integration

ID Views

Manage ID views for overriding user and group attributes on specific hosts. ID views enable per-host attribute customization including UID, GID, home directory, and shell without modifying the master user entry. Features include view creation, host application, user override management, anchor-based override assignment, and support for Default Trust View for managing AD user attributes across IPA infrastructure.

0 commands
integration

Manage ID Views

ID views provide per-host customization of user and group attributes without modifying master LDAP entries. This capability enables migration from legacy identity systems, accommodates site-specific requirements, and manages Active Directory trust user attributes through the Default Trust View.

An ID view acts as a container of attribute overrides that can be selectively applied to specific hosts. When an ID view is applied to a host, SSSD uses the override values instead of the master LDAP attributes, enabling different hosts to see different attribute values for the same user or group.

Overview

What are ID Views?

ID views solve the challenge of requiring different POSIX attributes for the same user or group across different hosts. In a typical identity management system, users and groups have a single set of attributes stored in LDAP. However, during migrations or in heterogeneous environments, different systems may require different values:

  • UID/GID conflicts: A user may have UID 1000 on legacy systems but 50000 in FreeIPA
  • Home directory variations: Different mount points or filesystem layouts per site
  • Shell differences: Development systems using /bin/bash, production using /bin/sh
  • Login name changes: Username format changes during migration (jsmithjohn.smith)

ID views provide an override layer that keeps the master LDAP entry unchanged while presenting customized values to specific hosts. This architecture enables gradual migrations, supports diverse infrastructure requirements, and maintains a single source of truth.

Architecture

Master LDAP Entry               ID View Override              Effective Attributes
─────────────────               ────────────────              ────────────────────
User: jsmith                    View: legacy-migration        Host A (view applied):
  UID: 50000          ────────→   Override: jsmith              UID: 1000 (override)
  GID: 50000                        UID: 1000                   GID: 1000 (override)
  Home: /home/jsmith                GID: 1000                   Home: /export/home/jsmith
  Shell: /bin/bash                  Home: /export/home/jsmith   Shell: /bin/bash
                                    Shell: [not overridden]
                                                              Host B (no view):
                                                                UID: 50000 (master)
                                                                GID: 50000 (master)
                                                                Home: /home/jsmith
                                                                Shell: /bin/bash

Key architectural concepts:

  1. View container: Named collection of overrides (cn=legacy-migration,cn=views,cn=accounts)
  2. Overrides: Individual user or group attribute customizations within a view
  3. Anchor: Link between an override and its master entry (user/group DN or name)
  4. Application: Assignment of a view to specific hosts or hostgroups
  5. SSSD integration: Client-side override resolution during authentication

ID View Components

User overrides support customizing:

  • uid - User ID number (UID)
  • gidnumber - Primary group ID (GID)
  • login - Login name (username)
  • gecos - Full name/comment field
  • homedir - Home directory path
  • shell - Login shell
  • sshpubkey - SSH public keys (multi-valued)
  • certificate - X.509 certificates (multi-valued)

Group overrides support customizing:

  • gid - Group ID number (GID)
  • group-name - Group name

View metadata:

  • name - Unique view identifier
  • description - Administrative documentation
  • domain-resolution-order - Short name qualification order for trusted domains

The Anchor Mechanism

Anchors link overrides to their master entries. FreeIPA uses the master entry’s DN or name as the anchor value:

For IPA users/groups:

Anchor: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com

For AD trust users (in Default Trust View):

Anchor: jsmith@ad.example.com
Anchor: AD\\jsmith

When SSSD resolves a user, it:

  1. Retrieves the master entry from LDAP
  2. Checks if an ID view is applied to the host
  3. If yes, looks up an override matching the master entry’s DN
  4. Merges override attributes over master attributes
  5. Returns the effective attribute set

This anchor-based indirection keeps overrides portable across topology replicas and resilient to master entry modifications (except DN changes).

Default Trust View

The Default Trust View is a special built-in ID view automatically applied to all IPA masters and clients for Active Directory trust users. It cannot be deleted or unapplied.

Purpose: Override attributes for AD users accessed through trusts without requiring manual view application.

