ID Views
Manage ID views for overriding user and group attributes on specific hosts. ID views enable per-host attribute customization including UID, GID, home directory, and shell without modifying the master user entry. Features include view creation, host application, user override management, anchor-based override assignment, and support for Default Trust View for managing AD user attributes across IPA infrastructure.
Manage ID Views
ID views provide per-host customization of user and group attributes without modifying master LDAP entries. This capability enables migration from legacy identity systems, accommodates site-specific requirements, and manages Active Directory trust user attributes through the Default Trust View.
An ID view acts as a container of attribute overrides that can be selectively applied to specific hosts. When an ID view is applied to a host, SSSD uses the override values instead of the master LDAP attributes, enabling different hosts to see different attribute values for the same user or group.
Overview
What are ID Views?
ID views solve the challenge of requiring different POSIX attributes for the same user or group across different hosts. In a typical identity management system, users and groups have a single set of attributes stored in LDAP. However, during migrations or in heterogeneous environments, different systems may require different values:
- UID/GID conflicts: A user may have UID 1000 on legacy systems but 50000 in FreeIPA
- Home directory variations: Different mount points or filesystem layouts per site
- Shell differences: Development systems using
/bin/bash, production using/bin/sh - Login name changes: Username format changes during migration (
jsmith→john.smith)
ID views provide an override layer that keeps the master LDAP entry unchanged while presenting customized values to specific hosts. This architecture enables gradual migrations, supports diverse infrastructure requirements, and maintains a single source of truth.
Architecture
Master LDAP Entry ID View Override Effective Attributes
───────────────── ──────────────── ────────────────────
User: jsmith View: legacy-migration Host A (view applied):
UID: 50000 ────────→ Override: jsmith UID: 1000 (override)
GID: 50000 UID: 1000 GID: 1000 (override)
Home: /home/jsmith GID: 1000 Home: /export/home/jsmith
Shell: /bin/bash Home: /export/home/jsmith Shell: /bin/bash
Shell: [not overridden]
Host B (no view):
UID: 50000 (master)
GID: 50000 (master)
Home: /home/jsmith
Shell: /bin/bash
Key architectural concepts:
- View container: Named collection of overrides (
cn=legacy-migration,cn=views,cn=accounts) - Overrides: Individual user or group attribute customizations within a view
- Anchor: Link between an override and its master entry (user/group DN or name)
- Application: Assignment of a view to specific hosts or hostgroups
- SSSD integration: Client-side override resolution during authentication
ID View Components
User overrides support customizing:
uid- User ID number (UID)gidnumber- Primary group ID (GID)login- Login name (username)gecos- Full name/comment fieldhomedir- Home directory pathshell- Login shellsshpubkey- SSH public keys (multi-valued)certificate- X.509 certificates (multi-valued)
Group overrides support customizing:
gid- Group ID number (GID)group-name- Group name
View metadata:
name- Unique view identifierdescription- Administrative documentationdomain-resolution-order- Short name qualification order for trusted domains
The Anchor Mechanism
Anchors link overrides to their master entries. FreeIPA uses the master entry’s DN or name as the anchor value:
For IPA users/groups:
Anchor: uid=jsmith,cn=users,cn=accounts,dc=example,dc=com
For AD trust users (in Default Trust View):
Anchor: jsmith@ad.example.com
Anchor: AD\\jsmith
When SSSD resolves a user, it:
- Retrieves the master entry from LDAP
- Checks if an ID view is applied to the host
- If yes, looks up an override matching the master entry’s DN
- Merges override attributes over master attributes
- Returns the effective attribute set
This anchor-based indirection keeps overrides portable across topology replicas and resilient to master entry modifications (except DN changes).
Default Trust View
The Default Trust View is a special built-in ID view automatically applied to all IPA masters and clients for Active Directory trust users. It cannot be deleted or unapplied.
Purpose: Override attributes for AD users accessed through trusts without requiring manual view application.
