红帽全球峰会36.5. Using an ID view to override the login name of an IdM user on a specific host
Create an ID view for a specific IdM client that overrides a POSIX attribute value associated with a specific IdM user. The procedure uses the example of an ID view that enables an IdM user named idm_user to log in to an IdM client named client1 using the user_1234 login name.
Prerequisites
- You are logged in as IdM administrator.
Procedure
On the IdM server, create a new ID view. For example, to create an ID view named
example_for_client1:$ ipa idview-add example_for_client1 --------------------------- Added ID View "example_for_client1" --------------------------- ID View Name: example_for_client1Add a user override to the example_for_client1 ID view. To override the user login:
-
Enter the
ipa idoverrideuser-addcommand - Add the name of the ID view
- Add the user name, also called the anchor
Add the
--loginoption:$ ipa idoverrideuser-add example_for_client1 idm_user --login=user_1234 ----------------------------- Added User ID override "idm_user" ----------------------------- Anchor to override: idm_user User login: user_1234For a list of the available options, run
ipa idoverrideuser-add --help.注意The
ipa idoverrideuser-add --certificatecommand replaces all existing certificates for the account in the specified ID view. To append an additional certificate, use theipa idoverrideuser-add-certcommand instead:$ ipa idoverrideuser-add-cert example_for_client1 user --certificate="MIIEATCC..."
-
Enter the
-
Optional: Using the
ipa idoverrideuser-modcommand, you can specify new attribute values for an existing user override. Apply
example_for_client1to theclient1.idm.example.comhost:$ ipa idview-apply example_for_client1 --hosts=client1.idm.example.com ----------------------------- Applied ID View "example_for_client1" ----------------------------- hosts: client1.idm.example.com --------------------------------------------- Number of hosts the ID View was applied to: 1 ---------------------------------------------注意The
ipa idview-applycommand also accepts the--hostgroupsoption. The option applies the ID view to hosts that belong to the specified host group, but does not associate the ID view with the host group itself. Instead, the--hostgroupsoption expands the members of the specified host group and applies the--hostsoption individually to every one of them.This means that if a host is added to the host group in the future, the ID view does not apply to the new host.
To apply the new configuration to the IdM client system immediately:
SSH to the client system as root:
$ ssh root@client1 Password:On the IdM client, clear the SSSD cache:
# sss_cache -E- On the IdM client, restart the SSSD daemon:
# systemctl restart sssd
Verification
If you have the credentials of user_1234, you can use them to log in to the IdM client:
SSH to the client system using user_1234 as the login name:
# ssh user_1234@client1.idm.example.com Password: Last login: Sun Jun 21 22:34:25 2020 from 192.168.122.229 $On the client system, display the working directory:
$ pwd /home/idm_user/
Alternatively, if you have root credentials on the IdM client, you can use them to check the output of the
idcommand for idm_user and user_1234:# id idm_user uid=779800003(user_1234) gid=779800003(idm_user) groups=779800003(idm_user) # user_1234 uid=779800003(user_1234) gid=779800003(idm_user) groups=779800003(idm_user)
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}