[Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges

Simo Sorce simo at redhat.com
Thu Jun 14 11:54:40 UTC 2012


On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote:
> On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote:
> > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
> > > 
> > > to keep track of the different ranges we use for UIDs/GIDs for local
> > > users/groups and users from trusted domains new range objects are
> > > introduced which are stored below cn=range,cn=etc,$SUFFIX.
> > > 
> > > 0022: LDAP schema update
> > 
> > ack
> > 
> > > 0023: Create a range object during installation for the local ID range
> > 
> > nack, I think we need to find a way to handle adding at least the base
> > range on update. Otherwise an updated server won't be able to have IDs
> > for most of its users.
> 
> I fully agree, but since we said that we concentrate on update issues in
> beta2 I wanted to send the version for the fresh install first to allow
> testing.

The reason I'd like updates is that this patchset can be installed on
top of existing servers for testing w/o having to reinstall from scratch
or manually creating the ipaDomainIDRange object :):)

> > 
> > > 0024: add primary and secondary RID base to the local range object
> > >       during ipa-adtrust-install
> > 
> > Not sure if setting the range belongs in the previous patch or this one.
> 
> I think it is right here, because a plain IPA server does not need the
> RID related attributes.
> 
> > We might decide to ask questions during ipa-adtrust-install if the range
> > is not available, maybe presenting a set of pre-canned choices if we can
> > detect them.
> 
> I agree here, too. But as above I would like to handle update issues
> in a second round.
> 
> > 
> > Finally I think we need to do a search with uid/gidNumber < base and
> > uid/gidNumber > max and prompt/warn the user if we detect any ID that
> > falls outside the configured range (either because we failed to detect
> > ranges on upgrade and the user botched the question or because the admin
> > added arbitrary IDs).
> > If a warning, we should warn that missing a range that suitably covers
> > these IDs, those users/groups will not be available for the trust.
> > 
> > Maybe we should also have a simple ipa command that can list all
> > users/groups that fall outside the ranges as well.
> 
> I'm working on the ranges cli plugin to allow 'ipa range-add', 'ipa
> range-find' etc. I can add it there.
> 
> bye,
> Sumit
> 
> > 
> > Simo.
> > > 
> > -- 
> > Simo Sorce * Red Hat, Inc * New York
> > 


-- 
Simo Sorce * Red Hat, Inc * New York
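The out-of-range check discussed in the thread, as an added example that is not part of the patch series: it models the range objects under cn=range,cn=etc,$SUFFIX as (base, size) pairs, builds the LDAP filter Simo describes (LDAP only has >= and <=, so "< base" becomes "<= base-1"), and lists constructed sample entries whose uidNumber/gidNumber no range covers. The attribute names ipaBaseID and ipaIDRangeSize in the comments are assumptions, not taken from the 0022 schema patch.

```python
# Added example, not code from the FreeIPA patch series discussed above.
# A range object is modelled as (base, size) covering base .. base+size-1
# (assumed to map to ipaBaseID / ipaIDRangeSize on the ipaDomainIDRange entry).
from typing import Dict, Iterable, List, Tuple

Range = Tuple[int, int]
Entry = Tuple[str, Dict[str, List[str]]]  # (dn, attributes)


def range_bounds(r: Range) -> Tuple[int, int]:
    """Return the inclusive (min, max) ID covered by a range object."""
    base, size = r
    if size <= 0:
        raise ValueError("range size must be positive")
    return base, base + size - 1


def covered(idnum: int, ranges: Iterable[Range]) -> bool:
    """True if at least one configured range contains idnum."""
    return any(lo <= idnum <= hi for lo, hi in map(range_bounds, ranges))


def out_of_range_filter(attr: str, ranges: List[Range]) -> str:
    """LDAP filter matching entries whose attr lies outside every range.
    LDAP has no strict < or >, so each range is negated as a closed
    interval; the server must support ordering matches on the attribute."""
    if not ranges:
        return f"({attr}=*)"
    parts = "".join(f"(!(&({attr}>={lo})({attr}<={hi})))"
                    for lo, hi in map(range_bounds, ranges))
    return f"(&({attr}=*){parts})"


def find_uncovered(entries: Iterable[Entry], ranges: List[Range]):
    """Client-side check: (dn, attr, value) for every ID outside all ranges."""
    hits = []
    for dn, attrs in entries:
        for attr in ("uidNumber", "gidNumber"):
            for v in attrs.get(attr, []):
                if not covered(int(v), ranges):
                    hits.append((dn, attr, int(v)))
    return hits


# Constructed sample data: a local range plus one range for a trusted domain.
SAMPLE_RANGES: List[Range] = [(1000, 200000), (200000000, 200000)]
SAMPLE_ENTRIES: List[Entry] = [
    ("uid=admin,cn=users,cn=accounts,dc=example,dc=test",
     {"uidNumber": ["1000"], "gidNumber": ["1000"]}),
    ("uid=legacy,cn=users,cn=accounts,dc=example,dc=test",
     {"uidNumber": ["500"], "gidNumber": ["1001"]}),   # pre-upgrade user
    ("cn=manual,cn=groups,cn=accounts,dc=example,dc=test",
     {"gidNumber": ["900000"]}),                        # admin-chosen GID
    ("uid=trusted,cn=users,cn=accounts,dc=example,dc=test",
     {"uidNumber": ["200000010"], "gidNumber": ["200000010"]}),
]

if __name__ == "__main__":
    print(out_of_range_filter("uidNumber", SAMPLE_RANGES))
    for dn, attr, value in find_uncovered(SAMPLE_ENTRIES, SAMPLE_RANGES):
        print(f"WARNING: {dn} {attr}={value} is not covered by any ID range")
```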