Change DNA magic value to -1 to make UID 999 usable

Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.

For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.

Tests included

https://fedorahosted.org/freeipa/ticket/2886

2 files changed, 3 insertions, 3 deletions

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index b9fc00c8d..dd3ad617b 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -101,7 +101,7 @@ bool secrets_store(const char *key, const void *data, size_t size); /* available
 
 #define IPA_KEYTAB_SET_OID "2.16.840.1.113730.3.8.10.1"
 #define IPA_KEYTAB_SET_OID_OLD "2.16.840.1.113730.3.8.3.1"
-#define IPA_MAGIC_ID_STR "999"
+#define IPA_MAGIC_ID_STR "-1"
 
 #define LDAP_ATTRIBUTE_CN "cn"
 #define LDAP_ATTRIBUTE_UID "uid"
diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif
index b646c2b10..08b43277f 100644
--- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif
+++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-conf.ldif
@@ -24,5 +24,5 @@ ipaWinSyncDefaultGroupAttr: ipaDefaultPrimaryGroup
 ipaWinSyncDefaultGroupFilter: (gidNumber=*)(objectclass=posixGroup)(objectclass=groupOfNames)
 ipaWinSyncAcctDisable: both
 ipaWinSyncForceSync: true
-ipaWinSyncUserAttr: uidNumber 999
-ipaWinSyncUserAttr: gidNumber 999
+ipaWinSyncUserAttr: uidNumber -1
+ipaWinSyncUserAttr: gidNumber -1