About IdM ID ranges generated by ipa-ad-trust-posix

Solution Unverified

Environment

  • Red Hat Enterprise Linux (RHEL) 7
  • Identity Management (IdM)/IPA
  • Active Directory (AD)

Issue

We will use 'ipa trust-add' with the ipa-ad-trust-posix option.

  • What is the purpose of the ID range generated by ipa-ad-trust-posix?
  • How does ipa-ad-trust-posix determine its ID range and 'First Posix ID of the range'?
  • Does the range cover all of the AD-defined Posix UID/GIDs?
  • If we manually set ranges (type "Active Directory trust range with POSIX attributes") via the IPA web GUI, is that recommended/supported by Red Hat?

Resolution

When ipa-ad-trust-posix is used, IdM first tries to obtain a POSIX range from AD: IPA retrieves the 'msSFU30MaxUidNumber' and 'msSFU30MaxGidNumber' attributes from AD, together with 'msSFU30OrderNumber', which supplies the first POSIX ID of the range.

These attributes can be queried from PowerShell.

The exact range is calculated as follows:

# 'info' holds the msSFU30 attributes read from AD; each value is a list of strings,
# as returned by an LDAP search. msSFU30MaxGidNumber may be absent (defaults to None).
max_uid = info.get('msSFU30MaxUidNumber')
max_gid = info.get('msSFU30MaxGidNumber', None)
# Take the larger of the two maximum values as the highest ID the range must cover.
max_id = int(max(max_uid, max_gid)[0])
# msSFU30OrderNumber is the first POSIX ID of the range.
base_id = int(info.get('msSFU30OrderNumber')[0])
# Round the span base_id..max_id up to a whole number of DEFAULT_RANGE_SIZE blocks.
range_size = (1 + (max_id - base_id) // DEFAULT_RANGE_SIZE) * DEFAULT_RANGE_SIZE

The purpose of the ID range generated by ipa-ad-trust-posix is reservation: it prevents the same IDs from being used for other purposes. To avoid overlap, a unique ID range must be selected for each domain. The ranges must be continuous and large enough for IdM/AD to assign an ID to every future user and group created in the domain.

The IPA web GUI allows an ID range to be selected manually. By default ipa-ad-trust-posix looks up the ID range in use, but this setting overrides the automatically configured range. Although this is technically possible and supported, customers need to understand the implications: if the range is set incorrectly, IPA might hand out IDs that are already in use by AD.
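The following is an added worked example, not code from IPA or from this solution. It applies the range formula quoted above to a constructed set of msSFU30 attribute values, and then checks a manually chosen range of the kind the web GUI accepts against ranges already in use. The value of DEFAULT_RANGE_SIZE, the sample attribute values and the sample existing ranges are all assumptions made for illustration; the page does not state them.

```python
"""Worked example (added; not IPA's own code): derive the POSIX ID range that
ipa-ad-trust-posix would reserve from the AD msSFU30 attributes, and check a
manually chosen range for overlap with ranges already in use."""

# Assumption: the block size IPA uses when rounding the range. The page does
# not state the value; adjust to match the IPA version in use.
DEFAULT_RANGE_SIZE = 200000

# Constructed sample of what the LDAP lookup of the AD domain's msSFU30
# settings returns. LDAP attribute values arrive as lists of strings.
SAMPLE_AD_INFO = {
    'msSFU30OrderNumber': ['10000'],      # first POSIX ID of the range
    'msSFU30MaxUidNumber': ['523541'],    # highest UID AD has handed out
    'msSFU30MaxGidNumber': ['300021'],    # highest GID AD has handed out
}

# Constructed sample of ID ranges already configured in IdM, as
# (range name, base ID, size). Names and values are made up.
EXISTING_RANGES = [
    ('IDM.EXAMPLE.COM_id_range', 1893200000, 200000),   # local IdM range
    ('AD.EXAMPLE.COM_id_range', 10000, 600000),         # trust range from AD
]


def posix_range_from_ad(info):
    """Return (base_id, range_size) using the formula quoted on the page.

    max_id is the larger of msSFU30MaxUidNumber and msSFU30MaxGidNumber,
    compared as integers; if the GID attribute is absent only the UID counts.
    range_size is rounded up to whole DEFAULT_RANGE_SIZE blocks so that every
    ID from base_id through max_id falls inside the range.
    """
    max_uid = info.get('msSFU30MaxUidNumber')
    if not max_uid:
        raise ValueError('AD returned no msSFU30MaxUidNumber; no POSIX range to reserve')
    candidates = [int(max_uid[0])]
    max_gid = info.get('msSFU30MaxGidNumber')
    if max_gid:
        candidates.append(int(max_gid[0]))
    max_id = max(candidates)
    base_id = int(info['msSFU30OrderNumber'][0])
    range_size = (1 + (max_id - base_id) // DEFAULT_RANGE_SIZE) * DEFAULT_RANGE_SIZE
    return base_id, range_size


def range_covers(base_id, range_size, id_value):
    """True if id_value lies inside the range base_id .. base_id + range_size - 1."""
    return base_id <= id_value < base_id + range_size


def ranges_overlap(a_base, a_size, b_base, b_size):
    """True if the two ranges share at least one ID."""
    return a_base < b_base + b_size and b_base < a_base + a_size


def conflicting_ranges(base_id, range_size, existing=EXISTING_RANGES):
    """Names of existing ranges that a manually chosen range collides with.

    An empty list means the proposed range is unique, which is the condition
    the solution requires before a range is set by hand in the web GUI.
    """
    return [name for name, e_base, e_size in existing
            if ranges_overlap(base_id, range_size, e_base, e_size)]


if __name__ == '__main__':
    base, size = posix_range_from_ad(SAMPLE_AD_INFO)
    print('reserved range: first ID %d, size %d (last ID %d)' % (base, size, base + size - 1))
    print('covers AD max UID:', range_covers(base, size, 523541))
    for proposed in ((500000, 200000), (1000000, 200000)):
        print('manual range %r conflicts with: %r'
              % (proposed, conflicting_ranges(*proposed)))
```

Run as a script, the sample data yields a reserved range starting at 10000 with size 600000, which covers both the maximum UID and the maximum GID AD reported. A manual range starting at 500000 is rejected because it overlaps that trust range, while one starting at 1000000 has no conflicts.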

Component: ipa

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
