Hi, you can use ldapmodify to update the range:
ldapmodify -D "cn=directory manager" -w $PWD dn: cn=asterisk_system_user,cn=ranges,cn=etc,dc=example,dc=test changetype: modify add: ipabaserid ipabaserid: xxx - add: ipasecondarybaserid ipasecondarybaserid: yyy Don't forget to replace dc=example,dc=test with your suffix and pick proper values for ipabaserid and ipasecondarybaserid. The directory server must be restarted after this ldapmodify operation. flo On Mon, Oct 13, 2025 at 4:49 PM Brian J. Murrell via FreeIPA-users < [email protected]> wrote: > On Mon, 2025-10-13 at 10:54 +0200, Florence Blanc-Renaud wrote: > > Hi, > > Hi. > > > I really have no idea if the wheel group will cause any issue as it > > is > > defined in IPA and probably also locally. > > Indeed. Apologies for the confusion. I have already dealt with the > wheel group. I removed the one defined in IPA with the really low GID. > So I think that issue is resolved. > > What I have left is a low UID (112) system account that I do need to be > in IPA as it needs to have a Kerberos credential. I figured the > simplest thing to do was to give 112 it's own ID range since it's the > only low UID I have a need for. Thus I (incorrectly it seems) created: > > Range name: asterisk_system_user > First Posix ID of the range: 112 > Number of IDs in the range: 1 > Range type: local domain range > > But as you can see it has no RID ranges and I was getting an error > about RID overlap or somesuch. So I tried to add them but was told I > could not modify that range name. So I tried to delete it to recreate > it but was told I could not delete it: > > # ipa idrange-del asterisk_system_user > ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving > objects with ID out of the defined range is not allowed > > You subsequently suggested that the existing range might be fixable, > which is also a reasonable solution. So that's where we are now. The > total of all ranges is currently: > > > the > > idrange needs to have primary and secondary rid bases. > > Right. I think I tried to add those but was given an error about not > being able to modify that range. > > > The following RIDs are already taken: [1,000-201,000] [301,000- > > 340,000], > > [100,000,000-100,200,000] and [100,300,000-100,339,000]. Pick any > > value > > outside of those ranges and it won't complain about overlaps. > > Right. So what is the command that will allow me to add new RIDs to > that range? > > > Sorry I'm not able to provide a definite answer, but it's hard to > > know if > > removing your wheel group from IPA would break anything. Maybe you > > have > > applications that rely on it, maybe it was added un-intentionally. > > Without > > clear understanding I can't really advise. > > So yeah. It's not really about the wheel group at this point. It's > just about being able to add the RIDs to that range that does not have > them. Not sure how to go about doing that. > > Cheers, > b. > -- > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
