[Freeipa-users] UID 999, not possible?

Petr Viktorin pviktori at redhat.com
Fri Jun 29 14:10:52 UTC 2012


On 06/29/2012 03:55 PM, Alexander Bokovoy wrote:
> On Fri, 29 Jun 2012, Petr Viktorin wrote:
>> On 06/29/2012 03:04 PM, Alexander Bokovoy wrote:
>>> On Thu, 28 Jun 2012, sysadmin at noboost.org wrote:
>>>> Hi All,
>>>>
>>>> Is there a weird restriction to UID 999 in ipa, as IPA keeps changing
>>>> the UID when I add a user with that number? (I've already checked the
>>>> UID isn't in use)
>>> We use 999 as a marker for DNA plugin. UID/GID 999 is replaced by
>>> an allocated one with the help of the 389-ds plugin
>>> http://directory.fedoraproject.org/wiki/DNA_Plugin
>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Defining_Dynamic_Atrribute_Values.html#about-dunamically-assigning-attribute-values
>>>
>>
>> The documentation mentions that the magic value can be a word
>> ("magic"), or it doesn't have to exist at all (it's added for
>> objectClass:posixAccount entries). Is there a reason IPA is using 999
>> here?
> uidNumber and gidNumber field use integer value syntax:
> OID value: 1.3.6.1.4.1.1466.115.121.1.27
>
> OID description:
> Values in this syntax are encoded as the decimal representation of their
> values, with each decimal digit represented by its character
> equivalent. So the number 1321 is represented by the character string
> "1321".
> So, you can't have a string there that does not evaluate to an integer.

That's true, but according to the documentation you linked, 
uidNumber/gidNumber syntax doesn't matter.
The dnaMagicRegen field is in fact a DirectoryString. I assume the DNA 
plugin sees and modifies the value before it's validated as an integer.

>> If there is, the command should fail instead of silently assigning a
>> different number than asked for. I'll file a bug for this.
> DNA_MAGIC in user.py is defined as 999 and it is the default value for
> the uidNumber and gidNumber options. We have no way to differentiate between
> the default and the same value entered by the user.

Yes, the server would need to verify if the client has been fixed.
This means either waiting for the next major API version, or looking at 
the version/capabilities the client sends us. (See Martin's message from 
2012-06-20 in thread "[Freeipa-devel] [PATCH] 0062 Don't crash when 
server returns extra output").

>>
>>>>
>>>> [root at sysvm-ipa ~]# ipa user-add administrator --uid=999
>>>> --gidnumber=132
>>>> --first=administrator --last=administrator
>>>> --------------------------
>>>> Added user "administrator"
>>>> --------------------------
>>>> User login: administrator
>>>> First name: administrator
>>>> Last name: administrator
>>>> Full name: administrator administrator
>>>> Display name: administrator administrator
>>>> Initials: aa
>>>> Home directory: /home/administrator
>>>> GECOS field: administrator administrator
>>>> Login shell: /bin/bash
>>>> Kerberos principal: administrator at EXAMPLE.COM
>>>> UID: 721000062
>>>> GID: 132
>>>> Keytab: False
>>>> Password: False
>>>>
>>>>
>>>> cya
>>>>
>>>> Craig
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Petr³
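A toy model of the ambiguity discussed in this thread, added here as an example and not code from FreeIPA or 389-ds: the client defaults uidNumber/gidNumber to the DNA magic value, the DNA plugin replaces any occurrence of that value with an allocated number, so an explicit `--uid=999` is indistinguishable from "no --uid given". The names DnaPlugin, user_add_legacy and user_add_fixed, and the allocation range starting at 721000000, are assumptions for illustration.

```python
# Added example (not FreeIPA's or 389-ds's code). DnaPlugin, user_add_legacy
# and user_add_fixed are hypothetical names; the id range is constructed.
from itertools import count

DNA_MAGIC = 999  # marker value the DNA plugin replaces with an allocated id


class DnaPlugin:
    """Simulates the 389-ds DNA plugin: any uidNumber/gidNumber equal to the
    magic value is swapped for the next number from the managed range."""

    def __init__(self, start=721000000):
        self._next = count(start)  # constructed range, not a real deployment

    def pre_add(self, entry):
        for attr in ("uidNumber", "gidNumber"):
            if entry.get(attr) == DNA_MAGIC:
                entry[attr] = next(self._next)
        return entry


def user_add_legacy(dna, login, uid=DNA_MAGIC, gidnumber=DNA_MAGIC):
    """Client defaults uid/gid to DNA_MAGIC, so the server cannot tell
    '--uid=999 given explicitly' from 'no --uid given' (the reported bug):
    both reach the plugin as 999 and both get silently reassigned."""
    entry = {"uid": login, "uidNumber": uid, "gidNumber": gidnumber}
    return dna.pre_add(entry)


def user_add_fixed(dna, login, uid=None, gidnumber=None):
    """Client sends None when the option was not given; the server fills in
    the magic value itself and fails loudly on an explicit request for it,
    instead of silently assigning a different number than asked for."""
    entry = {"uid": login}
    for attr, value in (("uidNumber", uid), ("gidNumber", gidnumber)):
        if value == DNA_MAGIC:
            raise ValueError(f"{attr}={DNA_MAGIC} is reserved for DNA allocation")
        entry[attr] = DNA_MAGIC if value is None else value
    return dna.pre_add(entry)


if __name__ == "__main__":
    dna = DnaPlugin()
    # Mirrors the report above: uid=999 asked for, a DNA-allocated uid returned.
    print(user_add_legacy(dna, "administrator", uid=999, gidnumber=132))
    print(user_add_fixed(dna, "alice"))
```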