ID Ranges
Manage UID and GID ranges for POSIX attribute assignment and trust domain integration. ID ranges define allocatable ranges for user and group identifiers, ensuring no conflicts between local users and trusted domain users. Features include range creation with base IDs and sizes, domain and range type specification (local, AD trust with SID), automatic range detection for trusted domains, and range modification for scaling deployments.
Overview
ID ranges define allocatable ranges of UID (User ID) and GID (Group ID) numbers for POSIX users and groups in FreeIPA. They serve two critical functions:
- Local domain ID allocation: Defining which UIDs/GIDs the IPA DNA (Distributed Numeric Assignment) plugin can assign to new IPA users and groups
- Trusted domain ID mapping: Mapping Windows Security Identifiers (SIDs) from Active Directory trusts to POSIX UIDs/GIDs for Unix/Linux interoperability
Without ID ranges, FreeIPA cannot:
- Assign UIDs/GIDs to new users and groups
- Map AD user SIDs to UIDs for file ownership and access control
- Maintain separation between local IPA users and trusted AD users
- Support multiple IPA replicas allocating IDs without conflicts
ID ranges are typically created automatically during IPA installation (local range) and trust establishment (ipa trust-add for AD ranges). Manual ID range management is needed only for advanced scenarios like range exhaustion, transitive trusts, or multi-forest AD environments.
ID Range Types
FreeIPA uses explicit range type identifiers to distinguish between different ID range purposes. As of FreeIPA 4.11, there are four ID range categories using three type identifiers:
Range Type Identifiers:
ipa-local: Local FreeIPA POSIX ID range for IPA users and groupsipa-ad-trust: Used for both subordinate ID ranges and automated AD trust allocationipa-ad-trust-posix: Trusted domain range with explicit POSIX attributes in AD
Local Domain Ranges (type: ipa-local)
Purpose: Define UIDs/GIDs available for IPA users and groups created locally in the IPA domain.
Characteristics:
- Automatically created during
ipa-server-installor upgrade - Used by DNA plugin for automatic UID/GID assignment
- Includes primary and secondary RID ranges for SID generation
- Typically one range per IPA deployment (additional ranges for exhaustion scenarios)
- Range type:
ipa-local
Components:
- base-id: First UID/GID in the range (e.g., 1000000)
- range-size: Number of IDs in the range (e.g., 200000)
- rid-base: First RID for primary SID generation (e.g., 1000)
- secondary-rid-base: First RID for secondary SID generation (e.g., 1000000) - used when primary RID conflicts occur
Subordinate ID Ranges (type: ipa-ad-trust)
Purpose: Provide subordinate UID/GID ranges for rootless containers and user namespaces.
Characteristics:
- Automatically created during IPA installation (if supported)
- Named
<REALM>_subid_range - Uses
ipa-ad-trusttype for SSSD compatibility (SSSD requires SIDs withS-1-5-21prefix) - Special SID structure:
S-1-5-21-738065-838566-<DOMAIN_HASH>738065-838566represents “IPA-SUB”<DOMAIN_HASH>is MURMUR-3 hash of domain name with key0xdeadbeef
- This SID is never used for actual SID generation (only for range identification)
- Default range: 2,147,483,648 to 4,294,901,767 (upper 2.1 billion of 32-bit UID space)
- See
subidtopic for subordinate ID management commands
Components:
- base-id: 2147483648 (2^31, start of upper UID space)
- range-size: 2147352576 (approximately 2.1 billion IDs)
- rid-base: 2147283648
- dom-sid: Special subordinate ID SID (e.g.,
S-1-5-21-738065-838566-1351619967)
Trusted Domain Ranges (type: ipa-ad-trust or ipa-ad-trust-posix)
Purpose: Map Active Directory SIDs to UIDs/GIDs for AD users and groups accessing IPA-enrolled systems.
