On Wed, 17 May 2023, Andreas Binapfl via FreeIPA-users wrote:
> dn: cn=DOMAIN.LOCAL_new_range,cn=ranges,cn=etc,dc=domain,dc=local
> cn: DOMAIN.LOCAL_new_range
> ipabaseid: 1600
> ipaidrangesize: 2000
> iparangetype: ipa-local
> objectclass: ipaIDrange
> objectclass: ipadomainidrange
>
> I think we created this one because we had some old YP users starting their id at 1600
Ok, it does not have RIDs at all, so it cannot be used to assign SIDs to
the objects with POSIX IDs in the range 1600..3600.
It is, however, treated by the range check plugin as having a RID
range 0...2000, which overlaps with the primary (DOMAIN.LOCAL_id_range)
range because that one has its base RID at 1000.
A solution would be to modify this range to put a base range somewhere
outside the main one:
ipa idrange-mod DOMAIN.LOCAL_new_range --rid-base=500000 --secondary-rid-base=503000
You probably need to play with parameters to the bases so that they
don't overlap with the other ranges.
This is how that is detected:
#include <stdbool.h>
#include <stdint.h>

/**
 * connected ranges must not overlap:
 *
 * existing range:  base   rid   sec_rid
 *                  |      |  \  /  |
 *                  |      |   \/   |
 *                  |      |   /\   |
 *                  |      |  /  \  |
 * new range:       base   rid   sec_rid
 **/

/* true if x lies inside [base, base + size) */
#define IN_RANGE(x,base,size) ( (x) >= (base) && ((x) - (base) < (size)) )

/* Two intervals [x, x + x_size) and [base, base + base_size) overlap if
 * either end of one lies inside the other. */
static bool intervals_overlap(uint32_t x, uint32_t base, uint32_t x_size,
                              uint32_t base_size)
{
    if (IN_RANGE(x, base, base_size) ||
        IN_RANGE((x + x_size - 1), base, base_size) ||
        IN_RANGE(base, x, x_size) ||
        IN_RANGE((base + base_size - 1), x, x_size)) {
        return true;
    }
    return false;
}
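As an added example (not from the thread or the plugin's source), here are the thread's two ranges run through the same overlap test, with a simplified model of the plugin's cross-check between primary and secondary RID intervals; the primary range's size (200000) and secondary base RID (100000000) are assumed, only its base RID 1000 comes from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One ID range as the range check sees it. A range without RID bases
 * (like DOMAIN.LOCAL_new_range) is modelled as base_rid = sec_rid = 0. */
struct rid_range {
    const char *name;
    uint32_t size;      /* ipaidrangesize */
    uint32_t base_rid;  /* ipabaserid, 0 when absent */
    uint32_t sec_rid;   /* ipasecondarybaserid, 0 when absent */
};

#define IN_RANGE(x,base,size) ( (x) >= (base) && ((x) - (base) < (size)) )

static bool intervals_overlap(uint32_t x, uint32_t base,
                              uint32_t x_size, uint32_t base_size)
{
    return IN_RANGE(x, base, base_size) ||
           IN_RANGE((x + x_size - 1), base, base_size) ||
           IN_RANGE(base, x, x_size) ||
           IN_RANGE((base + base_size - 1), x, x_size);
}

/* Simplified model of the plugin's cross-check: a conflict exists if any
 * RID interval of a touches any RID interval of b (sizes must be > 0). */
static bool rid_ranges_conflict(const struct rid_range *a,
                                const struct rid_range *b)
{
    return intervals_overlap(a->base_rid, b->base_rid, a->size, b->size) ||
           intervals_overlap(a->sec_rid,  b->sec_rid,  a->size, b->size) ||
           intervals_overlap(a->base_rid, b->sec_rid,  a->size, b->size) ||
           intervals_overlap(a->sec_rid,  b->base_rid, a->size, b->size);
}

/* Assumed primary range (size and secondary base are not from the thread). */
static const struct rid_range primary    = {"DOMAIN.LOCAL_id_range", 200000, 1000, 100000000};
/* DOMAIN.LOCAL_new_range as created (no RIDs) and after the suggested idrange-mod. */
static const struct rid_range new_before = {"DOMAIN.LOCAL_new_range", 2000, 0, 0};
static const struct rid_range new_after  = {"DOMAIN.LOCAL_new_range", 2000, 500000, 503000};

int main(void)
{
    printf("before fix: %s\n", rid_ranges_conflict(&primary, &new_before) ? "overlap" : "ok");
    printf("after fix:  %s\n", rid_ranges_conflict(&primary, &new_after) ? "overlap" : "ok");
    return 0;
}
```

The missing RID bases collapse to the interval 0..1999, which crosses the primary's 1000..200999; with the bases moved to 500000/503000 neither interval touches the primary, and the new range's own two intervals stay 3000 apart, so they do not overlap each other either.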
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland