Chapter 7. SSSD client-side view
SSSD provides the sss_override utility, which allows you to create a local view that displays values for POSIX user or group attributes that are specific to your local machine. You can configure overrides for all id_provider values, except ipa.
If you are using the ipa provider, define ID views centrally in IPA. For more information, see Using an ID view to override a user attribute value on an IdM client.
For information about a potential negative impact on the SSSD performance, see Potential negative impact of ID views on SSSD performance.
7.1. Overriding the LDAP username attribute
As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are different from the values on the local system. You can override the LDAP username attribute by defining a secondary username with the following procedure.
Prerequisites
- root access
- Installed sssd-tools
Procedure
Display the current information for the user:
# id username
Replace username with the name of the user.
Add the secondary username:
# sss_override user-add username -n secondary-username
Replace username with the name of the user and replace secondary-username with the new username.
After creating the first override using the sss_override user-add command, restart SSSD for the changes to take effect:
# systemctl restart sssd
Verification
Verify that the new username is added:
# id secondary-username
Optional. Display the overrides for the user:
# sss_override user-show username
user@ldap.example.com:secondary-username::::::
Example 7.1. Defining a secondary username
To add a secondary username sarah for the user sjones:
Display the current information for the user sjones:
# id sjones
uid=1001(sjones) gid=6003 groups=6003,10(wheel)
Add the secondary username:
# sss_override user-add sjones -n sarah
Verify that the new username has been added and overrides for the user display correctly:
# id sarah
uid=1001(sjones) gid=6003(sjones) groups=6003(sjones),10(wheel)
# sss_override user-show sjones
user@ldap.example.com:sarah::::::
Additional resources
- sss_override man page on your system
7.2. Overriding the LDAP UID attribute
As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are different from the values on the local system. You can override the LDAP UID attribute by defining a different UID with the following procedure.
Prerequisites
- root access
- Installed sssd-tools
Procedure
Display the current UID of the user:
# id -u user-name
Replace user-name with the name of the user.
Override the UID of the user’s account:
# sss_override user-add user-name -u new-UID
Replace user-name with the name of the user and replace new-UID with the new UID number.
Expire the in-memory cache:
# sss_cache --users
After creating the first override using the sss_override user-add command, restart SSSD for the changes to take effect:
# systemctl restart sssd
Verification
Verify that the new UID has been applied:
# id -u user-name
Optional. Display the overrides for the user:
# sss_override user-show user-name
user@ldap.example.com::new-UID:::::
Example 7.2. Overriding the UID of the user
To override the UID of the user sarah with UID 6666:
Display the current UID of the user sarah:
# id -u sarah
1001
Override the UID of the user sarah's account with UID 6666:
# sss_override user-add sarah -u 6666
Manually expire the in-memory cache:
# sss_cache --users
Restart SSSD for the changes to take effect:
# systemctl restart sssd
Verify that the new UID is applied and overrides for the user display correctly:
# id -u sarah
6666
# sss_override user-show sarah
user@ldap.example.com::6666:::::
Additional resources
- sss_override man page on your system
7.3. Overriding the LDAP GID attribute
As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are different from the values on the local system. You can override the LDAP GID attribute by defining a different GID with the following procedure.
Prerequisites
- root access
- Installed sssd-tools
Procedure
Display the current GID of the user:
# id -g user-name
Replace user-name with the name of the user.
Override the GID of the user’s account:
# sss_override user-add user-name -g new-GID
Replace user-name with the name of the user and replace new-GID with the new GID number.
Expire the in-memory cache:
# sss_cache --users
After creating the first override using the sss_override user-add command, restart SSSD for the changes to take effect:
# systemctl restart sssd
Verification
Verify that the new GID is applied:
# id -g user-name
Optional. Display the overrides for the user:
# sss_override user-show user-name
user@ldap.example.com:::new-GID::::
Example 7.3. Overriding the GID of the user
To override the GID of the user sarah with GID 6666:
Display the current GID of the user sarah:
# id -g sarah
6003
Override the GID of the user sarah's account with GID 6666:
# sss_override user-add sarah -g 6666
Manually expire the in-memory cache:
# sss_cache --users
If this is your first override, restart SSSD for the changes to take effect:
# systemctl restart sssd
Verify that the new GID is applied and overrides for the user display correctly:
# id -g sarah
6666
# sss_override user-show sarah
user@ldap.example.com:::6666::::
Additional resources
- sss_override man page on your system
7.4. Overriding the LDAP home directory attribute
As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are different from the values on the local system. You can override the LDAP home directory attribute by defining a different home directory with the following procedure.
Prerequisites
- root access
- Installed sssd-tools
Procedure
Display the current home directory of the user:
# getent passwd user-name
user-name:x:XXXX:XXXX::/home/home-directory:/bin/bash
Replace user-name with the name of the user.
Override the home directory of the user:
# sss_override user-add user-name -h new-home-directory
Replace user-name with the name of the user and replace new-home-directory with the new home directory.
Restart SSSD for the changes to take effect:
# systemctl restart sssd
Verification
Verify that the new home directory is defined:
# getent passwd user-name
user-name:x:XXXX:XXXX::/home/new-home-directory:/bin/bash
Optional. Display the overrides for the user:
# sss_override user-show user-name
user@ldap.example.com:::::::new-home-directory::
Example 7.4. Overriding the home directory of the user
To override the home directory of the user sarah with admin:
Display the current home directory of the user sarah:
# getent passwd sarah
sarah:x:1001:6003::sarah:/bin/bash
Override the home directory of the user sarah with new home directory admin:
# sss_override user-add sarah -h admin
Restart SSSD for the changes to take effect:
# systemctl restart sssd
Verify that the new home directory is defined and overrides for the user display correctly:
# getent passwd sarah
sarah:x:1001:6003::admin:/bin/bash
# sss_override user-show sarah
user@ldap.example.com:::::::admin::
Additional resources
- sss_override man page on your system
7.5. Overriding the LDAP shell attribute
As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are different from the values on the local system. You can override the LDAP shell attribute by defining a different shell with the following procedure.
Prerequisites
- root access
- Installed sssd-tools
Procedure
Display the current shell of the user:
# getent passwd user-name
user-name:x:XXXX:XXXX::/home/home-directory:/bin/bash
Replace user-name with the name of the user.
Override the shell of the user:
# sss_override user-add user-name -s new-shell
Replace user-name with the name of the user and replace new-shell with the new shell.
Restart SSSD for the changes to take effect:
# systemctl restart sssd
Verification
Verify that the new shell is defined:
# getent passwd user-name
user-name:x:XXXX:XXXX::/home/home-directory:new-shell
Optional. Display the overrides for the user:
# sss_override user-show user-name
user@ldap.example.com::::::new-shell:
Example 7.5. Overriding the shell of the user
To change the shell of the user sarah from /bin/bash to /sbin/nologin:
Display the current shell of the user sarah:
# getent passwd sarah
sarah:x:1001:6003::sarah:/bin/bash
Override the shell of the user sarah with the new /sbin/nologin shell:
# sss_override user-add sarah -s /sbin/nologin
Restart SSSD for the changes to take effect:
# systemctl restart sssd
Verify that the new shell is defined and overrides for the user display correctly:
# getent passwd sarah
sarah:x:1001:6003::sarah:/sbin/nologin
# sss_override user-show sarah
user@ldap.example.com::::::/sbin/nologin:
Additional resources
- sss_override man page on your system
7.6. Listing overrides on a host
As an administrator, you can list all user and group overrides on a host to verify that the correct attributes have been overridden.
Prerequisites
- root access
- Installed sssd-tools
Procedure
List all user overrides:
# sss_override user-find
user1@ldap.example.com::8000::::/bin/zsh:
user2@ldap.example.com::8001::::/bin/bash:
...
List all group overrides:
# sss_override group-find
group1@ldap.example.com::7000
group2@ldap.example.com::7001
...
7.7. Removing a local override
If you want to remove a local override so that the value defined in the global LDAP directory applies again, use the following procedure.
Prerequisites
- root access
- Installed sssd-tools
Procedure
To remove the override for a user account, use:
# sss_override user-del user-name
Replace user-name with the name of the user. The changes take effect immediately.
To remove an override for a group, use:
# sss_override group-del group-name
After removing the first override using the sss_override user-del or sss_override group-del command, restart SSSD for the changes to take effect:
# systemctl restart sssd
When you remove overrides for a user or group, all overrides for this object are removed.
7.8. Exporting and importing a local view
Your local overrides are stored in the local SSSD cache. You can export user and group overrides from this cache to a file to create a backup. This ensures that even if the cache is cleared, you can restore the configurations later.
Prerequisites
- root access
- Installed sssd-tools
Procedure
To back up the user and group view, use:
# sss_override user-export /var/lib/sss/backup/sssd_user_overrides.bak
# sss_override group-export /var/lib/sss/backup/sssd_group_overrides.bak
To restore the user and group view, use:
# sss_override user-import /var/lib/sss/backup/sssd_user_overrides.bak
# sss_override group-import /var/lib/sss/backup/sssd_group_overrides.bak
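Because a local override can silently change a user's UID, GID or shell on one host, the listing (7.6) and export (7.8) output is worth auditing, not just backing up. The following POSIX shell function is an added example, not code from this page or from the SSSD project: it reads records in the colon-separated layout shown above for user-find and user-show (original-name:name:uid:gid:gecos:home:shell, further fields ignored) and flags any override that maps a user to uid 0 or gid 0, using a constructed sample export.

```shell
#!/bin/sh
# Added example: audit an sss_override user export for privilege-relevant
# overrides. Assumes the record layout shown on this page:
#   original-name:name:uid:gid:gecos:home:shell[:...]
# Constructed sample, shaped like sss_override user-export output:
SAMPLE_EXPORT='sarah@ldap.example.com::6666:::::
sjones@ldap.example.com:sarah::::::
user1@ldap.example.com::0::::/bin/zsh:
user2@ldap.example.com:::0::::
user3@ldap.example.com::::::/sbin/nologin:'

# audit_overrides: reads export records from stdin, prints one verdict line
# per record ("ok" or "ALERT"), and returns 1 if any record overrides a
# user to uid 0 or gid 0, otherwise 0.
audit_overrides() {
    rc=0
    # IFS=: keeps empty fields, so an unset uid or gid reads as "".
    while IFS=: read -r orig name uid gid gecos home shell rest; do
        [ -z "$orig" ] && continue
        flags=""
        [ "$uid" = "0" ] && flags="$flags uid=0"
        [ "$gid" = "0" ] && flags="$flags gid=0"
        if [ -n "$flags" ]; then
            printf 'ALERT %s:%s\n' "$orig" "$flags"
            rc=1
        else
            printf 'ok    %s\n' "$orig"
        fi
    done
    return $rc
}

# Stand-alone run over the constructed sample; in practice feed it the
# file written by sss_override user-export.
printf '%s\n' "$SAMPLE_EXPORT" | audit_overrides \
    || echo "privileged overrides found, review them with sss_override user-show"
```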