Migrating legacy servers to FreeIPA authentication using ID-views

ID-Views are a new feature of FreeIPA4 which allows you to map UID/GID user/group names to another. This is a very handy solution when migrating legacy servers.

There are legacy servers in the field with a lot of history. They have been migrated from one operating system to another since the last decade(s). It is unfortunately also not uncommon on those legacy servers to find software with hardcoded UID/GID and/or user/group names. Along with an unknown number of scripts installed on such servers, its always problematic to migrate such systems when it comes to users and authentication. Another issue is that in the early years it was very common to have regular users with UID of >=500 while it is >=1000 as of today.

Unfortunately, almost nobody has the time to clean up the mess. Here is solution: ID-views. ID-Views can be applied to single hosts or group of hosts.

At the moment ID-Views are only working with newer SSSD versions as it is available with RHEL 7.1.

Creating a view

[root@ipa1 ~]# ipa idview-add --desc "Old servers with legacy users" oldservers
--------------------------
Added ID View "oldservers"
--------------------------
  ID View Name: oldservers
  Description: Old servers with legacy users
[root@ipa1 ~]# 

Override a group

[root@ipa1 ~]# ipa idoverridegroup-add --desc "Old group" --gid=500 --group-name=users oldservers users
-------------------------------
Added Group ID override "users"
-------------------------------
  Anchor to override: users
  Description: Old group
  Group name: users
  GID: 500
[root@ipa1 ~]#

Override a user
If you ommit the --login parameter (or any other) then the value in question is not overridden. Ususally you just override the numeric UID and/or GID.

[root@ipa1 ~]# ipa idoverrideuser-add --desc="John Doe is actually Hans Tester" --login=jdoe --uid=500 --gidnumber=500 --homedir=/home/jdoe --shell=/bin/csh oldservers tester
-------------------------------
Added User ID override "tester"
-------------------------------
  Anchor to override: tester
  Description: John Doe is actually Hans Tester
  User login: jdoe
  UID: 500
  GID: 500
  Home directory: /home/jdoe
  Login shell: /bin/csh
[root@ipa1 ~]# 

Apply the ID-View to a server

[root@ipa1 ~]# ipa idview-apply --hosts=legacy.example.com oldservers
----------------------------
Applied ID View "oldservers"
----------------------------
  hosts: legacy.example.com
---------------------------------------------
Number of hosts the ID View was applied to: 1
---------------------------------------------
[root@ipa1 ~]# 

To enable the view on the client side, clean the SSSD cache and restart the sssd service. Login to legacy.example.com.

[root@legacy ~]# sss_cache -E
[root@legacy ~]# systemctl restart sssd

You also need to change the PAM configuration to accept logins with UID &lt1000.

Now do some tests. Both users, “jdoe” and “tester” have UID 500.

[root@legacy ~]# getent passwd jdoe
jdoe:*:500:500:Hans Tester:/home/jdoe:/bin/csh
[root@legacy ~]# getent passwd tester
jdoe:*:500:500:Hans Tester:/home/jdoe:/bin/csh
[root@legacy ~]# 

On other servers, the “jdoe” login is unknown, and “tester” has the normal UID assigned by IPA

[root@ipa1 ~]# getent passwd jdoe
[root@ipa1 ~]# echo $?
2
[root@ipa1 ~]# getent passwd tester
tester:*:1225800004:1225800004:Hans Tester:/home/tester:/bin/bash
[root@ipa1 ~]# 

Please keep in mind that not cleaning up a messy system is just a workaround 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *