Overlays may be used to substitute the value of certain attributes for a list of users or groups. They have a similar use-case to [Transformation Rules] but allow individual users and groups to be targeted and modified on-the-fly, as the data from LDAP search operations is populated into the in-memory cache.
Overlays are enabled by providing the `dbisOverlayDN` attribute on a configuration map entry for a passwd or group database (see [Configuration Maps]). This should point to a location in the DIT underneath which the overlay entries can be found. Overlay entries for the passwd database are identified by the `dbisPasswdOverlay` class, while those for the group database are identified by the `dbisGroupOverlay` class.
Overlays almost always need to be used together with [Netgroup Constraints], and are often also used alongside [Transformation Rules].
If overlays are configured and a `dbisPasswdOverlay` object can be found for a user with a matching username (`en` attribute), then the attributes provided on the overlay object will replace those on the `posixUserAccount` object. If a matching username cannot be found, but a default overlay is found instead (`en=*`), then those overlay attributes will be used instead.
A named passwd overlay may override the `uidNumber`, `homeDirectory` and `loginShell` attributes. A default overlay (`en=*`) may override `homeDirectory` and `loginShell` only.
In the following example, the user `julie`, who logs into hosts that are part of the `sales-merger` netgroup, will get an alternative UID of 5001 and `/bin/sh` as the login shell. If `julie` logs into any other host, she will get her normal UID and login shell:
```ldif
# Primary passwd map; excluded on hosts in the sales-merger netgroup
dn: cn=passwd,en=sales.corp,ou=domain-mappings,o=infra
objectClass: top
objectClass: dbisMapConfig
objectClass: dbisPasswdConfig
cn: passwd
dbisMapDN: cn=passwd,ou=dbis,o=infra
dbisMapFilter: objectClass=posixUserAccount
dbisMapGecos: displayName
notNetgroup: sales-merger
profileTTL: 900
description: Primary passwd database

# Passwd map for the Sales merger, pointing at the overlay container
dn: cn=passwd2,en=sales.corp,ou=domain-mappings,o=infra
objectClass: top
objectClass: dbisMapConfig
objectClass: dbisPasswdConfig
cn: passwd2
dbisMapDN: cn=passwd,ou=dbis,o=infra
dbisMapFilter: objectClass=posixUserAccount
dbisMapGecos: displayName
dbisOverlayDN: ou=passwd,ou=overlays,ou=sales-merger,o=infra
profileTTL: 900
description: Primary passwd database for Sales merger

# Named overlay for julie, found underneath the dbisOverlayDN above
dn: en=julie,ou=passwd,ou=overlays,ou=sales-merger,o=infra
objectClass: top
objectClass: dbisPasswdOverlay
en: julie
uidNumber: 5001
loginShell: /bin/sh
```
If overlays are configured and a `dbisGroupOverlay` object can be found for a group with a matching name (`en` attribute), then the `gidNumber` provided on the overlay object will replace that on the `posixGroupAccount` object.
The following is an example of a `dbisGroupOverlay` entry which modifies the GID for the `finance` group when used in a configuration map entry:
```ldif
dn: en=finance,ou=group,ou=overlays,ou=sales-merger,o=infra
objectClass: top
objectClass: dbisGroupOverlay
en: finance
gidNumber: 7308
```
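As an added illustration (not DBIS's own code), the following Python models the overlay resolution described in the passwd and group sections above: a named overlay wins over the `en=*` default, a default overlay is never allowed to change `uidNumber`, and a group overlay replaces `gidNumber` only. It assumes the account and group entries also carry their name in `en`, and constructs its own sample entries.

```python
# Constructed model of DBIS overlay resolution (not DBIS's own code). Entries
# are plain dicts keyed by LDAP attribute, as loaded from the DIT; the user or
# group name is assumed to live in the `en` attribute on the account entry too.
from typing import Dict

Entry = Dict[str, str]
# What each overlay kind may replace, as the page states.
NAMED_PASSWD_ATTRS = ("uidNumber", "homeDirectory", "loginShell")
DEFAULT_PASSWD_ATTRS = ("homeDirectory", "loginShell")


def apply_passwd_overlay(account: Entry, overlays: Dict[str, Entry]) -> Entry:
    """Copy a posixUserAccount with attributes replaced from its overlay.

    A named overlay (en=<username>) wins; otherwise the default (en=*) is
    used; otherwise the account is unchanged. A default overlay never
    changes uidNumber, even if the entry carries one.
    """
    overlay = overlays.get(account["en"]) or overlays.get("*")
    result = dict(account)
    if overlay is None:
        return result
    allowed = DEFAULT_PASSWD_ATTRS if overlay["en"] == "*" else NAMED_PASSWD_ATTRS
    for attr in allowed:
        if attr in overlay:
            result[attr] = overlay[attr]
    return result


def apply_group_overlay(group: Entry, overlays: Dict[str, Entry]) -> Entry:
    """Copy a posixGroupAccount with gidNumber replaced from a named overlay."""
    result = dict(group)
    overlay = overlays.get(group["en"])
    if overlay is not None and "gidNumber" in overlay:
        result["gidNumber"] = overlay["gidNumber"]
    return result


# Constructed sample data mirroring the page's sales-merger example.
JULIE = {"en": "julie", "uidNumber": "1002", "homeDirectory": "/home/julie",
         "loginShell": "/bin/bash"}
BOB = {"en": "bob", "uidNumber": "1003", "homeDirectory": "/home/bob",
       "loginShell": "/bin/bash"}
PASSWD_OVERLAYS = {
    "julie": {"en": "julie", "uidNumber": "5001", "loginShell": "/bin/sh"},
    # Default overlay that also tries to set uidNumber: only loginShell applies.
    "*": {"en": "*", "uidNumber": "0", "loginShell": "/bin/sh"},
}
FINANCE = {"en": "finance", "gidNumber": "1200"}
GROUP_OVERLAYS = {"finance": {"en": "finance", "gidNumber": "7308"}}
```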
Return to [Configuring DBIS] for the next steps in setting up a new installation.