Chapter 6. SSSD client-side view


SSSD provides the sss_override utility, which allows you to create a local view that displays values for POSIX user or group attributes that are specific to your local machine. You can configure overrides for all id_provider values, except ipa.

If you are using the ipa provider, define ID views centrally in IPA. For more information, see Using an ID view to override a user attribute value on an IdM client.

For information about a potential negative impact on the SSSD performance, see Potential negative impact of ID views on SSSD performance.

6.1. Overriding the LDAP username attribute

As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are likely to be different from the values on the local system. You can override the LDAP username attribute by defining a local username.

Prerequisites

  • root access
  • The sssd-tools package is installed

Procedure

  1. Display the current information for the user:

    # id <ldap_username>

    Replace <ldap_username> with the LDAP username of the user.

  2. Add the local username:

    # sss_override user-add <ldap_username> -n <local_username>

    Replace <ldap_username> with the LDAP username and replace <local_username> with the desired local username.

  3. After creating the first override using the sss_override user-add command, restart SSSD for the changes to take effect:

    # systemctl restart sssd

Verification

  • Verify that the local username is added:

    # id <local_username>
  • Optional. Display the overrides for the user:

    # sss_override user-show <ldap_username>
    user@ldap.example.com:<local_username>::::::

    Example 6.1. Defining a local username

    To add a local username sarah for the LDAP user sjones:

    1. Display the current information for the LDAP user sjones:

      # id sjones
      uid=1001(sjones) gid=6003 groups=6003,10(wheel)
    2. Add a local username sarah:

      # sss_override user-add sjones -n sarah
    3. Verify that the local username has been added and that the overrides for the user display correctly:

      # id sarah
      uid=1001(sjones) gid=6003(sjones) groups=6003(sjones),10(wheel)
      
      # sss_override user-show sjones
      user@ldap.example.com:sarah::::::

Additional resources

  • sss_override man page on your system

6.2. Overriding the LDAP UID attribute

As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are likely to be different from the values on the local system. You can override the LDAP UID attribute by defining a different UID with the following procedure.

Prerequisites

  • root access
  • The sssd-tools package is installed

Procedure

  1. Display the current UID of the user:

    # id -u <ldap_username>

    Replace <ldap_username> with the LDAP username of the user.

  2. Override the UID of the user’s account:

    # sss_override user-add <ldap_username> -u <local_uid>

    Replace <ldap_username> with the LDAP username of the user and replace <local_uid> with the new UID number.

  3. Expire the in-memory cache:

    # sss_cache --users
  4. After creating the first override using the sss_override user-add command, restart SSSD for the changes to take effect:

    # systemctl restart sssd

Verification

  • Verify that the local UID has been applied:

    # id -u <ldap_username>
  • Optional. Display the overrides for the user:

    # sss_override user-show <ldap_username>
    user@ldap.example.com::<local_uid>:::::

    Example 6.2. Overriding the LDAP UID of the user

    To override the LDAP UID of the user sarah with local UID 6666:

    1. Display the current UID of the LDAP user sarah:

      # id -u sarah
      1001
    2. Override the UID of the user sarah’s account with UID 6666:

      # sss_override user-add sarah -u 6666
    3. Manually expire the in-memory cache:

      # sss_cache --users
    4. Restart SSSD for the changes to take effect:

      # systemctl restart sssd
    5. Verify that the new UID is applied and overrides for the user display correctly:

      # id -u sarah
      6666
      
      # sss_override user-show sarah
      user@ldap.example.com::6666:::::

Additional resources

  • sss_override man page on your system

6.3. Overriding the LDAP GID attribute

As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are likely to be different from the values on the local system. You can override the LDAP GID attribute by defining a different GID with the following procedure.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  1. Display the current GID of the user:

    # id -g <ldap_username>

    Replace <ldap_username> with the name of the user.

  2. Override the GID of the user’s account:

    # sss_override user-add <ldap_username> -g <local_gid>

    Replace <ldap_username> with the name of the user and replace <local_gid> with the local GID number.

  3. Expire the in-memory cache:

    # sss_cache --users
  4. After creating the first override using the sss_override user-add command, restart SSSD for the changes to take effect:

    # systemctl restart sssd

Verification

  • Verify that the local GID is applied:

    # id -g <ldap_username>
  • Optional. Display the overrides for the user:

    # sss_override user-show <ldap_username>
    user@ldap.example.com:::6666::::

    Example 6.3. Overriding the LDAP GID of the user

    To override the GID of the user sarah with GID 6666:

    1. Display the current GID of the user sarah:

      # id -g sarah
      6003
    2. Override the GID of the user sarah’s account with GID 6666:

      # sss_override user-add sarah -g 6666
    3. Manually expire the in-memory cache:

      # sss_cache --users
    4. If this is your first override, restart SSSD for the changes to take effect:

      # systemctl restart sssd
    5. Verify that the new GID is applied and overrides for the user display correctly:

      # id -g sarah
      6666
      
      # sss_override user-show sarah
      user@ldap.example.com:::6666::::

Additional resources

  • sss_override man page on your system

6.4. Overriding the LDAP home directory attribute

As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP might be different from the values on the local system. You can override the LDAP home directory attribute by defining a different home directory.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  1. Display the current home directory of the user as stored locally:

    # getent passwd <ldap_username>
    <ldap_username>:x:XXXX:XXXX::/home/<home_directory>:/bin/bash

    Replace <ldap_username> with the name of the user. The output shows the home directory value as seen locally, which might be different from the LDAP record.

  2. Override the home directory of the user:

    # sss_override user-add <ldap_username> -h <new_home_directory>

    Replace <ldap_username> with the name of the user and replace <new_home_directory> with the new home directory.

  3. Restart SSSD for the changes to take effect:

    # systemctl restart sssd

Verification

  • Verify that the new home directory is defined:

    # getent passwd <ldap_username>
    <ldap_username>:x:XXXX:XXXX::/home/<new_home_directory>:/bin/bash
  • Optional. Display the overrides for the user:

    # sss_override user-show <ldap_username>
    user@ldap.example.com:::::<new_home_directory>::

    Example 6.4. Overriding the home directory of the user

    To override the home directory of the user sarah with admin:

    1. Display the current home directory of the user sarah:

      # getent passwd sarah
      sarah:x:1001:6003::sarah:/bin/bash
    2. Override the home directory of the user sarah with new home directory admin:

      # sss_override user-add sarah -h admin
    3. Restart SSSD for the changes to take effect:

      # systemctl restart sssd
    4. Verify that the new home directory is defined and overrides for the user display correctly:

      # getent passwd sarah
      sarah:x:1001:6003::admin:/bin/bash
      
      # sss_override user-show sarah
      user@ldap.example.com:::::admin::

Additional resources

  • sss_override man page on your system

6.5. Overriding the LDAP shell attribute

As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP are likely to be different from the values on the local system. You can override the LDAP shell attribute by defining a different shell.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  1. Display the current shell of the user as stored locally:

    # getent passwd <ldap_username>
    <ldap_username>:x:XXXX:XXXX::/home/<home_directory>:<currentshell>

    Replace <ldap_username> with the name of the user.

  2. Override the shell of the user:

    # sss_override user-add <ldap_username> -s <new_shell>

    Replace <ldap_username> with the name of the user and replace <new_shell> with the new shell.

  3. Restart SSSD for the changes to take effect:

    # systemctl restart sssd

Verification

  • Verify that the new shell is defined:

    # getent passwd <ldap_username>
    <ldap_username>:x:XXXX:XXXX::/home/<home_directory>:<new_shell>
  • Optional. Display the overrides for the user:

    # sss_override user-show <ldap_username>
    user@ldap.example.com::::::<new_shell>:

    Example 6.5. Overriding the shell of the user

    To change the shell of the user sarah from /bin/bash to /sbin/nologin:

    1. Display the current shell of the user sarah:

      # getent passwd sarah
      sarah:x:1001:6003::sarah:/bin/bash
    2. Override the shell of the user sarah with new /sbin/nologin shell:

      # sss_override user-add sarah -s /sbin/nologin
    3. Restart SSSD for the changes to take effect:

      # systemctl restart sssd
    4. Verify that the new shell is defined and overrides for the user display correctly:

      # getent passwd sarah
      sarah:x:1001:6003::sarah:/sbin/nologin
      
      # sss_override user-show sarah
      user@ldap.example.com::::::/sbin/nologin:

Additional resources

  • sss_override man page on your system

6.6. Listing overrides on a host

As an administrator, you can list all user and group overrides on a host to verify that the correct attributes have been overridden.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  • List all user overrides:

    # sss_override user-find
    user1@ldap.example.com::8000::::/bin/zsh:
    user2@ldap.example.com::8001::::/bin/bash:
    ...
  • List all group overrides:

    # sss_override group-find
    group1@ldap.example.com::7000
    group2@ldap.example.com::7001
    ...
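
The listing above is the natural audit point for overrides that change a user's privileges on this host. The following is an added example, not part of the original documentation: a hypothetical helper, audit_overrides, that reads user-find output and flags UID or GID overrides to 0, UID overrides that collide with a local account, UIDs below an assumed minimum of 1000, and home directories that are not absolute paths. The field layout is the one given in the sss_override man page; the sample data is constructed.

```shell
# Added example: flag risky entries in `sss_override user-find` output.
# Line format per sss_override(8):
#   original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate

# audit_overrides PASSWD_FILE [UID_MIN]  (hypothetical helper name)
# Reads override lines on stdin, prints one "SEVERITY user: reason" per finding.
audit_overrides() {
    # UID_MIN default of 1000 is an assumption; match it to /etc/login.defs.
    awk -F: -v pf="$1" -v uid_min="${2:-1000}" '
        BEGIN {
            while ((getline line < pf) > 0) {   # map each local UID to its owner
                split(line, f, ":")
                local_uid[f[3]] = f[1]
            }
        }
        NF != 8 { next }    # not an override line
        {
            user = $1; uid = $3; gid = $4; home = $6
            if (uid ~ /^[0-9]+$/) {
                if (uid + 0 == 0)
                    print "HIGH " user ": UID overridden to 0 (root)"
                else if (uid in local_uid)
                    print "HIGH " user ": UID " uid " collides with local account " local_uid[uid]
                else if (uid + 0 < uid_min + 0)
                    print "WARN " user ": UID " uid " is below " uid_min
            }
            if (gid ~ /^[0-9]+$/ && gid + 0 == 0)
                print "HIGH " user ": GID overridden to 0 (root group)"
            if (home != "" && home !~ /^\//)
                print "WARN " user ": home \"" home "\" is not an absolute path"
        }
    '
}

# Constructed sample data (not from a real host).
sample_overrides() {
    printf '%s\n' 'user1@ldap.example.com::8000::::/bin/zsh:' \
        'user2@ldap.example.com::0:::::' \
        'user3@ldap.example.com::1001:::::' \
        'user4@ldap.example.com:::0::admin::'
}
sample_passwd() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'localadmin:x:1001:1001::/home/localadmin:/bin/bash'
}

demo_passwd=$(mktemp)
sample_passwd > "$demo_passwd"
sample_overrides | audit_overrides "$demo_passwd"
rm -f "$demo_passwd"
```

On a real host, run it as: sss_override user-find | audit_overrides /etc/passwd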

6.7. Removing a local override

You can remove a local override that is defined in the global LDAP directory.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  • To remove the override for a user account, use:

    # sss_override user-del <local_username>

    Replace <local_username> with the name of the user. The changes take effect immediately.

  • To remove an override for a group, use:

    # sss_override group-del <group_name>
  • After removing the first override using the sss_override user-del or sss_override group-del command, restart SSSD for the changes to take effect:

    # systemctl restart sssd

When you remove overrides for a user or group, all overrides for this object are removed.

6.8. Exporting and importing local view

Your local overrides are stored in the local SSSD cache. You can export user and group overrides from this cache to a file to create a backup. This ensures that even if the cache is cleared, you can restore the configurations later.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  • To back up user and group view, use:

    # sss_override user-export /var/lib/sss/backup/sssd_user_overrides.bak
    # sss_override group-export /var/lib/sss/backup/sssd_group_overrides.bak
  • To restore user and group view, use:

    # sss_override user-import /var/lib/sss/backup/sssd_user_overrides.bak
    # sss_override group-import /var/lib/sss/backup/sssd_group_overrides.bak

© 2024 Red Hat, Inc.