Lead Image © Nigel Silcock, Fotolia.com

ID Views smooth migration to a new identity management system


Article from ADMIN 38/2017
POSIX attributes are permanently connected to a user account, and they help identify the user; however, this permanent connection can lead to difficulties when migrating from one identity management system to another. ID Views help you make migration go smoothly.

Numerous attributes are assigned to a user account when it is created, including the user and group IDs, the home directory, and the login shell. Problems arise when user data moves from one system to another and the POSIX attributes change in the process. Another common cause is an environment without a central system for user administration: each account is then local to the respective system, and the same user may well have a different user ID on each one. If the users are later moved to a central system, each account has just a single ID, and the files still owned by the old numeric IDs end up belonging to an unknown user, because the changed user ID can no longer be correlated with an account.
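The audit a practitioner wants at this point is a list of files whose owner UID is one of the old local IDs (or resolves to no account at all) and a plan for remapping them to the new central IDs. The following Python script is an added example, not code from the article or from FreeIPA/SSSD; the old-to-new UID mapping and the directory tree are inputs you collect yourself (the values in `demo()` are constructed for illustration, with 60001 as a hypothetical central UID).

```python
"""Audit files owned by pre-migration UIDs and plan their remapping.

Added example; it is not code from the article or from FreeIPA/SSSD.
It assumes you have collected, per host, the old local UID of each
account and its new central UID (the `mapping` argument, constructed
in demo()); the directory tree to scan is the other input.
"""
from __future__ import annotations

import os
import pwd
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RemapEntry:
    path: str
    old_uid: int
    new_uid: Optional[int]   # None: UID resolves to nothing and is not in the mapping


def uid_is_known(uid: int) -> bool:
    """True if NSS (local passwd, SSSD, ...) still resolves this UID to an account."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def plan_uid_remap(root: str, mapping: Dict[int, int]) -> List[RemapEntry]:
    """Walk `root` without following symlinks and collect every entry whose
    owner UID is in `mapping` (to be remapped) or resolves to no account at all
    (reported with new_uid=None so it is not silently left behind)."""
    plan: List[RemapEntry] = []
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for path in paths:
        uid = os.lstat(path).st_uid        # lstat: never chase symlinks
        if uid in mapping:
            plan.append(RemapEntry(path, uid, mapping[uid]))
        elif not uid_is_known(uid):
            plan.append(RemapEntry(path, uid, None))
    return plan


def apply_remap(plan: List[RemapEntry], dry_run: bool = True) -> int:
    """Change the owner of every entry that has a target UID (needs CAP_CHOWN
    when not a dry run); the GID is left untouched. Returns the number of
    entries that were (or, in a dry run, would be) changed."""
    changed = 0
    for entry in plan:
        if entry.new_uid is None:
            continue                       # orphan without a mapping: report only
        if not dry_run:
            os.lchown(entry.path, entry.new_uid, -1)
        changed += 1
    return changed


def demo() -> tuple:
    """Constructed scenario: the current UID plays the role of the old local
    UID, and 60001 is the hypothetical central UID it was migrated to."""
    old_uid = os.getuid()
    mapping = {old_uid: 60001}
    root = tempfile.mkdtemp(prefix="idmig-")
    with open(os.path.join(root, "report.txt"), "w") as f:
        f.write("owned by the pre-migration UID\n")
    plan = plan_uid_remap(root, mapping)
    would_change = apply_remap(plan, dry_run=True)
    return old_uid, plan, would_change


if __name__ == "__main__":
    uid, plan, n = demo()
    for e in plan:
        print(f"{e.path}: uid {e.old_uid} -> {e.new_uid}")
    print(f"{n} entries would be chowned")
```

Run the plan in dry-run mode first and inspect the entries with `new_uid=None`: those are files owned by UIDs that neither the mapping nor NSS knows, and they are exactly the ones the article says become inaccessible after migration. Only then run `apply_remap(plan, dry_run=False)` as root.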

The POSIX attributes stored in Active Directory (AD) are usually used when user accounts are synchronized from AD to an LDAP server. If you want to try other techniques for giving AD users access to Linux resources, you may well end up with different IDs for each account. For example, the FreeIPA identity management framework can assign its own IDs to users from Active Directory when a Kerberos cross-realm trust is configured, which means the framework does not depend on POSIX attributes that already exist in AD. However, this is bad news for anyone who needs specific IDs, because the IDs are then selected automatically from a defined ID range.

ID Views can help. They are available both in FreeIPA and in the client-side System Security Services Daemon (SSSD). The POSIX attributes of an account are simply overridden with other values, whether you want to change only the user ID or other attributes as well.
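The following Python model shows the override semantics this paragraph describes, and the per-host application covered next: a view overrides only the attributes it sets, a host without a view sees the base attributes, and each host carries at most one view. It is an added example, not code from the article, FreeIPA or SSSD; the classes, host names, user and ID values are constructed for illustration. `ipa_commands()` returns the `ipa idview-add`, `ipa idoverrideuser-add` and `ipa idview-apply` invocations that would create the same objects on a real FreeIPA server, but does not run them.

```python
"""Model of how an ID view overrides a user's POSIX attributes per host.

Added example; not code from the article, FreeIPA or SSSD. Names, hosts
and ID values are constructed. ipa_commands() emits the real FreeIPA CLI
subcommands for a view but never executes them.
"""
from __future__ import annotations

from dataclasses import dataclass, fields, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PosixIdentity:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


@dataclass(frozen=True)
class UserOverride:
    """Override for one user inside a view; None keeps the base value."""
    uid: Optional[int] = None
    gid: Optional[int] = None
    home: Optional[str] = None
    shell: Optional[str] = None


@dataclass
class IdView:
    name: str
    overrides: Dict[str, UserOverride]      # user name -> override


class IdentityStore:
    """Base identities plus ID views applied to hosts (one view per host)."""

    def __init__(self, users: Dict[str, PosixIdentity]):
        self.users = users
        self.views: Dict[str, IdView] = {}
        self.applied: Dict[str, str] = {}   # host -> view name

    def add_view(self, view: IdView) -> None:
        self.views[view.name] = view

    def apply_view(self, view_name: str, host: str) -> None:
        if host in self.applied:
            raise ValueError(f"{host} already has view {self.applied[host]} applied")
        self.applied[host] = view_name

    def resolve(self, user: str, host: str) -> PosixIdentity:
        """Attributes the user gets on `host`: the base values, with every
        field that the host's view overrides replaced."""
        base = self.users[user]
        view_name = self.applied.get(host)
        if view_name is None:
            return base                     # no view on this host: base IDs
        override = self.views[view_name].overrides.get(user)
        if override is None:
            return base                     # view does not mention this user
        changes = {f.name: getattr(override, f.name) for f in fields(override)
                   if getattr(override, f.name) is not None}
        return replace(base, **changes)


def ipa_commands(view: IdView, hosts: List[str]) -> List[str]:
    """FreeIPA CLI calls creating the same view (real option names,
    constructed values). Not executed here."""
    cmds = [f"ipa idview-add {view.name}"]
    for user, o in view.overrides.items():
        opts = []
        if o.uid is not None:
            opts.append(f"--uid={o.uid}")
        if o.gid is not None:
            opts.append(f"--gidnumber={o.gid}")
        if o.home is not None:
            opts.append(f"--homedir={o.home}")
        if o.shell is not None:
            opts.append(f"--shell={o.shell}")
        cmds.append(f"ipa idoverrideuser-add {view.name} {user} " + " ".join(opts))
    cmds.append(f"ipa idview-apply {view.name} --hosts=" + ",".join(hosts))
    return cmds


def build_demo() -> IdentityStore:
    """Constructed scenario: alice's central UID 60001 came from the ID range,
    but web01 and db01 still hold her files under the old local UIDs."""
    store = IdentityStore({"alice": PosixIdentity("alice", 60001, 60001,
                                                  "/home/alice", "/bin/bash")})
    store.add_view(IdView("legacy-web", {"alice": UserOverride(uid=1005, gid=1005)}))
    store.add_view(IdView("legacy-db", {"alice": UserOverride(uid=1203, shell="/bin/sh")}))
    store.apply_view("legacy-web", "web01.example.com")
    store.apply_view("legacy-db", "db01.example.com")
    return store


if __name__ == "__main__":
    s = build_demo()
    for host in ("web01.example.com", "db01.example.com", "build01.example.com"):
        print(host, s.resolve("alice", host))
    print("\n".join(ipa_commands(s.views["legacy-web"], ["web01.example.com"])))
```

For a user that comes in through an AD trust, the override anchor is the fully qualified name (`alice@ad.example.com`) rather than the short name used in this constructed model. The model deliberately rejects applying a second view to a host that already has one, which mirrors the one-view-per-host rule you hit when you try the same thing with `ipa idview-apply`.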

If an ID view is active for a system, the attributes saved in that view are used in place of the original ones when a user logs in. It is possible to set up multiple views for a single user or for a group of users, which is very practical because different attributes can then be tied to particular hosts. Even if central
