groups=732000006(ad_admins),702800513(domain users@ad.example.com)
37.3. Overriding Default Trust View attributes for an AD user on an IdM client with an ID view
You might want to override some POSIX attributes from the Default Trust View for an Active Directory (AD) user. For example, you might need to give an AD user a different GID on one particular IdM client. You can use an ID view to override a value from the Default Trust View for an AD user and apply it to a single host. This procedure explains how to set the GID for the ad_user@ad.example.com AD user on the client1.idm.example.com IdM client to 732001337.
Prerequisites
- You have root access to the IdM client system.
- You are logged in as a user with the required privileges, for example the admin user.
Procedure
1. On the IdM server, create an ID view. For example, to create an ID view named example_for_client1:

   $ ipa idview-add example_for_client1
   ---------------------------
   Added ID View "example_for_client1"
   ---------------------------
     ID View Name: example_for_client1

2. On the IdM server, add a user override to the example_for_client1 ID view. To override the user's GID, enter the ipa idoverrideuser-add command with the name of the ID view, the user name (also called the anchor), and the --gidnumber= option:

   $ ipa idoverrideuser-add example_for_client1 ad_user@ad.example.com --gidnumber=732001337
   -----------------------------
   Added User ID override "ad_user@ad.example.com"
   -----------------------------
     Anchor to override: ad_user@ad.example.com
     GID: 732001337

3. On the IdM server, apply example_for_client1 to the client1.idm.example.com IdM client:

   $ ipa idview-apply example_for_client1 --hosts=client1.idm.example.com
   -----------------------------
   Applied ID View "example_for_client1"
   -----------------------------
     hosts: client1.idm.example.com
   ---------------------------------------------
   Number of hosts the ID View was applied to: 1
   ---------------------------------------------

   Note: The ipa idview-apply command also accepts the --hostgroups option. The option applies the ID view to the hosts that belong to the specified host group, but does not associate the ID view with the host group itself. Instead, the --hostgroups option expands the members of the specified host group at the time you run the command and applies the --hosts option individually to every one of them. This means that if a host is added to the host group in the future, the ID view does not apply to the new host; you must run ipa idview-apply again for it.

4. On the client1.idm.example.com IdM client, clear the entry for the ad_user@ad.example.com user from the SSSD cache. This removes stale data and allows the new override value to apply:

   # sssctl cache-expire -u ad_user@ad.example.com
Verification
1. SSH to the client system as ad_user@ad.example.com:

   # ssh ad_user@ad.example.com@client1.idm.example.com

2. On the client system, retrieve information for the ad_user@ad.example.com user to verify that the GID reflects the updated value:

   [ad_user@ad.example.com@client1 ~]$ id ad_user@ad.example.com
   uid=702801456(ad_user@ad.example.com) gid=732001337(admins2) groups=732001337(admins2),702800513(domain users@ad.example.com)
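The shell helpers below are an added example; they are not part of this documentation or of the IdM project. They turn the procedures of sections 37.2 and 37.3 into a repeatable check: gid_from_id_line and check_gid extract the primary GID from `id` output so the verification step can be scripted rather than read by eye, hosts_missing_view lists host-group members that a view was never applied to (the --hostgroups caveat above), and apply_gid_override runs the ipa and sssctl commands shown in section 37.3 end to end. The function names and the sample `id` line are constructed for this example. apply_gid_override and audit_hostgroup_view need an IdM admin Kerberos ticket (and, for the former, root SSH access to the client) and are not exercised offline; audit_hostgroup_view also assumes the plain-text CLI labels "Hosts the view applies to:" (ipa idview-show --show-hosts) and "Member hosts:" (ipa hostgroup-show).

```shell
#!/bin/sh
# Added example (hypothetical helper names); not from the IdM documentation.
set -eu

# Print the numeric primary GID from one line of `id` output, for example
#   uid=702801456(ad_user@ad.example.com) gid=732001337(admins2) groups=...
# Prints nothing if the line carries no gid= field. Works whether or not the
# GID resolves to a group name, since only the digits after "gid=" are taken.
gid_from_id_line() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]gid=\([0-9][0-9]*\).*/\1/p'
}

# Exit 0 when the `id` line ($1) reports the expected primary GID ($2).
check_gid() {
    [ "$(gid_from_id_line "$1")" = "$2" ]
}

# Print host-group members ($1, newline separated) that are absent from the
# list of hosts the view was applied to ($2, newline separated). Because
# `ipa idview-apply --hostgroups` expands the group only at apply time, hosts
# added to the group afterwards show up here. Input order is preserved.
hosts_missing_view() {
    {
        printf '%s\n' "$2"
        printf '%s\n' '--end-of-applied-list--'
        printf '%s\n' "$1"
    } | awk '
        $0 == "--end-of-applied-list--" { in_members = 1; next }
        !in_members { applied[$0] = 1; next }
        $0 != "" && !($0 in applied)'
}

# Live audit of one ID view against one host group (needs an admin ticket).
# Assumption: both commands print comma-separated host lists after the labels
# "Hosts the view applies to:" and "Member hosts:".
audit_hostgroup_view() {
    view=$1; hostgroup=$2
    applied=$(ipa idview-show "$view" --show-hosts \
        | sed -n 's/^ *Hosts the view applies to: *//p' | tr -d ' ' | tr ',' '\n')
    members=$(ipa hostgroup-show "$hostgroup" \
        | sed -n 's/^ *Member hosts: *//p' | tr -d ' ' | tr ',' '\n')
    hosts_missing_view "$members" "$applied"
}

# End to end: create the view if needed, add (or update) the GID override,
# apply the view to one client, expire the SSSD entry there and verify.
# Needs an admin ticket and root SSH access to the client.
apply_gid_override() {
    view=$1; anchor=$2; gid=$3; client=$4
    ipa idview-show "$view" >/dev/null 2>&1 || ipa idview-add "$view"
    ipa idoverrideuser-add "$view" "$anchor" --gidnumber="$gid" \
        || ipa idoverrideuser-mod "$view" "$anchor" --gidnumber="$gid"
    ipa idview-apply "$view" --hosts="$client"
    line=$(ssh "root@$client" "sssctl cache-expire -u '$anchor' && id '$anchor'")
    if check_gid "$line" "$gid"; then
        echo "OK: $anchor has primary GID $gid on $client"
    else
        echo "FAIL on $client: $line" >&2
        return 1
    fi
}

# Usage:
#   sh idview-check.sh apply example_for_client1 ad_user@ad.example.com 732001337 client1.idm.example.com
#   sh idview-check.sh audit example_for_client1 webservers
case "${1:-}" in
    apply) shift; apply_gid_override "$@" ;;
    audit) shift; audit_hostgroup_view "$@" ;;
esac
```

Run the audit after every change to a host group that was used with --hostgroups; any host it prints still resolves the Default Trust View values, not the host-specific ones.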