integration

ID Ranges

Manage UID and GID ranges for POSIX attribute assignment and trust domain integration. ID ranges define allocatable ranges for user and group identifiers, ensuring no conflicts between local users and trusted domain users. Features include range creation with base IDs and sizes, domain and range type specification (local, AD trust with SID), automatic range detection for trusted domains, and range modification for scaling deployments.

5 commands
integration

Overview

ID ranges define allocatable ranges of UID (User ID) and GID (Group ID) numbers for POSIX users and groups in FreeIPA. They serve two critical functions:

  1. Local domain ID allocation: Defining which UIDs/GIDs the IPA DNA (Distributed Numeric Assignment) plugin can assign to new IPA users and groups
  2. Trusted domain ID mapping: Mapping Windows Security Identifiers (SIDs) from Active Directory trusts to POSIX UIDs/GIDs for Unix/Linux interoperability

Without ID ranges, FreeIPA cannot:

  • Assign UIDs/GIDs to new users and groups
  • Map AD user SIDs to UIDs for file ownership and access control
  • Maintain separation between local IPA users and trusted AD users
  • Support multiple IPA replicas allocating IDs without conflicts

ID ranges are typically created automatically during IPA installation (local range) and trust establishment (ipa trust-add for AD ranges). Manual ID range management is needed only for advanced scenarios like range exhaustion, transitive trusts, or multi-forest AD environments.

ID Range Types

FreeIPA uses explicit range type identifiers to distinguish between different ID range purposes. As of FreeIPA 4.11, there are four ID range categories using three type identifiers:

Range Type Identifiers:

  • ipa-local: Local FreeIPA POSIX ID range for IPA users and groups
  • ipa-ad-trust: Used for both subordinate ID ranges and automated AD trust allocation
  • ipa-ad-trust-posix: Trusted domain range with explicit POSIX attributes in AD

Local Domain Ranges (type: ipa-local)

Purpose: Define UIDs/GIDs available for IPA users and groups created locally in the IPA domain.

Characteristics:

  • Automatically created during ipa-server-install or upgrade
  • Used by DNA plugin for automatic UID/GID assignment
  • Includes primary and secondary RID ranges for SID generation
  • Typically one range per IPA deployment (additional ranges for exhaustion scenarios)
  • Range type: ipa-local

Components:

  • base-id: First UID/GID in the range (e.g., 1000000)
  • range-size: Number of IDs in the range (e.g., 200000)
  • rid-base: First RID for primary SID generation (e.g., 1000)
  • secondary-rid-base: First RID for secondary SID generation (e.g., 1000000) - used when primary RID conflicts occur

Subordinate ID Ranges (type: ipa-ad-trust)

Purpose: Provide subordinate UID/GID ranges for rootless containers and user namespaces.

Characteristics:

  • Automatically created during IPA installation (if supported)
  • Named <REALM>_subid_range
  • Uses ipa-ad-trust type for SSSD compatibility (SSSD requires SIDs with S-1-5-21 prefix)
  • Special SID structure: S-1-5-21-738065-838566-<DOMAIN_HASH>
    • 738065-838566 represents “IPA-SUB”
    • <DOMAIN_HASH> is MURMUR-3 hash of domain name with key 0xdeadbeef
  • This SID is never used for actual SID generation (only for range identification)
  • Default range: 2,147,483,648 to 4,294,901,767 (upper 2.1 billion of 32-bit UID space)
  • See subid topic for subordinate ID management commands

Components:

  • base-id: 2147483648 (2^31, start of upper UID space)
  • range-size: 2147352576 (approximately 2.1 billion IDs)
  • rid-base: 2147283648
  • dom-sid: Special subordinate ID SID (e.g., S-1-5-21-738065-838566-1351619967)

Trusted Domain Ranges (type: ipa-ad-trust or ipa-ad-trust-posix)

Purpose: Map Active Directory SIDs to UIDs/GIDs for AD users and groups accessing IPA-enrolled systems.

