On Wed, 17 May 2023, Andreas Binapfl via FreeIPA-users wrote:
> dn: cn=DOMAIN.LOCAL_new_range,cn=ranges,cn=etc,dc=domain,dc=local
> cn: DOMAIN.LOCAL_new_range
> ipabaseid: 1600
> ipaidrangesize: 2000
> iparangetype: ipa-local
> objectclass: ipaIDrange
> objectclass: ipadomainidrange
>
> I think we created this one because we had some old YP users starting their id
> at 1600

Ok, it does not have RIDs at all, so it cannot be used to assign SIDs to
the objects with POSIX IDs in the range 1600..3600.
It is, however, treated by the range check plugin as having a RID
range 0...2000, which overlaps with the primary (DOMAIN.LOCAL_id_range)
range because that one has its starting base RID at 1000.

A solution would be to modify this range to put a base range somewhere
outside the main one:

ipa idrange-mod DOMAIN.LOCAL_new_range --rid-base=500000 --secondary-rid-base=503000

You probably need to play with parameters to the bases so that they
don't overlap with the other ranges.

This is how that is detected:

/**
 * connected ranges must not overlap:
 * existing range:  base  rid  sec_rid
 *                   |     |  \  / |
 *                   |     |   \/  |
 *                   |     |   /\  |
 *                   |     |  /  \ |
 * new range:       base  rid  sec_rid
 **/

#include <stdbool.h>
#include <stdint.h>

/* True if x lies in the closed interval [base, base + size - 1]. */
#define IN_RANGE(x,base,size) ( (x) >= (base) && ((x) - (base) < (size)) )

/* Two intervals [x, x + x_size - 1] and [base, base + base_size - 1]
 * overlap if either endpoint of one lies inside the other. */
static bool intervals_overlap(uint32_t x, uint32_t base, uint32_t x_size,
                              uint32_t base_size)
{
    if (IN_RANGE(x, base, base_size) ||
        IN_RANGE((x + x_size - 1), base, base_size) ||
        IN_RANGE(base, x, x_size) ||
        IN_RANGE((base + base_size - 1), x, x_size)) {
        return true;
    }

    return false;
}

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
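As an added illustration (not code from the FreeIPA plugin or from anyone in this thread), the C program below models the overlap check described above and runs it against the two ranges in question, before and after the suggested idrange-mod. The primary range's base RID of 1000 and the new range's base ID 1600 / size 2000 come from the thread; the primary range's POSIX base ID, size and secondary base RID are assumed (FreeIPA-style defaults), a range without RIDs is modelled as having base RID and secondary base RID 0, and the ranges_conflict and rid_intervals_self_consistent helpers are a simplified reconstruction of the cross checks in the plugin comment, not the plugin's own code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of one ipaIDrange entry. A range created without RIDs (like
 * DOMAIN.LOCAL_new_range in the thread) is modelled here with rid_base and
 * sec_rid_base at 0, which is what makes it look like RIDs 0..size-1. */
struct idrange {
    const char *name;
    uint32_t base_id;       /* ipaBaseID */
    uint32_t size;          /* ipaIDRangeSize */
    uint32_t rid_base;      /* ipaBaseRID, 0 when absent (assumption) */
    uint32_t sec_rid_base;  /* ipaSecondaryBaseRID, 0 when absent (assumption) */
};

/* Same interval test as the plugin excerpt quoted in the mail:
 * closed intervals [x, x+x_size-1] and [base, base+base_size-1]. */
#define IN_RANGE(x, base, size) ((x) >= (base) && ((x) - (base) < (size)))

static bool intervals_overlap(uint32_t x, uint32_t base,
                              uint32_t x_size, uint32_t base_size)
{
    if (x_size == 0 || base_size == 0) {
        return false;  /* added guard: an empty interval overlaps nothing */
    }
    return IN_RANGE(x, base, base_size) ||
           IN_RANGE(x + x_size - 1, base, base_size) ||
           IN_RANGE(base, x, x_size) ||
           IN_RANGE(base + base_size - 1, x, x_size);
}

/* Two local ranges conflict when their POSIX IDs overlap or when any of
 * their RID intervals overlap, including the cross check drawn in the
 * plugin comment (existing rid vs new sec_rid and vice versa).
 * Simplified reconstruction for illustration, not the plugin's code. */
static bool ranges_conflict(const struct idrange *a, const struct idrange *b)
{
    return intervals_overlap(a->base_id, b->base_id, a->size, b->size) ||
           intervals_overlap(a->rid_base, b->rid_base, a->size, b->size) ||
           intervals_overlap(a->sec_rid_base, b->sec_rid_base, a->size, b->size) ||
           intervals_overlap(a->rid_base, b->sec_rid_base, a->size, b->size) ||
           intervals_overlap(a->sec_rid_base, b->rid_base, a->size, b->size);
}

/* A range's own primary and secondary RID intervals must not overlap
 * either; this is the "play with the parameters" caveat from the mail. */
static bool rid_intervals_self_consistent(const struct idrange *r)
{
    return !intervals_overlap(r->rid_base, r->sec_rid_base, r->size, r->size);
}

/* Constructed data. Base RID 1000 for the primary range is from the thread;
 * its base ID, size and secondary base RID are assumed. */
static const struct idrange primary = {
    "DOMAIN.LOCAL_id_range", 1870000000u, 200000u, 1000u, 100000000u
};

/* The range from the thread as it stands: POSIX IDs 1600..3599, no RIDs. */
static const struct idrange new_range_as_is = {
    "DOMAIN.LOCAL_new_range", 1600u, 2000u, 0u, 0u
};

/* The same range after
 *   ipa idrange-mod DOMAIN.LOCAL_new_range --rid-base=500000 --secondary-rid-base=503000 */
static const struct idrange new_range_fixed = {
    "DOMAIN.LOCAL_new_range", 1600u, 2000u, 500000u, 503000u
};

/* True when the as-is range is flagged and the modified one passes. */
bool check_thread_scenario(void)
{
    return ranges_conflict(&primary, &new_range_as_is) &&
           !ranges_conflict(&primary, &new_range_fixed) &&
           rid_intervals_self_consistent(&new_range_fixed);
}

int main(void)
{
    printf("%s as-is:    %s\n", new_range_as_is.name,
           ranges_conflict(&primary, &new_range_as_is) ? "conflict" : "ok");
    printf("%s modified: %s\n", new_range_fixed.name,
           ranges_conflict(&primary, &new_range_fixed) ? "conflict" : "ok");
    return check_thread_scenario() ? 0 : 1;
}
```

The as-is range trips the check only through its RID intervals (its POSIX IDs 1600..3599 sit far below the assumed primary base ID), which matches the diagnosis that the empty RID attributes are what collide with the primary range's RIDs starting at 1000. Choosing a secondary base closer than the range size to the new base RID (e.g. 501000) would fail rid_intervals_self_consistent even though neither value collides with the primary range.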