Chapter 8. Using ID Views in Active Directory Environments

ID views enable you to specify new values for POSIX user or group attributes, as well as to define on which client host or hosts the new values will apply.
Integration systems other than Identity Management (IdM) sometimes generate UID and GID values based on an algorithm different from the one used in IdM. By overriding the previously generated values to make them consistent with the values used in IdM, a client that used to be a member of another integration system can be fully integrated with IdM.

Note

This chapter only describes ID views functionality related to Active Directory (AD). For general information about ID views, see the Linux Domain Identity, Authentication, and Policy Guide.
You can use ID views in AD environments for the following purposes:
  • Overriding AD user attributes, such as POSIX attributes or SSH login details
  • Migrating from synchronization-based to trust-based integration
  • Performing per-host group override of the IdM user attributes

8.1. Active Directory Default Trust View

8.1.1. What Is the Default Trust View

The Default Trust View is the default ID view always applied to AD users and groups in trust-based setups. It is created automatically when you establish the trust using ipa-adtrust-install and cannot be deleted.
Using the Default Trust View, you can define custom POSIX attributes for AD users and groups, thus overriding the values defined in AD.

Table 8.1. Applying the Default Trust View

Attribute   Values in AD   Default Trust View   Result
Login       ad_user        ad_user              ad_user
UID         111            222                  222
GID         111            (no value)           111

Note

The Default Trust View only accepts overrides for AD users and groups, not for IdM users and groups. It is applied on the IdM server and on clients, and therefore only needs to provide overrides for Active Directory users and groups.

8.1.2. Overriding the Default Trust View with Other ID Views

If another ID view applied to the host overrides the attribute values in the Default Trust View, IdM applies the values from the host-specific ID view on top of the Default Trust View.
  • If an attribute is defined in the host-specific ID view, IdM applies the value from this view.
  • If an attribute is not defined in the host-specific ID view, IdM applies the value from the Default Trust View.
The Default Trust View is always applied to IdM servers and replicas as well as to AD users and groups. You cannot assign a different ID view to them: they always apply the values from the Default Trust View.

Table 8.2. Applying a Host-Specific ID View on Top of the Default Trust View

Attribute   Values in AD   Default Trust View   Host-Specific View   Result
Login       ad_user        ad_user              (no value)           ad_user
UID         111            222                  333                  333
GID         111            (no value)           333                  333
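The precedence rules in Section 8.1.1 and Section 8.1.2 are easy to get wrong when a view leaves an attribute empty, so the following added example models them in plain Python. It is not IdM's or SSSD's code: the view dictionaries, the "source" field, the hostnames and the helper names are constructed for the illustration. It reproduces the Result columns of Tables 8.1 and 8.2, and also shows the two caveats stated in the text: the Default Trust View is never applied to IdM users, and a host-specific view is ignored on IdM servers and replicas.

```python
# Added illustration of ID view precedence (Tables 8.1 and 8.2).
# Not IdM's own implementation: views are modelled as dicts, and None
# stands for "(no value)" in the tables. All sample data is constructed.

NO_VALUE = None  # models "(no value)"


def apply_view(values, view):
    """Overlay one ID view: attributes the view defines replace the current
    value; attributes with no value in the view leave the current value alone."""
    result = dict(values)
    for attr, override in view.items():
        if override is not NO_VALUE:
            result[attr] = override
    return result


def resolve(identity, default_trust_view, host=None, host_view=None, idm_servers=()):
    """Return the POSIX attributes a client on `host` sees for `identity`.

    identity: dict with a "source" key ("ad" or "idm") plus the stored attributes.
    Rules modelled from the chapter:
      1. The Default Trust View applies only to AD users and groups.
      2. A host-specific ID view is applied on top of the Default Trust View.
      3. IdM servers and replicas always use the Default Trust View only.
    """
    attrs = {k: v for k, v in identity.items() if k != "source"}
    if identity["source"] == "ad":
        attrs = apply_view(attrs, default_trust_view)
    if host_view is not None and host not in idm_servers:
        attrs = apply_view(attrs, host_view)
    return attrs


# Constructed sample data mirroring the two tables
AD_USER = {"source": "ad", "login": "ad_user", "uid": 111, "gid": 111}
DEFAULT_TRUST_VIEW = {"login": "ad_user", "uid": 222, "gid": NO_VALUE}
HOST_VIEW = {"login": NO_VALUE, "uid": 333, "gid": 333}
IDM_SERVERS = {"server.example.com", "replica.example.com"}  # constructed hostnames


def table_8_1():
    """Default Trust View alone (Table 8.1, Result column)."""
    return resolve(AD_USER, DEFAULT_TRUST_VIEW)


def table_8_2(host="client.example.com"):
    """Host-specific view on top of the Default Trust View (Table 8.2)."""
    return resolve(AD_USER, DEFAULT_TRUST_VIEW, host=host,
                   host_view=HOST_VIEW, idm_servers=IDM_SERVERS)


if __name__ == "__main__":
    print("Table 8.1 result:", table_8_1())
    print("Table 8.2 result on a client:", table_8_2())
    print("Same host view on an IdM server:", table_8_2("server.example.com"))
```

Running the script shows the Table 8.2 GID resolving to 333 even though the Default Trust View has no GID override, and the same host view being ignored on server.example.com, where only the Default Trust View values (UID 222, GID 111) come through.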

8.1.3. ID Overrides on Clients Based on the Client Version

The IdM masters always apply ID overrides from the Default Trust View, regardless of how IdM clients retrieve the values: using SSSD or using Schema Compatibility tree requests.
However, the availability of ID overrides from host-specific ID views is limited:
  • Legacy clients: RHEL 6.3 and earlier (SSSD 1.8 and earlier)
    The clients can request a specific ID view to be applied. To use a host-specific ID view on a legacy client, change the base DN on the client to cn=id_view_name,cn=views,cn=compat,dc=example,dc=com, where id_view_name is the name of the ID view and dc=example,dc=com is the base DN of the IdM domain.
  • RHEL 6.4 to 7.0 (SSSD 1.9 to 1.11)
    Host-specific ID views on the clients are not supported.
  • RHEL 7.1 and later (SSSD 1.12 and later)
    Full support.