Use cases:

  • Override AD user UIDs to avoid conflicts with IPA ID ranges
  • Customize home directories for AD users (AD provides none)
  • Set login shells for AD users (AD provides none)
  • Change GECOS fields for display consistency
  • Add SSH public keys for AD users

Characteristics:

  • Always active for trusted domain users
  • Applied automatically, no idview-apply needed
  • Overrides are managed like any other view
  • Uses AD user principal or SAM account name as anchor

Example workflow:

# AD user jdoe@ad.example.com logs in
# FreeIPA finds no override, AD provides UID 10001, no home, no shell

# Add override in Default Trust View
ipa idoverrideuser-add 'Default Trust View' jdoe@ad.example.com \
    --uid 60001 \
    --homedir /home/ad/jdoe \
    --shell /bin/bash

# Next login: UID 60001, home /home/ad/jdoe, shell /bin/bash

Migration Workflow

ID views enable zero-downtime migrations by allowing legacy and new systems to coexist:

Phase 1: Preparation

  1. Create ID view for legacy attribute mappings
  2. Add overrides matching legacy UID/GID/home/shell values
  3. Test view on pilot systems

Phase 2: Gradual Migration

  1. Apply view to migrating hosts
  2. Validate user login and file ownership
  3. Migrate users to new systems with overrides active
  4. Expand view application to more hosts

Phase 3: Cleanup

  1. After all hosts migrated, begin removing overrides
  2. Update file ownership to master UID/GID values
  3. Unapply view from hosts
  4. Delete view when no longer needed

This phased approach prevents UID/GID mismatches during migration, maintains file ownership integrity, and allows rollback at any stage.

View Application Model

ID views use explicit host assignment, not automatic propagation:

Direct host assignment:

ipa idview-apply legacy-view --hosts=server1.example.com,server2.example.com

Hostgroup member assignment (snapshot):

ipa idview-apply legacy-view --hostgroups=legacy-servers

# Only current members receive the view
# Hosts added to legacy-servers later DO NOT automatically receive the view
# Must run idview-apply again or assign view directly to new hosts

This snapshot behavior provides control and predictability but requires administrative diligence when adding hosts to groups.

Checking view application:

# Which view is applied to a host?
ipa host-show server1.example.com --all | grep ipasshpubkey

# Which hosts use a view?
ipa idview-show legacy-view --show-hosts

SSSD Integration

SSSD retrieves and caches ID view overrides for efficient resolution:

Configuration (automatic when IPA client is enrolled):

[domain/example.com]
id_provider = ipa
ipa_server = ipa.example.com
cache_credentials = True

Resolution process:

  1. User login triggers SSSD lookup
  2. SSSD queries IPA for master user entry
  3. SSSD checks host’s assigned ID view (cached from IPA)
  4. If view exists, SSSD queries for matching override
  5. SSSD merges override over master attributes
  6. SSSD returns effective attributes to NSS/PAM
  7. SSSD caches both master and override for offline operation

Cache behavior:

  • Overrides cached separately from master entries
  • Cache invalidation triggers on override changes
  • Offline mode uses last cached override values
  • Cache timeout controlled by entry_cache_timeout

Troubleshooting SSSD view resolution:

# Increase SSSD debug level
sssctl debug-level 6

# Check cached view assignment
sssctl cache-expire -v

# View override cache entries
ldbsearch -H /var/lib/sss/db/cache_example.com.ldb \
    '(objectClass=override)'

Use Cases

Legacy System Migration

Scenario: Migrating 500 users from NIS with UIDs 1000-1500 to FreeIPA with UIDs 50000-50500.

Challenge: File ownership uses legacy UIDs; changing all files risks errors and downtime.

Solution:

# Create migration view
ipa idview-add nis-migration --desc "NIS UID/GID preservation"

# Add overrides for each user (can be automated)
ipa idoverrideuser-add nis-migration jsmith \
    --uid 1000 \
    --gidnumber 1000 \
    --homedir /export/home/jsmith

# Apply to legacy fileservers
ipa idview-apply nis-migration --hostgroups=nis-fileservers

# Result: Files remain owned by UID 1000, which resolves to jsmith
# New systems use master UID 50000
# Gradual file ownership migration can proceed independently

Site-Specific Requirements

Scenario: European datacenter uses /data/home mount point, US datacenter uses /home.

Solution:

# Create EU-specific view
ipa idview-add eu-datacenter --desc "European home directory layout"

# Override home directories
for user in $(ipa user-find --raw --pkey-only | grep 'uid:' | cut -d: -f2); do
    ipa idoverrideuser-add eu-datacenter "$user" \
        --homedir "/data/home/$user"
done

# Apply to EU hosts
ipa idview-apply eu-datacenter --hostgroups=eu-servers

Development vs Production Shells

Scenario: Developers need /bin/bash for interactive work, production uses /bin/sh for security.