Use cases:
- Override AD user UIDs to avoid conflicts with IPA ID ranges
- Customize home directories for AD users (AD provides none)
- Set login shells for AD users (AD provides none)
- Change GECOS fields for display consistency
- Add SSH public keys for AD users
Characteristics:
- Always active for trusted domain users
- Applied automatically, no
idview-applyneeded - Overrides are managed like any other view
- Uses AD user principal or SAM account name as anchor
Example workflow:
# AD user jdoe@ad.example.com logs in
# FreeIPA finds no override, AD provides UID 10001, no home, no shell
# Add override in Default Trust View
ipa idoverrideuser-add 'Default Trust View' jdoe@ad.example.com \
--uid 60001 \
--homedir /home/ad/jdoe \
--shell /bin/bash
# Next login: UID 60001, home /home/ad/jdoe, shell /bin/bash
Migration Workflow
ID views enable zero-downtime migrations by allowing legacy and new systems to coexist:
Phase 1: Preparation
- Create ID view for legacy attribute mappings
- Add overrides matching legacy UID/GID/home/shell values
- Test view on pilot systems
Phase 2: Gradual Migration
- Apply view to migrating hosts
- Validate user login and file ownership
- Migrate users to new systems with overrides active
- Expand view application to more hosts
Phase 3: Cleanup
- After all hosts migrated, begin removing overrides
- Update file ownership to master UID/GID values
- Unapply view from hosts
- Delete view when no longer needed
This phased approach prevents UID/GID mismatches during migration, maintains file ownership integrity, and allows rollback at any stage.
View Application Model
ID views use explicit host assignment, not automatic propagation:
Direct host assignment:
ipa idview-apply legacy-view --hosts=server1.example.com,server2.example.com
Hostgroup member assignment (snapshot):
ipa idview-apply legacy-view --hostgroups=legacy-servers
# Only current members receive the view
# Hosts added to legacy-servers later DO NOT automatically receive the view
# Must run idview-apply again or assign view directly to new hosts
This snapshot behavior provides control and predictability but requires administrative diligence when adding hosts to groups.
Checking view application:
# Which view is applied to a host?
ipa host-show server1.example.com --all | grep ipasshpubkey
# Which hosts use a view?
ipa idview-show legacy-view --show-hosts
SSSD Integration
SSSD retrieves and caches ID view overrides for efficient resolution:
Configuration (automatic when IPA client is enrolled):
[domain/example.com]
id_provider = ipa
ipa_server = ipa.example.com
cache_credentials = True
Resolution process:
- User login triggers SSSD lookup
- SSSD queries IPA for master user entry
- SSSD checks host’s assigned ID view (cached from IPA)
- If view exists, SSSD queries for matching override
- SSSD merges override over master attributes
- SSSD returns effective attributes to NSS/PAM
- SSSD caches both master and override for offline operation
Cache behavior:
- Overrides cached separately from master entries
- Cache invalidation triggers on override changes
- Offline mode uses last cached override values
- Cache timeout controlled by
entry_cache_timeout
Troubleshooting SSSD view resolution:
# Increase SSSD debug level
sssctl debug-level 6
# Check cached view assignment
sssctl cache-expire -v
# View override cache entries
ldbsearch -H /var/lib/sss/db/cache_example.com.ldb \
'(objectClass=override)'
Use Cases
Legacy System Migration
Scenario: Migrating 500 users from NIS with UIDs 1000-1500 to FreeIPA with UIDs 50000-50500.
Challenge: File ownership uses legacy UIDs; changing all files risks errors and downtime.
Solution:
# Create migration view
ipa idview-add nis-migration --desc "NIS UID/GID preservation"
# Add overrides for each user (can be automated)
ipa idoverrideuser-add nis-migration jsmith \
--uid 1000 \
--gidnumber 1000 \
--homedir /export/home/jsmith
# Apply to legacy fileservers
ipa idview-apply nis-migration --hostgroups=nis-fileservers
# Result: Files remain owned by UID 1000, which resolves to jsmith
# New systems use master UID 50000
# Gradual file ownership migration can proceed independently
Site-Specific Requirements
Scenario: European datacenter uses /data/home mount point, US datacenter uses /home.
Solution:
# Create EU-specific view
ipa idview-add eu-datacenter --desc "European home directory layout"
# Override home directories
for user in $(ipa user-find --raw --pkey-only | grep 'uid:' | cut -d: -f2); do
ipa idoverrideuser-add eu-datacenter "$user" \
--homedir "/data/home/$user"
done
# Apply to EU hosts
ipa idview-apply eu-datacenter --hostgroups=eu-servers
Development vs Production Shells
Scenario: Developers need /bin/bash for interactive work, production uses /bin/sh for security.
Solution:
# Production shell restriction
ipa idview-add production --desc "Production shell restrictions"
ipa idoverrideuser-add production alice --shell /bin/sh
ipa idoverrideuser-add production bob --shell /bin/sh
ipa idview-apply production --hostgroups=production-servers
# Development systems use master /bin/bash, production uses /bin/sh
Active Directory Trust UID Conflicts
Scenario: AD trust provides UIDs 10000-20000, conflicting with local user range 10000-60000.