FreeIPA supports two types of AD trust ID ranges:
Automated Allocation (type: ipa-ad-trust)
Characteristics:
- Automatically created by
ipa trust-addfor directly trusted domains - Must be manually created for transitively trusted domains
- SSSD performs algorithmic SID-to-UID mapping on clients (no LDAP lookups required)
- ID ranges serve as “fences” to prevent other allocators from using the space
- One range per trusted AD domain or forest
Components:
- base-id: First UID/GID mapped from this domain (e.g., 1200000)
- range-size: Number of IDs allocatable from this domain (e.g., 200000)
- rid-base: RID offset for mapping (typically 0 for AD domains)
- dom-sid: Active Directory domain SID (e.g., S-1-5-21-123-456-789)
- auto-private-groups: Mode for automatic private group creation (true/false/hybrid)
Explicit POSIX Allocation (type: ipa-ad-trust-posix)
Characteristics:
- Must be manually created with
idrange-add --type=ipa-ad-trust-posix - SSSD reads uidNumber/gidNumber directly from AD LDAP entries
- ID range still enforces boundaries but actual IDs come from AD attributes
- Used when migrating from AD environments with existing POSIX attributes
Components:
- base-id: Not used for allocation (IDs come from AD attributes)
- range-size: Defines valid UID/GID boundary check
- dom-sid: Active Directory domain SID
- No rid-base (not used for algorithmic mapping)
SID and RID Concepts
Security Identifier (SID)
Windows Security Identifiers uniquely identify users, groups, and computers in Active Directory:
Format: S-1-5-21-<domain-authority-1>-<domain-authority-2>-<domain-authority-3>-<RID>
Example: S-1-5-21-1234567890-987654321-111222333-1105
S-1-5: Standard Windows security prefix21-1234567890-987654321-111222333: Domain SID (uniquely identifies the AD domain)1105: RID (Relative Identifier - uniquely identifies the user/group within the domain)
Relative Identifier (RID)
The RID is the last component of a SID and uniquely identifies a security principal within a domain:
Range: 32-bit values (0 to 4,294,967,295) Reserved RIDs:
- 500: Administrator
- 501: Guest
- 512: Domain Admins
- 513: Domain Users
- 1000+: User-created objects
IPA ID ranges map RIDs to UIDs using the formula:
UID = base-id + (RID - rid-base)
Example:
- base-id = 1200000
- rid-base = 0
- RID = 1105
- UID = 1200000 + (1105 - 0) = 1201105
ID Allocation for Local Domain
Primary RID Range
Used to generate SIDs for IPA users and groups:
UID → RID mapping:
RID = rid-base + (UID - base-id)
Example:
- base-id = 1000000
- rid-base = 1000
- UID = 1000050
- RID = 1000 + (1000050 - 1000000) = 1050
- SID =
S-1-5-21-<IPA-domain-SID>-1050
Secondary RID Range
Used when a UID has already been assigned a RID and another object (user vs group) is created with the same UID:
Conflict scenario: User with UID 1000050 gets RID 1050. Later, a group is created with GID 1000050.
Resolution: Group gets RID from secondary range:
RID = secondary-rid-base + (GID - base-id)
Example:
- secondary-rid-base = 1000000
- GID = 1000050
- RID = 1000000 + (1000050 - 1000000) = 1000050
- Group SID =
S-1-5-21-<IPA-domain-SID>-1000050
This prevents SID collisions when users and groups share the same numeric ID.
ID Mapping for Trusted Domains
Direct Mapping
For AD domains with IPA ID ranges configured:
RID → UID mapping:
UID = base-id + (RID - rid-base)
Example:
- AD user SID:
S-1-5-21-123-456-789-1500 - RID: 1500
- base-id: 1200000
- rid-base: 0
- UID: 1200000 + (1500 - 0) = 1201500
The AD user appears on IPA-enrolled Linux systems with UID 1201500.
Range Boundaries
ID ranges have hard boundaries:
Minimum UID/GID: base-id Maximum UID/GID: base-id + range-size - 1
Any AD RID outside the range (RID < rid-base or RID >= rid-base + range-size) cannot be mapped and the user/group will not have a valid UID/GID on IPA systems.
Auto Private Groups
The --auto-private-groups setting controls automatic creation of private POSIX groups for AD users. This setting is only applicable to AD trust ranges (ipa-ad-trust and ipa-ad-trust-posix). It cannot be used with ipa-local ranges.
