On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote:
>
> to keep track of the different ranges we use for UIDs/GIDs for local
> users/groups and users from trusted domains new range objects are
> introduced which are stored below cn=range,cn=etc,$SUFFIX.
>
> 0022: LDAP schema update
ack

> 0023: Create a range object during installation for the local ID range

nack, I think we need to find a way to handle adding at least the base range on update. Otherwise an updated server won't be able to have IDs for most of its users.

> 0024: add primary and secondary RID base to the local range object
> during ipa-adtrust-install

Not sure if setting the range belongs in the previous patch or this one. We might decide to ask questions during ipa-adtrust-install if the range is not available, maybe presenting a set of pre-canned choices if we can detect them.

Finally I think we need to do a search with uid/gidNumber < base and uid/gidNumber > max and prompt/warn the user if we detect any ID that falls outside the configured range (either because we failed to detect ranges on upgrade and the user botched the question or because the admin added arbitrary IDs). If a warning we should warn that missing a range that suitably covers these IDs, those users/groups will not be available for the trust.

Maybe we should also have a simple ipa command that can list all users/groups that fall outside the ranges as well.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
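A sketch of the out-of-range check proposed in the message above, added here as an example; it is not part of the original mail or of FreeIPA's code. The `IdRange` type, the function names, the sample DNs and the numeric range are assumptions made up for illustration; only `uidNumber` and `gidNumber` come from the message.

```python
from typing import NamedTuple

ID_ATTRS = ("uidNumber", "gidNumber")

class IdRange(NamedTuple):      # hypothetical stand-in for a range object
    name: str
    base: int                   # first ID covered by the range
    size: int                   # number of IDs in the range

    @property
    def max_id(self) -> int:
        return self.base + self.size - 1

def outside_filter(r: IdRange) -> str:
    """LDAP filter matching entries with an ID below base or above max.

    LDAP filters (RFC 4515) only offer <= and >=, so "< base" becomes
    "<= base-1" and "> max" becomes ">= max+1".
    """
    terms = "".join(
        f"({a}<={r.base - 1})({a}>={r.max_id + 1})" for a in ID_ATTRS
    )
    return f"(|{terms})"

def find_outside(entries, ranges):
    """Return (dn, attr, value) for each ID that no configured range covers."""
    ranges = list(ranges)
    hits = []
    for dn, attrs in entries:
        for attr in ID_ATTRS:
            for raw in attrs.get(attr, []):
                value = int(raw)
                if not any(r.base <= value <= r.max_id for r in ranges):
                    hits.append((dn, attr, value))
    return hits

# Constructed sample data: one local range and three entries shaped like
# LDAP search results (dn, {attribute: [values]}).
LOCAL = IdRange("local", 1000000, 200000)
ENTRIES = [
    ("uid=alice,cn=users,dc=example,dc=test",
     {"uidNumber": ["1000001"], "gidNumber": ["1000001"]}),
    ("uid=legacy,cn=users,dc=example,dc=test",
     {"uidNumber": ["501"], "gidNumber": ["1000005"]}),
    ("cn=oldgroup,cn=groups,dc=example,dc=test",
     {"gidNumber": ["1200000"]}),
]

if __name__ == "__main__":
    print(outside_filter(LOCAL))
    for dn, attr, value in find_outside(ENTRIES, [LOCAL]):
        print(f"WARNING: {dn}: {attr}={value} is not covered by any range")
```

With more than one range configured, the per-range filter over-matches (an ID in a trusted-domain range is "outside" the local one), so the final decision is made client-side in `find_outside` against all ranges.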