Solution:

# Production shell restriction
ipa idview-add production --desc "Production shell restrictions"

ipa idoverrideuser-add production alice --shell /bin/sh
ipa idoverrideuser-add production bob --shell /bin/sh

ipa idview-apply production --hostgroups=production-servers

# Development systems use master /bin/bash, production uses /bin/sh

Active Directory Trust UID Conflicts

Scenario: AD trust provides UIDs 10000-20000, conflicting with local user range 10000-60000.

Solution:

# Use Default Trust View for AD user overrides
ipa idoverrideuser-add 'Default Trust View' 'jdoe@ad.example.com' \
    --uid 70001 \
    --gidnumber 70001 \
    --homedir /home/ad/jdoe \
    --shell /bin/bash

# Override automatically applies to all IPA clients
# No idview-apply needed for Default Trust View

Username Format Standardization

Scenario: Acquired company uses firstname.lastname format, parent company uses flastname.

Solution:

# Create login name override view
ipa idview-add unified-login --desc "Standardized login names"

# Override login names for acquired users
ipa idoverrideuser-add unified-login john.smith --login jsmith
ipa idoverrideuser-add unified-login jane.doe --login jdoe

# Apply to integrated systems
ipa idview-apply unified-login --hostgroups=integrated-infrastructure

# Users can now use jsmith on integrated systems
# Master entry preserves john.smith for other systems

Shared System Special Accounts

Scenario: Shared jump host requires specific UIDs for audit logging consistency across sites.

Solution:

# Create jump host view
ipa idview-add jumphost-audit --desc "Jump host audit UID consistency"

# Override admin accounts to fixed UIDs
ipa idoverrideuser-add jumphost-audit admin-alice --uid 9001
ipa idoverrideuser-add jumphost-audit admin-bob --uid 9002

# Apply only to jump hosts
ipa idview-apply jumphost-audit --hosts=jump1.example.com,jump2.example.com

# Audit logs always show UID 9001/9002 for consistent correlation

Examples

Creating and Managing Views

Create a new ID view:

ipa idview-add migration-2024 \
    --desc "Q1 2024 datacenter migration"

List all ID views:

ipa idview-find
ipa idview-find --all  # Include built-in Default Trust View

Show view details including applied hosts:

ipa idview-show migration-2024
ipa idview-show migration-2024 --show-hosts  # Enumerate all hosts

Modify view description:

ipa idview-mod migration-2024 \
    --desc "Q1 2024 datacenter migration - extended to Q2"

Delete an ID view (must unapply first):

ipa idview-unapply --hostgroups=migration-group
ipa idview-del migration-2024

User Override Management

Add user override with basic attributes:

ipa idoverrideuser-add migration-2024 jsmith \
    --uid 1000 \
    --gidnumber 1000

Add user override with full attribute set:

ipa idoverrideuser-add migration-2024 alice \
    --uid 2001 \
    --gidnumber 2001 \
    --login alice.smith \
    --gecos "Alice Smith (Legacy Account)" \
    --homedir /export/home/alice \
    --shell /bin/ksh

Add user override for AD trust user in Default Trust View:

ipa idoverrideuser-add 'Default Trust View' 'jdoe@ad.example.com' \
    --uid 60001 \
    --gidnumber 60001 \
    --homedir /home/ad/jdoe \
    --shell /bin/bash \
    --gecos "John Doe (AD)"

Add user override using AD SAM account name:

ipa idoverrideuser-add 'Default Trust View' 'AD\jdoe' \
    --uid 60001 \
    --homedir /home/ad/jdoe

Add SSH public key to user override:

ipa idoverrideuser-mod migration-2024 jsmith \
    --sshpubkey "ssh-rsa AAAAB3NzaC1yc2EA... jsmith@oldhost"

Add certificate to user override:

# From file
ipa idoverrideuser-add-cert migration-2024 alice \
    --certificate "$(cat alice-cert.pem)"

# Direct base64
ipa idoverrideuser-add-cert migration-2024 alice \
    --certificate "MIIEXzCCA0egAwIBAgIUfTx..."

Remove certificate from user override:

ipa idoverrideuser-remove-cert migration-2024 alice \
    --certificate "MIIEXzCCA0egAwIBAgIUfTx..."