FreeIPA supports two types of AD trust ID ranges:

Automated Allocation (type: ipa-ad-trust)

Characteristics:

  • Automatically created by ipa trust-add for directly trusted domains
  • Must be manually created for transitively trusted domains
  • SSSD performs algorithmic SID-to-UID mapping on clients (no LDAP lookups required)
  • ID ranges serve as “fences” to prevent other allocators from using the space
  • One range per trusted AD domain or forest

Components:

  • base-id: First UID/GID mapped from this domain (e.g., 1200000)
  • range-size: Number of IDs allocatable from this domain (e.g., 200000)
  • rid-base: RID offset for mapping (typically 0 for AD domains)
  • dom-sid: Active Directory domain SID (e.g., S-1-5-21-123-456-789)
  • auto-private-groups: Mode for automatic private group creation (true/false/hybrid)

Explicit POSIX Allocation (type: ipa-ad-trust-posix)

Characteristics:

  • Must be manually created with idrange-add --type=ipa-ad-trust-posix
  • SSSD reads uidNumber/gidNumber directly from AD LDAP entries
  • ID range still enforces boundaries but actual IDs come from AD attributes
  • Used when migrating from AD environments with existing POSIX attributes

Components:

  • base-id: Not used for allocation (IDs come from AD attributes)
  • range-size: Defines valid UID/GID boundary check
  • dom-sid: Active Directory domain SID
  • No rid-base (not used for algorithmic mapping)

SID and RID Concepts

Security Identifier (SID)

Windows Security Identifiers uniquely identify users, groups, and computers in Active Directory:

Format: S-1-5-21-<domain-authority-1>-<domain-authority-2>-<domain-authority-3>-<RID>

Example: S-1-5-21-1234567890-987654321-111222333-1105

  • S-1-5: Standard Windows security prefix
  • 21-1234567890-987654321-111222333: Domain SID (uniquely identifies the AD domain)
  • 1105: RID (Relative Identifier - uniquely identifies the user/group within the domain)

Relative Identifier (RID)

The RID is the last component of a SID and uniquely identifies a security principal within a domain:

Range: 32-bit values (0 to 4,294,967,295) Reserved RIDs:

  • 500: Administrator
  • 501: Guest
  • 512: Domain Admins
  • 513: Domain Users
  • 1000+: User-created objects

IPA ID ranges map RIDs to UIDs using the formula:

UID = base-id + (RID - rid-base)

Example:

  • base-id = 1200000
  • rid-base = 0
  • RID = 1105
  • UID = 1200000 + (1105 - 0) = 1201105

ID Allocation for Local Domain

Primary RID Range

Used to generate SIDs for IPA users and groups:

UID → RID mapping:

RID = rid-base + (UID - base-id)

Example:

  • base-id = 1000000
  • rid-base = 1000
  • UID = 1000050
  • RID = 1000 + (1000050 - 1000000) = 1050
  • SID = S-1-5-21-<IPA-domain-SID>-1050

Secondary RID Range

Used when a UID has already been assigned a RID and another object (user vs group) is created with the same UID:

Conflict scenario: User with UID 1000050 gets RID 1050. Later, a group is created with GID 1000050.

Resolution: Group gets RID from secondary range:

RID = secondary-rid-base + (GID - base-id)

Example:

  • secondary-rid-base = 1000000
  • GID = 1000050
  • RID = 1000000 + (1000050 - 1000000) = 1000050
  • Group SID = S-1-5-21-<IPA-domain-SID>-1000050

This prevents SID collisions when users and groups share the same numeric ID.

ID Mapping for Trusted Domains

Direct Mapping

For AD domains with IPA ID ranges configured:

RID → UID mapping:

UID = base-id + (RID - rid-base)

Example:

  • AD user SID: S-1-5-21-123-456-789-1500
  • RID: 1500
  • base-id: 1200000
  • rid-base: 0
  • UID: 1200000 + (1500 - 0) = 1201500

The AD user appears on IPA-enrolled Linux systems with UID 1201500.

Range Boundaries

ID ranges have hard boundaries:

Minimum UID/GID: base-id Maximum UID/GID: base-id + range-size - 1

Any AD RID outside the range (RID < rid-base or RID >= rid-base + range-size) cannot be mapped and the user/group will not have a valid UID/GID on IPA systems.

Auto Private Groups

The --auto-private-groups setting controls automatic creation of private POSIX groups for AD users. This setting is only applicable to AD trust ranges (ipa-ad-trust and ipa-ad-trust-posix). It cannot be used with ipa-local ranges.