Solution:
# Use Default Trust View for AD user overrides
ipa idoverrideuser-add 'Default Trust View' 'jdoe@ad.example.com' \
--uid 70001 \
--gidnumber 70001 \
--homedir /home/ad/jdoe \
--shell /bin/bash
# Override automatically applies to all IPA clients
# No idview-apply needed for Default Trust View
Username Format Standardization
Scenario: Acquired company uses firstname.lastname format, parent company uses flastname.
Solution:
# Create login name override view
ipa idview-add unified-login --desc "Standardized login names"
# Override login names for acquired users
ipa idoverrideuser-add unified-login john.smith --login jsmith
ipa idoverrideuser-add unified-login jane.doe --login jdoe
# Apply to integrated systems
ipa idview-apply unified-login --hostgroups=integrated-infrastructure
# Users can now use jsmith on integrated systems
# Master entry preserves john.smith for other systems
Shared System Special Accounts
Scenario: Shared jump host requires specific UIDs for audit logging consistency across sites.
Solution:
# Create jump host view
ipa idview-add jumphost-audit --desc "Jump host audit UID consistency"
# Override admin accounts to fixed UIDs
ipa idoverrideuser-add jumphost-audit admin-alice --uid 9001
ipa idoverrideuser-add jumphost-audit admin-bob --uid 9002
# Apply only to jump hosts
ipa idview-apply jumphost-audit --hosts=jump1.example.com,jump2.example.com
# Audit logs always show UID 9001/9002 for consistent correlation
Examples
Creating and Managing Views
Create a new ID view:
ipa idview-add migration-2024 \
--desc "Q1 2024 datacenter migration"
List all ID views:
ipa idview-find
ipa idview-find --all # Include built-in Default Trust View
Show view details including applied hosts:
ipa idview-show migration-2024
ipa idview-show migration-2024 --show-hosts # Enumerate all hosts
Modify view description:
ipa idview-mod migration-2024 \
--desc "Q1 2024 datacenter migration - extended to Q2"
Delete an ID view (must unapply first):
ipa idview-unapply --hostgroups=migration-group
ipa idview-del migration-2024
User Override Management
Add user override with basic attributes:
ipa idoverrideuser-add migration-2024 jsmith \
--uid 1000 \
--gidnumber 1000
Add user override with full attribute set:
ipa idoverrideuser-add migration-2024 alice \
--uid 2001 \
--gidnumber 2001 \
--login alice.smith \
--gecos "Alice Smith (Legacy Account)" \
--homedir /export/home/alice \
--shell /bin/ksh
Add user override for AD trust user in Default Trust View:
ipa idoverrideuser-add 'Default Trust View' 'jdoe@ad.example.com' \
--uid 60001 \
--gidnumber 60001 \
--homedir /home/ad/jdoe \
--shell /bin/bash \
--gecos "John Doe (AD)"
Add user override using AD SAM account name:
ipa idoverrideuser-add 'Default Trust View' 'AD\jdoe' \
--uid 60001 \
--homedir /home/ad/jdoe
Add SSH public key to user override:
ipa idoverrideuser-mod migration-2024 jsmith \
--sshpubkey "ssh-rsa AAAAB3NzaC1yc2EA... jsmith@oldhost"
Add certificate to user override:
# From file
ipa idoverrideuser-add-cert migration-2024 alice \
--certificate "$(cat alice-cert.pem)"
# Direct base64
ipa idoverrideuser-add-cert migration-2024 alice \
--certificate "MIIEXzCCA0egAwIBAgIUfTx..."
Remove certificate from user override:
ipa idoverrideuser-remove-cert migration-2024 alice \
--certificate "MIIEXzCCA0egAwIBAgIUfTx..."
