[Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges

Simo Sorce simo at redhat.com
Thu Jun 14 00:38:23 UTC 2012


On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
> 
> to keep track of the different ranges we use for UIDs/GIDs for local
> users/groups and users from trusted domains new range objects are
> introduced which are stored below cn=range,cn=etc,$SUFFIX.
> 
> 0022: LDAP schema update

ack

> 0023: Create a range object during installation for the local ID range

nack, I think we need to find a way to handle adding at least the base
range on update. Otherwise an updated server won't be able to have IDs
for most of its users.

> 0024: add primary and secondary RID base to the local range object
>       during ipa-adtrust-install

Not sure if setting the range belongs in the previous patch or this one.
We might decide to ask questions during ipa-adtrust-install if the range
is not available, maybe presenting a set of pre-canned choices if we can
detect them.

Finally I think we need to do a search with uid/gidNumber < base and
uid/gidNumber > max and prompt/warn the user if we detect any ID that
falls outside the configured range (either because we failed to detect
ranges on upgrade and the user botched the question or because the admin
added arbitrary IDs).
If a warning, we should warn that, without a range that suitably covers
these IDs, those users/groups will not be available for the trust.

Maybe we should also have a simple ipa command that can list all
users/groups that fall outside the ranges as well.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York
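As an added illustration (not code from this thread or from FreeIPA itself), the out-of-range check Simo proposes can be expressed as one LDAP filter per attribute plus an offline pass over fetched entries; the attribute names ipaBaseID/ipaIDRangeSize, the range values and the sample entries are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class IDRange:
    """One range object below cn=range,cn=etc,$SUFFIX.
    Attribute names ipaBaseID/ipaIDRangeSize are assumptions for this example."""
    name: str
    base: int   # ipaBaseID: first ID in the range
    size: int   # ipaIDRangeSize: number of IDs in the range

    @property
    def max(self) -> int:
        return self.base + self.size - 1

    def covers(self, value: int) -> bool:
        return self.base <= value <= self.max


def out_of_range_filter(attr: str, ranges: Iterable[IDRange], objectclass: str) -> str:
    """LDAP filter for the proposed search: entries whose attr is below the base or
    above the max of every configured range. LDAP only has >= and <=, so "< base or
    > max" becomes NOT(base <= attr <= max), OR-ed over all ranges. Caveat: this
    relies on the server applying integer ordering to uidNumber/gidNumber."""
    covered = "".join(f"(&({attr}>={r.base})({attr}<={r.max}))" for r in ranges)
    if not covered:  # no ranges configured: every entry carrying the attribute is uncovered
        return f"(&(objectClass={objectclass})({attr}=*))"
    return f"(&(objectClass={objectclass})({attr}=*)(!(|{covered})))"


def find_uncovered(entries: Iterable[Dict[str, str]], attr: str,
                   ranges: Iterable[IDRange]) -> List[Dict[str, str]]:
    """Offline equivalent of the search, run over already-fetched entries."""
    ranges = list(ranges)
    return [e for e in entries
            if attr in e and not any(r.covers(int(e[attr])) for r in ranges)]


# Constructed sample data: one local range plus a few posixAccount/posixGroup entries.
LOCAL_RANGE = IDRange("IPA local", base=1420000000, size=200000)
USERS = [{"uid": "admin", "uidNumber": "1420000000"},
         {"uid": "alice", "uidNumber": "1420000005"},
         {"uid": "legacy", "uidNumber": "500"},            # added by hand, below base
         {"uid": "migrated", "uidNumber": "1420300000"}]   # above max
GROUPS = [{"cn": "admins", "gidNumber": "1420000000"},
          {"cn": "nobody", "gidNumber": "65534"}]          # below base

if __name__ == "__main__":
    print(out_of_range_filter("uidNumber", [LOCAL_RANGE], "posixAccount"))
    print(find_uncovered(USERS, "uidNumber", [LOCAL_RANGE]))
    print(find_uncovered(GROUPS, "gidNumber", [LOCAL_RANGE]))
```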