7.6. SSSD Client-side Views
SSSD enables you to create a client-side view to specify new values for POSIX user or group attributes. The view takes effect only on the local machine where the overrides are configured. You can configure client-side overrides for all id_provider values, except ipa. If you are using the ipa provider, define ID views centrally in IdM. See the corresponding section in the Linux Domain Identity, Authentication, and Policy Guide.
For more information, see the Potential Negative Impact on SSSD Performance section in the Linux Domain Identity, Authentication, and Policy Guide.
Note
After creating the first override using the sss_override user-add, sss_override group-add, or sss_override user-import command, restart SSSD for the changes to take effect:
# systemctl restart sssd
7.6.1. Defining a Different Attribute Value for a User Account
As an administrator, you configured an existing host to use accounts from LDAP. However, a user's new ID in LDAP is different from the user's previous ID on the local system. You can configure a client-side view to override the UID instead of changing the permissions on existing files.
To override the UID of the user account with UID 6666:
- Optional. Display the current UID of the user account:
# id user
uid=1241400014(user_name) gid=1241400014(user_name) Groups=1241400014(user_name)
- Override the account's UID with 6666:
# sss_override user-add user -u 6666
- Wait until the in-memory cache has expired. To expire it manually:
# sss_cache --users
- Verify that the new UID is applied:
# id user
uid=6666(user_name) gid=1241400014(user_name) Groups=1241400014(user_name)
- Optional. Display the overrides for the user:
# sss_override user-show user
user@ldap.example.com::6666:::::
For a list of attributes you can override, list the command-line options by adding --help to the command:
# sss_override user-add --help
7.6.2. Listing All Overrides on a Host
As an administrator, you want to list all user and group overrides on a host to verify that the correct attributes are overridden.
To list all user overrides:
# sss_override user-find
user1@ldap.example.com::8000::::/bin/zsh:
user2@ldap.example.com::8001::::/bin/bash:
...
To list all group overrides:
# sss_override group-find
group1@ldap.example.com::7000
group2@ldap.example.com::7001
...
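One way to check the listed user overrides for risky ID values, as an added example that is not part of the original guide. It flags overrides that map an account to UID or GID 0 or below a threshold; the function names, the UID_MIN threshold of 1000, and the sample records are assumptions made for the example.

```shell
#!/bin/sh
# Added example: flag local SSSD user overrides with risky UID/GID values.
# Record layout per sss_override(8):
#   original_name:name:uid:gid:gecos:home:shell:base64_certificate
UID_MIN=${UID_MIN:-1000}   # assumption: regular accounts start at 1000

# Classify one overridden ID; print a finding and return 1 if it is risky.
check_id() {   # $1 = uid|gid, $2 = value, $3 = account
    case $2 in
        '')       return 0 ;;                        # attribute not overridden
        *[!0-9]*) echo "MALFORMED $1=$2 $3"; return 1 ;;
    esac
    if [ "$2" -eq 0 ]; then
        echo "ROOT $1=$2 $3"; return 1
    elif [ "$2" -lt "$UID_MIN" ]; then
        echo "SYSTEM $1=$2 $3"; return 1
    fi
    return 0
}

# Read override records on stdin; return 1 if any record was flagged.
audit_overrides() {
    findings=0
    while IFS=: read -r orig name uid gid gecos home shell cert; do
        [ -n "$orig" ] || continue                   # skip blank lines
        check_id uid "$uid" "$orig" || findings=1
        check_id gid "$gid" "$orig" || findings=1
    done
    return "$findings"
}

# Constructed sample records (not taken from a real host).
sample_overrides() {
    cat <<'EOF'
user1@ldap.example.com::8000::::/bin/zsh:
user2@ldap.example.com::0::::/bin/bash:
user3@ldap.example.com::::::/bin/sh:
user4@ldap.example.com::499:0::::
EOF
}

# On a real host: sss_override user-find | audit_overrides
sample_overrides | audit_overrides || echo "Review the flagged overrides."
```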
7.6.3. Removing a Local Override
You previously created an override for the shell of the user account that is defined in the global LDAP directory. To remove the override for the account, run:
# sss_override user-del user
The changes take effect immediately.
To remove an override for a group, run:
# sss_override group-del group
Note
When you remove overrides for a user or group, all overrides for this object are removed.
7.6.4. Exporting and Importing Local Views
Client-side views are stored in the local SSSD cache. You can export user and group views from the cache to a file to create a backup. For example, when you remove the SSSD cache, you can restore the views later.
To back up user and group views:
# sss_override user-export /var/lib/sss/backup/sssd_user_overrides.bak
# sss_override group-export /var/lib/sss/backup/sssd_group_overrides.bak
To restore user and group views:
# sss_override user-import /var/lib/sss/backup/sssd_user_overrides.bak
# sss_override group-import /var/lib/sss/backup/sssd_group_overrides.bak