Modes:
- true: Always create a private group with GID = UID, ignoring any existing GID in AD
- false: Always use the user’s primary GID from AD (for posix ranges) or computed from primaryGroupID (for algorithmic ranges); group must exist
- hybrid: Create private group only if UID = GID but no group exists with that GID
Default values:
- ipa-ad-trust-posix: Default is
false(use uidNumber and gidNumber from AD; group must exist) - ipa-ad-trust: Default is
true(UID and GID both mapped from SID; private group auto-created)
Behavior with ipa-ad-trust-posix ranges (AD users have uidNumber/gidNumber attributes):
| Scenario | true | false (default) | hybrid |
|---|---|---|---|
| uidNumber=1000, gidNumber missing | uid=1000 gid=1000 + private group | Not resolvable | Not resolvable |
| uidNumber=1000, gidNumber=2000, group missing | uid=1000 gid=1000 + private group | Not resolvable | Not resolvable |
| uidNumber=1000, gidNumber=1000, group missing | uid=1000 gid=1000 + private group | Not resolvable | uid=1000 gid=1000 + private group |
| uidNumber=1000, gidNumber=2000, group exists | uid=1000 gid=1000 + private group | uid=1000 gid=2000 | uid=1000 gid=2000 |
Behavior with ipa-ad-trust ranges (SID algorithmic mapping):
| Scenario | true (default) | false | hybrid |
|---|---|---|---|
| SID → 1000, primaryGroupID → 2000 | uid=1000 gid=1000 + private group | uid=1000 gid=2000 | uid=1000 gid=2000 |
Use cases:
- true: AD users without proper group memberships; simplifies permission model (each user is their own primary group)
- false: Preserve AD group structure; use actual AD groups for file ownership and permissions
- hybrid: Transition scenario; users with proper groups use AD groups, others get private groups
DNA Plugin Integration
The DNA (Distributed Numeric Assignment) plugin in 389 Directory Server automatically assigns UIDs and GIDs to new IPA users and groups:
Current state: DNA plugin configuration is separate from ID range configuration
Limitation: Creating or modifying ID ranges via idrange-add/idrange-mod does not automatically update DNA plugin
Manual configuration: After adding a new local ID range, administrators must manually update DNA plugin configuration
DNA Plugin Configuration
DNA configuration stored in:
cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Key attributes:
dnaNextValue: Next UID/GID to assigndnaMaxValue: Maximum UID/GID in current rangednaNextRange: Next range to use when current exhausted (must be updated manually)
Example DNA update:
# After adding new local ID range (base-id=1400000, range-size=200000)
$ ldapmodify -Y GSSAPI -H ldap://ipa1.example.com
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaNextRange
dnaNextRange: 1400000-1599999
Use Cases
Range Exhaustion
When the local ID range is nearly exhausted, add a new range to enable continued user/group creation:
Scenario: Original range (1000000-1199999) is 95% utilized Solution: Add new local ID range (1400000-1599999) DNA update: Configure DNA plugin to use new range when original exhausted
Transitive AD Trusts
When AD domain A trusts domain B transitively, ipa trust-add only creates a range for domain A:
Scenario: IPA trusts AD domain A. AD domain A trusts AD domain B with transitive trust. Automatic: ID range created for domain A Manual: ID range for domain B must be added manually with domain B’s SID
Multi-Forest AD Environments
Each AD forest may require separate ID ranges:
Scenario: Organization has multiple AD forests (production, development, partner) Configuration: Create separate ID ranges for each forest’s domain SID Isolation: Ensures no UID/GID conflicts between forests
Custom UID/GID Allocation
Organizations with existing UID/GID schemes may need custom ranges:
Scenario: Migrating from legacy system with UIDs in 5000-9999 range Configuration: Create IPA local range starting at 10000 to avoid conflicts Migration: Re-assign legacy users to new IPA UIDs or use ID views
