[Freeipa-users] How to handle users with multiple homedirs on different machines?

Wed Jun 3 07:46:05 UTC 2015

On Wed, Jun 03, 2015 at 08:29:20AM +0200, Lukas Slebodnik wrote:
> On (02/06/15 17:07), swartz wrote:
> >I have a environment that spans across multiple physical locations where
> >there is a mix of Linux and Solaris workstations/servers. So far we've been
> >managing accounts (/etc/password) via Puppet.
> >
> >Problem: FreeIPA allows to store only one homedir path.
> >Q: Is there a way to store/set a different home path based on the system
> >that the user is logged into?
> >
> sssd configuration is quite flexible in this way.
> You can override homedir with configuration option
> man sssd.conf -> "override_homedir"
> 
> However sssd is available just on linux (or FreeBSD)
> I'm not sure which clients do you use on Solaris or other
> old system, maybe there is a way how to override homedir as well.
> Or you can configure home directory attribute to the non-existing
> attribute in FreeIPA and use some fallback (if possible)
> 
> >As an example, I have user Bob.
> >On a Linux box Bob has homedir at /home/b/bob
>                                          ^
>                                 Unfortunatelly, there's no way how to say
>                                 sssd to use just first letter from name.
> >On a Solaris this is likely /export/home/bob
> >While on some other odd system it could be /mnt/nas/users/bob
> Different "prefix" for homedir "/export/home", "/home", "/mnt/nas/users"
> could be addresed with the option homedir_substring in sssd conf.
> https://fedorahosted.org/sssd/ticket/1853
> 
> So you could store "%H" in ldap attribute,
> but clients need to understand such value.
> (sssd >= 1.11.6). I'm not sure about other clients.

As an alternative since version 4.1 FreeIPA has a feature called idviews
which can be used to override home-directories for a group of hosts. See
e.g.
http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust
or
http://blog.delouw.ch/2015/04/06/migrating-legacy-servers-to-freeipa-authentication-using-id-views/
for details and how to use it.

HTH

bye,
Sumit

> 
> LS
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project