author | Simo Sorce <ssorce@redhat.com> | 2010-11-11 18:15:28 -0500 |
---|---|---|
committer | Adam Young <ayoung@redhat.com> | 2010-11-22 12:42:16 -0500 |
commit | 6a5c4763afad6fec2b49ffadbca9628a7ed162d5 (patch) | |
tree | d3f4016a9c25f63a205e39d53eebcec5e0c35e38 /install/tools | |
parent | 61e2016ee3e52d938557c0bed0248476555b0afa (diff) | |
id ranges: change DNA configuration
Change the way we specify the id ranges to force uid and gid ranges to always
be the same. Add option to specify a maximum id.
Change DNA configuration to use shared ranges so that masters and replicas can
actually share the same overall range in a safe way.
Configure replicas so that their default range is depleted. This will force
them to fetch a range portion from the master on the first install.
fixes: https://fedorahosted.org/freeipa/ticket/198
Diffstat (limited to 'install/tools')
-rwxr-xr-x | install/tools/ipa-replica-install | 8 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 21 | ||||
-rw-r--r-- | install/tools/man/ipa-server-install.1 | 7 |
3 files changed, 25 insertions, 11 deletions
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index fb6dd46f..e58a1f3f 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -176,7 +176,13 @@ def install_ds(config):
 config.dir + "/dirsrv_pin.txt")
 ds = dsinstance.DsInstance()
- ds.create_instance(config.ds_user, config.realm_name, config.host_name, config.domain_name, config.dirman_password, pkcs12_info)
+ # idstart and idmax are configured so that the range is seen as depleted
+ # by the DNA plugin and the replica will go and get a new range from the
+ # master.
+ # This way all servers use the initially defined range by default.
+ ds.create_instance(config.ds_user, config.realm_name, config.host_name,
+ config.domain_name, config.dirman_password,
+ pkcs12_info, idstart=1101, idmax=1100)
 return ds
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index b3e724e4..6a9d1bc5 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -124,10 +124,10 @@ def parse_options():
 default=False,
 help="Do not use DNS for hostname lookup during installation")
- parser.add_option("--uidstart", dest="uidstart", default=namespace, type=int,
- help="The starting uid value (default random)")
- parser.add_option("--gidstart", dest="gidstart", default=namespace, type=int,
- help="The starting gid value (default random)")
+ parser.add_option("--idstart", dest="idstart", default=namespace, type=int,
+ help="The starting value for the IDs range (default random)")
+ parser.add_option("--idmax", dest="idmax", default=0, type=int,
+ help="The max value value for the IDs range (default random)")
 parser.add_option("--subject", dest="subject",
 help="The certificate subject base (default O=<realm-name>)")
 parser.add_option("--no_hbac_allow", dest="hbac_allow", default=False,
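Review bot: The new create_instance call in install_ds hard-codes `idstart=1101, idmax=1100`, and the comment above it never states that the only property relied on is idmax < idstart, so a later reader can easily mistake 1100/1101 for a real range tied to the master's --idstart. Make that explicit next to the call, e.g. `# sentinel, not a range: any idmax < idstart marks the local range as depleted`, or bind the two values to a named constant pair so they cannot drift apart independently. Whether the DNA plugin treats such a configuration as depleted rather than rejecting it is not visible here and should be confirmed against the plugin behaviour. install_ds starts outside the hunk.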
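Review bot: The help string for the new `--idmax` option is wrong on two counts: "value value" is a typo, and the default is not random, since `default=0` is resolved later in parse_options to idstart + 1000000 - 1 (the @@ -176 hunk below), so "(default random)" misdescribes it. Suggested: `help="The max value for the IDs range (default idstart + 999999)")`. The man page hunk in this commit documents --idstart but adds no entry for --idmax, so the option is undocumented for users; it should gain an entry with the same wording. parse_options continues outside the hunk.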
@@ -176,6 +176,13 @@ def parse_options():
 if (options.external_cert_file and not os.path.isabs(options.external_cert_file)):
 parser.error("--external-cert-file must use an absolute path")
+ if options.idmax == 0:
+ options.idmax = int(options.idstart) + 1000000 - 1
+
+ if options.idmax < options.idstart:
+ parse.error("idmax (%u) cannot be smaller than idstart (%u)" %
+ (options.idmax, options.idstart))
+
 #Automatically disable pkinit w/ dogtag until that is supported
 if not options.pkinit_pkcs12 and not options.selfsign:
 options.setup_pkinit = False
@@ -739,7 +746,11 @@ def main():
 finally:
 os.remove(pw_name)
 else:
- ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, self_signed_ca=options.selfsign, uidstart=options.uidstart, gidstart=options.gidstart, subject_base=options.subject, hbac_allow=not options.hbac_allow)
+ ds.create_instance(ds_user, realm_name, host_name, domain_name,
+ dm_password, self_signed_ca=options.selfsign,
+ idstart=options.idstart, idmax=options.idmax,
+ subject_base=options.subject,
+ hbac_allow=not options.hbac_allow)
 if options.pkinit_pin:
 [pw_fd, pw_name] = tempfile.mkstemp()
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 0d4d8c52..8fb58a0e 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -95,11 +95,8 @@ The password of the Directory Server PKCS#12 file
 \fB\-\-http_pin\fR=\fIHTTP_PIN\fR
 The password of the Apache Server PKCS#12 file
 .TP
-\fB\-\-uidstart\fR=\fIUIDSTART\fR
-The starting user id number (default random)
-.TP
-\fB\-\-gidstart\fR=\fIGIDSTART\fR
-The starting group id number (default random)
+\fB\-\-idstart\fR=\fIIDSTART\fR
+The starting user and group id number (default random)
 .TP
 \fB\-\-subject\fR=\fISUBJECT\fR
 The certificate subject base (default O=REALM.NAME) |
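Review bot: The added range check calls `parse.error(...)`, but the parser object in this function is `parser` (used on the context line just above for --external-cert-file), so a user who passes an --idmax smaller than --idstart gets a NameError traceback instead of the intended usage error; the line should read `parser.error("idmax (%u) cannot be smaller than idstart (%u)" %`. Using 0 as the "not given" sentinel also means an explicit `--idmax 0` is silently replaced by the computed default rather than rejected by this check; a `None` default (with `if options.idmax is None:`) would keep the two cases apart. The `int(options.idstart)` conversion is redundant since the option is declared with `type=int` in the @@ -124 hunk. parse_options continues outside the hunk.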