Change DNA magic value to -1 to make UID 999 usable

Change user-add's uid & gid parameters from autofill to optional.
Change the DNA magic value to -1.

For old clients, which will still send 999 when they want DNA
assignment, translate the 999 to -1. This is done via a new
capability, optional_uid_params.

Tests included

https://fedorahosted.org/freeipa/ticket/2886

3 files changed, 12 insertions, 2 deletions

diff --git a/install/share/default-smb-group.ldif b/install/share/default-smb-group.ldif
index abcc8a945..3d2e2a04c 100644
--- a/install/share/default-smb-group.ldif
+++ b/install/share/default-smb-group.ldif
@@ -2,7 +2,7 @@ dn: cn=Default SMB Group,cn=groups,cn=accounts,$SUFFIX
 changetype: add
 cn: Default SMB Group
 description: Fallback group for primary group RID, do not add users to this group
-gidnumber: 999
+gidnumber: -1
 objectclass: top
 objectclass: ipaobject
 objectclass: posixgroup
diff --git a/install/share/dna.ldif b/install/share/dna.ldif
index ee927fcc5..86be44ccf 100644
--- a/install/share/dna.ldif
+++ b/install/share/dna.ldif
@@ -9,7 +9,7 @@ dnaType: uidNumber
 dnaType: gidNumber
 dnaNextValue: eval($IDSTART)
 dnaMaxValue: eval($IDMAX)
-dnaMagicRegen: 999
+dnaMagicRegen: -1
 dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
 dnaScope: $SUFFIX
 dnaThreshold: 500
diff --git a/install/updates/20-dna.update b/install/updates/20-dna.update
index b83a3703d..04047dd12 100644
--- a/install/updates/20-dna.update
+++ b/install/updates/20-dna.update
@@ -1,3 +1,13 @@
 # Enable the DNA plugin
 dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
 only:nsslapd-pluginEnabled: on
+
+# Change the magic value to -1
+dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+only:dnaMagicRegen: -1
+
+dn: cn=ipa-winsync,cn=plugins,cn=config
+remove:ipaWinSyncUserAttr: uidNumber 999
+remove:ipaWinSyncUserAttr: gidNumber 999
+add:ipaWinSyncUserAttr: uidNumber -1
+add:ipaWinSyncUserAttr: gidNumber -1