Find all user overrides in a view:
ipa idoverrideuser-find migration-2024
ipa idoverrideuser-find migration-2024 --all
ipa idoverrideuser-find migration-2024 --uid 1000 # Filter by UID
Find user overrides by home directory:
ipa idoverrideuser-find migration-2024 --homedir /export/home/jsmith
Show user override details:
ipa idoverrideuser-show migration-2024 jsmith
ipa idoverrideuser-show migration-2024 jsmith --all --raw
Modify user override:
ipa idoverrideuser-mod migration-2024 jsmith \
--shell /bin/bash \
--homedir /home/jsmith
Delete user override:
ipa idoverrideuser-del migration-2024 jsmith
ipa idoverrideuser-del migration-2024 jsmith alice bob --continue # Batch delete
Group Override Management
Add group override with GID:
ipa idoverridegroup-add migration-2024 developers \
--gid 5000
Add group override with name change:
ipa idoverridegroup-add migration-2024 'legacy-admins' \
--group-name admins \
--gid 1001
Find all group overrides:
ipa idoverridegroup-find migration-2024
ipa idoverridegroup-find migration-2024 --gid 5000 # Filter by GID
Show group override:
ipa idoverridegroup-show migration-2024 developers
Modify group override:
ipa idoverridegroup-mod migration-2024 developers \
--gid 5001 \
--desc "Updated GID for conflict resolution"
Delete group override:
ipa idoverridegroup-del migration-2024 developers
Applying and Unapplying Views
Apply view to specific hosts:
ipa idview-apply migration-2024 \
--hosts=server1.example.com,server2.example.com
Apply view to hostgroup members (snapshot):
ipa idview-apply migration-2024 \
--hostgroups=legacy-servers
# Only current members receive the view
# New hostgroup members added later need separate idview-apply
Apply view to combination of hosts and hostgroups:
ipa idview-apply production-shell \
--hosts=prod1.example.com,prod2.example.com \
--hostgroups=production-web,production-db
Check which view is applied to a host:
ipa host-show server1.example.com --all | grep -i "ID view"
Check which hosts use a view:
ipa idview-show migration-2024 --show-hosts
Unapply view from specific hosts:
ipa idview-unapply \
--hosts=server1.example.com,server2.example.com
Unapply view from hostgroup members (snapshot):
ipa idview-unapply \
--hostgroups=legacy-servers
# Only current members lose the view
# Must specify hosts individually to unapply from hosts added after initial apply
Clear view from all hosts before deletion:
# Show hosts first
ipa idview-show migration-2024 --show-hosts
# Unapply from listed hosts
ipa idview-unapply --hosts=host1.example.com,host2.example.com
# Delete view
ipa idview-del migration-2024
Bulk Override Creation
Create overrides from CSV file:
# Format: username,uid,gid,home,shell
# jsmith,1000,1000,/export/home/jsmith,/bin/bash
# alice,1001,1001,/export/home/alice,/bin/ksh
while IFS=, read -r user uid gid home shell; do
ipa idoverrideuser-add migration-2024 "$user" \
--uid "$uid" \
--gidnumber "$gid" \
--homedir "$home" \
--shell "$shell"
done < migration-users.csv
Create overrides for all existing users with formula:
# Override all users with UID = master_UID - 49000
for user in $(ipa user-find --raw --pkey-only | grep 'uid:' | awk '{print $2}'); do
master_uid=$(ipa user-show "$user" --raw | grep 'uidnumber:' | awk '{print $2}')
override_uid=$((master_uid - 49000))
ipa idoverrideuser-add legacy-view "$user" \
--uid "$override_uid" \
--gidnumber "$override_uid"
done
Create group overrides for all groups:
# Override all groups with GID = master_GID - 49000
for group in $(ipa group-find --raw --pkey-only | grep 'cn:' | awk '{print $2}'); do
master_gid=$(ipa group-show "$group" --raw | grep 'gidnumber:' | awk '{print $2}')
override_gid=$((master_gid - 49000))
ipa idoverridegroup-add legacy-view "$group" \
--gid "$override_gid"
done
Default Trust View Management
Add override for AD user (UPN anchor):
ipa idoverrideuser-add 'Default Trust View' 'jdoe@ad.example.com' \
--uid 70001 \
--gidnumber 70001 \
--homedir /home/ad/jdoe \
--shell /bin/bash
Add override for AD user (SAM account name anchor):
ipa idoverrideuser-add 'Default Trust View' 'AD\jdoe' \
--uid 70001 \
--homedir /home/ad/jdoe
List all AD user overrides:
ipa idoverrideuser-find 'Default Trust View'
ipa idoverrideuser-find 'Default Trust View' --all
Add SSH key for AD user:
ipa idoverrideuser-mod 'Default Trust View' 'jdoe@ad.example.com' \
--sshpubkey "ssh-rsa AAAAB3NzaC1yc2EA... jdoe@ad-workstation"
Batch create AD user overrides for home directories:
# Get all AD users from trust
ipa user-find --user-auth-type=password --all | grep 'uid:' | \
while read -r line; do
aduser=$(echo "$line" | awk '{print $2}')
# Only process AD trust users
if [[ "$aduser" == *@ad.example.com ]]; then
username=$(echo "$aduser" | cut -d@ -f1)
ipa idoverrideuser-add 'Default Trust View' "$aduser" \
--homedir "/home/ad/$username" \
--shell /bin/bash
fi
done
Advanced Workflows
Migration with progressive rollout:
# Week 1: Create view with all overrides
ipa idview-add migration-phase1
# ... add all overrides ...
# Week 2: Apply to pilot group
ipa idview-apply migration-phase1 --hosts=pilot1.example.com
# Week 3: Validate, apply to department
ipa idview-apply migration-phase1 --hostgroups=dept-engineering
# Week 4: Apply to all legacy hosts
ipa idview-apply migration-phase1 --hostgroups=all-legacy-systems
# Month 2: Begin removing overrides as files are migrated
ipa idoverrideuser-del migration-phase1 jsmith # Files updated
ipa idoverrideuser-del migration-phase1 alice # Files updated
# Month 3: Unapply view from migrated hosts
ipa idview-unapply --hostgroups=dept-engineering
# Month 4: Delete view when empty
ipa idoverrideuser-find migration-phase1 # Verify empty
ipa idview-del migration-phase1
Per-environment customization:
# Create environment-specific views
ipa idview-add dev-environment
ipa idview-add staging-environment
ipa idview-add production-environment
# Development: generous shells and home directories
ipa idoverrideuser-add dev-environment alice --shell /bin/bash
ipa idoverrideuser-add dev-environment bob --shell /bin/zsh
# Staging: production-like restrictions
ipa idoverrideuser-add staging-environment alice --shell /bin/sh
# Production: strict lockdown
ipa idoverrideuser-add production-environment alice --shell /bin/rbash
# Apply views
ipa idview-apply dev-environment --hostgroups=dev-servers
ipa idview-apply staging-environment --hostgroups=staging-servers
ipa idview-apply production-environment --hostgroups=prod-servers
Temporary override for troubleshooting:
# Grant developer temporary root-like UID for debugging
ipa idview-add debug-session
ipa idoverrideuser-add debug-session alice --uid 0 --gidnumber 0
# Apply to single debug host
ipa idview-apply debug-session --hosts=debug1.example.com
# After debugging, remove view
ipa idview-unapply --hosts=debug1.example.com
ipa idview-del debug-session
Disaster recovery override:
# Emergency: admin locked out, need different UID
ipa idview-add emergency-access
ipa idoverrideuser-add emergency-access admin-backup \
--uid 0 \
--gidnumber 0 \
--shell /bin/bash
# Apply to affected hosts
ipa idview-apply emergency-access --hosts=locked-server.example.com
# Log in as admin-backup (appears as UID 0)
# Fix original admin account
# Remove emergency view
ipa idview-unapply --hosts=locked-server.example.com
ipa idview-del emergency-access
Best Practices
Planning
Design views for specific purposes: Create separate views for different use cases (migration, environment, site-specific) rather than one monolithic view. This improves clarity and reduces blast radius of changes.
Document override rationale: Use --desc to explain why each override exists and when it should be removed. Future administrators will need this context.
Plan migration exit strategy: ID views should be temporary for migrations. Define success criteria and override removal process before implementation.
Test on pilot systems: Apply new views to non-critical hosts first to validate override behavior and identify issues before broad rollout.
Understand the snapshot model: View application to hostgroups is a snapshot, not a dynamic assignment. New hostgroup members need explicit view application.
Override Management
Minimize override scope: Only override attributes that truly need customization. Overriding everything reduces flexibility and complicates troubleshooting.
Use consistent anchors: For IPA users, anchors are automatic (DN-based). For AD users, decide on UPN or SAM account name format and use consistently.
Prefer master entry updates: If all hosts need the same attribute change, update the master entry instead of creating view overrides. Views are for per-host variation.
Avoid login name overrides: Changing login names via overrides can confuse users and administrators. Prefer other identity unification approaches.
Batch create overrides: Use scripting for bulk override creation to ensure consistency and reduce manual errors.
View Application
Explicit is better than group-based: Directly assigning views to hosts provides clearer audit trail and avoids hostgroup snapshot confusion.
Document applied hosts: Maintain documentation of which hosts use which views, as this isn’t always obvious from hostgroup membership.