Examples
View Existing ID Ranges
# List all configured ID ranges
$ ipa idrange-find
2 ranges matched
Range name: EXAMPLE.COM_id_range
First Posix ID: 1000000
Number of IDs: 200000
First RID: 1000
First secondary RID: 100000000
Range type: local domain range
Range name: AD.EXAMPLE.COM_id_range
First Posix ID: 1200000
Number of IDs: 200000
Domain SID: S-1-5-21-1234567890-987654321-111222333
First RID: 0
Range type: Active Directory domain range
Show Specific ID Range
# Display detailed range information
$ ipa idrange-show EXAMPLE.COM_id_range
Range name: EXAMPLE.COM_id_range
First Posix ID: 1000000
Number of IDs: 200000
First RID: 1000
First secondary RID: 100000000
Range type: local domain range
Add ID Range for Transitive Trust
# Manually add range for transitively trusted domain
$ ipa idrange-add TRANSITIVE_DOM_id_range \
--base-id=1400000 \
--range-size=200000 \
--rid-base=0 \
--dom-sid=S-1-5-21-999888777-666555444-333222111
Range name: TRANSITIVE_DOM_id_range
First Posix ID: 1400000
Number of IDs: 200000
Domain SID: S-1-5-21-999888777-666555444-333222111
First RID: 0
Range type: Active Directory domain range
Add Additional Local ID Range (Exhaustion)
# Add new local range when original is nearly full
$ ipa idrange-add EXAMPLE.COM_id_range_ext \
--base-id=1600000 \
--range-size=200000 \
--rid-base=601000 \
--secondary-rid-base=101000000
Range name: EXAMPLE.COM_id_range_ext
First Posix ID: 1600000
Number of IDs: 200000
First RID: 601000
First secondary RID: 101000000
Range type: local domain range
# IMPORTANT: Manually update DNA plugin configuration!
# Set dnaNextRange to 1600000-1799999 in:
# cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Delete ID Range
# Delete ID range (use with extreme caution!)
$ ipa idrange-del OLD_RANGE_id_range
# WARNING: Deleting ID ranges can cause file ownership and access control issues
# Only delete ranges that were never used or are definitively obsolete
Modify ID Range Description
# Update range description (metadata only)
$ ipa idrange-mod EXAMPLE.COM_id_range \
--desc="Primary local ID range for IPA domain"
Best Practices
Planning and Design
Non-overlapping ranges: Ensure all ID ranges (local and trusted) are completely non-overlapping. Overlaps cause UID/GID conflicts and unpredictable behavior.
Sufficient sizing: Size ranges large enough for anticipated growth. Local domain: 200,000-500,000 IDs. Trusted domains: Size based on AD domain user/group count.
Reserve space: Leave gaps between ranges for future expansion. Don’t allocate consecutive ranges—leave buffer space.
Document ranges: Maintain documentation of all ID ranges, their purposes, and which domains they map to.
Operational Practices
Avoid manual creation: Let ipa-server-install create local range and ipa trust-add create AD trust ranges automatically. Manual creation only for edge cases.
Test before production: Test ID range configurations in non-production environment, especially for transitive trusts and exhaustion scenarios.
Monitor utilization: Track local ID range utilization. When reaching 80%, plan for additional range.
DNA plugin coordination: When adding local ID ranges, immediately update DNA plugin configuration. Document the manual update requirement.
Security Considerations
Never delete active ranges: Deleting ID ranges in use causes catastrophic file ownership and access control breakage. Files owned by deleted UIDs become unowned or reassigned.
Range exhaustion protection: Monitor and address range exhaustion proactively. Running out of UIDs prevents user creation.
SID consistency: Never modify SIDs in trusted domain ranges. SID changes break AD user authentication.
Range modification risks: Modifying base-id or range-size on active ranges can reassign UIDs, breaking file ownership. Only modify during migration or with extreme care.
