Chapter 6. SSSD client-side view
SSSD provides the sss_override utility, which allows you to create a local view that displays values for POSIX user or group attributes that are specific to your local machine. You can configure overrides for all id_provider values, except ipa.
If you are using the ipa provider, define ID views centrally in IPA. For more information, see Using an ID view to override a user attribute value on an IdM client.
For information about a potential negative impact on the SSSD performance, see Potential negative impact of ID views on SSSD performance.
6.1. Overriding the LDAP username attribute
As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are likely to be different from the values on the local system. You can override the LDAP username attribute by defining a local username.
Prerequisites
- root access
- The sssd-tools package is installed
Procedure
1. Display the current information for the user:
   # id <ldap_username>
   Replace <ldap_username> with the LDAP username of the user.
2. Add the local username:
   # sss_override user-add <ldap_username> -n <local_username>
   Replace <ldap_username> with the LDAP username and replace <local_username> with the desired local username.
3. After creating the first override using the sss_override user-add command, restart SSSD for the changes to take effect:
   # systemctl restart sssd
Verification
1. Verify that the local username is added:
   # id <local_username>
2. Optional: Display the overrides for the user:
   # sss_override user-show <ldap_username>
   user@ldap.example.com:<local_username>::::::

Example 6.1. Defining a local username
To add a local username sarah for the LDAP user sjones:
1. Display the current information for the LDAP user sjones:
   # id sjones
   uid=1001(sjones) gid=6003 groups=6003,10(wheel)
2. Add a local username sarah:
   # sss_override user-add sjones -n sarah
3. Verify that the local username has been added and that the overrides for the user display correctly:
   # id sarah
   uid=1001(sjones) gid=6003(sjones) groups=6003(sjones),10(wheel)
   # sss_override user-show sjones
   user@ldap.example.com:sarah::::::
6.2. Overriding the LDAP UID attribute
As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are likely to be different from the values on the local system. You can override the LDAP UID attribute by defining a different UID with the following procedure.
Prerequisites
- root access
- The sssd-tools package is installed
Procedure
1. Display the current UID of the user:
   # id -u <ldap_username>
   Replace <ldap_username> with the LDAP username of the user.
2. Override the UID of the user's account:
   # sss_override user-add <ldap_username> -u <local_uid>
   Replace <ldap_username> with the LDAP username of the user and replace <local_uid> with the new UID number.
3. Expire the in-memory cache:
   # sss_cache --users
4. After creating the first override using the sss_override user-add command, restart SSSD for the changes to take effect:
   # systemctl restart sssd
Verification
1. Verify that the local UID has been applied:
   # id -u <ldap_username>
2. Optional: Display the overrides for the user:
   # sss_override user-show <ldap_username>
   user@ldap.example.com::<local_uid>:::::

Example 6.2. Overriding the LDAP UID of the user
To override the LDAP UID of the user sarah with the local UID 6666:
1. Display the current UID of the LDAP user sarah:
   # id -u sarah
   1001
2. Override the UID of the user sarah's account with UID 6666:
   # sss_override user-add sarah -u 6666
3. Manually expire the in-memory cache:
   # sss_cache --users
4. Restart SSSD for the changes to take effect:
   # systemctl restart sssd
5. Verify that the new UID is applied and that the overrides for the user display correctly:
   # id -u sarah
   6666
   # sss_override user-show sarah
   user@ldap.example.com::6666:::::
6.3. Overriding the LDAP GID attribute
As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are likely to be different from the values on the local system. You can override the LDAP GID attribute by defining a different GID with the following procedure.
Prerequisites
- root access
- Installed sssd-tools
Procedure
1. Display the current GID of the user:
   # id -g <ldap_username>
   Replace <ldap_username> with the name of the user.
2. Override the GID of the user's account:
   # sss_override user-add <ldap_username> -g <local_gid>
   Replace <ldap_username> with the name of the user and replace <local_gid> with the local GID number.
3. Expire the in-memory cache:
   # sss_cache --users
4. After creating the first override using the sss_override user-add command, restart SSSD for the changes to take effect:
   # systemctl restart sssd
Verification
1. Verify that the local GID is applied:
   # id -g <ldap_username>
2. Optional: Display the overrides for the user:
   # sss_override user-show <ldap_username>
   user@ldap.example.com:::<local_gid>::::

Example 6.3. Overriding the LDAP GID of the user
To override the GID of the user sarah with GID 6666:
1. Display the current GID of the user sarah:
   # id -g sarah
   6003
2. Override the GID of the user sarah's account with GID 6666:
   # sss_override user-add sarah -g 6666
3. Manually expire the in-memory cache:
   # sss_cache --users
4. If this is your first override, restart SSSD for the changes to take effect:
   # systemctl restart sssd
5. Verify that the new GID is applied and that the overrides for the user display correctly:
   # id -g sarah
   6666
   # sss_override user-show sarah
   user@ldap.example.com:::6666::::
6.4. Overriding the LDAP home directory attribute
As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP might be different from the values on the local system. You can override the LDAP home directory attribute by defining a different home directory.
Prerequisites
- root access
- Installed sssd-tools
Procedure
1. Display the current home directory of the user as stored locally:
   # getent passwd <ldap_username>
   <ldap_username>:x:XXXX:XXXX::/home/<home_directory>:/bin/bash
   Replace <ldap_username> with the name of the user. The output shows the home directory value as seen locally, which might be different from the LDAP record.
2. Override the home directory of the user:
   # sss_override user-add <ldap_username> -h <new_home_directory>
   Replace <ldap_username> with the name of the user and replace <new_home_directory> with the new home directory.
3. Restart SSSD for the changes to take effect:
   # systemctl restart sssd
Verification
1. Verify that the new home directory is defined:
   # getent passwd <ldap_username>
   <ldap_username>:x:XXXX:XXXX::/home/<new_home_directory>:/bin/bash
2. Optional: Display the overrides for the user:
   # sss_override user-show <ldap_username>
   user@ldap.example.com:::::::<new_home_directory>::

Example 6.4. Overriding the home directory of the user
To override the home directory of the user sarah with admin:
1. Display the current home directory of the user sarah:
   # getent passwd sarah
   sarah:x:1001:6003::sarah:/bin/bash
2. Override the home directory of the user sarah with the new home directory admin:
   # sss_override user-add sarah -h admin
3. Restart SSSD for the changes to take effect:
   # systemctl restart sssd
4. Verify that the new home directory is defined and that the overrides for the user display correctly:
   # getent passwd sarah
   sarah:x:1001:6003::admin:/bin/bash
   # sss_override user-show sarah
   user@ldap.example.com:::::::admin::
6.5. Overriding the LDAP shell attribute
As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are likely to be different from the values on the local system. You can override the LDAP shell attribute by defining a different shell.
Prerequisites
- root access
- Installed sssd-tools
Procedure
1. Display the current shell of the user as stored locally:
   # getent passwd <ldap_username>
   <ldap_username>:x:XXXX:XXXX::/home/<home_directory>:<current_shell>
   Replace <ldap_username> with the name of the user.
2. Override the shell of the user:
   # sss_override user-add <ldap_username> -s <new_shell>
   Replace <ldap_username> with the name of the user and replace <new_shell> with the new shell.
3. Restart SSSD for the changes to take effect:
   # systemctl restart sssd
Verification
1. Verify that the new shell is defined:
   # getent passwd <ldap_username>
   <ldap_username>:x:XXXX:XXXX::/home/<home_directory>:<new_shell>
2. Optional: Display the overrides for the user:
   # sss_override user-show <ldap_username>
   user@ldap.example.com::::::<new_shell>:

Example 6.5. Overriding the shell of the user
To change the shell of the user sarah from /bin/bash to /sbin/nologin:
1. Display the current shell of the user sarah:
   # getent passwd sarah
   sarah:x:1001:6003::sarah:/bin/bash
2. Override the shell of the user sarah with the new shell /sbin/nologin:
   # sss_override user-add sarah -s /sbin/nologin
3. Restart SSSD for the changes to take effect:
   # systemctl restart sssd
4. Verify that the new shell is defined and that the overrides for the user display correctly:
   # getent passwd sarah
   sarah:x:1001:6003::sarah:/sbin/nologin
   # sss_override user-show sarah
   user@ldap.example.com::::::/sbin/nologin:
6.6. Listing overrides on a host
As an administrator, you can list all user and group overrides on a host to verify that the correct attributes have been overridden.
Prerequisites
- root access
- Installed sssd-tools
Procedure
1. List all user overrides:
   # sss_override user-find
   user1@ldap.example.com::8000::::/bin/zsh:
   user2@ldap.example.com::8001::::/bin/bash:
   ...
2. List all group overrides:
   # sss_override group-find
   group1@ldap.example.com::7000
   group2@ldap.example.com::7001
   ...
6.7. Removing a local override
You can remove a local override of a value that is defined in the global LDAP directory.
Prerequisites
- root access
- Installed sssd-tools
Procedure
1. To remove the override for a user account, use:
   # sss_override user-del <local_username>
   Replace <local_username> with the name of the user. The changes take effect immediately.
2. To remove an override for a group, use:
   # sss_override group-del <group_name>
3. After removing the first override using the sss_override user-del or sss_override group-del command, restart SSSD for the changes to take effect:
   # systemctl restart sssd
When you remove overrides for a user or group, all overrides for this object are removed.
6.8. Exporting and importing the local view
Your local overrides are stored in the local SSSD cache. You can export user and group overrides from this cache to a file to create a backup. This ensures that even if the cache is cleared, you can restore the configurations later.
Prerequisites
- root access
- Installed sssd-tools
Procedure
1. To back up the user and group views, use:
   # sss_override user-export /var/lib/sss/backup/sssd_user_overrides.bak
   # sss_override group-export /var/lib/sss/backup/sssd_group_overrides.bak
2. To restore the user and group views, use:
   # sss_override user-import /var/lib/sss/backup/sssd_user_overrides.bak
   # sss_override group-import /var/lib/sss/backup/sssd_group_overrides.bak
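As an added example, not taken from the SSSD documentation or the sss_override tool, the POSIX shell script below reads user override lines in the colon-separated layout that user-find prints in section 6.6 and summarises which attributes each override changes, flagging any override that maps a user to UID or GID 0. It assumes the eight fields are original name, new name, UID, GID, GECOS, home directory, shell and certificate, and that an exported user backup file (section 6.8) uses the same layout; the sample lines are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: audit sss_override user override lines. Assumed layout
# (not stated on the page, inferred from the user-find/user-show output):
#   original_name:new_name:uid:gid:gecos:home:shell:certificate
# Feed it the output of "sss_override user-find" or a user-export file.

# Constructed sample standing in for "sss_override user-find" output.
SAMPLE_OVERRIDES='user1@ldap.example.com::8000::::/bin/zsh:
user2@ldap.example.com::8001::::/bin/bash:
sjones@ldap.example.com:sarah::::::
svc@ldap.example.com::0:::::
'

# Print one line per override on stdin: the original name followed by
# key=value pairs for every field that is set. Empty fields are kept
# because IFS=: does not collapse consecutive delimiters.
summarize_overrides() {
    while IFS=: read -r orig name uid gid gecos home shell cert; do
        [ -n "$orig" ] || continue
        out="$orig"
        [ -n "$name" ]  && out="$out name=$name"
        [ -n "$uid" ]   && out="$out uid=$uid"
        [ -n "$gid" ]   && out="$out gid=$gid"
        [ -n "$gecos" ] && out="$out gecos=$gecos"
        [ -n "$home" ]  && out="$out home=$home"
        [ -n "$shell" ] && out="$out shell=$shell"
        [ -n "$cert" ]  && out="$out cert=set"
        printf '%s\n' "$out"
    done
}

# Return 1 and print each offending original name when an override on
# stdin sets UID 0 or GID 0: such a local view makes the LDAP account
# root-equivalent on this host and should be reviewed before import.
find_root_overrides() {
    found=0
    while IFS=: read -r orig name uid gid rest; do
        if [ "$uid" = "0" ] || [ "$gid" = "0" ]; then
            printf 'ROOT-LEVEL OVERRIDE: %s\n' "$orig"
            found=1
        fi
    done
    return $found
}

printf '%s' "$SAMPLE_OVERRIDES" | summarize_overrides
printf '%s' "$SAMPLE_OVERRIDES" | find_root_overrides || echo "review needed"
```

Group override lines from group-find use a shorter layout (name:new_name:gid), so run the script only over user overrides.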