
Chapter 6. SSSD client-side view


SSSD provides the sss_override utility, which allows you to create a local view that displays values for POSIX user or group attributes that are specific to your local machine. You can configure overrides for all id_provider values, except ipa.

If you are using the ipa provider, define ID views centrally in IPA. For more information, see Using an ID view to override a user attribute value on an IdM client.

For information about a potential negative impact on the SSSD performance, see Potential negative impact of ID views on SSSD performance.

6.1. Overriding the LDAP username attribute

As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are likely to be different from the values on the local system. You can override the LDAP username attribute by defining a local username.

Prerequisites

  • root access
  • The sssd-tools package is installed

Procedure

  1. Display the current information for the user:

    # id <ldap_username>

    Replace <ldap_username> with the LDAP username of the user.

  2. Add the local username:

    # sss_override user-add <ldap_username> -n <local_username>

    Replace <ldap_username> with the LDAP username and replace <local_username> with the desired local username.

  3. After creating the first override using the sss_override user-add command, restart SSSD for the changes to take effect:

    # systemctl restart sssd

Verification

  • Verify that the local username is added:

    # id <local_username>
  • Optional: Display the overrides for the user:

    # sss_override user-show <ldap_username>
    user@ldap.example.com:<local_username>::::::

    Example 6.1. Defining a local username

    To add a local username sarah for the LDAP user sjones:

    1. Display the current information for the LDAP user sjones:

      # id sjones
      uid=1001(sjones) gid=6003 groups=6003,10(wheel)
    2. Add a local username sarah:

      # sss_override user-add sjones -n sarah
    3. Verify that the local username has been added and that the overrides for the user display correctly:

      # id sarah
      uid=1001(sjones) gid=6003(sjones) groups=6003(sjones),10(wheel)
      
      # sss_override user-show sjones
      user@ldap.example.com:sarah::::::

6.2. Overriding the LDAP UID attribute

As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are likely to be different from the values on the local system. You can override the LDAP UID attribute by defining a different UID with the following procedure.

Prerequisites

  • root access
  • The sssd-tools package is installed

Procedure

  1. Display the current UID of the user:

    # id -u <ldap_username>

    Replace <ldap_username> with the LDAP username of the user.

  2. Override the UID of the user’s account:

    # sss_override user-add <ldap_username> -u <local_uid>

    Replace <ldap_username> with the LDAP username of the user and replace <local_uid> with the new UID number.

  3. Expire the in-memory cache:

    # sss_cache --users
  4. After creating the first override using the sss_override user-add command, restart SSSD for the changes to take effect:

    # systemctl restart sssd

Verification

  • Verify that the local UID has been applied:

    # id -u <ldap_username>
  • Optional: Display the overrides for the user:

    # sss_override user-show <ldap_username>
    user@ldap.example.com::<local_uid>:::::

    Example 6.2. Overriding the LDAP UID of the user

    To override the LDAP UID of the user sarah with local UID 6666:

    1. Display the current UID of the LDAP user sarah:

      # id -u sarah
      1001
    2. Override the UID of the user sarah’s account with UID 6666:

      # sss_override user-add sarah -u 6666
    3. Manually expire the in-memory cache:

      # sss_cache --users
    4. Restart SSSD for the changes to take effect:

      # systemctl restart sssd
    5. Verify that the new UID is applied and overrides for the user display correctly:

      # id -u sarah
      6666
      
      # sss_override user-show sarah
      user@ldap.example.com::6666:::::

6.3. Overriding the LDAP GID attribute

As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are likely to be different from the values on the local system. You can override the LDAP GID attribute by defining a different GID with the following procedure.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  1. Display the current GID of the user:

    # id -g <ldap_username>

    Replace <ldap_username> with the name of the user.

  2. Override the GID of the user’s account:

    # sss_override user-add <ldap_username> -g <local_gid>

    Replace <ldap_username> with the name of the user and replace <local_gid> with the local GID number.

  3. Expire the in-memory cache:

    # sss_cache --users
  4. After creating the first override using the sss_override user-add command, restart SSSD for the changes to take effect:

    # systemctl restart sssd

Verification

  • Verify that the local GID is applied:

    # id -g <ldap_username>
  • Optional: Display the overrides for the user:

    # sss_override user-show <ldap_username>
    user@ldap.example.com:::6666::::

    Example 6.3. Overriding the LDAP GID of the user

    To override the GID of the user sarah with GID 6666:

    1. Display the current GID of the user sarah:

      # id -g sarah
      6003
    2. Override the GID of the user sarah’s account with GID 6666:

      # sss_override user-add sarah -g 6666
    3. Manually expire the in-memory cache:

      # sss_cache --users
    4. If this is your first override, restart SSSD for the changes to take effect:

      # systemctl restart sssd
    5. Verify that the new GID is applied and overrides for the user display correctly:

      # id -g sarah
      6666
      
      # sss_override user-show sarah
      user@ldap.example.com:::6666::::

6.4. Overriding the LDAP home directory attribute

As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP might be different from the values on the local system. You can override the LDAP home directory attribute by defining a different home directory.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  1. Display the current home directory of the user as stored locally:

    # getent passwd <ldap_username>
    <ldap_username>:x:XXXX:XXXX::/home/<home_directory>:/bin/bash

    Replace <ldap_username> with the name of the user. The output shows the home directory value as seen locally, which might be different from the LDAP record.

  2. Override the home directory of the user:

    # sss_override user-add <ldap_username> -h <new_home_directory>

    Replace <ldap_username> with the name of the user and replace <new_home_directory> with the new home directory.

  3. Restart SSSD for the changes to take effect:

    # systemctl restart sssd

Verification

  • Verify that the new home directory is defined:

    # getent passwd <ldap_username>
    <ldap_username>:x:XXXX:XXXX::/home/<new_home_directory>:/bin/bash
  • Optional: Display the overrides for the user:

    # sss_override user-show <ldap_username>
    user@ldap.example.com:::::::<new_home_directory>::

    Example 6.4. Overriding the home directory of the user

    To override the home directory of the user sarah with admin:

    1. Display the current home directory of the user sarah:

      # getent passwd sarah
      sarah:x:1001:6003::sarah:/bin/bash
    2. Override the home directory of the user sarah with the new home directory admin:

      # sss_override user-add sarah -h admin
    3. Restart SSSD for the changes to take effect:

      # systemctl restart sssd
    4. Verify that the new home directory is defined and overrides for the user display correctly:

      # getent passwd sarah
      sarah:x:1001:6003::admin:/bin/bash
      
      # sss_override user-show sarah
      user@ldap.example.com:::::::admin::

6.5. Overriding the LDAP shell attribute

As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are likely to be different from the values on the local system. You can override the LDAP shell attribute by defining a different shell.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  1. Display the current shell of the user as stored locally:

    # getent passwd <ldap_username>
    <ldap_username>:x:XXXX:XXXX::/home/<home_directory>:<currentshell>

    Replace <ldap_username> with the name of the user.

  2. Override the shell of the user:

    # sss_override user-add <ldap_username> -s <new_shell>

    Replace <ldap_username> with the name of the user and replace <new_shell> with the new shell.

  3. Restart SSSD for the changes to take effect:

    # systemctl restart sssd

Verification

  • Verify that the new shell is defined:

    # getent passwd <ldap_username>
    <ldap_username>:x:XXXX:XXXX::/home/<home_directory>:<new_shell>
  • Optional: Display the overrides for the user:

    # sss_override user-show <ldap_username>
    user@ldap.example.com::::::<new_shell>:

    Example 6.5. Overriding the shell of the user

    To change the shell of the user sarah from /bin/bash to /sbin/nologin:

    1. Display the current shell of the user sarah:

      # getent passwd sarah
      sarah:x:1001:6003::sarah:/bin/bash
    2. Override the shell of the user sarah with the new /sbin/nologin shell:

      # sss_override user-add sarah -s /sbin/nologin
    3. Restart SSSD for the changes to take effect:

      # systemctl restart sssd
    4. Verify that the new shell is defined and overrides for the user display correctly:

      # getent passwd sarah
      sarah:x:1001:6003::sarah:/sbin/nologin
      
      # sss_override user-show sarah
      user@ldap.example.com::::::/sbin/nologin:

6.6. Listing overrides on a host

As an administrator, you can list all user and group overrides on a host to verify that the correct attributes have been overridden.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  • List all user overrides:

    # sss_override user-find
    user1@ldap.example.com::8000::::/bin/zsh:
    user2@ldap.example.com::8001::::/bin/bash:
    ...
  • List all group overrides:

    # sss_override group-find
    group1@ldap.example.com::7000
    group2@ldap.example.com::7001
    ...
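
The user listing above can feed a review of which overrides change a user's effective identity on the host. The following shell function is an added example, not part of the original documentation: the function names, severity labels, the UID_MIN default of 1000 and the sample data are assumptions, and the field order is read off the sss_override user-find output shown above.

```shell
#!/bin/sh
# Added example: flag SSSD local overrides that change a user's effective identity.
# Assumed field order, read off the listing output on this page:
#   original_name:override_name:uid:gid:gecos:home:shell:certificate

# audit_overrides OVERRIDES_FILE PASSWD_FILE [UID_MIN]
# Prints one finding per line: "<severity> <user> <reason>".
audit_overrides() {
    awk -F: -v uid_min="${3:-1000}" '
        # PASSWD_FILE is read first: remember UIDs owned by local accounts.
        FILENAME == ARGV[1] { local_uid[$3] = $1; next }
        NF < 8 { next }    # skip blank lines and the "..." elision
        {
            user = $1; uid = $3; gid = $4; shell = $7
            if (uid == "0")
                print "HIGH " user " uid overridden to 0"
            else if (uid != "" && (uid in local_uid))
                print "HIGH " user " uid " uid " collides with local account " local_uid[uid]
            else if (uid != "" && uid + 0 < uid_min + 0)
                print "MEDIUM " user " uid " uid " is below UID_MIN " uid_min
            if (gid == "0")
                print "HIGH " user " gid overridden to 0"
            if (shell != "" && shell !~ /(nologin|false)$/)
                print "INFO " user " login shell overridden to " shell
        }
    ' "$2" "$1"
}

# Constructed sample data (not taken from a real host).
write_sample() {
    cat > "$1/overrides" <<'EOF'
user1@ldap.example.com::8000::::/bin/zsh:
user2@ldap.example.com::0:::::
user3@ldap.example.com::48:::::
user4@ldap.example.com::::::/sbin/nologin:
user5@ldap.example.com:::0::::
user6@ldap.example.com::200:::::
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
audit_overrides "$demo_dir/overrides" "$demo_dir/passwd"
rm -rf "$demo_dir"
```

On a host, pass it the saved output of sss_override user-find together with /etc/passwd.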

6.7. Removing a local override

You can remove a local override for a user or group defined in the global LDAP directory.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  • To remove the override for a user account, use:

    # sss_override user-del <local_username>

    Replace <local_username> with the name of the user. The changes take effect immediately.

  • To remove an override for a group, use:

    # sss_override group-del <group_name>
  • After removing the first override using the sss_override user-del or sss_override group-del command, restart SSSD for the changes to take effect:

    # systemctl restart sssd

When you remove overrides for a user or group, all overrides for this object are removed.

6.8. Exporting and importing local view

Your local overrides are stored in the local SSSD cache. You can export user and group overrides from this cache to a file to create a backup. This ensures that even if the cache is cleared, you can restore the configurations later.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  • To back up user and group view, use:

    # sss_override user-export /var/lib/sss/backup/sssd_user_overrides.bak
    # sss_override group-export /var/lib/sss/backup/sssd_group_overrides.bak
  • To restore user and group view, use:

    # sss_override user-import /var/lib/sss/backup/sssd_user_overrides.bak
    # sss_override group-import /var/lib/sss/backup/sssd_group_overrides.bak