Find all user overrides in a view:

ipa idoverrideuser-find migration-2024
ipa idoverrideuser-find migration-2024 --all
ipa idoverrideuser-find migration-2024 --uid 1000  # Filter by UID

Find user overrides by home directory:

ipa idoverrideuser-find migration-2024 --homedir /export/home/jsmith

Show user override details:

ipa idoverrideuser-show migration-2024 jsmith
ipa idoverrideuser-show migration-2024 jsmith --all --raw

Modify user override:

ipa idoverrideuser-mod migration-2024 jsmith \
    --shell /bin/bash \
    --homedir /home/jsmith

Delete user override:

ipa idoverrideuser-del migration-2024 jsmith
ipa idoverrideuser-del migration-2024 jsmith alice bob --continue  # Batch delete

Group Override Management

Add group override with GID:

ipa idoverridegroup-add migration-2024 developers \
    --gid 5000

Add group override with name change:

ipa idoverridegroup-add migration-2024 'legacy-admins' \
    --group-name admins \
    --gid 1001

Find all group overrides:

ipa idoverridegroup-find migration-2024
ipa idoverridegroup-find migration-2024 --gid 5000  # Filter by GID

Show group override:

ipa idoverridegroup-show migration-2024 developers

Modify group override:

ipa idoverridegroup-mod migration-2024 developers \
    --gid 5001 \
    --desc "Updated GID for conflict resolution"

Delete group override:

ipa idoverridegroup-del migration-2024 developers

Applying and Unapplying Views

Apply view to specific hosts:

ipa idview-apply migration-2024 \
    --hosts=server1.example.com,server2.example.com

Apply view to hostgroup members (snapshot):

ipa idview-apply migration-2024 \
    --hostgroups=legacy-servers

# Only current members receive the view
# New hostgroup members added later need separate idview-apply

Apply view to combination of hosts and hostgroups:

ipa idview-apply production-shell \
    --hosts=prod1.example.com,prod2.example.com \
    --hostgroups=production-web,production-db

Check which view is applied to a host:

ipa host-show server1.example.com --all | grep -i "ID view"

Check which hosts use a view:

ipa idview-show migration-2024 --show-hosts

Unapply view from specific hosts:

ipa idview-unapply \
    --hosts=server1.example.com,server2.example.com

Unapply view from hostgroup members (snapshot):

ipa idview-unapply \
    --hostgroups=legacy-servers

# Only current members lose the view
# Must specify hosts individually to unapply from hosts added after initial apply

Clear view from all hosts before deletion:

# Show hosts first
ipa idview-show migration-2024 --show-hosts

# Unapply from listed hosts
ipa idview-unapply --hosts=host1.example.com,host2.example.com

# Delete view
ipa idview-del migration-2024

Bulk Override Creation

Create overrides from CSV file:

# Format: username,uid,gid,home,shell
# jsmith,1000,1000,/export/home/jsmith,/bin/bash
# alice,1001,1001,/export/home/alice,/bin/ksh

while IFS=, read -r user uid gid home shell; do
    ipa idoverrideuser-add migration-2024 "$user" \
        --uid "$uid" \
        --gidnumber "$gid" \
        --homedir "$home" \
        --shell "$shell"
done < migration-users.csv

Create overrides for all existing users with formula:

# Override all users with UID = master_UID - 49000
for user in $(ipa user-find --raw --pkey-only | grep 'uid:' | awk '{print $2}'); do
    master_uid=$(ipa user-show "$user" --raw | grep 'uidnumber:' | awk '{print $2}')
    override_uid=$((master_uid - 49000))

    ipa idoverrideuser-add legacy-view "$user" \
        --uid "$override_uid" \
        --gidnumber "$override_uid"
done

Create group overrides for all groups:

# Override all groups with GID = master_GID - 49000
for group in $(ipa group-find --raw --pkey-only | grep 'cn:' | awk '{print $2}'); do
    master_gid=$(ipa group-show "$group" --raw | grep 'gidnumber:' | awk '{print $2}')
    override_gid=$((master_gid - 49000))

    ipa idoverridegroup-add legacy-view "$group" \
        --gid "$override_gid"
done

Default Trust View Management

Add override for AD user (UPN anchor):

ipa idoverrideuser-add 'Default Trust View' 'jdoe@ad.example.com' \
    --uid 70001 \
    --gidnumber 70001 \
    --homedir /home/ad/jdoe \
    --shell /bin/bash

Add override for AD user (SAM account name anchor):

ipa idoverrideuser-add 'Default Trust View' 'AD\jdoe' \
    --uid 70001 \
    --homedir /home/ad/jdoe

List all AD user overrides:

ipa idoverrideuser-find 'Default Trust View'
ipa idoverrideuser-find 'Default Trust View' --all