Modes:

  • true: Always create a private group with GID = UID, ignoring any existing GID in AD
  • false: Always use the user’s primary GID from AD (for posix ranges) or computed from primaryGroupID (for algorithmic ranges); group must exist
  • hybrid: Create private group only if UID = GID but no group exists with that GID

Default values:

  • ipa-ad-trust-posix: Default is false (use uidNumber and gidNumber from AD; group must exist)
  • ipa-ad-trust: Default is true (UID and GID both mapped from SID; private group auto-created)

Behavior with ipa-ad-trust-posix ranges (AD users have uidNumber/gidNumber attributes):

Scenariotruefalse (default)hybrid
uidNumber=1000, gidNumber missinguid=1000 gid=1000 + private groupNot resolvableNot resolvable
uidNumber=1000, gidNumber=2000, group missinguid=1000 gid=1000 + private groupNot resolvableNot resolvable
uidNumber=1000, gidNumber=1000, group missinguid=1000 gid=1000 + private groupNot resolvableuid=1000 gid=1000 + private group
uidNumber=1000, gidNumber=2000, group existsuid=1000 gid=1000 + private groupuid=1000 gid=2000uid=1000 gid=2000

Behavior with ipa-ad-trust ranges (SID algorithmic mapping):

Scenariotrue (default)falsehybrid
SID → 1000, primaryGroupID → 2000uid=1000 gid=1000 + private groupuid=1000 gid=2000uid=1000 gid=2000

Use cases:

  • true: AD users without proper group memberships; simplifies permission model (each user is their own primary group)
  • false: Preserve AD group structure; use actual AD groups for file ownership and permissions
  • hybrid: Transition scenario; users with proper groups use AD groups, others get private groups

DNA Plugin Integration

The DNA (Distributed Numeric Assignment) plugin in 389 Directory Server automatically assigns UIDs and GIDs to new IPA users and groups:

Current state: DNA plugin configuration is separate from ID range configuration Limitation: Creating or modifying ID ranges via idrange-add/idrange-mod does not automatically update DNA plugin Manual configuration: After adding a new local ID range, administrators must manually update DNA plugin configuration

DNA Plugin Configuration

DNA configuration stored in:

cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config

Key attributes:

  • dnaNextValue: Next UID/GID to assign
  • dnaMaxValue: Maximum UID/GID in current range
  • dnaNextRange: Next range to use when current exhausted (must be updated manually)

Example DNA update:

# After adding new local ID range (base-id=1400000, range-size=200000)
$ ldapmodify -Y GSSAPI -H ldap://ipa1.example.com
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaNextRange
dnaNextRange: 1400000-1599999

Use Cases

Range Exhaustion

When the local ID range is nearly exhausted, add a new range to enable continued user/group creation:

Scenario: Original range (1000000-1199999) is 95% utilized Solution: Add new local ID range (1400000-1599999) DNA update: Configure DNA plugin to use new range when original exhausted

Transitive AD Trusts

When AD domain A trusts domain B transitively, ipa trust-add only creates a range for domain A:

Scenario: IPA trusts AD domain A. AD domain A trusts AD domain B with transitive trust. Automatic: ID range created for domain A Manual: ID range for domain B must be added manually with domain B’s SID

Multi-Forest AD Environments

Each AD forest may require separate ID ranges:

Scenario: Organization has multiple AD forests (production, development, partner) Configuration: Create separate ID ranges for each forest’s domain SID Isolation: Ensures no UID/GID conflicts between forests

Custom UID/GID Allocation

Organizations with existing UID/GID schemes may need custom ranges:

Scenario: Migrating from legacy system with UIDs in 5000-9999 range Configuration: Create IPA local range starting at 10000 to avoid conflicts Migration: Re-assign legacy users to new IPA UIDs or use ID views

Examples

View Existing ID Ranges

# List all configured ID ranges
$ ipa idrange-find
  2 ranges matched
  Range name: EXAMPLE.COM_id_range
  First Posix ID: 1000000
  Number of IDs: 200000
  First RID: 1000
  First secondary RID: 100000000
  Range type: local domain range
  Range name: AD.EXAMPLE.COM_id_range
  First Posix ID: 1200000
  Number of IDs: 200000
  Domain SID: S-1-5-21-1234567890-987654321-111222333
  First RID: 0
  Range type: Active Directory domain range

Show Specific ID Range

# Display detailed range information
$ ipa idrange-show EXAMPLE.COM_id_range
  Range name: EXAMPLE.COM_id_range
  First Posix ID: 1000000
  Number of IDs: 200000
  First RID: 1000
  First secondary RID: 100000000
  Range type: local domain range

Add ID Range for Transitive Trust

# Manually add range for transitively trusted domain
$ ipa idrange-add TRANSITIVE_DOM_id_range \
  --base-id=1400000 \
  --range-size=200000 \
  --rid-base=0 \
  --dom-sid=S-1-5-21-999888777-666555444-333222111

  Range name: TRANSITIVE_DOM_id_range
  First Posix ID: 1400000
  Number of IDs: 200000
  Domain SID: S-1-5-21-999888777-666555444-333222111
  First RID: 0
  Range type: Active Directory domain range

Add Additional Local ID Range (Exhaustion)

# Add new local range when original is nearly full
$ ipa idrange-add EXAMPLE.COM_id_range_ext \
  --base-id=1600000 \
  --range-size=200000 \
  --rid-base=601000 \
  --secondary-rid-base=101000000

  Range name: EXAMPLE.COM_id_range_ext
  First Posix ID: 1600000
  Number of IDs: 200000
  First RID: 601000
  First secondary RID: 101000000
  Range type: local domain range

# IMPORTANT: Manually update DNA plugin configuration!
# Set dnaNextRange to 1600000-1799999 in:
# cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config

Delete ID Range

# Delete ID range (use with extreme caution!)
$ ipa idrange-del OLD_RANGE_id_range

# WARNING: Deleting ID ranges can cause file ownership and access control issues
# Only delete ranges that were never used or are definitively obsolete

Modify ID Range Description

# Update range description (metadata only)
$ ipa idrange-mod EXAMPLE.COM_id_range \
  --desc="Primary local ID range for IPA domain"

Best Practices

Planning and Design

Non-overlapping ranges: Ensure all ID ranges (local and trusted) are completely non-overlapping. Overlaps cause UID/GID conflicts and unpredictable behavior.

Sufficient sizing: Size ranges large enough for anticipated growth. Local domain: 200,000-500,000 IDs. Trusted domains: Size based on AD domain user/group count.

Reserve space: Leave gaps between ranges for future expansion. Don’t allocate consecutive ranges—leave buffer space.

Document ranges: Maintain documentation of all ID ranges, their purposes, and which domains they map to.

Operational Practices

Avoid manual creation: Let ipa-server-install create local range and ipa trust-add create AD trust ranges automatically. Manual creation only for edge cases.

Test before production: Test ID range configurations in non-production environment, especially for transitive trusts and exhaustion scenarios.

Monitor utilization: Track local ID range utilization. When reaching 80%, plan for additional range.

DNA plugin coordination: When adding local ID ranges, immediately update DNA plugin configuration. Document the manual update requirement.

Security Considerations

Never delete active ranges: Deleting ID ranges in use causes catastrophic file ownership and access control breakage. Files owned by deleted UIDs become unowned or reassigned.

Range exhaustion protection: Monitor and address range exhaustion proactively. Running out of UIDs prevents user creation.

SID consistency: Never modify SIDs in trusted domain ranges. SID changes break AD user authentication.

Range modification risks: Modifying base-id or range-size on active ranges can reassign UIDs, breaking file ownership. Only modify during migration or with extreme care.

Integration Points

Active Directory Trusts

ID ranges are automatically created when establishing AD trusts:

Trust creation: ipa trust-add queries AD domain for SID and creates matching ID range Transitive trusts: Require manual ID range creation for each transitively trusted domain Forest trusts: Each trusted forest domain may need separate ID ranges

Commands: trust-add, trust-show, trust-find

Users and Groups

ID ranges control UID/GID assignment for users and groups:

Local users: DNA plugin assigns UIDs from local ID ranges AD users: SID-to-UID mapping uses trusted domain ID ranges File ownership: UIDs assigned via ID ranges determine file ownership on enrolled systems

Commands: user-add, user-show, group-add, group-show

SSSD

SSSD uses ID ranges for SID-to-UID mapping on IPA clients:

Configuration: SSSD retrieves ID range configuration from IPA server Mapping: SSSD applies range formulas to map AD SIDs to UIDs Caching: SSSD caches UID assignments for performance

DNA Plugin

The DNA plugin allocates UIDs/GIDs from local ID ranges:

Automatic assignment: DNA assigns next available UID when creating users without explicit UID Multi-master: DNA coordinates across IPA replicas to prevent UID conflicts Range handoff: When one range exhausts, DNA moves to next range (if configured)

Manual integration: Changes to ID ranges require manual DNA plugin configuration updates

Replication

ID range configuration replicates across IPA servers:

LDAP replication: ID range entries replicate to all IPA replicas Consistency: Changes propagate within minutes in healthy replication topology DNA coordination: DNA plugin coordinates UID allocation across replicas using ID ranges

Security Considerations

1. UID/GID Conflicts Between Ranges

Overlapping ID ranges create UID/GID collisions causing file ownership and access control issues.

  • Two ranges with overlapping IDs assign same UID to different users
  • File ownership ambiguous when multiple users share same UID
  • POSIX access controls fail when UIDs conflict across systems
  • Carefully plan ID ranges to ensure no overlap between local and trusted domains
  • Reserve sufficient gap between ranges for future growth
  • Document all ID range allocations to prevent accidental overlaps

2. Trust Range Exhaustion

Insufficient AD trust ID range size prevents authenticating all AD users.

  • AD domain with 100,000 users needs range-size ≥ 100,000
  • Users with RIDs beyond range-size cannot get UIDs
  • Authentication succeeds but user appears without UID on clients
  • Calculate AD user count before creating trust range
  • Provision ranges larger than current AD population for growth
  • Monitor AD user growth and expand ranges proactively

3. SID-RID Algorithmic Collision Risk

Multiple AD domains may generate overlapping RID values requiring base-id adjustment.

  • Different AD domains may have users with same RID
  • Base-id offset differentiates ranges but miscalculation creates collisions
  • UID = base-id + RID; insufficient base-id spacing causes overlap
  • Use base-id values with large gaps (e.g., 1000000, 2000000, 3000000)
  • Document base-id allocation strategy across all trusted domains
  • Verify no UID collisions after adding new trusted domains

4. DNA Plugin Range Handoff Failure

DNA plugin exhaustion without configured next range halts user creation.

  • DNA assigns UIDs sequentially from current range
  • When range exhausts, DNA stops assigning UIDs if dnaNextRange not set
  • New user creation fails with “No more IDs available”
  • Pre-configure DNA dnaNextRange before primary range exhausts
  • Monitor DNA current value vs max value with alerting
  • Establish procedure for expanding ID ranges before exhaustion

5. Local Range Modification Requires DNA Reconfiguration

Changing local ID range parameters does not automatically update DNA plugin.

  • Modified ID range in IPA does not propagate to DNA plugin configuration
  • DNA continues using old range values causing inconsistent UID assignment
  • Manual DNA plugin reconfiguration required after range changes
  • Document DNA plugin configuration steps for range modifications
  • Test user creation after range modifications to verify DNA update
  • Consider DNA update part of mandatory ID range change procedure

6. AD Trust Range Modification Risks

Changing AD trust ID range after users exist causes UID reassignment.

  • Users already have UIDs calculated from original base-id and RID
  • Changing base-id invalidates all existing UID mappings
  • File ownership, home directories, and POSIX permissions break
  • Never modify AD trust ranges after users have authenticated
  • Plan AD trust ranges correctly during initial trust creation
  • If change required, prepare for full user remediation (file ownership, home dir migration)

7. Secondary RID Base Misunderstanding

Secondary RID base for algorithmic mapping requires precise calculation to avoid conflicts.

  • Secondary RID base determines starting UID for secondary domain users
  • Incorrect secondary base creates UID overlaps with primary domain
  • Complex formula: requires understanding of both domain ranges
  • Use SSSD automatic calculation instead of manual secondary base when possible
  • Document secondary RID base calculation with worked examples
  • Validate no UID conflicts after configuring secondary ranges

8. Maximum Range Size Limitations

POSIX UID/GID limited to 32-bit unsigned integers (maximum ~4.2 billion).

