On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote:
> On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote:
> > On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
> > >
> > > to keep track of the different ranges we use for UIDs/GIDs for local
> > > users/groups and users from trusted domains new range objects are
> > > introduced which are stored below cn=range,cn=etc,$SUFFIX.
> > >
> > > 0022: LDAP schema update
> >
> > ack
> >
> > > 0023: Create a range object during installation for the local ID range
> >
> > nack, I think we need to find a way to handle adding at least the base
> > range on update. Otherwise an updated server won't be able to have IDs
> > for most of its users.
>
> I fully agree, but since we said that we concentrate on update issues in
> beta2 I wanted to send the version for the fresh install first to allow
> testing.

The reason I'd like updates is that this patchset can be installed on
top of existing servers for testing w/o having to reinstall from scratch
or manually creating the ipaDomainIDRange object :):)

> > >
> > > 0024: add primary and secondary RID base to the local range object
> > > during ipa-adtrust-install
> >
> > Not sure if setting the range belongs in the previous patch or this one.
>
> I think it is right here, because a plain IPA server does not need the
> RID related attributes.
>
> > We might decide to ask questions during ipa-adtrust-install if the range
> > is not available, maybe presenting a set of pre-canned choices if we can
> > detect them.
>
> I agree here, too. But as above I would like to handle update issues
> in a second round.
>
> >
> > Finally I think we need to do a search with uid/gidNumber < base and
> > uid/gidNumber > max and prompt/warn the user if we detect any ID that
> > falls outside the configured range (either because we failed to detect
> > ranges on upgrade and the user botched the question or because the admin
> > added arbitrary IDs).
> > If a warning we should warn that missing a range that suitably covers
> > these IDs, those users/groups will not be available for the trust.
> >
> > Maybe we should also have a simple ipa command that can list all
> > users/groups that fall outside the ranges as well.
>
> I'm working on the ranges cli plugin to allow 'ipa range-add', 'ipa
> range-find' etc. I can add it there.
>
> bye,
> Sumit
>
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York

--
Simo Sorce * Red Hat, Inc * New York
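
The out-of-range check discussed in the thread (uid/gidNumber below base or above max), sketched as an added example that is not part of the thread or of FreeIPA's code. The `IDRange` type, the function names, the sample ranges and the sample entries are all constructed for illustration; the filter builder shows how the strict `<` and `>` comparisons have to be expressed in an LDAP search filter.

```python
from typing import NamedTuple

class IDRange(NamedTuple):
    name: str
    base: int  # first ID covered
    size: int  # number of IDs covered

    @property
    def last(self) -> int:
        return self.base + self.size - 1

def outside_filter(attr, ranges):
    """LDAP filter for entries whose `attr` lies in none of `ranges`.

    LDAP filters only offer >= and <=, so "attr < base" becomes
    "attr <= base-1" and "attr > last" becomes "attr >= last+1".
    Assumes the server applies integer ordering to `attr`.
    """
    gaps = "".join(f"(|({attr}<={r.base - 1})({attr}>={r.last + 1}))" for r in ranges)
    return f"(&({attr}=*){gaps})"

def find_outside(entries, ranges):
    """Client-side version of the same check: (dn, attr, value) per stray ID."""
    hits = []
    for entry in entries:
        for attr in ("uidNumber", "gidNumber"):
            if attr not in entry:
                continue
            value = int(entry[attr])
            if not any(r.base <= value <= r.last for r in ranges):
                hits.append((entry["dn"], attr, value))
    return hits

# Constructed sample data (not taken from the thread).
RANGES = [IDRange("local", 1000, 500), IDRange("trusted", 5000, 1000)]
ENTRIES = [
    {"dn": "uid=alice,cn=users,dc=example,dc=test", "uidNumber": "1001", "gidNumber": "1001"},
    {"dn": "uid=bob,cn=users,dc=example,dc=test", "uidNumber": "999", "gidNumber": "1499"},
    {"dn": "cn=legacy,cn=groups,dc=example,dc=test", "gidNumber": "1500"},
    {"dn": "uid=carol,cn=users,dc=example,dc=test", "uidNumber": "5999", "gidNumber": "6000"},
]

if __name__ == "__main__":
    print(outside_filter("uidNumber", RANGES))
    for dn, attr, value in find_outside(ENTRIES, RANGES):
        print(f"outside all ranges: {dn} {attr}={value}")
```

An ID counts as covered if any one range contains it, so the filter ANDs one "outside this range" clause per range instead of ORing them.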