Chapter 16. Identity: ID Views and Migrating Existing Environments to Trust
When the ipa-adtrust-install command is run on the IdM server, the Default Trust View is created. The Default Trust View is always applied to Active Directory users and groups, which allows the administrator to define POSIX attributes for AD users and groups regardless of how AD itself defined them. If you add a host-specific ID view that overrides the AD users or groups, the attributes from the host-specific ID view are applied on top of the Default Trust View. While the new ID view overrides the Default Trust View, the default view itself cannot be deleted. If no specific ID view is applied to a client, the Default Trust View always applies.
If ipa-adtrust-install is not run, you can still use the ID Views feature in a pure IdM environment to manage ID views and overrides for IdM users.
- Store POSIX attributes and SSH keys for AD users
  Define POSIX attributes or SSH keys and SSH login information for AD users, and let them be applied when an AD user authenticates to clients running SSSD with ID Views support, or when the AD user authenticates using a compat LDAP tree, which offers a simplified LDAP tree with user and group data for legacy clients. This capability is useful for migration from a synchronization-based solution, or in a situation where a Linux administrator would like to manually define POSIX attributes for AD users but the AD policy does not allow it.
- Migrate from a synchronization-based to a trust-based integration
  Configure the POSIX attributes for users that are in a synchronization-based environment by creating an ID view override specifying the previously used UID or other tools. Then move the users back to AD.
- Perform per-host group override of the IdM user POSIX attributes
  A NIS-based infrastructure that is being migrated to an IdM integration with AD still often requires that the original POSIX data remain unchanged on some NIS domains, or company policies might prevent setting the original POSIX data in AD directly. In these situations, you can use ID Views to configure the POSIX data directly on the Identity Management server.
- Set different POSIX attributes or SSH keys for different environments
  Set different POSIX attributes or different user SSH public keys for different production environments, such as development, testing, or production, depending on the corresponding host groups.
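The layering rules above, worked through as an added example that is not FreeIPA or SSSD code: a small resolver applies the Default Trust View to AD entries only, then the host's ID view on top of it, and rejects any attribute outside the overridable set from section 16.1. The users, the SID used as an override anchor, the view name dev_hosts and the SSH key are all constructed for the example.

```python
# Attributes a user override or a group override may set (section 16.1).
USER_OVERRIDE_ATTRS = {"uid", "uidNumber", "gidNumber", "loginShell",
                       "gecos", "homeDirectory", "ipaSshPubkey"}
GROUP_OVERRIDE_ATTRS = {"cn", "gidNumber"}
DEFAULT_TRUST_VIEW = "Default Trust View"


def resolve(entry, views, host_view, allowed):
    """Effective attributes of one entry (user or group) as seen from a host.

    entry carries 'source' ('AD' or 'IdM') and 'anchor' (the key its
    overrides are stored under); views is {view: {anchor: {attr: value}}}.
    """
    effective = {k: v for k, v in entry.items()
                 if k not in ("source", "anchor")}
    layers = []
    if entry["source"] == "AD":          # Default Trust View: AD entries only
        layers.append(DEFAULT_TRUST_VIEW)
    if host_view and host_view != DEFAULT_TRUST_VIEW:
        layers.append(host_view)         # applied on top of the default view
    for view in layers:
        override = views.get(view, {}).get(entry["anchor"], {})
        bad = set(override) - allowed
        if bad:  # only the attributes listed in 16.1 can be overridden
            raise ValueError(f"{view}: cannot override {sorted(bad)}")
        effective.update(override)
    return effective


# Constructed sample data: an AD user whose POSIX data cannot be set in AD,
# and an IdM user who only needs a different shell on development hosts.
AD_SID = "S-1-5-21-1111-2222-3333-1104"   # placeholder SID used as anchor
USERS = {
    "jdoe": {"source": "AD", "anchor": AD_SID, "uid": "jdoe@ad.example.com"},
    "alice": {"source": "IdM", "anchor": "alice", "uid": "alice",
              "uidNumber": 50001, "gidNumber": 50001,
              "loginShell": "/bin/bash"},
}
USER_VIEWS = {
    DEFAULT_TRUST_VIEW: {AD_SID: {"uidNumber": 10001, "gidNumber": 10001,
                                  "homeDirectory": "/home/jdoe",
                                  "loginShell": "/bin/bash"}},
    "dev_hosts": {AD_SID: {"loginShell": "/bin/zsh",
                           "ipaSshPubkey": "ssh-ed25519 AAAA...example jdoe"},
                  "alice": {"loginShell": "/bin/zsh"}},
}


def effective_user(login, host_view):
    # POSIX view of a user on a host that has the given ID view (or none).
    return resolve(USERS[login], USER_VIEWS, host_view, USER_OVERRIDE_ATTRS)
```

With no view assigned to the host, jdoe still receives the POSIX data from the Default Trust View, while alice is served unchanged from IdM.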
16.1. User Overrides and Group Overrides
A user override can set the following attributes:

- uid: user login name
- uidNumber: user UID number
- gidNumber: user GID number
- loginShell: user login shell
- gecos: user GECOS entry
- homeDirectory: user home directory
- ipaSshPubkey: user SSH public key or keys

A group override can set the following attributes:

- cn: group name
- gidNumber: group GID number