ID views enable you to specify new values for POSIX user or group attributes, as well as to define on which client host or hosts the new values will apply.
Integration systems other than Identity Management (IdM) sometimes generate UID and GID values based on an algorithm different than the algorithm used in IdM. By overriding the previously generated values to make them compliant with the values used in IdM, a client that used to be a member of another integration system can be fully integrated with IdM.
You can use ID views in AD environments for the following purposes:
- Overriding AD User Attributes, such as POSIX Attributes or SSH Login Details
- Migrating from synchronization-based to trust-based integration
- Performing per-host group override of the IdM user attributes
8.1. Active Directory Default Trust View
The Default Trust View is the default ID view always applied to AD users and groups in trust-based setups. It is created automatically when you establish the trust using ipa-adtrust-install and cannot be deleted.
Using the Default Trust View, you can define custom POSIX attributes for AD users and groups, thus overriding the values defined in AD.
Table 8.1. Applying the Default Trust View
| Attribute | Values in AD | Default Trust View | Result |
|-----------|--------------|--------------------|--------|
| Login | ad_user | ad_user | ad_user |
| UID | 111 | 222 | 222 |
| GID | 111 | (no value) | 111 |
The Default Trust View only accepts overrides for AD users and groups, not for IdM users and groups. It is applied on the IdM server and on clients, and therefore only needs to provide overrides for Active Directory users and groups.
Overriding Default Trust View with Other ID Views
If another ID view applied to the host overrides the attribute values in the Default Trust View, IdM applies the values from the host-specific ID view on top of the Default Trust View:
- If an attribute is defined in the host-specific ID view, IdM applies the value from this view.
- If an attribute is not defined in the host-specific ID view, IdM applies the value from the Default Trust View.
The Default Trust View is always applied to IdM servers and replicas as well as to AD users and groups. You cannot assign a different ID view to them: they always apply the values from the Default Trust View.
Table 8.2. Applying a Host-Specific ID View on Top of the Default Trust View
| Attribute | Values in AD | Default Trust View | Host-Specific View | Result |
|-----------|--------------|--------------------|--------------------|--------|
| Login | ad_user | ad_user | (no value) | ad_user |
| UID | 111 | 222 | 333 | 333 |
| GID | 111 | (no value) | 333 | 333 |
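The layering rule behind Tables 8.1 and 8.2, written out as a small model (an added illustration, not IdM's own code). It assumes an ID view is a dict mapping a login to its overridden attributes, that a missing key means "(no value)", and that the caller supplies which logins are AD users and which hosts are IdM servers or replicas; the host name server.idm.example.com is a hypothetical placeholder.

```python
"""Model of how IdM resolves a user's attributes through ID views.

Added illustration for this chapter, not IdM code. Assumptions: an ID view
is a dict {login: {attribute: value}}, a missing attribute is "(no value)",
and the sets of AD users and IdM servers/replicas are supplied by the caller.
"""

DEFAULT_TRUST_VIEW = "Default Trust View"

# Constructed sample data, taken from Tables 8.1 and 8.2.
AD_VALUES = {"ad_user": {"login": "ad_user", "uid": 111, "gid": 111}}
AD_USERS = frozenset(AD_VALUES)
IDM_SERVERS = frozenset({"server.idm.example.com"})  # hypothetical host name


def add_override(view_name, view, user, attrs, *, ad_users=AD_USERS):
    """Record an override in `view`, enforcing the rule that the Default
    Trust View accepts overrides for AD users and groups only."""
    if view_name == DEFAULT_TRUST_VIEW and user not in ad_users:
        raise ValueError(f"{DEFAULT_TRUST_VIEW} cannot override non-AD user {user!r}")
    view.setdefault(user, {}).update(attrs)
    return view


def resolve(user, host, default_trust_view, host_view=None, *,
            ad_values=AD_VALUES, idm_servers=IDM_SERVERS):
    """Return the attributes `host` sees for `user`.

    Precedence, lowest to highest: values from AD, the Default Trust View,
    then the ID view applied to the host. An attribute a layer leaves
    undefined keeps the value from the layer below. IdM servers and replicas
    always use the Default Trust View alone, so a host view is ignored there.
    """
    resolved = dict(ad_values.get(user, {}))
    resolved.update(default_trust_view.get(user, {}))
    if host_view and host not in idm_servers:
        resolved.update(host_view.get(user, {}))
    return resolved


if __name__ == "__main__":
    dtv = add_override(DEFAULT_TRUST_VIEW, {}, "ad_user", {"uid": 222})
    print(resolve("ad_user", "client1.idm.example.com", dtv))  # Table 8.1 result
    hv = add_override("host_view", {}, "ad_user", {"uid": 333, "gid": 333})
    print(resolve("ad_user", "client1.idm.example.com", dtv, hv))  # Table 8.2 result
```

Running it on the IdM server name instead of a client shows the host view being ignored, which is the behaviour the last paragraph of 8.1 describes.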