[Freeipa-users] UID 999, not possible?

Petr Viktorin pviktori at redhat.com
Tue Jul 3 07:38:00 UTC 2012


On 07/03/2012 05:55 AM, Nathan Kinder wrote:
> On 06/29/2012 07:10 AM, Petr Viktorin wrote:
>> On 06/29/2012 03:55 PM, Alexander Bokovoy wrote:
>>> On Fri, 29 Jun 2012, Petr Viktorin wrote:
>>>> On 06/29/2012 03:04 PM, Alexander Bokovoy wrote:
>>>>> On Thu, 28 Jun 2012, sysadmin at noboost.org wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> Is there a weird restriction to UID 999 in ipa, as IPA keeps changing
>>>>>> the UID when I add a user with that number? (I've already checked the
>>>>>> UID isn't in use)
>>>>> We use 999 as a marker for DNA plugin. UID/GID 999 is replaced by
>>>>> an allocated one with the help of the 389-ds plugin
>>>>> http://directory.fedoraproject.org/wiki/DNA_Plugin
>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Defining_Dynamic_Atrribute_Values.html#about-dunamically-assigning-attribute-values
>>>>>
>>>>>
>>>>
>>>> The documentation mentions that the magic value can be a word
>>>> ("magic"), or it doesn't have to exist at all (it's added for
>>>> objectClass:posixAccount entries). Is there a reason IPA is using 999
>>>> here?
>>> uidNumber and gidNumber fields use integer value syntax:
>>> OID value: 1.3.6.1.4.1.1466.115.121.1.27
>>>
>>> OID description:
>>> Values in this syntax are encoded as the decimal representation of their
>>> values, with each decimal digit represented by its character
>>> equivalent. So the number 1321 is represented by the character string
>>> "1321".
>>> So, you can't have a string there that does not evaluate to an integer.
>>
>> That's true, but according to the documentation you linked,
>> uidNumber/gidNumber syntax doesn't matter.
>> The dnaMagicRegen field is in fact a DirectoryString. I assume the DNA
>> plugin sees and modifies the value before it's validated as an integer.
> I wouldn't trust this, as DNA was initially designed/implemented before
> we added syntax validation to 389.  DNA was also written to be able to
> work with non integer attributes, where values have some sort of prefix
> followed by an integer (such as "user1", "user2", etc.).  For this
> reason, dnaMagicRegen was left as "Directory String" syntax.  I
> personally feel that it is safer to have the magic value be
> syntactically valid for the attribute that DNA is configured to generate.

Best go with a negative number then.
The DS docs should be updated if you don't trust what they say, though.


On 06/29/2012 04:23 PM, Alexander Bokovoy wrote:
 > Looks like you are right:
 > http://comments.gmane.org/gmane.linux.redhat.fedora.directory.user/10641
 >
 > We would have an issue on our side when using a non-integer value as Int()
 > parameter does not support non-integer values. However, we could select
 > some negative value as default one and use the same value for DNA
 > configuration.

The value can be optional, the server can fill in the default if it's 
not received from the client.

-- 
Petr³
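
The trade-off discussed in this thread, as an added example that is not part of the original message and is not 389-ds or FreeIPA code: a toy Python model of an in-band magic value, comparing 999, a word, and a negative number under both orderings of syntax validation. `ToyDirectory`, `validate_first` and the starting value 1000 are assumptions made for illustration.

```python
import re

# RFC 4517 Integer syntax (OID 1.3.6.1.4.1.1466.115.121.1.27):
# optional leading '-', decimal digits, no leading zeros.
INTEGER_SYNTAX = re.compile(r"^(0|-?[1-9][0-9]*)$")


class ToyDirectory:
    """Toy model of an add operation. Not 389-ds or FreeIPA code."""
    def __init__(self, magic, validate_first=True, next_value=1000):
        self.magic = magic                    # sentinel meaning "allocate for me"
        self.validate_first = validate_first  # assumed ordering of the two steps
        self.next_value = next_value          # constructed start of the range

    def check_syntax(self, value):
        if not INTEGER_SYNTAX.match(value):
            raise ValueError(f"invalid Integer syntax: {value!r}")

    def allocate(self, value):
        # The sentinel is in-band: a request equal to it is always rewritten,
        # so that value can never be stored as a real uidNumber.
        if value == self.magic:
            value, self.next_value = str(self.next_value), self.next_value + 1
        return value

    def add_user(self, uid_number):
        if self.validate_first:
            self.check_syntax(uid_number)
            return self.allocate(uid_number)
        uid_number = self.allocate(uid_number)
        self.check_syntax(uid_number)
        return uid_number


def demo():
    out = {}
    out["magic=999, ask 999"] = ToyDirectory("999").add_user("999")
    out["magic=-1, ask 999"] = ToyDirectory("-1").add_user("999")
    out["magic=-1, ask -1"] = ToyDirectory("-1").add_user("-1")
    out["magic=word, plugin first"] = ToyDirectory("magic", False).add_user("magic")
    try:
        ToyDirectory("magic").add_user("magic")
    except ValueError:
        out["magic=word, syntax first"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

In this model a word sentinel only works when the allocator runs before syntax validation, while a negative sentinel passes the Integer syntax in either ordering and leaves 999 available as an explicit UID.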