Integration Points
Active Directory Trusts
ID ranges are automatically created when establishing AD trusts:
Trust creation: ipa trust-add queries AD domain for SID and creates matching ID range
Transitive trusts: Require manual ID range creation for each transitively trusted domain
Forest trusts: Each trusted forest domain may need separate ID ranges
Commands: trust-add, trust-show, trust-find
Users and Groups
ID ranges control UID/GID assignment for users and groups:
Local users: DNA plugin assigns UIDs from local ID ranges AD users: SID-to-UID mapping uses trusted domain ID ranges File ownership: UIDs assigned via ID ranges determine file ownership on enrolled systems
Commands: user-add, user-show, group-add, group-show
SSSD
SSSD uses ID ranges for SID-to-UID mapping on IPA clients:
Configuration: SSSD retrieves ID range configuration from IPA server Mapping: SSSD applies range formulas to map AD SIDs to UIDs Caching: SSSD caches UID assignments for performance
DNA Plugin
The DNA plugin allocates UIDs/GIDs from local ID ranges:
Automatic assignment: DNA assigns next available UID when creating users without explicit UID Multi-master: DNA coordinates across IPA replicas to prevent UID conflicts Range handoff: When one range exhausts, DNA moves to next range (if configured)
Manual integration: Changes to ID ranges require manual DNA plugin configuration updates
Replication
ID range configuration replicates across IPA servers:
LDAP replication: ID range entries replicate to all IPA replicas Consistency: Changes propagate within minutes in healthy replication topology DNA coordination: DNA plugin coordinates UID allocation across replicas using ID ranges
Security Considerations
1. UID/GID Conflicts Between Ranges
Overlapping ID ranges create UID/GID collisions causing file ownership and access control issues.
- Two ranges with overlapping IDs assign same UID to different users
- File ownership ambiguous when multiple users share same UID
- POSIX access controls fail when UIDs conflict across systems
- Carefully plan ID ranges to ensure no overlap between local and trusted domains
- Reserve sufficient gap between ranges for future growth
- Document all ID range allocations to prevent accidental overlaps
2. Trust Range Exhaustion
Insufficient AD trust ID range size prevents authenticating all AD users.
- AD domain with 100,000 users needs range-size ≥ 100,000
- Users with RIDs beyond range-size cannot get UIDs
- Authentication succeeds but user appears without UID on clients
- Calculate AD user count before creating trust range
- Provision ranges larger than current AD population for growth
- Monitor AD user growth and expand ranges proactively
3. SID-RID Algorithmic Collision Risk
Multiple AD domains may generate overlapping RID values requiring base-id adjustment.
- Different AD domains may have users with same RID
- Base-id offset differentiates ranges but miscalculation creates collisions
- UID = base-id + RID; insufficient base-id spacing causes overlap
- Use base-id values with large gaps (e.g., 1000000, 2000000, 3000000)
- Document base-id allocation strategy across all trusted domains
- Verify no UID collisions after adding new trusted domains
4. DNA Plugin Range Handoff Failure
DNA plugin exhaustion without configured next range halts user creation.
- DNA assigns UIDs sequentially from current range
- When range exhausts, DNA stops assigning UIDs if dnaNextRange not set
- New user creation fails with “No more IDs available”
- Pre-configure DNA dnaNextRange before primary range exhausts
- Monitor DNA current value vs max value with alerting
- Establish procedure for expanding ID ranges before exhaustion
5. Local Range Modification Requires DNA Reconfiguration
Changing local ID range parameters does not automatically update DNA plugin.
- Modified ID range in IPA does not propagate to DNA plugin configuration
- DNA continues using old range values causing inconsistent UID assignment
- Manual DNA plugin reconfiguration required after range changes
- Document DNA plugin configuration steps for range modifications
- Test user creation after range modifications to verify DNA update
- Consider DNA update part of mandatory ID range change procedure
6. AD Trust Range Modification Risks
Changing AD trust ID range after users exist causes UID reassignment.
- Users already have UIDs calculated from original base-id and RID
- Changing base-id invalidates all existing UID mappings
- File ownership, home directories, and POSIX permissions break
- Never modify AD trust ranges after users have authenticated
- Plan AD trust ranges correctly during initial trust creation
- If change required, prepare for full user remediation (file ownership, home dir migration)
7. Secondary RID Base Misunderstanding
Secondary RID base for algorithmic mapping requires precise calculation to avoid conflicts.
