Re: [Freeipa-users] Change UID range

2011-06-14 Thread Steven Jones
8><

Now, in the case of a merger, you have two companies that likely have
colliding UID ranges. If you're using IPA, however, which dedicates much
higher ranges, there's a significantly greater chance that you will be
able to trivially merge the users and groups without forcing one company
or the other to change their IDs. (If you've ever had to do this, you'd
know that this is usually a multi-month project that invariably misses
something.)

8><-

Yep,

I am about to go through this with 100 production Linux servers, 350ish T&D, 
100s of desktops and at least 2 pre-existing LDAP solutions (OpenLDAP and Mac 
OS LDAP) out there that I know of that clash on UIDs, plus use of /etc/passwd.  
Many of these are described as mission critical, typically financial 
servers... I might take up smoking and large amounts of mental health 
insurance.

;]

Honestly, live with the IPA range idea, it's a good one.

Multi-months? Yeah, could easily be an understatement... just for the prod 
servers alone I will have to do an in-depth look at and write out a conversion 
plan for each one and do it, I think as much as a week each... So I'm thinking 
not less than 6 months, and I reckon as I'm on my own probably 1 to 2 years, 
bearing in mind other work will come along... so some of them could be 
"organic", i.e. on a hardware refresh, so 5 years...

My management hasn't a clue yet... but that's because they haven't wanted to 
listen for 4+ years.

regards



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Change UID range

2011-06-14 Thread Simo Sorce
On Tue, 2011-06-14 at 09:48 -0400, Simo Sorce wrote:
> On Tue, 2011-06-14 at 07:42 -0400, Stephen Gallagher wrote:
> > The decision to make the range start at 1 billion was made
> > specifically
> > BECAUSE the chances of a company having that many users was
> > statistically unlikely. 
> 
> Correction we start at 1Million and we get a 100k range randomly within
> the 1M-2B range, so almost 10k different possible buckets.

Ah I must correct myself, I changed the values before the 2.0 release so
the random range is 200k-2B which makes up the 10k buckets :-)

The code is actually this:
namespace = random.randint(1, 10000) * 200000

> The chance 2 installations end up getting the same bucket are very low.
> 
> However you can always force the UID to be used at user creation by
> explicitly specifying the IDs you want.
> 
> Simo.
> 

-- 
Simo Sorce * Red Hat, Inc * New York
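
The allocation described in this message, as an added example that is not part of the original thread and is not FreeIPA's own code beyond the one expression quoted above. It works out how likely independent installations are to draw the same bucket and checks a merger scenario for overlapping ID ranges; the 200k range width, the helper names and the sample sites are assumptions.

```python
import random

# Values taken from the thread: 10k buckets of 200k IDs each (200k-2B).
BUCKETS = 10_000
BUCKET_WIDTH = 200_000


def pick_idstart(rng=random):
    """Random range start, using the expression quoted in the thread."""
    return rng.randint(1, BUCKETS) * BUCKET_WIDTH


def id_range(idstart, width=BUCKET_WIDTH):
    """Inclusive (low, high) range; the width is an assumption here."""
    return (idstart, idstart + width - 1)


def collision_probability(installs, buckets=BUCKETS):
    """Chance that at least two of `installs` independent installations
    draw the same bucket (birthday problem)."""
    p_distinct = 1.0
    for i in range(installs):
        p_distinct *= (buckets - i) / buckets
    return 1.0 - p_distinct


def overlapping(ranges):
    """Return sorted name pairs whose inclusive ID ranges intersect."""
    names = sorted(ranges)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                hits.append((a, b))
    return hits


# Constructed merger scenario: two legacy directories that grew out of
# /etc/passwd, plus one IPA domain whose range starts at 1.3 billion.
SITES = {
    "ipa-domain": id_range(1_300_000_000),
    "legacy-a": (500, 4_999),
    "legacy-b": (1_000, 9_999),
}

if __name__ == "__main__":
    print("two installs collide:", collision_probability(2))
    print("fifty installs collide:", round(collision_probability(50), 3))
    print("overlaps:", overlapping(SITES))
```

For a pair of installations the chance is 1 in 10,000, but it grows with the number of domains being merged, which is why the overlap check is worth running before any merge.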



Re: [Freeipa-users] Change UID range

2011-06-14 Thread Simo Sorce
On Tue, 2011-06-14 at 07:42 -0400, Stephen Gallagher wrote:
> The decision to make the range start at 1 billion was made
> specifically
> BECAUSE the chances of a company having that many users was
> statistically unlikely. 

Correction we start at 1Million and we get a 100k range randomly within
the 1M-2B range, so almost 10k different possible buckets.

The chance 2 installations end up getting the same bucket are very low.

However you can always force the UID to be used at user creation by
explicitly specifying the IDs you want.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Change UID range

2011-06-14 Thread Stephen Gallagher
On Mon, 2011-06-13 at 18:10 -0500, Stamper, Brian P. (ARC-D)[Logyx LLC]
wrote:
> 
> Not until I add 1.299 billion users :)


I think you've missed the point a little bit. The reason for the high
UIDs is to solve a problem that most people don't realize yet that they
have.

A VERY common situation is for a larger company to acquire a smaller
one. When this happens, it becomes necessary to merge their two identity
environments. Right now, most small companies (and a disconcerting
number of large ones) have UIDs that start at 500 or 1000 in their LDAP
servers (because the vast majority of these companies start out by
using /etc/passwd and then dump these values to LDAP when they grow to a
certain point).

Now, in the case of a merger, you have two companies that likely have
colliding UID ranges. If you're using IPA, however, which dedicates much
higher ranges, there's a significantly greater chance that you will be
able to trivially merge the users and groups without forcing one company
or the other to change their IDs. (If you've ever had to do this, you'd
know that this is usually a multi-month project that invariably misses
something.)

The decision to make the range start at 1 billion was made specifically
BECAUSE the chances of a company having that many users was
statistically unlikely.



Re: [Freeipa-users] Change UID range

2011-06-13 Thread Steven Jones
Hi,

I was sort of a like mind, but the advantage of the idea of avoiding clashes 
made enough sense for me to live with it.  We will be doing Federation 
potentially worldwide and if a person from anywhere else has a unique UID and 
is part of a unique UID range at another Uni site that doesn't clash, I'm all for 
making my life easier.

regards



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Stamper, Brian P. (ARC-D)[Logyx LLC] [brian.p.stam...@nasa.gov]
Sent: Tuesday, 14 June 2011 10:34 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Change UID range


It’s enough of an issue that I’d spend the 1-2 hours to reinstall my server and 
1 client.  I just find it really odd that the default would be so high.  I’m 
all for avoiding conflicts, but I can’t think of too many systems that would 
have a billion users.  The help on the server installer says the idstart is 
random.  I’d rather skip 1000 UIDs than 1.3 billion, I just find the numbers 
unwieldy.  Browsing the web, it looks like the default is random between 1m and 
2^31.  I’d just prefer it be in the 4-6 digit range, as I do still use UIDs 
numerically on occasion.

I have no issue with the default being what it is, most people may not care 
what their UID range actually is.  I just want to know if it can be changed 
manually or if I have to reinstall.  I’m still in an evaluation phase with a 
testing system anyway, so I’ll just add it to my notes when I deploy to 
something I might use in production.

-brian

On 6/13/11 3:22 PM, "Steven Jones" wrote:

Hi,

The docs say they do this to try and avoid clashes with other organisations in 
case of a merger.

Another reason I can see is possibly Shibboleth (Federation) which I/we have to 
do. So is changing it that much of an issue?

regards



From: freeipa-users-boun...@redhat.com 
[freeipa-users-boun...@redhat.com] on behalf of Stamper, 
Brian P. (ARC-D)[Logyx LLC] [brian.p.stam...@nasa.gov]
Sent: Tuesday, 14 June 2011 10:18 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Change UID range

After installing, I’ve noticed that my UIDs for freeipa start at 1.3 billion.  
Now, this isn’t technically a problem, but it is ... Odd.  Is there a way to 
change this value after install, or am I stuck uninstalling and reinstalling 
with the --idstart value set to get this to a more reasonable number?

-Brian



Re: [Freeipa-users] Change UID range

2011-06-13 Thread Stamper, Brian P. (ARC-D)[Logyx LLC]

Not until I add 1.299 billion users :)

-brian


On 6/13/11 4:02 PM, "Dmitri Pal"  wrote:

Ha! Seems I am wrong... Rob but what about the ID of the first entries
created? They will be out of scope potentially and it might have issues
down the road.

Re: [Freeipa-users] Change UID range

2011-06-13 Thread Dmitri Pal
On 06/13/2011 06:56 PM, Rob Crittenden wrote:
> Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>>
>> It’s enough of an issue that I’d spend the 1-2 hours to reinstall my
>> server and 1 client. I just find it really odd that the default would be
>> so high. I’m all for avoiding conflicts, but I can’t think of too many
>> systems that would have a billion users. The help on the server
>> installer says the idstart is random. I’d rather skip 1000 UIDs than 1.3
>> billion, I just find the numbers unwieldy. Browsing the web, it looks
>> like the default is random between 1m and 2^31. I’d just prefer it be in
>> the 4-6 digit range, as I do still use UIDs numerically on occasion.
>>
>> I have no issue with the default being what it is, most people may not
>> care what their UID range actually is. I just want to know if it can be
>> changed manually or if I have to reinstall. I’m still in an evaluation
>> phase with a testing system anyway, so I’ll just add it to my notes when
>> I deploy to something I might use in production.
>
> Modify the dnanextvalue and dnamaxvalue options in the entry:
>
> cn=Posix IDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config

Ha! Seems I am wrong... Rob but what about the ID of the first entries
created? They will be out of scope potentially and it might have issues
down the road.

>
> rob
>
>>
>> -brian
>>
>> On 6/13/11 3:22 PM, "Steven Jones"  wrote:
>>
>> Hi,
>>
>> The docs say they do this to try and avoid clashes with other
>> organisations in case of a merger.
>>
>> Another reason I can see is possibly Shibboleth (Federation) which
>> I/we have to do. So is changing it that much of an issue?
>>
>> regards
>>
>>
>> 
>> From: freeipa-users-boun...@redhat.com
>> [freeipa-users-boun...@redhat.com] on behalf of Stamper, Brian P.
>> (ARC-D)[Logyx LLC] [brian.p.stam...@nasa.gov]
>> Sent: Tuesday, 14 June 2011 10:18 a.m.
>> To: freeipa-users@redhat.com
>> Subject: [Freeipa-users] Change UID range
>>
>> After installing, I’ve noticed that my UIDs for freeipa start at 1.3
>> billion. Now, this isn’t technically a problem, but it is ... Odd.
>> Is there a way to change this value after install, or am I stuck
>> uninstalling and reinstalling with the --idstart value set to get
>> this to a more reasonable number?
>>
>> -Brian
>>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
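
A pre-flight check for the change suggested in this exchange, as an added example that is not part of the original thread or of FreeIPA: before replacing the next and max values on the DNA plugin entry, list which already-assigned IDs would fall outside the proposed range (the concern raised above) and build the LDIF for the modification. The function names, the sample entries and the proposed range are constructed for illustration.

```python
# DN as given in the thread.
DNA_ENTRY = ("cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,"
             "cn=plugins,cn=config")

# Constructed sample: name -> uidNumber already stored in the directory.
ENTRIES = {
    "admin": 1_300_000_000,   # created at install time from the old range
    "alice": 1_300_000_001,
    "bob": 10_050,            # created with an explicitly specified ID
}


def review_change(entries, new_next, new_max):
    """Split existing entries by whether their ID lies in the new range."""
    if not 0 < new_next <= new_max:
        raise ValueError("need 0 < next value <= max value")
    outside, inside = [], []
    for name, uid in sorted(entries.items()):
        (inside if new_next <= uid <= new_max else outside).append(name)
    return {"outside": outside, "inside": inside}


def build_ldif(new_next, new_max):
    """LDIF replacing the two attributes named in the thread
    (LDAP attribute names are case-insensitive)."""
    return "\n".join([
        f"dn: {DNA_ENTRY}",
        "changetype: modify",
        "replace: dnaNextValue",
        f"dnaNextValue: {new_next}",
        "-",
        "replace: dnaMaxValue",
        f"dnaMaxValue: {new_max}",
        "",
    ])


if __name__ == "__main__":
    report = review_change(ENTRIES, 10_000, 99_999)
    print("outside proposed range:", report["outside"])
    print("already inside it:", report["inside"])
    print(build_ldif(10_000, 99_999))
```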




Re: [Freeipa-users] Change UID range

2011-06-13 Thread Dmitri Pal
On 06/13/2011 06:34 PM, Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:
>
> It's enough of an issue that I'd spend the 1-2 hours to reinstall my
> server and 1 client.  I just find it really odd that the default would
> be so high.  I'm all for avoiding conflicts, but I can't think of too
> many systems that would have a billion users.  The help on the server
> installer says the idstart is random.  I'd rather skip 1000 UIDs than
> 1.3 billion, I just find the numbers unwieldy.  Browsing the web, it
> looks like the default is random between 1m and 2^31.  I'd just prefer
> it be in the 4-6 digit range, as I do still use UIDs numerically on
> occasion.
>
> I have no issue with the default being what it is, most people may not
> care what their UID range actually is.  I just want to know if it can
> be changed manually or if I have to reinstall.  I'm still in an
> evaluation phase with a testing system anyway, so I'll just add it to
> my notes when I deploy to something I might use in production.
>
As far as I remember it is not possible to change after install as any
first user is created using this setting.

We are heading into the era of multiple name spaces even inside one
organization with all the virtualization and cloud. Though these numbers
look odd it might actually be a good idea to use higher ranges to avoid
conflicts between different environments down the road as there will be
many different domains both IPA based as well as AD based in general
case. It will be very hard to change the ranges later so leave yourself
a bit of breathing room and think about your identity landscape 5-7 years
from now. Wrong or limiting decisions now might lead to a lot of pain
and costs down the road.

Thanks
Dmitri

> -brian
>
> On 6/13/11 3:22 PM, "Steven Jones"  wrote:
>
> Hi,
>
> The docs say they do this to try and avoid clashes with other
> organisations in case of a merger.
>
> Another reason I can see is possibly Shibboleth (Federation) which
> I/we have to do. So is changing it that much of an issue?
>
> regards
>
>
> 
> From: freeipa-users-boun...@redhat.com
> [freeipa-users-boun...@redhat.com] on behalf of Stamper, Brian P.
> (ARC-D)[Logyx LLC] [brian.p.stam...@nasa.gov]
> Sent: Tuesday, 14 June 2011 10:18 a.m.
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] Change UID range
>
> After installing, I've noticed that my UIDs for freeipa start at
> 1.3 billion.  Now, this isn't technically a problem, but it is ...
> Odd.  Is there a way to change this value after install, or am I
> stuck uninstalling and reinstalling with the --idstart value set
> to get this to a more reasonable number?
>
> -Brian
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.



Re: [Freeipa-users] Change UID range

2011-06-13 Thread Rob Crittenden

Stamper, Brian P. (ARC-D)[Logyx LLC] wrote:


It’s enough of an issue that I’d spend the 1-2 hours to reinstall my
server and 1 client. I just find it really odd that the default would be
so high. I’m all for avoiding conflicts, but I can’t think of too many
systems that would have a billion users. The help on the server
installer says the idstart is random. I’d rather skip 1000 UIDs than 1.3
billion, I just find the numbers unwieldy. Browsing the web, it looks
like the default is random between 1m and 2^31. I’d just prefer it be in
the 4-6 digit range, as I do still use UIDs numerically on occasion.

I have no issue with the default being what it is, most people may not
care what their UID range actually is. I just want to know if it can be
changed manually or if I have to reinstall. I’m still in an evaluation
phase with a testing system anyway, so I’ll just add it to my notes when
I deploy to something I might use in production.


Modify the dnanextvalue and dnamaxvalue options in the entry:

cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config

rob



-brian

On 6/13/11 3:22 PM, "Steven Jones"  wrote:

Hi,

The docs say they do this to try and avoid clashes with other
organisations in case of a merger.

Another reason I can see is possibly Shibboleth (Federation) which
I/we have to do. So is changing it that much of an issue?

regards



From: freeipa-users-boun...@redhat.com
[freeipa-users-boun...@redhat.com] on behalf of Stamper, Brian P.
(ARC-D)[Logyx LLC] [brian.p.stam...@nasa.gov]
Sent: Tuesday, 14 June 2011 10:18 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Change UID range

After installing, I’ve noticed that my UIDs for freeipa start at 1.3
billion. Now, this isn’t technically a problem, but it is ... Odd.
Is there a way to change this value after install, or am I stuck
uninstalling and reinstalling with the --idstart value set to get
this to a more reasonable number?

-Brian



Re: [Freeipa-users] Change UID range

2011-06-13 Thread Stamper, Brian P. (ARC-D)[Logyx LLC]

It's enough of an issue that I'd spend the 1-2 hours to reinstall my server and 
1 client.  I just find it really odd that the default would be so high.  I'm 
all for avoiding conflicts, but I can't think of too many systems that would 
have a billion users.  The help on the server installer says the idstart is 
random.  I'd rather skip 1000 UIDs than 1.3 billion, I just find the numbers 
unwieldy.  Browsing the web, it looks like the default is random between 1m and 
2^31.  I'd just prefer it be in the 4-6 digit range, as I do still use UIDs 
numerically on occasion.

I have no issue with the default being what it is, most people may not care 
what their UID range actually is.  I just want to know if it can be changed 
manually or if I have to reinstall.  I'm still in an evaluation phase with a 
testing system anyway, so I'll just add it to my notes when I deploy to 
something I might use in production.

-brian

On 6/13/11 3:22 PM, "Steven Jones"  wrote:

Hi,

The docs say they do this to try and avoid clashes with other organisations in 
case of a merger.

Another reason I can see is possibly Shibboleth (Federation) which I/we have to 
do. So is changing it that much of an issue?

regards



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Stamper, Brian P. (ARC-D)[Logyx LLC] [brian.p.stam...@nasa.gov]
Sent: Tuesday, 14 June 2011 10:18 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Change UID range

After installing, I've noticed that my UIDs for freeipa start at 1.3 billion.  
Now, this isn't technically a problem, but it is ... Odd.  Is there a way to 
change this value after install, or am I stuck uninstalling and reinstalling 
with the --idstart value set to get this to a more reasonable number?

-Brian


Re: [Freeipa-users] Change UID range

2011-06-13 Thread Steven Jones
Hi,

The docs say they do this to try and avoid clashes with other organisations in 
case of a merger.

Another reason I can see is possibly Shibboleth (Federation) which I/we have to 
do. So is changing it that much of an issue?

regards



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Stamper, Brian P. (ARC-D)[Logyx LLC] [brian.p.stam...@nasa.gov]
Sent: Tuesday, 14 June 2011 10:18 a.m.
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Change UID range

After installing, I’ve noticed that my UIDs for freeipa start at 1.3 billion.  
Now, this isn’t technically a problem, but it is ... Odd.  Is there a way to 
change this value after install, or am I stuck uninstalling and reinstalling 
with the --idstart value set to get this to a more reasonable number?

-Brian
