Chapter 4. SSSD Client-side View

SSSD provides the sss_override utility, which allows you to create a local view: values for POSIX user or group attributes (a user's name, UID, GID, home directory, and shell; a group's name and GID) that apply only to the local machine and take precedence over the values the identity provider returns. You can configure overrides for all id_provider values except ipa.

If you are using the ipa provider, define ID views centrally in IPA. For more information, see the ID Views section.

Overrides are stored in the local SSSD cache and are applied by SSSD on this host only. Because an override replaces the UID, GID, or shell that the directory publishes for an account, anyone who can run sss_override on the host can change what a directory account is allowed to do there. Treat the local view as privileged host configuration: restrict who has root access, and review the overrides with sss_override user-find and sss_override group-find as part of host audits.

For information about a potential negative impact on SSSD performance, see the Potential Negative Impact on SSSD Performance section.

4.1. Overriding the LDAP username attribute

As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP may differ from the values that the local system expects. You can override the LDAP username attribute by defining a secondary username with the following procedure.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  1. Display the current information for the user:

    # id username

    Replace username with the name of the user.

  2. Add the secondary username:

    # sss_override user-add username -n secondary-username

    Replace username with the name of the user and replace secondary-username with the new username.

  3. After creating the first override using the sss_override user-add command, restart SSSD for the changes to take effect:

    # systemctl restart sssd

Verification steps

  • Verify that the new username is added:

    # id secondary-username
  • Optional. Display the overrides for the user:

    # sss_override user-show username
    user@ldap.example.com:secondary-username::::::

    Example 4.1. Defining a secondary username

    To add a secondary username sarah for the user sjones:

    1. Display the current information for the user sjones:

      # id sjones
      uid=1001(sjones) gid=6003 groups=6003,10(wheel)
    2. Add the secondary username:

      # sss_override user-add sjones -n sarah
    3. Verify that the new username has been added and overrides for the user display correctly:

      # id sarah
      uid=1001(sjones) gid=6003(sjones) groups=6003(sjones),10(wheel)
      
      # sss_override user-show sjones
      user@ldap.example.com:sarah::::::

Additional resources

  • sss_override man page

4.2. Overriding the LDAP UID attribute

As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP may differ from the values that the local system expects. You can override the LDAP UID attribute by defining a different UID with the following procedure. Choose the new UID with care: files on the local disk that belong to the old UID stay owned by it, and an override to a UID that a local account already uses gives the directory account full access to that local account's files on this host.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  1. Display the current UID of the user:

    # id -u user-name

    Replace user-name with the name of the user.

  2. Override the UID of the user’s account:

    # sss_override user-add user-name -u new-UID

    Replace user-name with the name of the user and replace new-UID with the new UID number.

  3. Expire the in-memory cache:

    # sss_cache --users
  4. After creating the first override using the sss_override user-add command, restart SSSD for the changes to take effect:

    # systemctl restart sssd

Verification steps

  • Verify that the new UID has been applied:

    # id -u user-name
  • Optional. Display the overrides for the user:

    # sss_override user-show user-name
    user@ldap.example.com::new-UID:::::

    Example 4.2. Overriding the UID of the user

    To override the UID of the user sarah with UID 6666:

    1. Display the current UID of the user sarah:

      # id -u sarah
      1001
    2. Override the UID of the user sarah's account with UID 6666:

      # sss_override user-add sarah -u 6666
    3. Manually expire the in-memory cache:

      # sss_cache --users
    4. Restart SSSD for the changes to take effect:

      # systemctl restart sssd
    5. Verify that the new UID is applied and overrides for the user display correctly:

      # id -u sarah
      6666
      
      # sss_override user-show sarah
      user@ldap.example.com::6666:::::

Additional resources

  • sss_override man page

4.3. Overriding the LDAP GID attribute

As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP may differ from the values that the local system expects. You can override the LDAP GID attribute by defining a different GID with the following procedure. Choose the new GID with care: an override to the GID of a privileged local group, such as wheel, grants that group's permissions on this host.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  1. Display the current GID of the user:

    # id -g user-name

    Replace user-name with the name of the user.

  2. Override the GID of the user’s account:

    # sss_override user-add user-name -g new-GID

    Replace user-name with the name of the user and replace new-GID with the new GID number.

  3. Expire the in-memory cache:

    # sss_cache --users
  4. After creating the first override using the sss_override user-add command, restart SSSD for the changes to take effect:

    # systemctl restart sssd

Verification steps

  • Verify that the new GID is applied:

    # id -g user-name
  • Optional. Display the overrides for the user:

    # sss_override user-show user-name
    user@ldap.example.com:::new-GID::::

    Example 4.3. Overriding the GID of the user

    To override the GID of the user sarah with GID 6666:

    1. Display the current GID of the user sarah:

      # id -g sarah
      6003
    2. Override the GID of the user sarah's account with GID 6666:

      # sss_override user-add sarah -g 6666
    3. Manually expire the in-memory cache:

      # sss_cache --users
    4. If this is your first override, restart SSSD for the changes to take effect:

      # systemctl restart sssd
    5. Verify that the new GID is applied and overrides for the user display correctly:

      # id -g sarah
      6666
      
      # sss_override user-show sarah
      user@ldap.example.com:::6666::::

Additional resources

  • sss_override man page

4.4. Overriding the LDAP home directory attribute

As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP may differ from the values that the local system expects. You can override the LDAP home directory attribute by defining a different home directory with the following procedure. The override changes only the value that SSSD returns in the passwd entry; the directory itself must exist on the host and be owned by the user.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  1. Display the current home directory of the user:

    # getent passwd user-name
    user-name:x:XXXX:XXXX::/home/home-directory:/bin/bash

    Replace user-name with the name of the user.

  2. Override the home directory of the user:

    # sss_override user-add user-name -h new-home-directory

    Replace user-name with the name of the user and replace new-home-directory with the absolute path of the new home directory, for example /home/sarah. The value is returned in the home directory field exactly as given, so a relative path produces an unusable home directory.

  3. Restart SSSD for the changes to take effect:

    # systemctl restart sssd

Verification steps

  • Verify that the new home directory is defined:

    # getent passwd user-name
    user-name:x:XXXX:XXXX::new-home-directory:/bin/bash
  • Optional. Display the overrides for the user:

    # sss_override user-show user-name
    user@ldap.example.com:::::new-home-directory::

    Example 4.4. Overriding the home directory of the user

    To override the home directory of the user sarah with /home/admin:

    1. Display the current home directory of the user sarah:

      # getent passwd sarah
      sarah:x:1001:6003::/home/sarah:/bin/bash
    2. Override the home directory of the user sarah with the new home directory /home/admin:

      # sss_override user-add sarah -h /home/admin
    3. Restart SSSD for the changes to take effect:

      # systemctl restart sssd
    4. Verify that the new home directory is defined and overrides for the user display correctly:

      # getent passwd sarah
      sarah:x:1001:6003::/home/admin:/bin/bash
      
      # sss_override user-show sarah
      user@ldap.example.com:::::/home/admin::

Additional resources

  • sss_override man page

4.5. Overriding the LDAP shell attribute

As an administrator, you can configure an existing host to use accounts from LDAP. However, the values for a user (name, UID, GID, home directory, shell) in LDAP may differ from the values that the local system expects. You can override the LDAP shell attribute by defining a different shell with the following procedure. For example, setting the shell to /sbin/nologin denies interactive login to this host while the account stays usable on other hosts; this is a local control only and does not change the directory entry.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  1. Display the current shell of the user:

    # getent passwd user-name
    user-name:x:XXXX:XXXX::/home/home-directory:/bin/bash

    Replace user-name with the name of the user.

  2. Override the shell of the user:

    # sss_override user-add user-name -s new-shell

    Replace user-name with the name of the user and replace new-shell with the new shell.

  3. Restart SSSD for the changes to take effect:

    # systemctl restart sssd

Verification steps

  • Verify that the new shell is defined:

    # getent passwd user-name
    user-name:x:XXXX:XXXX::/home/home-directory:new-shell
  • Optional. Display the overrides for the user:

    # sss_override user-show user-name
    user@ldap.example.com::::::new-shell:

    Example 4.5. Overriding the shell of the user

    To change the shell of the user sarah from /bin/bash to /sbin/nologin:

    1. Display the current shell of the user sarah:

      # getent passwd sarah
      sarah:x:1001:6003::/home/sarah:/bin/bash
    2. Override the shell of the user sarah with the new /sbin/nologin shell:

      # sss_override user-add sarah -s /sbin/nologin
    3. Restart SSSD for the changes to take effect:

      # systemctl restart sssd
    4. Verify that the new shell is defined and overrides for the user display correctly:

      # getent passwd sarah
      sarah:x:1001:6003::/home/sarah:/sbin/nologin
      
      # sss_override user-show sarah
      user@ldap.example.com::::::/sbin/nologin:

Additional resources

  • sss_override man page
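The procedures in Sections 4.1 to 4.5 each change one attribute; in practice an administrator often sets several at once, and every value deserves the same checks (numeric IDs, an absolute home directory, a known shell, no accidental mapping to UID 0). The following wrapper is an added example for this chapter, not part of sssd-tools or of the original page: it validates the requested values and composes a single sss_override user-add command from the -n, -u, -g, -h and -s options shown above. The function name, the DRY_RUN, SSS_ALLOW_ROOT and SSS_SHELLS_FILE variables, and the policy choices (which shells are acceptable, refusing UID or GID 0 by default) are assumptions of the example.

```shell
#!/bin/sh
# sss_set_user_view: validate and compose ONE sss_override user-add call.
# Added example for this chapter; a wrapper around the -n/-u/-g/-h/-s
# options documented above, not part of sssd-tools.
# Because user-del removes every override of an account at once, setting
# all wanted attributes in one user-add call keeps the local view auditable.
#
# Assumed control variables (names chosen for this example):
#   DRY_RUN=1          print the command instead of running it
#   SSS_ALLOW_ROOT=1   permit a UID or GID override of 0
#   SSS_SHELLS_FILE    permitted shells, one per line (default /etc/shells)

# True if $1 is an unsigned integer.
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# A shell is acceptable if it is a nologin helper or listed in the shells file.
shell_ok() {
    case "$1" in /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;; esac
    shells=${SSS_SHELLS_FILE:-/etc/shells}
    [ -r "$shells" ] && grep -qxF -- "$1" "$shells"
}

fail() { echo "sss_set_user_view: $*" >&2; return 1; }

# usage: sss_set_user_view USER [-n NAME] [-u UID] [-g GID] [-h HOME] [-s SHELL]
sss_set_user_view() {
    user=$1; shift
    [ -n "$user" ] || { fail "user name required"; return 2; }
    [ $# -gt 0 ] || { fail "no override given"; return 2; }
    [ $(($# % 2)) -eq 0 ] || { fail "every option needs a value"; return 2; }
    n=$#
    # Consume option/value pairs from the front of "$@" and re-append the
    # validated ones, so "$@" ends up as the checked argument list.
    while [ "$n" -gt 0 ]; do
        opt=$1; val=$2; shift 2; n=$((n - 2))
        case $opt in
            -n) case $val in
                    ''|*[!A-Za-z0-9._@-]*) fail "unsafe name '$val'"; return 1 ;;
                esac ;;
            -u|-g)
                is_uint "$val" || { fail "$opt expects a number, got '$val'"; return 1; }
                if [ "$val" -eq 0 ] && [ "${SSS_ALLOW_ROOT:-0}" != 1 ]; then
                    fail "$opt 0 maps a directory account to local root; set SSS_ALLOW_ROOT=1 to force"
                    return 1
                fi ;;
            -h) case $val in
                    /*) ;;
                    *) fail "home must be an absolute path, got '$val'"; return 1 ;;
                esac ;;
            -s) shell_ok "$val" || { fail "shell '$val' is not a permitted shell"; return 1; } ;;
            *)  fail "unknown option '$opt'"; return 1 ;;
        esac
        set -- "$@" "$opt" "$val"
    done
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "sss_override user-add $user $*"
    else
        sss_override user-add "$user" "$@"
    fi
}

# Example invocation (safe: prints the command only):
#   DRY_RUN=1 sss_set_user_view sjones -n sarah -u 6666 -h /home/sarah -s /sbin/nologin
```

Run it with DRY_RUN=1 first to see the exact command that would be executed; after the real run, restart SSSD as in the procedures above if this is the first override on the host.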

4.6. Listing overrides on a host

As an administrator, you can list all user and group overrides on a host to verify that the correct attributes have been overridden. Each user line has the fields original-name:name:UID:GID:GECOS:home-directory:shell followed by one trailing field, and each group line has original-name:name:GID; an empty field means that the attribute is not overridden.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  • List all user overrides:

    # sss_override user-find
    user1@ldap.example.com::8000::::/bin/zsh:
    user2@ldap.example.com::8001::::/bin/bash:
    ...
  • List all group overrides:

    # sss_override group-find
    group1@ldap.example.com::7000
    group2@ldap.example.com::7001
    ...
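Listing the overrides only helps if someone reads them. The following script is an added example, not part of sssd-tools or of the original page: it parses the line format shown above (original-name:name:UID:GID:GECOS:home:shell followed by one trailing field for users, original-name:name:GID for groups; an empty field means the attribute is not overridden) and flags the cases a host audit cares about: a UID override to 0, a UID that collides with a local account in /etc/passwd, a GID override to a privileged group, and a home directory outside /home. The sample override lines and the sample passwd entries are constructed for the example; the UID_MIN of 1000 and the privileged GID list (0 for root, 10 for wheel) are assumptions that you can adjust through the variables at the top.

```shell
#!/bin/sh
# Audit the local view printed by `sss_override user-find` / `group-find`.
# Added example for this chapter, not part of sssd-tools.
# Line formats (empty field = attribute not overridden):
#   user:  orig-name:name:uid:gid:gecos:home:shell:<trailing field>
#   group: orig-name:name:gid
# Assumed policy knobs: UID_MIN (first non-system UID) and PRIV_GIDS
# (0 = root, 10 = wheel on RHEL-family hosts).
UID_MIN=${UID_MIN:-1000}
PRIV_GIDS=${PRIV_GIDS:-"0 10"}

# Constructed sample data for offline use (not real hosts or accounts).
SAMPLE_USER_VIEW='user1@ldap.example.com::8000::::/bin/zsh:
user2@ldap.example.com::0:::::
user3@ldap.example.com:::10::::
user4@ldap.example.com::48:::/var/www/html:/bin/bash:'
SAMPLE_GROUP_VIEW='group1@ldap.example.com::7000
admins@ldap.example.com::0'
SAMPLE_LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
sjones:x:1001:1001::/home/sjones:/bin/bash'

# Print the local account that owns UID $1 in passwd file $2 (empty if none).
local_owner_of_uid() {
    awk -F: -v u="$1" '$3 == u { print $1; exit }' "$2"
}

# True if word $1 appears in the space-separated list $2.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# audit_user_overrides PASSWD_FILE  (override lines on stdin)
# Prints one finding per line: SEVERITY original-name reason
audit_user_overrides() {
    passwd=$1
    while IFS=: read -r orig name uid gid gecos home shell rest; do
        [ -n "$orig" ] || continue
        if [ -n "$uid" ]; then
            if [ "$uid" -eq 0 ]; then
                echo "CRITICAL $orig uid override to 0 (local root)"
            elif [ "$uid" -lt "$UID_MIN" ]; then
                owner=$(local_owner_of_uid "$uid" "$passwd")
                if [ -n "$owner" ]; then
                    echo "HIGH $orig uid override to $uid collides with local account $owner"
                else
                    echo "MEDIUM $orig uid override to $uid is in the system range"
                fi
            fi
        fi
        if [ -n "$gid" ] && in_list "$gid" "$PRIV_GIDS"; then
            echo "HIGH $orig gid override to $gid (privileged group)"
        fi
        case $home in
            ''|/home/*) ;;
            *) echo "MEDIUM $orig home override to $home outside /home" ;;
        esac
        [ -n "$shell" ] && echo "INFO $orig shell override to $shell"
        [ -n "$name" ] && echo "INFO $orig name override to $name"
    done
    return 0
}

# audit_group_overrides  (override lines on stdin)
audit_group_overrides() {
    while IFS=: read -r orig name gid; do
        [ -n "$orig" ] || continue
        if [ -n "$gid" ] && in_list "$gid" "$PRIV_GIDS"; then
            echo "HIGH $orig gid override to $gid (privileged group)"
        fi
        [ -n "$name" ] && echo "INFO $orig name override to $name"
    done
    return 0
}

# On a real host:  sss_override user-find | audit_user_overrides /etc/passwd
# Offline, with the constructed samples:
run_sample_audit() {
    pw=$(mktemp)
    printf '%s\n' "$SAMPLE_LOCAL_PASSWD" > "$pw"
    printf '%s\n' "$SAMPLE_USER_VIEW" | audit_user_overrides "$pw"
    printf '%s\n' "$SAMPLE_GROUP_VIEW" | audit_group_overrides
    rm -f "$pw"
}

run_sample_audit
```

On a host, pipe the real output into the functions (sss_override user-find | audit_user_overrides /etc/passwd, and likewise for group-find) and treat any CRITICAL or HIGH line as something to explain or remove with sss_override user-del.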

4.7. Removing a local override

To remove the local overrides of a user or group that is defined in the LDAP directory, use the following procedure. After the removal, SSSD again returns the values that the directory publishes.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  • To remove the overrides for a user account, use:

    # sss_override user-del user-name

    Replace user-name with the name of the user.

  • To remove the overrides for a group, use:

    # sss_override group-del group-name

    Replace group-name with the name of the group.
  • After removing the first override using the sss_override user-del or sss_override group-del command, restart SSSD for the changes to take effect:

    # systemctl restart sssd

When you remove overrides for a user or group, all overrides for this object (name, UID, GID, home directory, and shell for a user; name and GID for a group) are removed at once; you cannot remove a single attribute. Verify the result with id or getent passwd, as in the previous sections.

4.8. Exporting and importing local view

Your local overrides are stored in the local SSSD cache. You can export user and group overrides from this cache to a file to create a backup, so that you can restore the view later even if the cache is cleared (for example, when the cache files under /var/lib/sss/db/ are removed to reset SSSD). The exported file contains every override on the host, including any UID or GID remappings, so store it where only root can read it.

Prerequisites

  • root access
  • Installed sssd-tools

Procedure

  • To back up the user and group views, use:

    # sss_override user-export /var/lib/sss/backup/sssd_user_overrides.bak
    # sss_override group-export /var/lib/sss/backup/sssd_group_overrides.bak

    Create the target directory with root-only permissions first if it does not exist.
  • To restore the user and group views, use:

    # sss_override user-import /var/lib/sss/backup/sssd_user_overrides.bak
    # sss_override group-import /var/lib/sss/backup/sssd_group_overrides.bak

    As after sss_override user-add, restart SSSD after the import if these are the first overrides on the host.
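An import applies every line of the file, so a backup is worth checking before it is restored. The following functions are an added example, not part of sssd-tools or of the original page: validate_override_file checks the shape of an export file (the eight-field user format and three-field group format shown in Section 4.6, numeric IDs, absolute home directories, no duplicate entries), and backup_sss_view / restore_sss_view wrap the export and import commands above with root-only permissions and checksums. The function names, the file naming scheme and the SHA256SUMS file are assumptions of the example; the sample lines in the checks are constructed.

```shell
#!/bin/sh
# Check an sss_override export file before it is imported, and wrap the
# export/import commands above with root-only permissions and checksums.
# Added example for this chapter, not part of sssd-tools. Only the shape of
# the file is checked, because an import applies every line it contains.
#   user line:  orig-name:name:uid:gid:gecos:home:shell:<trailing field>  (8 fields)
#   group line: orig-name:name:gid                                        (3 fields)

# validate_override_file user|group FILE -> returns 0 if every line is well
# formed, otherwise prints one message per problem and returns 1.
validate_override_file() {
    kind=$1; file=$2
    case $kind in
        user)  want=8 ;;
        group) want=3 ;;
        *) echo "validate_override_file: unknown kind '$kind'" >&2; return 2 ;;
    esac
    [ -r "$file" ] || { echo "validate_override_file: cannot read $file" >&2; return 2; }
    awk -F: -v want="$want" -v kind="$kind" '
        NF == 0 { next }                                   # skip blank lines
        NF != want { printf "line %d: expected %d fields, got %d\n", NR, want, NF; bad = 1; next }
        $1 == ""   { printf "line %d: empty original name\n", NR; bad = 1 }
        ($1 in seen) { printf "line %d: duplicate entry for %s (also line %d)\n", NR, $1, seen[$1]; bad = 1 }
        { seen[$1] = NR }
        # IDs must be empty (not overridden) or unsigned integers
        kind == "user"  && ($3 !~ /^[0-9]*$/ || $4 !~ /^[0-9]*$/) { printf "line %d: non-numeric uid or gid\n", NR; bad = 1 }
        kind == "group" && $3 !~ /^[0-9]*$/ { printf "line %d: non-numeric gid\n", NR; bad = 1 }
        kind == "user"  && $6 != "" && substr($6, 1, 1) != "/" { printf "line %d: home is not an absolute path\n", NR; bad = 1 }
        END { exit bad + 0 }
    ' "$file"
}

# backup_sss_view DIR: export both views into DIR (created root-only) and
# record SHA-256 sums so a modified backup is noticed before import.
backup_sss_view() {
    dir=$1; stamp=$(date +%Y%m%dT%H%M%S)
    (
        umask 077
        mkdir -p "$dir" || exit 1
        sss_override user-export  "$dir/users-$stamp.bak"  || exit 1
        sss_override group-export "$dir/groups-$stamp.bak" || exit 1
        validate_override_file user  "$dir/users-$stamp.bak"  || exit 1
        validate_override_file group "$dir/groups-$stamp.bak" || exit 1
        cd "$dir" && sha256sum "users-$stamp.bak" "groups-$stamp.bak" > "SHA256SUMS-$stamp"
    )
}

# restore_sss_view DIR STAMP: verify sums and shape, then import both views.
# Restart SSSD afterwards if these are the first overrides on the host.
restore_sss_view() {
    dir=$1; stamp=$2
    ( cd "$dir" && sha256sum -c --quiet "SHA256SUMS-$stamp" ) || return 1
    validate_override_file user  "$dir/users-$stamp.bak"  || return 1
    validate_override_file group "$dir/groups-$stamp.bak" || return 1
    sss_override user-import  "$dir/users-$stamp.bak" &&
        sss_override group-import "$dir/groups-$stamp.bak"
}
```

The validation rejects a file that would import a relative home directory or a non-numeric ID, and a duplicate original name, where the second line would silently decide the outcome of the import; the checksum step is there so that a backup edited outside sss_override is noticed before it becomes the host's view.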