- Secondary RID base determines starting UID for secondary domain users
- Incorrect secondary base creates UID overlaps with primary domain
- Complex formula: requires understanding of both domain ranges
- Use SSSD automatic calculation instead of manual secondary base when possible
- Document secondary RID base calculation with worked examples
- Validate no UID conflicts after configuring secondary ranges
8. Maximum Range Size Limitations
POSIX UID/GID limited to 32-bit unsigned integers (maximum ~4.2 billion).
- Range-size cannot exceed 4,294,967,295
- Base-id + range-size must not overflow 32-bit limit
- Very large ranges (base-id=2000000000, range-size=2000000000) may exceed limit
- Plan ranges within 32-bit constraints
- Reserve high UID space (>1,000,000,000) for trusted domains
- Use range calculator to verify base-id + range-size valid
9. Deleting ID Ranges with Active UIDs
Deleting ID range while UIDs still in use orphans existing users and files.
- Users with UIDs from deleted range lose UID mapping
- Files owned by these UIDs become orphaned (numeric UID only)
- User authentication may fail or users get different UIDs on re-creation
- Never delete ID ranges with active users
- Migrate all users to new range before deleting old range
- Verify zero users in range before deletion:
ipa user-find --uid-min=X --uid-max=Y
10. Non-Contiguous Range Fragmentation
Creating many small non-contiguous ranges complicates management and increases DNA complexity.
- Each range requires separate DNA plugin configuration
- Fragmented ranges harder to audit and document
- DNA handoff between non-contiguous ranges more error-prone
- Use large contiguous ranges when possible
- Consolidate ranges during migrations rather than creating new small ranges
- Document range allocation strategy in infrastructure documentation
11. Cross-Forest Trust Range Planning
Multiple AD forests require separate ID ranges with careful base-id spacing.
- Each forest needs distinct ID range to prevent conflicts
- Forest user populations may grow independently
- Insufficient spacing between forest ranges causes eventual collision
- Allocate large base-id gaps between forests (e.g., 10,000,000)
- Reserve multiple large ranges for anticipated forest growth
- Document forest-to-range mapping for all trusted forests
12. POSIX Attribute Override Conflicts
AD users with explicit POSIX attributes (uidNumber in AD) conflict with algorithmic mapping.
- Some AD users may have uidNumber already set in AD schema
- IPA algorithmic ID mapping may assign different UID
- Client may use AD-provided uidNumber or IPA-calculated UID unpredictably
- Decide on authoritative UID source: AD attributes or IPA algorithmic mapping
- If using AD POSIX attributes, configure SSSD to prefer AD values
- If using IPA mapping, ensure AD POSIX attributes not set or are removed
13. Range Type Mismatches After Migration
Converting between range types (ipa-local to ipa-ad-trust) requires careful migration.
- Range types cannot be changed in-place
- Migration requires creating new range and moving users
- User UIDs change during migration affecting file ownership
- Avoid range type migrations if possible; plan correctly initially
- If migration necessary, plan for comprehensive file ownership remediation
- Test migration in non-production environment with full user/file inventory
14. Audit Trail for Range Modifications
ID range changes have significant impact but may not be prominently logged.
- Range modifications may only appear in LDAP modification logs
- Difficult to correlate range changes with subsequent user creation issues
- No built-in approval workflow for range modifications
- Require organizational change control for all range modifications
- Document all range changes with business justification
- Implement external auditing/alerting for range object modifications in LDAP
15. IPA Local Range Sizing for Future Growth
Undersized local ranges require expansion; oversized ranges waste UID space.