Verify application: After applying a view, test user login on affected hosts to validate override behavior.
Coordinate with SSSD cache: After applying/unapplying views, clear SSSD cache on clients: sssctl cache-expire -E
Plan unapplication: Before deleting a view, unapply it from all hosts and verify master attributes are acceptable.
Default Trust View
Use sparingly: Default Trust View applies to all clients automatically. Only add overrides for attributes genuinely needed everywhere.
Provide shells and home directories: AD doesn’t supply these POSIX attributes. Adding them via Default Trust View improves AD user experience.
Avoid UID conflicts: If AD trust UID ranges overlap with IPA ranges, use Default Trust View to map AD users to non-conflicting UIDs.
Test with AD users: Default Trust View changes affect all AD user logins. Validate overrides thoroughly before adding them.
Operational Practices
Monitor override count: Large numbers of overrides may indicate design issues. Consider whether master entry changes or ID range planning would be better.
Review periodically: Regularly audit views and overrides to remove obsolete entries and identify cleanup opportunities.
Version control view definitions: Export view override lists to version control for disaster recovery and change tracking.
Integrate with provisioning: Automate override creation in user provisioning workflows for migrations and special environments.
Communicate view changes: Inform affected users and administrators before applying or removing views, as attribute changes can affect login and file access.
Security Considerations
UID 0 overrides are dangerous: Granting UID 0 via override gives root privileges without normal root account safeguards. Avoid except in emergencies.
Shell overrides affect security posture: Overriding a restricted shell (/bin/rbash) with an unrestricted shell (/bin/bash) on specific hosts creates security inconsistencies.
Home directory overrides can expose data: Changing home directories via overrides may grant unintended access to files in the new location.
View application is a privilege operation: Only trusted administrators should have idview-apply permissions, as it can alter security context across systems.
Default Trust View affects all clients: Changes to Default Trust View immediately impact all IPA clients. Thoroughly validate AD user overrides before creation.
Anchor tampering: Overrides are keyed by anchor (DN or name). Renaming master entries may break override linkage, causing unexpected attribute changes.
SSSD cache poisoning risk: Compromised SSSD cache could serve malicious override values. Ensure SSSD cache permissions are restrictive (root-only).
Override visibility: Overrides are visible to any authenticated IPA user via idoverrideuser-show. Don’t store sensitive data in override descriptions.
Integration Points
SSSD: Client-side daemon retrieves and caches overrides, merges them over master attributes during user resolution
Active Directory Trusts: Default Trust View provides override mechanism for AD user POSIX attributes across all IPA clients
Host/Hostgroup Management: View application tied to host objects; hosts can have at most one view applied (plus Default Trust View for AD users)
User/Group Management: Overrides reference master entries by anchor; master entry deletion doesn’t cascade to overrides (creating orphans)
LDAP: Overrides stored in cn=views,cn=accounts,dc=example,dc=com subtree; clients query via LDAP for override retrieval
Migration Tools: ipa-server-upgrade creates Default Trust View automatically when AD trusts are established
Replication: Views and overrides replicate across topology like other LDAP objects; view application is server-side metadata
DNS: No direct integration; view-based home directory changes may need corresponding automount or NFS export updates
Troubleshooting
Override not taking effect:
# Verify view is applied to host
ipa idview-show migration-2024 --show-hosts
# Verify override exists
ipa idoverrideuser-show migration-2024 jsmith
# Clear SSSD cache on client
sssctl cache-expire -E
# Test resolution
getent passwd jsmith
id jsmith
Wrong anchor used for AD user:
# Determine correct anchor format
ipa user-show 'jdoe@ad.example.com' --raw | grep dn
# Delete incorrect override
ipa idoverrideuser-del 'Default Trust View' 'wrong-anchor'
# Re-create with correct anchor
ipa idoverrideuser-add 'Default Trust View' 'jdoe@ad.example.com' --uid 70001
View deletion fails with “view is applied to hosts”:
# Find applied hosts
ipa idview-show problematic-view --show-hosts
# Unapply from all hosts
ipa idview-unapply --hosts=host1.example.com,host2.example.com
# Delete view
ipa idview-del problematic-view
Hostgroup view application didn’t affect new members:
# View application to hostgroups is a snapshot
# Manually apply to new hosts
# Find new hostgroup members
ipa hostgroup-show legacy-servers
# Apply view directly to new hosts
ipa idview-apply migration-2024 --hosts=newhost.example.com
User override orphaned after user deletion:
# Overrides remain after master user deletion
# Find orphaned overrides
ipa idoverrideuser-find migration-2024 --all | \
while read -r anchor; do
# Check if master user exists
ipa user-show "$anchor" 2>/dev/null || echo "Orphaned: $anchor"
done
# Delete orphaned overrides
ipa idoverrideuser-del migration-2024 orphaned-user-dn
File ownership broken after override removal:
# Removing override changes effective UID back to master
# Files owned by override UID become orphaned
# Before removing override, update file ownership
ssh server1.example.com
find /home/jsmith -uid 1000 -exec chown 50000:50000 {} \;
# After ownership updated, safe to remove override
ipa idoverrideuser-del migration-2024 jsmith
SSSD not seeing override updates:
# SSSD caches overrides with entry_cache_timeout
# Force cache refresh
sssctl cache-expire -E # Expire all cached entries
systemctl restart sssd # Restart SSSD
sssctl cache-expire -u jsmith # Expire specific user
Commands
idoverridegroup-add
Usage:
ipa [global-options] idoverridegroup-add IDVIEW ANCHOR [options]
Add a new Group ID override.
Arguments
| Argument | Required | Description |
|---|---|---|
IDVIEW | yes | ID View Name |
ANCHOR yes Anchor to override
Options
| Option | Description |
|---|---|
--desc DESC | Description |
--group-name GROUP-NAME | Group name |
--gid GID | Group ID Number |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--fallback-to-ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
idoverridegroup-del
Usage:
ipa [global-options] idoverridegroup-del IDVIEW ANCHOR [options]
Delete an Group ID override.
Arguments
| Argument | Required | Description |
|---|---|---|
IDVIEW | yes | ID View Name |
ANCHOR yes Anchor to override
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
--fallback-to-ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. |
idoverridegroup-find
Usage:
ipa [global-options] idoverridegroup-find IDVIEW [CRITERIA] [options]
Search for an Group ID override.
Arguments
| Argument | Required | Description |
|---|---|---|
IDVIEW | yes | ID View Name |
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--anchor ANCHOR | Anchor to override |
--desc DESC | Description |
--group-name GROUP-NAME | Group name |
--gid GID | Group ID Number |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--fallback-to-ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“anchor”) |
idoverridegroup-mod
Usage:
ipa [global-options] idoverridegroup-mod IDVIEW ANCHOR [options]
Modify an Group ID override.
Arguments
| Argument | Required | Description |
|---|---|---|
IDVIEW | yes | ID View Name |
ANCHOR yes Anchor to override
Options
| Option | Description |
|---|---|
--desc DESC | Description |
--group-name GROUP-NAME | Group name |
--gid GID | Group ID Number |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--fallback-to-ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--rename RENAME | Rename the Group ID override object |
idoverridegroup-show
Usage:
ipa [global-options] idoverridegroup-show IDVIEW ANCHOR [options]
Display information about an Group ID override.
Arguments
| Argument | Required | Description |
|---|---|---|
IDVIEW | yes | ID View Name |
ANCHOR yes Anchor to override
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--fallback-to-ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
idoverrideuser-add
Usage:
ipa [global-options] idoverrideuser-add IDVIEW ANCHOR [options]
Add a new User ID override.
Arguments
| Argument | Required | Description |
|---|---|---|
IDVIEW | yes | ID View Name |
ANCHOR yes Anchor to override
Options
| Option | Description |
|---|---|
--desc DESC | Description |
--login LOGIN | User login |
--uid UID | User ID Number |
--gecos GECOS | GECOS |
--gidnumber GIDNUMBER | Group ID Number |
--homedir HOMEDIR | Home directory |
--shell SHELL | Login shell |
--sshpubkey SSHPUBKEY | SSH public key |
--certificate CERTIFICATE | Base-64 encoded user certificate |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--fallback-to-ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
idoverrideuser-add-cert
Usage:
ipa [global-options] idoverrideuser-add-cert IDVIEW ANCHOR [options]
Add one or more certificates to the idoverrideuser entry
Arguments
| Argument | Required | Description |
|---|---|---|
IDVIEW | yes | ID View Name |
ANCHOR yes Anchor to override
Options
| Option | Description |
|---|---|
--fallback-to-ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--certificate CERTIFICATE | Base-64 encoded user certificate |
idoverrideuser-del
Usage:
ipa [global-options] idoverrideuser-del IDVIEW ANCHOR [options]
Delete an User ID override.