  • Range-size cannot exceed 4,294,967,295
  • Base-id + range-size must not overflow 32-bit limit
  • Very large ranges (base-id=2000000000, range-size=2000000000) may exceed limit
  • Plan ranges within 32-bit constraints
  • Reserve high UID space (>1,000,000,000) for trusted domains
  • Use range calculator to verify base-id + range-size valid

9. Deleting ID Ranges with Active UIDs

Deleting ID range while UIDs still in use orphans existing users and files.

  • Users with UIDs from deleted range lose UID mapping
  • Files owned by these UIDs become orphaned (numeric UID only)
  • User authentication may fail or users get different UIDs on re-creation
  • Never delete ID ranges with active users
  • Migrate all users to new range before deleting old range
  • Verify zero users in range before deletion: ipa user-find --uid-min=X --uid-max=Y

10. Non-Contiguous Range Fragmentation

Creating many small non-contiguous ranges complicates management and increases DNA complexity.

  • Each range requires separate DNA plugin configuration
  • Fragmented ranges harder to audit and document
  • DNA handoff between non-contiguous ranges more error-prone
  • Use large contiguous ranges when possible
  • Consolidate ranges during migrations rather than creating new small ranges
  • Document range allocation strategy in infrastructure documentation

11. Cross-Forest Trust Range Planning

Multiple AD forests require separate ID ranges with careful base-id spacing.

  • Each forest needs distinct ID range to prevent conflicts
  • Forest user populations may grow independently
  • Insufficient spacing between forest ranges causes eventual collision
  • Allocate large base-id gaps between forests (e.g., 10,000,000)
  • Reserve multiple large ranges for anticipated forest growth
  • Document forest-to-range mapping for all trusted forests

12. POSIX Attribute Override Conflicts

AD users with explicit POSIX attributes (uidNumber in AD) conflict with algorithmic mapping.

  • Some AD users may have uidNumber already set in AD schema
  • IPA algorithmic ID mapping may assign different UID
  • Client may use AD-provided uidNumber or IPA-calculated UID unpredictably
  • Decide on authoritative UID source: AD attributes or IPA algorithmic mapping
  • If using AD POSIX attributes, configure SSSD to prefer AD values
  • If using IPA mapping, ensure AD POSIX attributes not set or are removed

13. Range Type Mismatches After Migration

Converting between range types (ipa-local to ipa-ad-trust) requires careful migration.

  • Range types cannot be changed in-place
  • Migration requires creating new range and moving users
  • User UIDs change during migration affecting file ownership
  • Avoid range type migrations if possible; plan correctly initially
  • If migration necessary, plan for comprehensive file ownership remediation
  • Test migration in non-production environment with full user/file inventory

14. Audit Trail for Range Modifications

ID range changes have significant impact but may not be prominently logged.

  • Range modifications may only appear in LDAP modification logs
  • Difficult to correlate range changes with subsequent user creation issues
  • No built-in approval workflow for range modifications
  • Require organizational change control for all range modifications
  • Document all range changes with business justification
  • Implement external auditing/alerting for range object modifications in LDAP

15. IPA Local Range Sizing for Future Growth

Undersized local ranges require expansion; oversized ranges waste UID space.

  • Local range too small requires adding ranges later (DNA reconfiguration needed)
  • Local range too large reserves UIDs that could be used for other purposes
  • Balance between growth headroom and efficient space utilization
  • Typical small organization: 100,000 UID range (IDs 100,000-199,999)
  • Large organization: 1,000,000 UID range (IDs 1,000,000-1,999,999)
  • Plan for 3-5 years of user growth when sizing initial range

Troubleshooting

UID/GID Exhaustion

Symptom: Cannot create new users, error “No more IDs available”

Diagnosis: Check DNA plugin current value vs max value Solution: Add new local ID range and update DNA plugin dnaNextRange

AD User Has No UID

Symptom: AD user authenticated but has no UID on IPA clients

Diagnosis: Check if user’s RID falls within configured ID range Solution: Ensure ID range for AD domain has sufficient range-size to include user’s RID

UID Conflicts Between IPA and AD

Symptom: IPA local user and AD user have same UID

Diagnosis: ID ranges overlap Solution: Reconfigure ranges to be non-overlapping (may require user migration)

SID Mapping Failures

Symptom: IPA users don’t have SIDs or SIDs are incorrect

Diagnosis: Local ID range missing rid-base or secondary-rid-base Solution: Use ipa-idrange-fix command to identify and repair range configuration

DNA Not Using New Range

Symptom: Added new local ID range but DNA still reports exhaustion

Diagnosis: DNA plugin not configured to use new range Solution: Manually update dnaNextRange attribute in DNA plugin LDAP entry

Commands

idrange-add

Usage: ipa [global-options] idrange-add NAME [options]

Add new ID range.

