On Mon, Feb 25, 2013 at 03:12:19PM +0100, Martin Kosek wrote:
> On 02/25/2013 03:09 PM, Rob Crittenden wrote:
> > Martin Kosek wrote:
> ...
> >> 4) What does "NOTE: We will need to be clear that this range has nothing 
> >> to do
> >> with Trust ranges." actually mean? AFAIU, IPA should have all local ranges
> >> covered with a local "idrange" range(s).
> > 
> > IPA ranges is completely separate from DNA ranges. You can set/modify all 
> > the
> > local ranges you want and it won't affect the UIDs getting assigned.
> > 
> >> If it does not have it covered, it could happen that for example a new 
> >> trust
> >> would overlap with this user-defined local range and we would have 
> >> colliding
> >> POSIX IDs...
> > 
> > Hmm, that's a good point.
> > 
> >> IMO, dnarange-set and dnanextrange-set should at first check if the range 
> >> is
> >> covered with some local idrange and only then allowed setting the new 
> >> range.
> > 
> > I can do that as well, but again, the local ranges don't really affect the 
> > ids
> > we hand out via DNA.
> > 
> > rob
> 
> You are right, that DNA plugin is really not aware of the idranges we set in
> IPA. But the idrange is still a safeguard for our POSIX IDs to not overlap 
> with
> trust ranges and I think we should respect that with ipa-replica-manage.
> 
> I wonder if there was not even a plan to increase cooperation between our
> idranges and DNA plugin, maybe Sumit or Alexander knows more.

If I understand the use case and design properly, it is about
re-arranging the sub-ranges each replica can use from the original
range, which was given/created at installation time and which is also
stored as idrange in
DOMAIN.NAME_id_range,cn=ranges,cn=etc,dc=domain,dc=name with
objectclass=ipaDomainIDRange.

If the re-arrangement does not result in IDs which are outside of this
range give by the ipaDomainIDRange object, no conflicts with idranges
used by trusted domain will occur, because it is one of the task of the
idrange objects to avoid those conflicts.

If the original given range is exhausted completely and a completely new
DNA range must be created, it should be checked with ipa idrange-find
that the new range is not used and a new ipaDomainIDRange object which
reserves the local range should be added.

There are https://fedorahosted.org/freeipa/ticket/591 which can be used
to track the coordinated creation of DNA and id-range.

bye,
Sumit
> 
> Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to