Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

7.6. SSSD Client-side Views

SSSD enables you to create a client-side view to specify new values for POSIX user or group attributes. The view takes effect only on the local machine where the overrides are configured. You can configure client-side overrides for all id_provider values, except ipa. If you are using the ipa provider, define ID views centrally in IdM. See the corresponding section in the Linux Domain Identity, Authentication, and Policy Guide.
For information about a potential negative impact on the SSSD performance, see the corresponding section in the Linux Domain Identity, Authentication, and Policy Guide.

Note

After creating the first override using the sss_override user-add, sss_override group-add, or sss_override user-import command, restart SSSD for the changes to take effect:
# systemctl restart sssd

7.6.1. Defining a Different Attribute Value for a User Account

As an administrator, you configured an existing host to use accounts from LDAP. However, a user's new ID in LDAP is different from the user's previous ID on the local system. You can configure a client-side view to override the UID instead of changing the permissions on existing files.
To override the UID of the user account with UID 6666:
  1. Optional. Display the current UID of the user account:
    # id user
    uid=1241400014(user_name) gid=1241400014(user_name) Groups=1241400014(user_name)
  2. Override the account's UID with 6666:
    # sss_override user-add user -u 6666
  3. Wait until the in-memory cache has been expired. To expire it manually:
    # sss_cache --users
  4. Verify that the new UID is applied:
    # id user
    uid=6666(user_name) gid=1241400014(user_name) Groups=1241400014(user_name)
  5. Optional. Display the overrides for the user:
    # sss_override user-show user
    user@ldap.example.com::6666:::::
For a list of attributes you can override, list the command-line options by adding --help to the command:
# sss_override user-add --help

7.6.2. Listing All Overrides on a Host

As an administrator, you want to list all user and group overrides on a host to verify that the correct attributes are overridden.
To list all user overrides:
# sss_override user-find
user1@ldap.example.com::8000::::/bin/zsh:
user2@ldap.example.com::8001::::/bin/bash:
...
To list all group overrides:
# sss_override group-find
group1@ldap.example.com::7000
group2@ldap.example.com::7001
...

7.6.3. Removing a Local Override

You previously created an override for the shell of the user account, that is defined in the global LDAP directory. To remove the override for the account, run:
# sss_override user-del user
The changes take effect immediately.
To remove an override for a group, run:
# sss_override group-del group

Note

When you remove overrides for a user or group, all overrides for this object are removed.

7.6.4. Exporting and Importing Local Views

Client-side views are stored in the local SSSD cache. You can export user and group views from the cache to a file to create a backup. For example, when you remove the SSSD cache, you can restore the views later again.
To back up user and group views:
# sss_override user-export /var/lib/sss/backup/sssd_user_overrides.bak
# sss_override group-export /var/lib/sss/backup/sssd_group_overrides.bak
To restore user and group view:
# sss_override user-import /var/lib/sss/backup/sssd_user_overrides.bak
# sss_override group-import /var/lib/sss/backup/sssd_group_overrides.bak