To add a new ID range you always have to specify

    --base-id
    --range-size

Additionally

    --rid-base
    --secondary-rid-base

may be given for a new ID range for the local domain while

    --auto-private-groups

may be given for a new ID range for a trusted AD domain and

    --rid-base
    --dom-sid

must be given to add a new range for a trusted AD domain.

WARNING

DNA plugin in 389-ds will allocate IDs based on the ranges configured for the local domain. Currently the DNA plugin cannot be reconfigured itself based on the local ranges set via this family of commands.

Manual configuration change has to be done in the DNA plugin configuration for the new local range. Specifically, The dnaNextRange attribute of ‘cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config’ has to be modified to match the new range.

Arguments

ArgumentRequiredDescription
NAMEyesRange name

Options

OptionDescription
--base-id BASE-IDFirst Posix ID of the range
--range-size RANGE-SIZENumber of IDs in the range
--rid-base RID-BASEFirst RID of the corresponding RID range
--secondary-rid-base SECONDARY-RID-BASEFirst RID of the secondary RID range
--dom-sid DOM-SIDDomain SID of the trusted domain
--dom-name DOM-NAMEName of the trusted domain
--type TYPEID range type, one of allowed values
--auto-private-groups AUTO-PRIVATE-GROUPSAuto creation of private groups, one of allowed values
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

idrange-del

Usage: ipa [global-options] idrange-del NAME [options]

Delete an ID range.

Arguments

ArgumentRequiredDescription
NAMEyesRange name

Options

OptionDescription
--continueContinuous mode: Don’t stop on errors.

idrange-find

Usage: ipa [global-options] idrange-find [CRITERIA] [options]

Search for ranges.

Arguments

Argument Required Description


CRITERIA no A string searched in all relevant object attributes

Options

OptionDescription
--name NAMERange name
--base-id BASE-IDFirst Posix ID of the range
--range-size RANGE-SIZENumber of IDs in the range
--rid-base RID-BASEFirst RID of the corresponding RID range
--secondary-rid-base SECONDARY-RID-BASEFirst RID of the secondary RID range
--dom-sid DOM-SIDDomain SID of the trusted domain
--type TYPEID range type, one of allowed values
--auto-private-groups AUTO-PRIVATE-GROUPSAuto creation of private groups, one of allowed values
--timelimit TIMELIMITTime limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMITMaximum number of entries returned (0 is unlimited)
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.
--pkey-onlyResults should contain primary key attribute only (“name”)

idrange-mod

Usage: ipa [global-options] idrange-mod NAME [options]

Modify ID range.

WARNING

DNA plugin in 389-ds will allocate IDs based on the ranges configured for the local domain. Currently the DNA plugin cannot be reconfigured itself based on the local ranges set via this family of commands.

Manual configuration change has to be done in the DNA plugin configuration for the new local range. Specifically, The dnaNextRange attribute of ‘cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config’ has to be modified to match the new range.

Arguments

ArgumentRequiredDescription
NAMEyesRange name

Options

OptionDescription
--base-id BASE-IDFirst Posix ID of the range
--range-size RANGE-SIZENumber of IDs in the range
--rid-base RID-BASEFirst RID of the corresponding RID range
--secondary-rid-base SECONDARY-RID-BASEFirst RID of the secondary RID range
--auto-private-groups AUTO-PRIVATE-GROUPSAuto creation of private groups, one of allowed values
--setattr SETATTRSet an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTRAdd an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTRDelete an attribute/value pair. The option will be evaluated
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.

idrange-show

Usage: ipa [global-options] idrange-show NAME [options]

Display information about a range.

Arguments

ArgumentRequiredDescription
NAMEyesRange name

Options

OptionDescription
--rightsDisplay the access rights of this entry (requires —all). See ipa man page for details.
--allRetrieve and print all attributes from the server. Affects command output.
--rawPrint entries as stored on the server. Only affects output format.