Chapter 8. Using ID Views in Active Directory Environments

ID views enable you to specify new values for POSIX user or group attributes, as well as to define on which client host or hosts the new values will apply.
Integration systems other than Identity Management (IdM) sometimes generate UID and GID values based on an algorithm different from the one used in IdM. By overriding the previously generated values to make them compliant with the values used in IdM, a client that used to be a member of another integration system can be fully integrated with IdM.

Note

This chapter only describes ID views functionality related to Active Directory (AD). For general information about ID views, see the Linux Domain Identity, Authentication, and Policy Guide.

You can use ID views in AD environments for the following purposes:
  • Overriding AD user attributes, such as POSIX attributes or SSH login details
  • Migrating from synchronization-based to trust-based integration
  • Performing per-host group override of the IdM user attributes

8.1. Active Directory Default Trust View

The Default Trust View is the default ID view always applied to AD users and groups in trust-based setups. It is created automatically when you establish the trust using ipa-adtrust-install and cannot be deleted.
Using the Default Trust View, you can define custom POSIX attributes for AD users and groups, thus overriding the values defined in AD.

Table 8.1. Applying the Default Trust View

Attribute   Values in AD   Default Trust View   Result
Login       ad_user        ad_user              ad_user
UID         111            222                  222
GID         111            (no value)           111

Note

The Default Trust View only accepts overrides for AD users and groups, not for IdM users and groups. It is applied on the IdM server and clients and therefore only needs to provide overrides for Active Directory users and groups.

Overriding Default Trust View with Other ID Views

If another ID view applied to the host overrides the attribute values in the Default Trust View, IdM applies the values from the host-specific ID view on top of the Default Trust View.
  • If an attribute is defined in the host-specific ID view, IdM applies the value from this view.
  • If an attribute is not defined in the host-specific ID view, IdM applies the value from the Default Trust View.
The Default Trust View is always applied to IdM servers and replicas as well as to AD users and groups. You cannot assign a different ID view to them: they always apply the values from the Default Trust View.

Table 8.2. Applying a Host-Specific ID View on Top of the Default Trust View

Attribute   Values in AD   Default Trust View   Host-Specific View   Result
Login       ad_user        ad_user              (no value)           ad_user
UID         111            222                  333                  333
GID         111            (no value)           333                  333
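The precedence shown in Tables 8.1 and 8.2, together with the rule that IdM servers and replicas only ever apply the Default Trust View, can be modelled in a few lines. This is an added example, not code from the Red Hat documentation or from IdM itself; the IdView class, the resolve function, the host role names and the attribute names are assumptions chosen to mirror the tables.

```python
"""Resolve the POSIX attributes a host sees for one AD user (added example).

Precedence, lowest to highest: values from AD, the Default Trust View, then a
host-specific ID view. IdM servers and replicas ignore host-specific views.
"""
from dataclasses import dataclass, field

# Host roles that always apply only the Default Trust View (assumed names).
SERVER_ROLES = {"server", "replica"}


@dataclass
class IdView:
    """One ID view: a name plus per-user overrides keyed by the AD login."""
    name: str
    # {"ad_user": {"uid": 222, "gid": 222, ...}}
    user_overrides: dict = field(default_factory=dict)


def resolve(ad_attrs, default_trust_view, host_role, host_view=None):
    """Return the effective attributes for the user described by ad_attrs.

    ad_attrs holds the values taken from AD, e.g.
    {"login": "ad_user", "uid": 111, "gid": 111}. An attribute absent from
    a view ("(no value)" in the tables) falls through to the next lower layer.
    """
    login = ad_attrs["login"]
    result = dict(ad_attrs)
    # Layer 1: the Default Trust View overrides AD values on every host.
    result.update(default_trust_view.user_overrides.get(login, {}))
    # Layer 2: a host-specific view applies only on ordinary clients.
    if host_view is not None and host_role not in SERVER_ROLES:
        result.update(host_view.user_overrides.get(login, {}))
    return result


# Constructed sample data mirroring Tables 8.1 and 8.2.
AD_VALUES = {"login": "ad_user", "uid": 111, "gid": 111}
DEFAULT_TRUST_VIEW = IdView("Default Trust View", {"ad_user": {"uid": 222}})
HOST_VIEW = IdView("host_view", {"ad_user": {"uid": 333, "gid": 333}})

if __name__ == "__main__":
    print("client, Default Trust View only:",
          resolve(AD_VALUES, DEFAULT_TRUST_VIEW, "client"))
    print("client, host view on top:       ",
          resolve(AD_VALUES, DEFAULT_TRUST_VIEW, "client", HOST_VIEW))
    print("replica, host view ignored:     ",
          resolve(AD_VALUES, DEFAULT_TRUST_VIEW, "replica", HOST_VIEW))
```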

Default Trust View on Clients with Earlier Versions of IdM

Clients running IdM versions earlier than Red Hat Enterprise Linux 7.1 only see the Default Trust View, because ID views are applied on the client side. If you need a client to apply a different ID view, update SSSD on the client to a version with ID views support or have the client use the compat LDAP tree.

Note

The compat LDAP tree offers a simplified LDAP tree with user and group data for legacy clients.