ID Views
Manage ID views for overriding user and group attributes on specific hosts. ID views enable per-host attribute customization including UID, GID, home directory, and shell without modifying the master user entry. Features include view creation, host application, user override management, anchor-based override assignment, and support for Default Trust View for managing AD user attributes across IPA infrastructure.
Manage ID Views
IPA allows certain properties of users and groups to be overridden on a per-host basis. This functionality is primarily used to allow migration from older systems or other Identity Management solutions.
Commands
Command Description
idoverridegroup-add Add a new Group ID override.
idoverridegroup-del Delete a Group ID override.
idoverridegroup-find Search for a Group ID override.
idoverridegroup-mod Modify a Group ID override.
idoverridegroup-show Display information about a Group ID override.
idoverrideuser-add Add a new User ID override.
idoverrideuser-add-cert Add one or more certificates to the idoverrideuser entry
idoverrideuser-del Delete a User ID override.
idoverrideuser-find Search for a User ID override.
idoverrideuser-mod Modify a User ID override.
idoverrideuser-remove-cert Remove one or more certificates from the idoverrideuser entry
idoverrideuser-show Display information about a User ID override.
idview-add Add a new ID View.
idview-apply Applies ID View to specified hosts or current members of specified hostgroups. If any other ID View is applied to the host, it is overridden.
idview-del Delete an ID View.
idview-find Search for an ID View.
idview-mod Modify an ID View.
idview-show Display information about an ID View.
idview-unapply Clears ID View from specified hosts or current members of specified hostgroups.
idoverridegroup-add
Usage:
ipa [global-options] idoverridegroup-add IDVIEW ANCHOR [options]
Add a new Group ID override.
Arguments
Argument Required Description
IDVIEW yes ID View Name
ANCHOR yes Anchor to override
Options
Option Description
--desc DESC Description
--group-name GROUP-NAME Group name
--gid GID Group ID Number
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute
--fallback-to-ldap Allow falling back to AD DC LDAP when resolving
AD trusted objects. For two-way trusts only.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
idoverridegroup-del
Usage:
ipa [global-options] idoverridegroup-del IDVIEW ANCHOR [options]
Delete a Group ID override.
Arguments
Argument Required Description
IDVIEW yes ID View Name
ANCHOR yes Anchor to override
Options
Option Description
--continue Continuous mode: Don’t stop on errors.
--fallback-to-ldap Allow falling back to AD DC LDAP when resolving
AD trusted objects. For two-way trusts only.
idoverridegroup-find
Usage:
ipa [global-options] idoverridegroup-find IDVIEW [CRITERIA] [options]
Search for a Group ID override.
Arguments
Argument Required Description
IDVIEW yes ID View Name
CRITERIA no A string searched in all relevant object
attributes
Options
Option Description
--anchor ANCHOR Anchor to override
--desc DESC Description
--group-name GROUP-NAME Group name
--gid GID Group ID Number
--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT Maximum number of entries returned (0 is
unlimited)
--fallback-to-ldap Allow falling back to AD DC LDAP when resolving
AD trusted objects. For two-way trusts only.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--pkey-only Results should contain primary key attribute only
(“anchor”)
idoverridegroup-mod
Usage:
ipa [global-options] idoverridegroup-mod IDVIEW ANCHOR [options]
Modify a Group ID override.
Arguments
Argument Required Description
IDVIEW yes ID View Name
ANCHOR yes Anchor to override
Options
Option Description
--desc DESC Description
--group-name GROUP-NAME Group name
--gid GID Group ID Number
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute
--delattr DELATTR Delete an attribute/value pair. The option will
be evaluated
--rights Display the access rights of this entry (requires --all). See ipa man page for details.
--fallback-to-ldap Allow falling back to AD DC LDAP when resolving
AD trusted objects. For two-way trusts only.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--rename RENAME Rename the Group ID override object
idoverridegroup-show
Usage:
ipa [global-options] idoverridegroup-show IDVIEW ANCHOR [options]
Display information about a Group ID override.
Arguments
Argument Required Description
IDVIEW yes ID View Name
ANCHOR yes Anchor to override
Options
Option Description
--rights Display the access rights of this entry (requires --all). See ipa man page for details.
--fallback-to-ldap Allow falling back to AD DC LDAP when resolving
AD trusted objects. For two-way trusts only.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
idoverrideuser-add
Usage:
ipa [global-options] idoverrideuser-add IDVIEW ANCHOR [options]
Add a new User ID override.
Arguments
Argument Required Description
IDVIEW yes ID View Name
ANCHOR yes Anchor to override
Options
Option Description
--desc DESC Description
--login LOGIN User login
--uid UID User ID Number
--gecos GECOS GECOS
--gidnumber GIDNUMBER Group ID Number
--homedir HOMEDIR Home directory
--shell SHELL Login shell
--sshpubkey SSHPUBKEY SSH public key
--certificate CERTIFICATE Base-64 encoded user certificate
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute
--fallback-to-ldap Allow falling back to AD DC LDAP when resolving
AD trusted objects. For two-way trusts only.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--no-members Suppress processing of membership attributes.
idoverrideuser-add-cert
Usage:
ipa [global-options] idoverrideuser-add-cert IDVIEW ANCHOR [options]
Add one or more certificates to the idoverrideuser entry
Arguments
Argument Required Description
IDVIEW yes ID View Name
ANCHOR yes Anchor to override
Options
Option Description
--fallback-to-ldap Allow falling back to AD DC LDAP when resolving
AD trusted objects. For two-way trusts only.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--no-members Suppress processing of membership attributes.
--certificate CERTIFICATE Base-64 encoded user certificate
idoverrideuser-del
Usage:
ipa [global-options] idoverrideuser-del IDVIEW ANCHOR [options]
Delete a User ID override.
Arguments
Argument Required Description
IDVIEW yes ID View Name
ANCHOR yes Anchor to override
Options
Option Description
--continue Continuous mode: Don’t stop on errors.
--fallback-to-ldap Allow falling back to AD DC LDAP when resolving
AD trusted objects. For two-way trusts only.
idoverrideuser-find
Usage:
ipa [global-options] idoverrideuser-find IDVIEW [CRITERIA] [options]
Search for a User ID override.
Arguments
Argument Required Description
IDVIEW yes ID View Name
CRITERIA no A string searched in all relevant object
attributes
Options
Option Description
--anchor ANCHOR Anchor to override
--desc DESC Description
--login LOGIN User login
--uid UID User ID Number
--gecos GECOS GECOS
--gidnumber GIDNUMBER Group ID Number
--homedir HOMEDIR Home directory
--shell SHELL Login shell
--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT Maximum number of entries returned (0 is
unlimited)
--fallback-to-ldap Allow falling back to AD DC LDAP when resolving
AD trusted objects. For two-way trusts only.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--pkey-only Results should contain primary key attribute only
(“anchor”)
idoverrideuser-mod
Usage:
ipa [global-options] idoverrideuser-mod IDVIEW ANCHOR [options]
Modify a User ID override.
Arguments
Argument Required Description
IDVIEW yes ID View Name
ANCHOR yes Anchor to override
Options
Option Description
--desc DESC Description
--login LOGIN User login
--uid UID User ID Number
--gecos GECOS GECOS
--gidnumber GIDNUMBER Group ID Number
--homedir HOMEDIR Home directory
--shell SHELL Login shell
--sshpubkey SSHPUBKEY SSH public key
--certificate CERTIFICATE Base-64 encoded user certificate
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute
--delattr DELATTR Delete an attribute/value pair. The option will
be evaluated
--rights Display the access rights of this entry (requires --all). See ipa man page for details.
--fallback-to-ldap Allow falling back to AD DC LDAP when resolving
AD trusted objects. For two-way trusts only.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--no-members Suppress processing of membership attributes.
--rename RENAME Rename the User ID override object
idoverrideuser-remove-cert
Usage:
ipa [global-options] idoverrideuser-remove-cert IDVIEW ANCHOR [options]
Remove one or more certificates from the idoverrideuser entry
Arguments
Argument Required Description
IDVIEW yes ID View Name
ANCHOR yes Anchor to override
Options
Option Description
--fallback-to-ldap Allow falling back to AD DC LDAP when resolving
AD trusted objects. For two-way trusts only.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--no-members Suppress processing of membership attributes.
--certificate CERTIFICATE Base-64 encoded user certificate
idoverrideuser-show
Usage:
ipa [global-options] idoverrideuser-show IDVIEW ANCHOR [options]
Display information about a User ID override.
Arguments
Argument Required Description
IDVIEW yes ID View Name
ANCHOR yes Anchor to override
Options
Option Description
--rights Display the access rights of this entry (requires --all). See ipa man page for details.
--fallback-to-ldap Allow falling back to AD DC LDAP when resolving
AD trusted objects. For two-way trusts only.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--no-members Suppress processing of membership attributes.
idview-add
Usage: ipa [global-options] idview-add NAME [options]
Add a new ID View.
Arguments
Argument Required Description
NAME yes ID View Name
Options
Option Description
--desc DESC Description
--domain-resolution-order DOMAIN-RESOLUTION-ORDER colon-separated list of domains used for short
name qualification
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
idview-apply
Usage: ipa [global-options] idview-apply NAME [options]
Applies ID View to specified hosts or current members of specified hostgroups. If any other ID View is applied to the host, it is overridden.
Arguments
Argument Required Description
NAME yes ID View Name
Options
Option Description
--hosts HOSTS Hosts to apply the ID View to
--hostgroups HOSTGROUPS Hostgroups whose hosts the ID View is applied to. Please note that the view is not applied automatically to any hosts added to the hostgroup after running the idview-apply command.
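The workflow these commands support, as an added example that is not part of the FreeIPA documentation or code: create a view, override one user's attributes in it, apply it to a host, and re-apply it to a hostgroup after membership changes. The view, user, host and hostgroup names are placeholders, the anchor is assumed to be the user's login, and run_ipa is a hypothetical dry-run wrapper that only prints each command unless IPA_DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. View, user, host and hostgroup
# names are placeholders. Dry run by default: each command is only printed.
# Set IPA_DRY_RUN=0 on an enrolled host with an admin Kerberos ticket to execute.

run_ipa() {
    if [ "${IPA_DRY_RUN:-1}" = 1 ]; then
        printf 'ipa %s\n' "$*"      # log line only, not shell-quoted
    else
        ipa "$@"
    fi
}

# Create a view, add one user override to it, and bind the view to one host.
# Args: VIEW ANCHOR UID HOMEDIR HOST (ANCHOR is assumed to be the user's login)
create_view_with_override() {
    run_ipa idview-add "$1" --desc "Legacy UID mapping" || return 1
    # The override is stored in the view; the user's own entry is not modified.
    run_ipa idoverrideuser-add "$1" "$2" \
        --uid "$3" --homedir "$4" --shell /bin/bash || return 1
    # Any other view already applied to this host is replaced by this one.
    run_ipa idview-apply "$1" --hosts "$5" || return 1
}

# Re-apply a view to the current members of a hostgroup, then list the hosts
# it covers. Hosts that join the hostgroup later are not picked up until this
# is run again, so schedule it or run it after every membership change.
# Args: VIEW HOSTGROUP
reapply_view_to_hostgroup() {
    run_ipa idview-apply "$1" --hostgroups "$2" || return 1
    run_ipa idview-show "$1" --show-hosts
}

# Review what the view overrides before relying on it for file ownership.
# Args: VIEW
review_view_overrides() {
    run_ipa idoverrideuser-find "$1" --all || return 1
    run_ipa idoverridegroup-find "$1" --all
}

# Constructed sample invocation (placeholder names).
create_view_with_override legacy_view jdoe 5001 /home/legacy/jdoe web1.example.test
reapply_view_to_hostgroup legacy_view legacy_servers
review_view_overrides legacy_view
```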
idview-del
Usage: ipa [global-options] idview-del NAME [options]
Delete an ID View.
Arguments
Argument Required Description
NAME yes ID View Name
Options
Option Description
--continue Continuous mode: Don’t stop on errors.
idview-find
Usage: ipa [global-options] idview-find [CRITERIA] [options]
Search for an ID View.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
Option Description
--name NAME ID View Name
--desc DESC Description
--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT Maximum number of entries returned (0 is
unlimited)
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--pkey-only Results should contain primary key attribute only
(“name”)
idview-mod
Usage: ipa [global-options] idview-mod NAME [options]
Modify an ID View.
Arguments
Argument Required Description
NAME yes ID View Name
Options
Option Description
--desc DESC Description
--domain-resolution-order DOMAIN-RESOLUTION-ORDER colon-separated list of domains used for short
name qualification
--setattr SETATTR Set an attribute to a name/value pair. Format is
attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is
attr=value. The attribute
--delattr DELATTR Delete an attribute/value pair. The option will
be evaluated
--rights Display the access rights of this entry (requires --all). See ipa man page for details.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
--rename RENAME Rename the ID View object
idview-show
Usage: ipa [global-options] idview-show NAME [options]
Display information about an ID View.
Arguments
Argument Required Description
NAME yes ID View Name
Options
Option Description
--rights Display the access rights of this entry (requires --all). See ipa man page for details.
--show-hosts Enumerate all the hosts the view applies to.
--all Retrieve and print all attributes from the
server. Affects command output.
--raw Print entries as stored on the server. Only
affects output format.
idview-unapply
Usage: ipa [global-options] idview-unapply [options]
Clears ID View from specified hosts or current members of specified hostgroups.
Options
Option Description
--hosts HOSTS Hosts to clear (any) ID View from.