Arguments
| Argument | Required | Description |
|---|---|---|
IDVIEW | yes | ID View Name |
ANCHOR yes Anchor to override
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
--fallback-to-ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. |
idoverrideuser-find
Usage:
ipa [global-options] idoverrideuser-find IDVIEW [CRITERIA] [options]
Search for an User ID override.
Arguments
| Argument | Required | Description |
|---|---|---|
IDVIEW | yes | ID View Name |
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--anchor ANCHOR | Anchor to override |
--desc DESC | Description |
--login LOGIN | User login |
--uid UID | User ID Number |
--gecos GECOS | GECOS |
--gidnumber GIDNUMBER | Group ID Number |
--homedir HOMEDIR | Home directory |
--shell SHELL | Login shell |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--fallback-to-ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“anchor”) |
idoverrideuser-mod
Usage:
ipa [global-options] idoverrideuser-mod IDVIEW ANCHOR [options]
Modify an User ID override.
Arguments
| Argument | Required | Description |
|---|---|---|
IDVIEW | yes | ID View Name |
ANCHOR yes Anchor to override
Options
| Option | Description |
|---|---|
--desc DESC | Description |
--login LOGIN | User login |
--uid UID | User ID Number |
--gecos GECOS | GECOS |
--gidnumber GIDNUMBER | Group ID Number |
--homedir HOMEDIR | Home directory |
--shell SHELL | Login shell |
--sshpubkey SSHPUBKEY | SSH public key |
--certificate CERTIFICATE | Base-64 encoded user certificate |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--fallback-to-ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--rename RENAME | Rename the User ID override object |
idoverrideuser-remove-cert
Usage:
ipa [global-options] idoverrideuser-remove-cert IDVIEW ANCHOR [options]
Remove one or more certificates to the idoverrideuser entry
Arguments
| Argument | Required | Description |
|---|---|---|
IDVIEW | yes | ID View Name |
ANCHOR yes Anchor to override
Options
| Option | Description |
|---|---|
--fallback-to-ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--certificate CERTIFICATE | Base-64 encoded user certificate |
idoverrideuser-show
Usage:
ipa [global-options] idoverrideuser-show IDVIEW ANCHOR [options]
Display information about an User ID override.
Arguments
| Argument | Required | Description |
|---|---|---|
IDVIEW | yes | ID View Name |
ANCHOR yes Anchor to override
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--fallback-to-ldap | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
idview-add
Usage: ipa [global-options] idview-add NAME [options]
Add a new ID View.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | ID View Name |
Options
| Option | Description |
|---|---|
--desc DESC | Description |
--domain-resolution-order DOMAIN-RESOLUTION-ORDER | colon-separated list of domains used for short name qualification |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
idview-apply
Usage: ipa [global-options] idview-apply NAME [options]
Applies ID View to specified hosts or current members of specified hostgroups. If any other ID View is applied to the host, it is overridden.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | ID View Name |
Options
| Option | Description |
|---|---|
--hosts HOSTS | Hosts to apply the ID View to |
--hostgroups HOSTGROUPS | Hostgroups to whose hosts apply the ID View to. Please note that view is not applied automatically to any hosts added to the hostgroup after running the idview-apply command. |
idview-del
Usage: ipa [global-options] idview-del NAME [options]
Delete an ID View.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | ID View Name |
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
idview-find
Usage: ipa [global-options] idview-find [CRITERIA] [options]
Search for an ID View.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--name NAME | ID View Name |
--desc DESC | Description |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“name”) |
idview-mod
Usage: ipa [global-options] idview-mod NAME [options]
Modify an ID View.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | ID View Name |
Options
| Option | Description |
|---|---|
--desc DESC | Description |
--domain-resolution-order DOMAIN-RESOLUTION-ORDER | colon-separated list of domains used for short name qualification |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--rename RENAME | Rename the ID View object |
idview-show
Usage: ipa [global-options] idview-show NAME [options]
Display information about an ID View.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | ID View Name |
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--show-hosts | Enumerate all the hosts the view applies to. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
idview-unapply
Usage: ipa [global-options] idview-unapply [options]
Clears ID View from specified hosts or current members of specified hostgroups.
Options
| Option | Description |
|---|---|
--hosts HOSTS | Hosts to clear (any) ID View from. |
--hostgroups HOSTGROUPS | Hostgroups whose hosts should have ID Views cleared. Note that view is not cleared automatically from any host added to the hostgroup after running idview-unapply command. |