ID views enable you to specify new values for POSIX user or group attributes, as well as to define on which client host or hosts the new values will apply.
Integration systems other than Identity Management (IdM) sometimes generate UID and GID values with a different algorithm from the one used in IdM. By overriding the previously generated values so that they match the values used in IdM, a client that used to be a member of another integration system can be fully integrated with IdM.
8.1. Active Directory Default Trust View
The Default Trust View is the default ID view always applied to AD users and groups in trust-based setups. It is created automatically when you set up the trust using ipa-adtrust-install and cannot be deleted.
Using the Default Trust View, you can define custom POSIX attributes for AD users and groups, thus overriding the values defined in AD.
Table 8.1. Applying the Default Trust View
| Attribute | Values in AD | Default Trust View | Result |
| --- | --- | --- | --- |
| Login | ad_user | ad_user | ad_user |
| UID | 111 | 222 | 222 |
| GID | 111 | (no value) | 111 |
The Default Trust View accepts overrides only for AD users and groups, not for IdM users and groups. It is applied on IdM servers and clients alike, so it only needs to provide overrides for Active Directory users and groups.
Overriding Default Trust View with Other ID Views
If another ID view applied to the host overrides the attribute values in the Default Trust View, IdM applies the values from the host-specific ID view on top of the Default Trust View.
If an attribute is defined in the host-specific ID view, IdM applies the value from this view.
If an attribute is not defined in the host-specific ID view, IdM applies the value from the Default Trust View.
The Default Trust View is always applied to IdM servers and replicas as well as to AD users and groups. You cannot assign a different ID view to them: they always apply the values from the Default Trust View.
Table 8.2. Applying a Host-Specific ID View on Top of the Default Trust View
| Attribute | Values in AD | Default Trust View | Host-Specific View | Result |
| --- | --- | --- | --- | --- |
| Login | ad_user | ad_user | (no value) | ad_user |
| UID | 111 | 222 | 333 | 333 |
| GID | 111 | (no value) | 333 | 333 |
Default Trust View on Clients with Earlier Versions of IdM
Clients running IdM versions earlier than Red Hat Enterprise Linux 7.1 only see the Default Trust View, because ID views are applied on the client side. If you need a client to apply a different ID view, update SSSD on the client to a version with ID views support or have the client use the compat LDAP tree.
The compat LDAP tree offers a simplified LDAP tree with user and group data for legacy clients.
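The precedence rules above (the Default Trust View overriding AD values for AD users only, a host-specific ID view layered on top attribute by attribute, servers and replicas always using the Default Trust View, and legacy SSSD clients seeing only the Default Trust View) can be checked against Tables 8.1 and 8.2 with the following model. This is an added example, not code from IdM or SSSD; the host names, the AD domain, the user records and the "Host View" name are constructed sample data.

```python
"""Model of IdM ID view precedence (added example, not IdM or SSSD code)."""
from dataclasses import dataclass, field

ATTRS = ("login", "uid", "gid")
DEFAULT_TRUST_VIEW = "Default Trust View"


@dataclass
class IdView:
    name: str
    # user anchor -> {attribute: overridden value}; a missing attribute means no override
    user_overrides: dict = field(default_factory=dict)


@dataclass
class Deployment:
    views: dict = field(default_factory=dict)          # view name -> IdView
    host_views: dict = field(default_factory=dict)     # host -> applied view name
    servers: set = field(default_factory=set)          # IdM servers and replicas
    legacy_clients: set = field(default_factory=set)   # SSSD without ID view support

    def __post_init__(self):
        # The Default Trust View always exists (created by ipa-adtrust-install).
        self.views.setdefault(DEFAULT_TRUST_VIEW, IdView(DEFAULT_TRUST_VIEW))

    def add_view(self, name):
        self.views[name] = IdView(name)

    def delete_view(self, name):
        if name == DEFAULT_TRUST_VIEW:
            raise ValueError("the Default Trust View cannot be deleted")
        self.views.pop(name)
        self.host_views = {h: v for h, v in self.host_views.items() if v != name}

    def add_user_override(self, view_name, user, **values):
        """Register overrides; the Default Trust View accepts AD users only."""
        if view_name == DEFAULT_TRUST_VIEW and user["source"] != "ad":
            raise ValueError("Default Trust View only takes overrides for AD users")
        unknown = set(values) - set(ATTRS)
        if unknown:
            raise ValueError(f"unsupported attributes: {sorted(unknown)}")
        self.views[view_name].user_overrides.setdefault(user["anchor"], {}).update(values)

    def apply_view(self, view_name, host):
        """Assign a host-specific view; servers and replicas cannot take one."""
        if host in self.servers:
            raise ValueError("servers and replicas always use the Default Trust View")
        self.host_views[host] = self.views[view_name].name

    def effective_view(self, host):
        """The ID view a host evaluates on top of the Default Trust View."""
        if host in self.servers or host in self.legacy_clients:
            return DEFAULT_TRUST_VIEW   # legacy SSSD only sees the Default Trust View
        return self.host_views.get(host, DEFAULT_TRUST_VIEW)

    def resolve(self, user, host):
        """Return the POSIX attributes a client would present for user on host."""
        result = {attr: user[attr] for attr in ATTRS}   # values from AD (or IdM)
        layers = []
        if user["source"] == "ad":
            layers.append(DEFAULT_TRUST_VIEW)            # applied everywhere for AD users
        view = self.effective_view(host)
        if view != DEFAULT_TRUST_VIEW:
            layers.append(view)                          # wins attribute by attribute
        for name in layers:
            overrides = self.views[name].user_overrides.get(user["anchor"], {})
            for attr in ATTRS:
                if attr in overrides:
                    result[attr] = overrides[attr]
        return result


# Constructed sample records: the AD user of Tables 8.1 and 8.2, plus an IdM user.
AD_USER = {"anchor": "ad_user@ad.example.com", "source": "ad",
           "login": "ad_user", "uid": 111, "gid": 111}
IDM_USER = {"anchor": "idm_user", "source": "idm",
            "login": "idm_user", "uid": 5000, "gid": 5000}


def build_example():
    """Reproduce the deployment behind Tables 8.1 and 8.2 (constructed hosts)."""
    d = Deployment(servers={"server.idm.example.com"},
                   legacy_clients={"legacy.idm.example.com"})
    d.add_user_override(DEFAULT_TRUST_VIEW, AD_USER, uid=222)        # Table 8.1
    d.add_view("Host View")
    d.add_user_override("Host View", AD_USER, uid=333, gid=333)      # Table 8.2
    d.apply_view("Host View", "client.idm.example.com")
    d.apply_view("Host View", "legacy.idm.example.com")             # ignored by old SSSD
    return d


if __name__ == "__main__":
    deployment = build_example()
    for host in ("server.idm.example.com", "client.idm.example.com",
                 "legacy.idm.example.com"):
        print(host, deployment.resolve(AD_USER, host))
```

On a real IdM server the same overrides are created with `ipa idoverrideuser-add 'Default Trust View' ad_user@ad.example.com --uid=222`, `ipa idview-add 'Host View'`, `ipa idoverrideuser-add 'Host View' ad_user@ad.example.com --uid=333 --gidnumber=333` and `ipa idview-apply 'Host View' --hosts=client.idm.example.com`; the model only reproduces how the resulting values are combined.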