On 02/25/2013 03:09 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
...
>> 4) What does "NOTE: We will need to be clear that this range has nothing to do
>> with Trust ranges." actually mean? AFAIU, IPA should have all local ranges
>> covered with a local "idrange" range(s).
> 
> IPA ranges are completely separate from DNA ranges. You can set/modify all the
> local ranges you want and it won't affect the UIDs getting assigned.
> 
>> If it does not have it covered, it could happen that for example a new trust
>> would overlap with this user-defined local range and we would have colliding
>> POSIX IDs...
> 
> Hmm, that's a good point.
> 
>> IMO, dnarange-set and dnanextrange-set should at first check if the range is
>> covered with some local idrange and only then allowed setting the new range.
> 
> I can do that as well, but again, the local ranges don't really affect the ids
> we hand out via DNA.
> 
> rob

You are right that the DNA plugin is really not aware of the idranges we set in
IPA. But the idrange is still a safeguard for our POSIX IDs to not overlap with
trust ranges and I think we should respect that with ipa-replica-manage.

I wonder if there was not even a plan to increase cooperation between our
idranges and DNA plugin, maybe Sumit or Alexander knows more.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
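
The check proposed in this thread (accept a new DNA range only if local idranges cover it and no trust range overlaps it), sketched as an added example; it is not part of the original messages and not FreeIPA code. The function names, the (base, size) input form and all sample values are assumptions constructed for illustration.

```python
from typing import Iterable, List, Tuple

Range = Tuple[int, int]  # inclusive (first_id, last_id)

def to_inclusive(base: int, size: int) -> Range:
    """Convert a range given as (base ID, size) to inclusive bounds."""
    if size < 1:
        raise ValueError("range size must be positive")
    return (base, base + size - 1)

def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]

def uncovered(target: Range, covers: Iterable[Range]) -> List[Range]:
    """Return the parts of target not covered by the union of covers."""
    gaps, cursor = [], target[0]
    for lo, hi in sorted(covers):
        if hi < cursor:
            continue          # cover ends before the part still unchecked
        if lo > target[1]:
            break             # remaining covers start past the target
        if lo > cursor:
            gaps.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
        if cursor > target[1]:
            return gaps
    if cursor <= target[1]:
        gaps.append((cursor, target[1]))
    return gaps

def check_dna_range(dna: Range, local: List[Range], trust: List[Range]) -> List[str]:
    """Return reasons to reject the proposed DNA range; empty means acceptable."""
    if dna[0] > dna[1]:
        return ["range start is greater than range end"]
    errors = [f"overlaps trust range {t[0]}-{t[1]}" for t in trust if overlaps(dna, t)]
    errors += [f"IDs {g[0]}-{g[1]} not covered by any local idrange"
               for g in uncovered(dna, local)]
    return errors

# Constructed sample data: two adjacent local idranges and one trust range.
LOCAL = [to_inclusive(1000, 1000), to_inclusive(2000, 500)]
TRUST = [to_inclusive(5000, 1000)]

if __name__ == "__main__":
    for proposed in [(1500, 2200), (2400, 2600), (5500, 5600)]:
        print(proposed, check_dna_range(proposed, LOCAL, TRUST) or "ok")
```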
