On 06/29/2012 07:10 AM, Petr Viktorin wrote:
On 06/29/2012 03:55 PM, Alexander Bokovoy wrote:
On Fri, 29 Jun 2012, Petr Viktorin wrote:
On 06/29/2012 03:04 PM, Alexander Bokovoy wrote:
On Thu, 28 Jun 2012, sysad...@noboost.org wrote:
Hi All,

Is there a weird restriction to UID 999 in ipa, as IPA keeps changing
the UID when I add a user with that number? (I've already checked the
UID isn't in use)
We use 999 as a marker for DNA plugin. UID/GID 999 is replaced by
an allocated one with the help of the 389-ds plugin.

The documentation mentions that the magic value can be a word
("magic"), or it doesn't have to exist at all (it's added for
objectClass:posixAccount entries). Is there a reason IPA is using 999
uidNumber and gidNumber field use integer value syntax:
OID value:

OID description:
Values in this syntax are encoded as the decimal representation of their
values, with each decimal digit represented by the its character
equivalent. So the number 1321 is represented by the character string
So, you can't have string there that does not evaluate to integer.

That's true, but according to the documentation you linked, uidNumber/gidNumber syntax doesn't matter. The dnaMagicRegen field is in fact a DirectoryString. I assume the DNA plugin sees and modifies the value before it's validated as an integer.
I wouldn't trust this, as DNA was initially designed/implemented before we added syntax validation to 389. DNA was also written to be able to work with non-integer attributes, where values have some sort of prefix followed by an integer (such as "user1", "user2", etc.). For this reason, dnaMagicRegen was left as "Directory String" syntax. I personally feel that it is safer to have the magic value be syntactically valid for the attribute that DNA is configured to generate.

If there is, the command should fail instead of silently assigning a
different number than asked for. I'll file a bug for this.
DNA_MAGIC in user.py is defined as 999 and it is the default value of the
uidNumber and gidNumber options. We have no way to differentiate between
the default and the same value entered by the user.

Yes, the server would need to verify if the client has been fixed.
This means either waiting for the next major API version, or looking at the version/capabilities the client sends us. (See Martin's message from 2012-06-20 in thread "[Freeipa-devel] [PATCH] 0062 Don't crash when server returns extra output").

[root@sysvm-ipa ~]# ipa user-add administrator --uid=999
--first=administrator --last=administrator
Added user "administrator"
User login: administrator
First name: administrator
Last name: administrator
Full name: administrator administrator
Display name: administrator administrator
Initials: aa
Home directory: /home/administrator
GECOS field: administrator administrator
Login shell: /bin/bash
Kerberos principal: administra...@example.com
UID: 721000062
GID: 132
Keytab: False
Password: False



Freeipa-users mailing list
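
Added example, not part of the original thread and not FreeIPA's own code: a small Python model of the ambiguity discussed above, where the option default equals the DNA magic value, next to a variant that uses None for "not supplied" so an explicit 999 can be refused. Every name except DNA_MAGIC is hypothetical, and the allocator is a constructed stand-in for the 389-ds DNA plugin.

```python
import itertools

DNA_MAGIC = 999  # marker value named in the thread

# Constructed stand-in for the DNA plugin's range; the start value is sample data.
_allocator = itertools.count(721000062)


def dna_assign(uid_number):
    """Mimic the plugin: the magic value is replaced by the next free number."""
    if uid_number == DNA_MAGIC:
        return next(_allocator)
    return uid_number


def user_add_magic_default(login, uid=DNA_MAGIC):
    """Behaviour described in the thread: the default *is* the magic value,
    so 'option omitted' and '--uid=999' reach the server as the same request."""
    return {"uid": login, "uidNumber": dna_assign(uid)}


def user_add_explicit(login, uid=None):
    """Alternative (an assumption, not the project's fix): None means the
    option was not supplied, so an explicit 999 fails instead of being
    silently replaced."""
    if uid is None:
        uid = DNA_MAGIC  # only the omitted case asks for allocation
    elif uid == DNA_MAGIC:
        raise ValueError(
            "uidNumber %d is reserved as the DNA magic value" % DNA_MAGIC
        )
    return {"uid": login, "uidNumber": dna_assign(uid)}


if __name__ == "__main__":
    # Silent replacement: the caller asked for 999 and got an allocated UID.
    print(user_add_magic_default("administrator", uid=999))
    # Any other explicit value passes through unchanged.
    print(user_add_magic_default("alice", uid=1500))
    # With a None default the same request is refused with a clear error.
    try:
        user_add_explicit("administrator", uid=999)
    except ValueError as err:
        print("rejected:", err)
```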

