[Freeipa-devel] Modifying ID Range

Petr Vobornik pvoborni at redhat.com
Tue Jan 6 12:17:03 UTC 2015


On 01/05/2015 09:41 AM, Sumit Bose wrote:
> On Wed, Dec 24, 2014 at 08:50:29AM +0530, Prashant Bapat wrote:
>> Hi,
>>
>> What I'm trying to do is to modify the Range FreeIPA uses. I removed the
>> random Range Id created during install, added a new range that I wanted.
>> But problem is when I try to add a new user or a group now it's still using
>> the old range that was created during installation.
>>
>> I tried restarting the ipa service but still no help.
>>
>> Any pointers to this will be appreciated.
>
> Sorry, ID range changes at runtime are currently not supported because
> of the implications on the running system, e.g. users might not be able
> to access their home directory anymore.
>
> To use the new range the easiest way is to remove the SSSD cache on all
> systems, i.e. systemctl stop sssd.service; rm /var/lib/sssd/db/cache_* ;
> systemctl start sssd.service. Please note that with this scheme you will
> lose the cached password, i.e. offline authentication might fail if the
> given user hasn't logged in successfully after the cache was removed.
>
> HTH
>

I think the confusion comes from the fact that IPA has "ID range" objects
which look like they could be used for configuration of the DNA
plugin [1]. IIUC that's not the case - ID range objects are for managing
RIDs for trusts [2].

The only way to change UID allocation is to manually modify the DNA
plugin configuration - the 'cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config' entry + the related object defined in
dnaSharedCfgDN.

CLI's `ipa help idrange` contains this information. Maybe we should also
consider adding this info to the idrange-mod --help command and also to the
Web UI to prevent future confusion. Another approach is to raise a "This
change does not affect UID allocation. It has to be done in DNA plugin
configuration." warning when modifying the base ID or the size of a local IPA
range. Such a warning would be visible in both the CLI and Web UI.

[1] http://directory.fedoraproject.org/docs/389ds/design/dna-plugin.html
[2] http://www.freeipa.org/page/V3/ID_Ranges
-- 
Petr Vobornik
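
Added example (not part of the original message and not FreeIPA code): a small check that compares the DNA plugin's allocation window with the ipa-local ID range object, which is the mismatch this thread describes. The LDIF sample is constructed, the function names are hypothetical, and the input is assumed to be plain ldapsearch-style LDIF containing both entries.

```python
# Added example: sample LDIF is constructed, not taken from a real server.
SAMPLE_LDIF = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: 1689600004
dnaMaxValue: 1689799999

dn: cn=EXAMPLE.TEST_id_range,cn=ranges,cn=etc,dc=example,dc=test
ipaBaseID: 50000
ipaIDRangeSize: 100000
ipaRangeType: ipa-local
"""

def parse_ldif(text):
    """Parse plain (non-base64) LDIF into a list of {attr_lower: [values]}."""
    entries, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last:       # folded continuation line
            current[last][-1] += line[1:]
        elif not line.startswith("#"):            # skip LDIF comments
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return entries

def check_dna_vs_idrange(entries):
    """Compare the DNA plugin's allocation window with the ipa-local ID range."""
    dna = next(e for e in entries if "dnanextvalue" in e)
    rng = next(e for e in entries if e.get("iparangetype") == ["ipa-local"])
    nxt, mx = int(dna["dnanextvalue"][0]), int(dna["dnamaxvalue"][0])
    base = int(rng["ipabaseid"][0])
    top = base + int(rng["ipaidrangesize"][0]) - 1
    findings = []
    if nxt > mx:                                  # nothing left to hand out
        findings.append("DNA range exhausted or not assigned on this server")
    elif nxt < base or mx > top:                  # DNA window leaves the range
        findings.append(f"DNA allocates {nxt}-{mx}, outside ID range {base}-{top}")
    return findings

if __name__ == "__main__":
    for finding in check_dna_vs_idrange(parse_ldif(SAMPLE_LDIF)):
        print("MISMATCH:", finding)
```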



