[Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges

Rob Crittenden rcritten at redhat.com
Fri Jun 29 19:16:39 UTC 2012


Alexander Bokovoy wrote:
> On Fri, 29 Jun 2012, Sumit Bose wrote:
>> On Wed, Jun 27, 2012 at 09:19:36PM +0200, Sumit Bose wrote:
>>> On Tue, Jun 26, 2012 at 12:30:14PM +0200, Sumit Bose wrote:
>>> > On Sun, Jun 17, 2012 at 09:47:20PM +0200, Sumit Bose wrote:
>>> > > On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote:
>>> > > > On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote:
>>> > > > > On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote:
>>> > > > > > On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote:
>>> > > > > > > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
>>> > > > > > > >
>>> > > > > > > > to keep track of the different ranges we use for UIDs/GIDs for local
>>> > > > > > > > users/groups and users from trusted domains new range objects are
>>> > > > > > > > introduced which are stored below cn=range,cn=etc,$SUFFIX.
>>> > > > > > > >
>>> > > > > > > > 0022: LDAP schema update
>>> > > > > > >
>>> > > > > > > ack
>>> > > > > > >
>>> > > > > > > > 0023: Create a range object during installation for the local ID range
>>> > > > > > >
>>> > > > > > > nack, I think we need to find a way to handle adding at least the base
>>> > > > > > > range on update. Otherwise an updated server won't be able to have IDs
>>> > > > > > > for most of its users.
>>> > > > > >
>>> > > > > > I fully agree, but since we said that we concentrate on update issues in
>>> > > > > > beta2 I wanted to send the version for the fresh install first to allow
>>> > > > > > testing.
>>> > > > >
>>> > > > > The reason I'd like updates is that this patchset can be installed on
>>> > > > > top of existing servers for testing w/o having to reinstall from scratch
>>> > > > > or manually creating the ipaDomainIDRange object :):)
>>> > > >
>>> > > > ok, will do.
>>> > > >
>>> > > > Do you otherwise agree with the patches or is there something I should
>>> > > > change while adding the updates?
>>> > > >
>>> > > > bye,
>>> > > > Sumit
>>> > > >
>>> > > > >
>>> > > > > > >
>>> > > > > > > > 0024: add primary and secondary RID base to the local range object
>>> > > > > > > >       during ipa-adtrust-install
>>> > > > > > >
>>> > > > > > > Not sure if setting the range belongs in the previous patch or this one.
>>> > > > > >
>>> > > > > > I think it is right here, because a plain IPA server does not need the
>>> > > > > > RID related attributes.
>>> > > > > >
>>> > > > > > > We might decide to ask questions during ipa-adtrust-install if the range
>>> > > > > > > is not available, maybe presenting a set of pre-canned choices if we can
>>> > > > > > > detect them.
>>> > > > > >
>>> > > > > > I agree here, too. But as above I would like to handle update issues
>>> > > > > > in a second round.
>>> > > > > >
>>> > > > > > >
>>> > > > > > > Finally I think we need to do a search with uid/gidNumber < base and
>>> > > > > > > uid/gidNumber > max and prompt/warn the user if we detect any ID that
>>> > > > > > > falls outside the configured range (either because we failed to detect
>>> > > > > > > ranges on upgrade and the user botched the question or because the admin
>>> > > > > > > added arbitrary IDs).
>>> > > > > > > If a warning we should warn that missing a range that suitably covers
>>> > > > > > > these IDs, those users/groups will not be available for the trust.
>>> > > > > > >
>>> > > > > > > Maybe we should also have a simple ipa command that can list all
>>> > > > > > > users/groups that fall outside the ranges as well.
>>> > > > > >
>>> > > > > > I'm working on the ranges cli plugin to allow 'ipa range-add', 'ipa
>>> > > > > > range-find' etc. I can add it there.
>>> > > > > >
>>> > >
>>> > > Hi,
>>> > >
>>> > > this new series of patches adds the cli plugin to create the ID ranges
>>> > > manually. I'm still working on a detection of the locally used id range
>>> > > of an upgrade domain in ipa-adtrust-install and a plugin which rejects
>>> > > new ranges which overlap with existing ones.
>>> > >
>>> > > bye,
>>> > > Sumit
>>> >
>>> > the attached patch adds a preop plugin which checks for overlaps with
>>> > existing ranges.
>>> >
>>> > bye,
>>> > Sumit
>>>
>>> Finally I added a method to guess and create the initial ID range, if no
>>> one is preset, e.g. when updating from an older version of freeIPA. A
>>> full series of patches is attached.
>>>
>>> bye,
>>> Sumit
>>
>> This version of patches fixes review comments by Alexander and also adds
>> some tests for the range CLI plugin which were kindly provided by
>> Alexander.
> ACK
>

These patches aren't applying for me.

rob
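
The two checks discussed in this thread, rejecting a new range that overlaps an existing one and listing UIDs/GIDs that fall outside every configured range, shown as an added Python example that is not taken from the patches. The class, field names, range values and entries are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IDRange:
    """Hypothetical stand-in for a range object: first ID and number of IDs."""
    name: str
    base_id: int
    size: int

    @property
    def max_id(self) -> int:
        # Last ID that still belongs to the range (bounds are inclusive).
        return self.base_id + self.size - 1

    def contains(self, posix_id: int) -> bool:
        return self.base_id <= posix_id <= self.max_id

    def overlaps(self, other: "IDRange") -> bool:
        # Two closed intervals intersect iff each starts before the other ends.
        return self.base_id <= other.max_id and other.base_id <= self.max_id


def check_new_range(new: IDRange, existing: list) -> list:
    """Return the names of existing ranges the candidate collides with."""
    if new.base_id < 0 or new.size <= 0:
        raise ValueError("range needs a non-negative base and a positive size")
    return [r.name for r in existing if new.overlaps(r)]


def ids_outside_ranges(entries, ranges) -> list:
    """entries: (name, uidNumber or gidNumber) pairs; return those no range covers."""
    return [(name, posix_id) for name, posix_id in entries
            if not any(r.contains(posix_id) for r in ranges)]


# Constructed sample data: one local range covering 1000000..1199999.
RANGES = [IDRange("local", 1000000, 200000)]
ENTRIES = [("admin", 1000000), ("alice", 1000500),
           ("legacy", 5001), ("svc", 1200000)]

if __name__ == "__main__":
    # A candidate starting on the last local ID collides; the next ID does not.
    print(check_new_range(IDRange("trusted", 1199999, 10), RANGES))
    print(check_new_range(IDRange("trusted", 1200000, 200000), RANGES))
    # IDs below the base and just past the maximum are both reported.
    print(ids_outside_ranges(ENTRIES, RANGES))
```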



