IdM: Can I use a specific ID range for UIDs and GIDs, and roll out objects to multiple IdM domains with my own mechanism?

Solution Unverified - Updated -

Issue

  • We are thinking about using a specific uid/gid range for Identity Management (IdM) users, specifying uid/gid manually and therefore relying on an "external source" for the uniqueness of the uid/gid of new users, and not using the DNA plugin at all. We are already aware of the caveats and problems that this can lead to, but first we want to know if it is technically possible.

We want to configure the same range on all of our IdM systems, i.e. using

    # ipa idrange-mod EXAMPLE_id_range --base-id=10000 --range-size=951790000

Can this lead to some problems? Is this procedure supported? Can different IdM versions be used?

  • The following setup is given:

    • multiple IdM domains
    • the servers/replicas in each IdM domain have no idea about the other domains
    • all of the IdM servers get configured with an identical idrange:

      $ ipa idrange-mod FOO.BAR_id_range --base-id=10000 --range-size=951790000

    • the DNA plugin will not be used: all replicas, all IdM servers get this range configured

    • Outside of IdM, new UIDs/GIDs would be assigned to new objects such as users, and these objects would be rolled out to all of the IdM domains using ipa commands like "ipa user-add ..." that get executed in each of the domains. Inside a domain, replication would lead to all IdM servers offering all objects.
    • Is that supported? Could the above also work with different IdM versions?
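
Added illustration of the mechanism described above (not part of the Red Hat solution, and not an answer to whether the setup is supported): a small POSIX shell allocator that hands out UIDs/GIDs from the range the question configures on every domain (--base-id=10000 --range-size=951790000), checks each number against the range bounds and against the external record before use, and then issues the same "ipa user-add" in every domain with explicit --uid and --gidnumber so the DNA plugin never allocates anything. The domain names, the ipa.<domain> server hostnames reached over ssh, and the allocation list are constructed assumptions; the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: an external UID/GID allocator that
# rolls a user out to several IdM domains with the same, explicitly chosen numbers.

BASE_ID=10000
RANGE_SIZE=951790000
MAX_ID=$((BASE_ID + RANGE_SIZE - 1))   # highest usable ID: 951799999

# Constructed list of IdM domains that must all receive the object.
DOMAINS="idm1.example.test idm2.example.test"

# Constructed external source of truth: "login:uid" lines already handed out.
ALLOCATED=$(printf '%s\n' "alice:10000" "bob:10001")

# Succeeds when the ID lies inside the configured idrange.
in_range() {
    [ "$1" -ge "$BASE_ID" ] && [ "$1" -le "$MAX_ID" ]
}

# Succeeds when the UID is not yet recorded in the external source.
is_unallocated() {
    ! printf '%s\n' "$ALLOCATED" | grep -q ":$1\$"
}

# Next free UID from the external source: highest allocated + 1, or BASE_ID.
next_free_uid() {
    last=$(printf '%s\n' "$ALLOCATED" | cut -d: -f2 | sort -n | tail -n 1)
    if [ -z "$last" ]; then echo "$BASE_ID"; else echo $((last + 1)); fi
}

# Build the user-add command for one login; uid and gid are passed explicitly
# so no IdM server ever allocates a number itself (the user-private group gets
# the same number as the uid).
build_user_add() {
    login=$1; uid=$2
    echo "ipa user-add $login --first=$login --last=$login --uid=$uid --gidnumber=$uid"
}

# Validate the externally chosen UID, then run the identical command in every
# domain. Execution host per domain is the assumed name ipa.<domain>.
rollout_user() {
    login=$1; uid=$2
    in_range "$uid" || { echo "uid $uid outside [$BASE_ID,$MAX_ID]" >&2; return 1; }
    is_unallocated "$uid" || { echo "uid $uid already allocated" >&2; return 1; }
    cmd=$(build_user_add "$login" "$uid")
    for d in $DOMAINS; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "ipa.$d: $cmd"
        else
            ssh "admin@ipa.$d" "$cmd"
        fi
    done
}

# Usage: allocate the next free number and roll the user out (dry run by default).
rollout_user carol "$(next_free_uid)"
```

The range check matters because the question sets one idrange everywhere: an ID assigned outside it would still be accepted by "ipa user-add", but would not belong to any range IdM knows about, and the uniqueness check is the only thing standing in for the DNA plugin once that plugin is bypassed.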

Environment

  • Red Hat Enterprise Linux (RHEL) 6
  • Identity Management (IdM)
