Lead Image © Nigel Silcock, Fotolia.com
ID Views smooth migration to a new identity management system
Masquerading
Numerous attributes are assigned to a user account when it is created, including the user and group IDs, the home directory, and the login shell. Things get problematic when user data moves from one system to another and the POSIX attributes change in the process. Another issue arises when the environment lacks a central system for user administration, so that every account is local to the system it lives on: the same person may well have a different user ID on each host. When such users are moved to a central system, the account receives just one ID, and access to files owned by the old IDs is lost, because a filesystem records only the numeric UID, and a number that no longer matches any account cannot be correlated with its owner.
When user accounts are synchronized from Active Directory (AD) to an LDAP server, the POSIX attributes stored in AD (uidNumber, gidNumber, unixHomeDirectory, loginShell) are usually carried over unchanged. Other techniques for giving AD users access to Linux resources can, however, end up assigning each account different IDs. For example, when a Kerberos cross-realm trust is configured, the FreeIPA identity management framework can assign its own IDs to users from the AD domain, which means the framework does not depend on POSIX attributes that may already exist in AD. The prospects are not good for anyone who wants to keep particular IDs, though: FreeIPA takes the IDs from a defined range (by default it derives them from the RID part of each account's security identifier) rather than from the existing attributes, so the administrator cannot choose them per account.
ID Views can help. They exist in two forms: as a FreeIPA feature, where a view is defined centrally on the server and enforced by the System Security Services Daemon (SSSD) on the enrolled clients, and as a purely local override within SSSD itself on a single client. Either way, the POSIX attributes of an account are simply overridden with other values, whether you want to change only the user ID or other attributes as well, such as the primary group, home directory, login shell, or even the login name.
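To make the procedure concrete, the following script is an added example; it is not code from the article or from the FreeIPA project. It creates a FreeIPA ID view, pins one migrated user's legacy POSIX attributes in it, applies the view to a single host, shows the SSSD-only local override as the alternative for a client without a FreeIPA server, and lists files whose owner no longer resolves, which is exactly the damage a changed UID causes. The view name "legacy-hosts", the user "alice", the legacy UID/GID 1001 and the host web01.example.com are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the article or from the FreeIPA project.
# Assumed names: view "legacy-hosts", user "alice", legacy UID/GID 1001,
# host web01.example.com. DRY_RUN=1 prints each command instead of running it.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Server side (run as an IPA admin holding a valid Kerberos ticket).
# 1. A view is a named container of overrides.
create_view() {      # create_view VIEW DESCRIPTION
    run ipa idview-add "$1" --desc "$2"
}

# 2. An override replaces selected POSIX attributes of one account inside
#    the view. For a user from a trusted AD domain the anchor is user@AD.DOMAIN.
override_user() {    # override_user VIEW USER UID GID HOMEDIR SHELL
    run ipa idoverrideuser-add "$1" "$2" \
        --uid "$3" --gidnumber "$4" --homedir "$5" --shell "$6"
}

# 3. Applying the view to a host makes SSSD there return the overridden
#    values; a host carries at most one view, so a later apply replaces it.
apply_view() {       # apply_view VIEW HOST
    run ipa idview-apply "$1" --hosts "$2"
}

# Client side: SSSD caches the old attributes, so flush them before checking.
verify_uid() {       # verify_uid USER EXPECTED_UID
    run sss_cache -E
    actual=$(id -u "$1" 2>/dev/null) || actual=""
    [ "$actual" = "$2" ]
}

# SSSD-only alternative for a client without a FreeIPA server: the override
# lives in SSSD's local cache (it is lost if the cache is deleted), and SSSD
# has to be restarted after the first override is added.
local_override() {   # local_override USER UID GID HOMEDIR SHELL
    run sss_override user-add "$1" -u "$2" -g "$3" -h "$4" -s "$5"
    run systemctl restart sssd
}

# Migration check (GNU find): files whose numeric owner or group maps to no
# account. These are the files an unplanned UID change has orphaned.
orphaned_files() {   # orphaned_files DIR
    find "$1" -xdev \( -nouser -o -nogroup \) -printf '%U:%G %p\n'
}

migrate_alice() {
    create_view legacy-hosts "Keep pre-migration UIDs on legacy hosts"
    override_user legacy-hosts alice 1001 1001 /home/alice /bin/bash
    apply_view legacy-hosts web01.example.com
}

# Usage: `sh idview.sh plan` prints the server-side commands,
# `sh idview.sh apply` executes them. Afterwards, on web01.example.com,
# `verify_uid alice 1001` should succeed and `id alice` show UID 1001,
# while every other enrolled host still reports the central ID.
case "${1:-}" in
    plan)  DRY_RUN=1; migrate_alice ;;
    apply) migrate_alice ;;
esac
```

Two points worth keeping in mind when you adapt this: overrides for trusted AD users that should apply everywhere belong in the view FreeIPA creates for that purpose (the Default Trust View) rather than in a per-host view, and because an override can map an account to any UID on the hosts the view is applied to, the right to manage ID views is effectively a privilege over those hosts and should be restricted and audited like one.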
Once an ID view has been applied to a host, the attributes stored as overrides in that view are used whenever a user logs in there, in place of the values from the account itself. You can set up several views, each holding overrides for individual users or for groups of users, which is very practical because different attributes can be tied to particular hosts; a host, however, has at most one view applied at any time. Even if central