- Local range too small requires adding ranges later (DNA reconfiguration needed)
- Local range too large reserves UIDs that could be used for other purposes
- Balance between growth headroom and efficient space utilization
- Typical small organization: 100,000 UID range (IDs 100,000-199,999)
- Large organization: 1,000,000 UID range (IDs 1,000,000-1,999,999)
- Plan for 3-5 years of user growth when sizing initial range
Troubleshooting
UID/GID Exhaustion
Symptom: Cannot create new users, error “No more IDs available”
Diagnosis: Check DNA plugin current value vs max value Solution: Add new local ID range and update DNA plugin dnaNextRange
AD User Has No UID
Symptom: AD user authenticated but has no UID on IPA clients
Diagnosis: Check if user’s RID falls within configured ID range Solution: Ensure ID range for AD domain has sufficient range-size to include user’s RID
UID Conflicts Between IPA and AD
Symptom: IPA local user and AD user have same UID
Diagnosis: ID ranges overlap Solution: Reconfigure ranges to be non-overlapping (may require user migration)
SID Mapping Failures
Symptom: IPA users don’t have SIDs or SIDs are incorrect
Diagnosis: Local ID range missing rid-base or secondary-rid-base
Solution: Use ipa-idrange-fix command to identify and repair range configuration
DNA Not Using New Range
Symptom: Added new local ID range but DNA still reports exhaustion
Diagnosis: DNA plugin not configured to use new range Solution: Manually update dnaNextRange attribute in DNA plugin LDAP entry
Commands
idrange-add
Usage: ipa [global-options] idrange-add NAME [options]
Add new ID range.
To add a new ID range you always have to specify
--base-id
--range-size
Additionally
--rid-base
--secondary-rid-base
may be given for a new ID range for the local domain while
--auto-private-groups
may be given for a new ID range for a trusted AD domain and
--rid-base
--dom-sid
must be given to add a new range for a trusted AD domain.
WARNING
DNA plugin in 389-ds will allocate IDs based on the ranges configured for the local domain. Currently the DNA plugin cannot be reconfigured itself based on the local ranges set via this family of commands.
Manual configuration change has to be done in the DNA plugin configuration for the new local range. Specifically, The dnaNextRange attribute of ‘cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config’ has to be modified to match the new range.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Range name |
Options
| Option | Description |
|---|---|
--base-id BASE-ID | First Posix ID of the range |
--range-size RANGE-SIZE | Number of IDs in the range |
--rid-base RID-BASE | First RID of the corresponding RID range |
--secondary-rid-base SECONDARY-RID-BASE | First RID of the secondary RID range |
--dom-sid DOM-SID | Domain SID of the trusted domain |
--dom-name DOM-NAME | Name of the trusted domain |
--type TYPE | ID range type, one of allowed values |
--auto-private-groups AUTO-PRIVATE-GROUPS | Auto creation of private groups, one of allowed values |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
idrange-del
Usage: ipa [global-options] idrange-del NAME [options]
Delete an ID range.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Range name |
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
idrange-find
Usage: ipa [global-options] idrange-find [CRITERIA] [options]
Search for ranges.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--name NAME | Range name |
--base-id BASE-ID | First Posix ID of the range |
--range-size RANGE-SIZE | Number of IDs in the range |
--rid-base RID-BASE | First RID of the corresponding RID range |
--secondary-rid-base SECONDARY-RID-BASE | First RID of the secondary RID range |
--dom-sid DOM-SID | Domain SID of the trusted domain |
--type TYPE | ID range type, one of allowed values |
--auto-private-groups AUTO-PRIVATE-GROUPS | Auto creation of private groups, one of allowed values |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“name”) |
idrange-mod
Usage: ipa [global-options] idrange-mod NAME [options]
Modify ID range.
WARNING
DNA plugin in 389-ds will allocate IDs based on the ranges configured for the local domain. Currently the DNA plugin cannot be reconfigured itself based on the local ranges set via this family of commands.
Manual configuration change has to be done in the DNA plugin configuration for the new local range. Specifically, The dnaNextRange attribute of ‘cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config’ has to be modified to match the new range.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Range name |
Options
| Option | Description |
|---|---|
--base-id BASE-ID | First Posix ID of the range |
--range-size RANGE-SIZE | Number of IDs in the range |
--rid-base RID-BASE | First RID of the corresponding RID range |
--secondary-rid-base SECONDARY-RID-BASE | First RID of the secondary RID range |
--auto-private-groups AUTO-PRIVATE-GROUPS | Auto creation of private groups, one of allowed values |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
idrange-show
Usage: ipa [global-options] idrange-show NAME [options]
Display information about a range.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Range name |
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |