18.3. Defining a Different Attribute Value for a User Account on Different Hosts

An administrator can create multiple ID views that override an attribute value used by a user account and apply these ID views to different client hosts. Example: A service account is configured to use different SSH public keys when authenticating on different hosts.
This section includes the following procedures:
The procedures show how to create an ID view for a client host named host1.example.com. To override the attribute values on the other hosts as well, use the procedures to create multiple ID views, one for each host.
In the following procedures:
  • user is the user account whose attribute needs to be overridden
  • host1.example.com is the host on which the ID view will be applied

Important

After you create a new ID view, restart SSSD on all clients where the ID view is applied.
If the new ID view changes a UID or GID, clear the SSSD cache on these clients as well.

18.3.1. Web UI: Overriding an Attribute Value for a Specific Host

Before managing ID views, log in to the IdM web UI as a user with the required privileges, such as admin.

Creating a New ID View

  1. Under the Identity tab, select the ID Views subtab.
  2. Click Add and provide a name for the ID view.
    Adding an ID View

    Figure 18.1. Adding an ID View

  3. Click Add to confirm.
The new ID view is now displayed in the list of ID views.
List of ID Views

Figure 18.2. List of ID Views

Adding a User Override to the ID View

  1. In the list of ID views, click the name of the ID view.
    Editing an ID View

    Figure 18.3. Editing an ID View

  2. Under the Users tab, click Add to add the user override.
  3. Select the user account whose attribute value to override, and click Add.
The user override is now displayed on the example_for_host1 ID view page.
List of Overrides

Figure 18.4. List of Overrides

Specifying the Attribute to Override

  1. Click the override that you want to use to change the attribute value.
    Editing an Override

    Figure 18.5. Editing an Override

  2. Define the new value for the attribute.
    For example, to override the SSH public key used by the user account:
    1. Click SSH public keys: Add.
      Adding an SSH Public Key

      Figure 18.6. Adding an SSH Public Key

    2. Paste in the public key.

    Note

    For details on adding SSH keys to IdM, see Section 22.5, “Managing Public SSH Keys for Users”.
  3. Click Save to update the override.

Applying the ID View to a Specific Host

  1. In the list of ID views, click the name of the ID view.
    Editing an ID View

    Figure 18.7. Editing an ID View

  2. Under the Hosts tab, click Apply to hosts.
  3. Select the host1.example.com host, and move it to the Prospective column.
  4. Click Apply.
The host is now displayed in the list of hosts to which the ID view applies.
Listing Hosts to Which an ID View Applies

Figure 18.8. Listing Hosts to Which an ID View Applies

18.3.2. Command Line: Overriding an Attribute Value for a Specific Host

Before managing ID views, request a ticket for a user with the required privileges. For example: 
$ kinit admin
  1. Create a new ID view. For example, the create an ID view named example_for_host1: 
    $ ipa idview-add example_for_host1
---------------------------
Added ID View "example_for_host1"
---------------------------
  ID View Name: example_for_host1
  2. Add a user override to the example_for_host1 ID view. The ipa idoverrideuser-add command requires the name of the ID view and the user to override.
    • To specify the new attribute value, add the corresponding command-line option as well. For a list of the available options, run ipa idoverrideuser-add --help. For example, use the --sshpubkey option to override the SSH public key value: 
      $ ipa idoverrideuser-add example_for_host1 user --sshpubkey="ssh-rsa AAAAB3NzaC1yrRqFE...gWRL71/miPIZ user@example.com"
-----------------------------
Added User ID override "user"
-----------------------------
  Anchor to override: user
  SSH public key: ssh-rsa
                  AAAB3NzaC1yrRqFE...gWRL71/miPIZ
		  user@example.com

      Note

      For details on adding SSH keys to IdM, see Section 22.5, “Managing Public SSH Keys for Users”.
    • The ipa idoverrideuser-add --certificate command replaces all existing certificates for the account in the specified ID view. To append an additional certificate, use the ipa idoverrideuser-add-cert command instead: 
      $ ipa idoverrideuser-add-cert example_for_host1 user --certificate="MIIEATCC..."
    • Using the ipa idoverrideuser-mod command, you can also specify new attribute values for an existing user override.
    • Use the ipa idoverrideuser-del command to delete a user override.

      Note

      If you use this command to delete SSH keys overrides, it does not delete the SSH keys from the cache immediately. With the default cache timeout value (entry_cache_timeout = 5400), the keys remain in cache for one and a half hours.
  3. Apply example_for_host1 to the host1.example.com host: 
    $ ipa idview-apply example_for_host1 --hosts=host1.example.com
-----------------------------
Applied ID View "example_for_host1"
-----------------------------
hosts: host1.example.com
---------------------------------------------
Number of hosts the ID View was applied to: 1
---------------------------------------------

    Note

    The ipa idview-apply command also accepts the --hostgroups option. The option applies the ID view to hosts that belong to the specified host group, but does not associate the ID view with the host group itself. Instead, the --hostgroups option expands the members of the specified host group and applies the --hosts option individually to every one of them.