Add SSH key for AD user:

ipa idoverrideuser-mod 'Default Trust View' 'jdoe@ad.example.com' \
    --sshpubkey "ssh-rsa AAAAB3NzaC1yc2EA... jdoe@ad-workstation"

Batch create AD user overrides for home directories:

# Get all AD users from trust
ipa user-find --user-auth-type=password --all | grep 'uid:' | \
while read -r line; do
    aduser=$(echo "$line" | awk '{print $2}')

    # Only process AD trust users
    if [[ "$aduser" == *@ad.example.com ]]; then
        username=$(echo "$aduser" | cut -d@ -f1)

        ipa idoverrideuser-add 'Default Trust View' "$aduser" \
            --homedir "/home/ad/$username" \
            --shell /bin/bash
    fi
done

Advanced Workflows

Migration with progressive rollout:

# Week 1: Create view with all overrides
ipa idview-add migration-phase1
# ... add all overrides ...

# Week 2: Apply to pilot group
ipa idview-apply migration-phase1 --hosts=pilot1.example.com

# Week 3: Validate, apply to department
ipa idview-apply migration-phase1 --hostgroups=dept-engineering

# Week 4: Apply to all legacy hosts
ipa idview-apply migration-phase1 --hostgroups=all-legacy-systems

# Month 2: Begin removing overrides as files are migrated
ipa idoverrideuser-del migration-phase1 jsmith  # Files updated
ipa idoverrideuser-del migration-phase1 alice   # Files updated

# Month 3: Unapply view from migrated hosts
ipa idview-unapply --hostgroups=dept-engineering

# Month 4: Delete view when empty
ipa idoverrideuser-find migration-phase1  # Verify empty
ipa idview-del migration-phase1

Per-environment customization:

# Create environment-specific views
ipa idview-add dev-environment
ipa idview-add staging-environment
ipa idview-add production-environment

# Development: generous shells and home directories
ipa idoverrideuser-add dev-environment alice --shell /bin/bash
ipa idoverrideuser-add dev-environment bob --shell /bin/zsh

# Staging: production-like restrictions
ipa idoverrideuser-add staging-environment alice --shell /bin/sh

# Production: strict lockdown
ipa idoverrideuser-add production-environment alice --shell /bin/rbash

# Apply views
ipa idview-apply dev-environment --hostgroups=dev-servers
ipa idview-apply staging-environment --hostgroups=staging-servers
ipa idview-apply production-environment --hostgroups=prod-servers

Temporary override for troubleshooting:

# Grant developer temporary root-like UID for debugging
ipa idview-add debug-session
ipa idoverrideuser-add debug-session alice --uid 0 --gidnumber 0

# Apply to single debug host
ipa idview-apply debug-session --hosts=debug1.example.com

# After debugging, remove view
ipa idview-unapply --hosts=debug1.example.com
ipa idview-del debug-session

Disaster recovery override:

# Emergency: admin locked out, need different UID
ipa idview-add emergency-access
ipa idoverrideuser-add emergency-access admin-backup \
    --uid 0 \
    --gidnumber 0 \
    --shell /bin/bash

# Apply to affected hosts
ipa idview-apply emergency-access --hosts=locked-server.example.com

# Log in as admin-backup (appears as UID 0)
# Fix original admin account
# Remove emergency view
ipa idview-unapply --hosts=locked-server.example.com
ipa idview-del emergency-access

Best Practices

Planning

Design views for specific purposes: Create separate views for different use cases (migration, environment, site-specific) rather than one monolithic view. This improves clarity and reduces blast radius of changes.

Document override rationale: Use --desc to explain why each override exists and when it should be removed. Future administrators will need this context.

Plan migration exit strategy: ID views should be temporary for migrations. Define success criteria and override removal process before implementation.

Test on pilot systems: Apply new views to non-critical hosts first to validate override behavior and identify issues before broad rollout.

Understand the snapshot model: View application to hostgroups is a snapshot, not a dynamic assignment. New hostgroup members need explicit view application.

Override Management

Minimize override scope: Only override attributes that truly need customization. Overriding everything reduces flexibility and complicates troubleshooting.

Use consistent anchors: For IPA users, anchors are automatic (DN-based). For AD users, decide on UPN or SAM account name format and use consistently.

Prefer master entry updates: If all hosts need the same attribute change, update the master entry instead of creating view overrides. Views are for per-host variation.

Avoid login name overrides: Changing login names via overrides can confuse users and administrators. Prefer other identity unification approaches.

Batch create overrides: Use scripting for bulk override creation to ensure consistency and reduce manual errors.

View Application

Explicit is better than group-based: Directly assigning views to hosts provides clearer audit trail and avoids hostgroup snapshot confusion.

Document applied hosts: Maintain documentation of which hosts use which views, as this isn’t always obvious from hostgroup membership.

Verify application: After applying a view, test user login on affected hosts to validate override behavior.

Coordinate with SSSD cache: After applying/unapplying views, clear SSSD cache on clients: sssctl cache-expire -E

Plan unapplication: Before deleting a view, unapply it from all hosts and verify master attributes are acceptable.

Default Trust View

Use sparingly: Default Trust View applies to all clients automatically. Only add overrides for attributes genuinely needed everywhere.

Provide shells and home directories: AD doesn’t supply these POSIX attributes. Adding them via Default Trust View improves AD user experience.

Avoid UID conflicts: If AD trust UID ranges overlap with IPA ranges, use Default Trust View to map AD users to non-conflicting UIDs.

Test with AD users: Default Trust View changes affect all AD user logins. Validate overrides thoroughly before adding them.

Operational Practices

Monitor override count: Large numbers of overrides may indicate design issues. Consider whether master entry changes or ID range planning would be better.

Review periodically: Regularly audit views and overrides to remove obsolete entries and identify cleanup opportunities.

Version control view definitions: Export view override lists to version control for disaster recovery and change tracking.

Integrate with provisioning: Automate override creation in user provisioning workflows for migrations and special environments.

Communicate view changes: Inform affected users and administrators before applying or removing views, as attribute changes can affect login and file access.

Security Considerations

UID 0 overrides are dangerous: Granting UID 0 via override gives root privileges without normal root account safeguards. Avoid except in emergencies.

Shell overrides affect security posture: Overriding a restricted shell (/bin/rbash) with an unrestricted shell (/bin/bash) on specific hosts creates security inconsistencies.

Home directory overrides can expose data: Changing home directories via overrides may grant unintended access to files in the new location.

View application is a privilege operation: Only trusted administrators should have idview-apply permissions, as it can alter security context across systems.

Default Trust View affects all clients: Changes to Default Trust View immediately impact all IPA clients. Thoroughly validate AD user overrides before creation.

Anchor tampering: Overrides are keyed by anchor (DN or name). Renaming master entries may break override linkage, causing unexpected attribute changes.

SSSD cache poisoning risk: Compromised SSSD cache could serve malicious override values. Ensure SSSD cache permissions are restrictive (root-only).

Override visibility: Overrides are visible to any authenticated IPA user via idoverrideuser-show. Don’t store sensitive data in override descriptions.

Integration Points

SSSD: Client-side daemon retrieves and caches overrides, merges them over master attributes during user resolution

Active Directory Trusts: Default Trust View provides override mechanism for AD user POSIX attributes across all IPA clients

Host/Hostgroup Management: View application tied to host objects; hosts can have at most one view applied (plus Default Trust View for AD users)

User/Group Management: Overrides reference master entries by anchor; master entry deletion doesn’t cascade to overrides (creating orphans)

LDAP: Overrides stored in cn=views,cn=accounts,dc=example,dc=com subtree; clients query via LDAP for override retrieval

Migration Tools: ipa-server-upgrade creates Default Trust View automatically when AD trusts are established

Replication: Views and overrides replicate across topology like other LDAP objects; view application is server-side metadata

DNS: No direct integration; view-based home directory changes may need corresponding automount or NFS export updates

Troubleshooting

Override not taking effect:

# Verify view is applied to host
ipa idview-show migration-2024 --show-hosts

# Verify override exists
ipa idoverrideuser-show migration-2024 jsmith

# Clear SSSD cache on client
sssctl cache-expire -E

# Test resolution
getent passwd jsmith
id jsmith

Wrong anchor used for AD user:

# Determine correct anchor format
ipa user-show 'jdoe@ad.example.com' --raw | grep dn

# Delete incorrect override
ipa idoverrideuser-del 'Default Trust View' 'wrong-anchor'

# Re-create with correct anchor
ipa idoverrideuser-add 'Default Trust View' 'jdoe@ad.example.com' --uid 70001

View deletion fails with “view is applied to hosts”:

# Find applied hosts
ipa idview-show problematic-view --show-hosts

# Unapply from all hosts
ipa idview-unapply --hosts=host1.example.com,host2.example.com

# Delete view
ipa idview-del problematic-view

Hostgroup view application didn’t affect new members:

# View application to hostgroups is a snapshot
# Manually apply to new hosts

# Find new hostgroup members
ipa hostgroup-show legacy-servers

# Apply view directly to new hosts
ipa idview-apply migration-2024 --hosts=newhost.example.com

User override orphaned after user deletion:

# Overrides remain after master user deletion
# Find orphaned overrides

ipa idoverrideuser-find migration-2024 --all | \
while read -r anchor; do
    # Check if master user exists
    ipa user-show "$anchor" 2>/dev/null || echo "Orphaned: $anchor"
done

# Delete orphaned overrides
ipa idoverrideuser-del migration-2024 orphaned-user-dn

File ownership broken after override removal:

# Removing override changes effective UID back to master
# Files owned by override UID become orphaned

# Before removing override, update file ownership
ssh server1.example.com
find /home/jsmith -uid 1000 -exec chown 50000:50000 {} \;

# After ownership updated, safe to remove override
ipa idoverrideuser-del migration-2024 jsmith

SSSD not seeing override updates:

# SSSD caches overrides with entry_cache_timeout
# Force cache refresh

sssctl cache-expire -E          # Expire all cached entries
systemctl restart sssd           # Restart SSSD
sssctl cache-expire -u jsmith    # Expire specific user

Commands

idoverridegroup-add

Usage: ipa [global-options] idoverridegroup-add IDVIEW ANCHOR [options]

Add a new Group ID override.

Arguments

ArgumentRequiredDescription
IDVIEWyesID View Name

ANCHOR yes Anchor to override

Options

OptionDescription
--desc DESCDescription
--group-name GROUP-NAMEGroup name
--gid GIDGroup ID Number
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--fallback-to-ldapAllow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

idoverridegroup-del

Usage: ipa [global-options] idoverridegroup-del IDVIEW ANCHOR [options]

Delete an Group ID override.

Arguments

ArgumentRequiredDescription
IDVIEWyesID View Name

ANCHOR yes Anchor to override

Options

OptionDescription
--continueContinuous mode: Don’t stop on errors.
--fallback-to-ldapAllow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.

idoverridegroup-find

Usage: ipa [global-options] idoverridegroup-find IDVIEW [CRITERIA] [options]

Search for an Group ID override.

Arguments

ArgumentRequiredDescription
IDVIEWyesID View Name

CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--anchor ANCHORAnchor to override
--desc DESCDescription
--group-name GROUP-NAMEGroup name
--gid GIDGroup ID Number
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--fallback-to-ldapAllow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“anchor”)

idoverridegroup-mod

Usage: ipa [global-options] idoverridegroup-mod IDVIEW ANCHOR [options]

Modify an Group ID override.

Arguments

ArgumentRequiredDescription
IDVIEWyesID View Name

ANCHOR yes Anchor to override

Options

OptionDescription
--desc DESCDescription
--group-name GROUP-NAMEGroup name
--gid GIDGroup ID Number
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--fallback-to-ldapAllow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--rename RENAMERename the Group ID override object

idoverridegroup-show

Usage: ipa [global-options] idoverridegroup-show IDVIEW ANCHOR [options]

Display information about an Group ID override.

Arguments

ArgumentRequiredDescription
IDVIEWyesID View Name

ANCHOR yes Anchor to override

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--fallback-to-ldapAllow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

idoverrideuser-add

Usage: ipa [global-options] idoverrideuser-add IDVIEW ANCHOR [options]

Add a new User ID override.

Arguments

ArgumentRequiredDescription
IDVIEWyesID View Name

ANCHOR yes Anchor to override

Options

OptionDescription
--desc DESCDescription
--login LOGINUser login
--uid UIDUser ID Number
--gecos GECOSGECOS
--gidnumber GIDNUMBERGroup ID Number
--homedir HOMEDIRHome directory
--shell SHELLLogin shell
--sshpubkey SSHPUBKEYSSH public key
--certificate CERTIFICATEBase-64 encoded user certificate
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--fallback-to-ldapAllow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

idoverrideuser-add-cert

Usage: ipa [global-options] idoverrideuser-add-cert IDVIEW ANCHOR [options]

Add one or more certificates to the idoverrideuser entry

Arguments

ArgumentRequiredDescription
IDVIEWyesID View Name

ANCHOR yes Anchor to override

Options

OptionDescription
--fallback-to-ldapAllow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--certificate CERTIFICATEBase-64 encoded user certificate

idoverrideuser-del

Usage: ipa [global-options] idoverrideuser-del IDVIEW ANCHOR [options]

Delete an User ID override.

Arguments

ArgumentRequiredDescription
IDVIEWyesID View Name

ANCHOR yes Anchor to override

Options

OptionDescription
--continueContinuous mode: Don’t stop on errors.
--fallback-to-ldapAllow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.

idoverrideuser-find

Usage: ipa [global-options] idoverrideuser-find IDVIEW [CRITERIA] [options]

Search for an User ID override.

Arguments

ArgumentRequiredDescription
IDVIEWyesID View Name

CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--anchor ANCHORAnchor to override
--desc DESCDescription
--login LOGINUser login
--uid UIDUser ID Number
--gecos GECOSGECOS
--gidnumber GIDNUMBERGroup ID Number
--homedir HOMEDIRHome directory
--shell SHELLLogin shell
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--fallback-to-ldapAllow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“anchor”)

idoverrideuser-mod

Usage: ipa [global-options] idoverrideuser-mod IDVIEW ANCHOR [options]

Modify an User ID override.

Arguments

ArgumentRequiredDescription
IDVIEWyesID View Name

ANCHOR yes Anchor to override

Options

OptionDescription
--desc DESCDescription
--login LOGINUser login
--uid UIDUser ID Number
--gecos GECOSGECOS
--gidnumber GIDNUMBERGroup ID Number
--homedir HOMEDIRHome directory
--shell SHELLLogin shell
--sshpubkey SSHPUBKEYSSH public key
--certificate CERTIFICATEBase-64 encoded user certificate
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--fallback-to-ldapAllow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--rename RENAMERename the User ID override object

idoverrideuser-remove-cert

Usage: ipa [global-options] idoverrideuser-remove-cert IDVIEW ANCHOR [options]

Remove one or more certificates to the idoverrideuser entry

Arguments

ArgumentRequiredDescription
IDVIEWyesID View Name

ANCHOR yes Anchor to override

Options

OptionDescription
--fallback-to-ldapAllow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.
--certificate CERTIFICATEBase-64 encoded user certificate

idoverrideuser-show

Usage: ipa [global-options] idoverrideuser-show IDVIEW ANCHOR [options]

Display information about an User ID override.

Arguments

ArgumentRequiredDescription
IDVIEWyesID View Name

ANCHOR yes Anchor to override

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--fallback-to-ldapAllow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--no-membersSuppress processing of membership attributes.

idview-add

Usage: ipa [global-options] idview-add NAME [options]

Add a new ID View.

Arguments

ArgumentRequiredDescription
NAMEyesID View Name

Options

OptionDescription
--desc DESCDescription
--domain-resolution-order DOMAIN-RESOLUTION-ORDERcolon-separated list of domains used for short name qualification
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

idview-apply

Usage: ipa [global-options] idview-apply NAME [options]

Applies ID View to specified hosts or current members of specified hostgroups. If any other ID View is applied to the host, it is overridden.

Arguments

ArgumentRequiredDescription
NAMEyesID View Name

Options

OptionDescription
--hosts HOSTSHosts to apply the ID View to
--hostgroups HOSTGROUPSHostgroups to whose hosts apply the ID View to. Please note that view is not applied automatically to any hosts added to the hostgroup after running the idview-apply command.

idview-del

Usage: ipa [global-options] idview-del NAME [options]

Delete an ID View.

Arguments

ArgumentRequiredDescription
NAMEyesID View Name

Options

OptionDescription
--continueContinuous mode: Don’t stop on errors.

idview-find

Usage: ipa [global-options] idview-find [CRITERIA] [options]

Search for an ID View.

Arguments

Argument Required Description


CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--name NAMEID View Name
--desc DESCDescription
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“name”)

idview-mod

Usage: ipa [global-options] idview-mod NAME [options]

Modify an ID View.

Arguments

ArgumentRequiredDescription
NAMEyesID View Name

Options

OptionDescription
--desc DESCDescription
--domain-resolution-order DOMAIN-RESOLUTION-ORDERcolon-separated list of domains used for short name qualification
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--rename RENAMERename the ID View object

idview-show

Usage: ipa [global-options] idview-show NAME [options]

Display information about an ID View.

Arguments

ArgumentRequiredDescription
NAMEyesID View Name

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--show-hostsEnumerate all the hosts the view applies to.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

idview-unapply

Usage: ipa [global-options] idview-unapply [options]

Clears ID View from specified hosts or current members of specified hostgroups.

Options

OptionDescription
--hosts HOSTSHosts to clear (any) ID View from.
--hostgroups HOSTGROUPSHostgroups whose hosts should have ID Views cleared. Note that view is not cleared automatically from any host added to the hostgroup after running idview-unapply command.

Related Topics