[Freeipa-devel] DESIGN: Recover DNA Ranges

Martin Kosek mkosek at redhat.com
Mon Feb 25 14:12:19 UTC 2013


On 02/25/2013 03:09 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
...
>> 4) What does "NOTE: We will need to be clear that this range has nothing to do
>> with Trust ranges." actually mean? AFAIU, IPA should have all local ranges
>> covered with a local "idrange" range(s).
> 
> IPA ranges are completely separate from DNA ranges. You can set/modify all the
> local ranges you want and it won't affect the UIDs getting assigned.
> 
>> If it does not have it covered, it could happen that for example a new trust
>> would overlap with this user-defined local range and we would have colliding
>> POSIX IDs...
> 
> Hmm, that's a good point.
> 
>> IMO, dnarange-set and dnanextrange-set should at first check if the range is
> covered with some local idrange and only then allow setting the new range.
> 
> I can do that as well, but again, the local ranges don't really affect the ids
> we hand out via DNA.
> 
> rob

You are right that the DNA plugin is really not aware of the idranges we set in
IPA. But the idrange is still a safeguard for our POSIX IDs to not overlap with
trust ranges and I think we should respect that with ipa-replica-manage.

I wonder if there was not even a plan to increase cooperation between our
idranges and the DNA plugin, maybe Sumit or Alexander knows more.

Martin
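
The safeguard discussed in this message (accept a new DNA range only if local idranges cover it and no trust range overlaps it) can be sketched as follows. This is an added example, not part of the original message and not FreeIPA code; `IdRange`, `uncovered_gaps`, `check_dna_range` and the sample ranges are hypothetical names and constructed values.

```python
# Added illustration: constructed names and sample values, not FreeIPA code.
from typing import List, NamedTuple, Tuple


class IdRange(NamedTuple):
    name: str
    base_id: int  # first POSIX ID in the range
    size: int     # number of IDs in the range
    local: bool   # True for a local range, False for a trust range

    @property
    def last_id(self) -> int:
        return self.base_id + self.size - 1


def uncovered_gaps(start: int, end: int, ranges: List[IdRange]) -> List[Tuple[int, int]]:
    """Parts of [start, end] that no local range covers (ranges may abut)."""
    gaps, cursor = [], start
    for r in sorted((r for r in ranges if r.local), key=lambda r: r.base_id):
        if r.last_id < cursor:
            continue
        if r.base_id > end:
            break
        if r.base_id > cursor:
            gaps.append((cursor, r.base_id - 1))
        cursor = max(cursor, r.last_id + 1)
    if cursor <= end:
        gaps.append((cursor, end))
    return gaps


def check_dna_range(start: int, end: int, ranges: List[IdRange]) -> List[str]:
    """Return reasons to refuse the DNA range; an empty list means it is safe."""
    if start > end:
        raise ValueError("range start must not exceed range end")
    errors = [f"IDs {lo}-{hi} not covered by a local idrange"
              for lo, hi in uncovered_gaps(start, end, ranges)]
    errors += [f"overlaps trust range {r.name}" for r in ranges
               if not r.local and r.base_id <= end and r.last_id >= start]
    return errors


# Constructed sample ranges
SAMPLE = [
    IdRange("EXAMPLE_id_range", 1000000, 200000, True),
    IdRange("AD_EXAMPLE_id_range", 1200000, 200000, False),
    IdRange("EXAMPLE_extra_range", 1400000, 100000, True),
]
```
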



