Hi,

On Sat, Jun 21, 2025 at 11:28 AM alexey safonov <[email protected]> wrote:
> I'm not sure if I need that subordinate and what is the impact in
> future, since I just created it to random user
>

Subordinate ids are typically used for containers, so that your "random user" has a range of ids that can be mapped to uid/gid inside the container.
Please read https://opensource.com/article/19/2/how-does-rootless-podman-work

If you don't plan to have your "random user" run containers in rootless mode, you probably don't need to assign him subordinate ids.

flo

>
> Thu, 12 Jun 2025 at 16:48, Florence Blanc-Renaud <[email protected]>:
> >
> > Hi,
> >
> > On Mon, Jun 9, 2025 at 11:57 AM alexey safonov via FreeIPA-users <[email protected]> wrote:
> >>
> >> Hi team,
> >>
> >> I accidentally created subordinateID and made some random user as an
> >> owner. So right now we are not using that function and I'd like to
> >> delete it. Could not find how to do that. Any suggestions?
> >
> > There is no supported method allowing to remove a subid, please see
> > https://freeipa.readthedocs.io/en/ipa-4-11/designs/subordinate-ids.html#revision-1-limitation :
> > once assigned subids cannot be removed.
> >
> > However if you feel adventurous, you can use ldapdelete to directly remove the entry.
> > Let's take the following example where I created a user "flo" and assigned subid to this user:
> > [root@server ~]# ipa subid-find --owner flo --all --raw
> > ------------------------
> > 1 subordinate id matched
> > ------------------------
> > dn: ipauniqueid=64bf0eb6-d58f-4a83-a3d1-38e24da9bd72,cn=subids,cn=accounts,dc=ipa,dc=test
> > ipauniqueid: 64bf0eb6-d58f-4a83-a3d1-38e24da9bd72
> > description: auto-assigned subid
> > ipaowner: uid=flo,cn=users,cn=accounts,dc=ipa,dc=test
> > ipasubuidnumber: 2147483648
> > ipasubuidcount: 65536
> > ipasubgidnumber: 2147483648
> > ipasubgidcount: 65536
> > objectclass: ipasubordinateidentry
> > objectclass: ipasubordinateid
> > objectclass: ipasubordinategid
> > objectclass: ipasubordinateuid
> > objectclass: top
> > ----------------------------
> > Number of entries returned 1
> > ----------------------------
> >
> > The above command displays the DN of the subid entry. You can then use ldapdelete to remove it:
> > [root@server ~]# ldapdelete -D cn=directory\ manager -w password ipauniqueid=64bf0eb6-d58f-4a83-a3d1-38e24da9bd72,cn=subids,cn=accounts,dc=ipa,dc=test
> >
> > Check again, the entry is removed:
> > [root@server ~]# ipa subid-find --owner flo
> > -------------------------
> > 0 subordinate ids matched
> > -------------------------
> > ----------------------------
> > Number of entries returned 0
> > ----------------------------
> >
> > flo
> >>
> >>
> >> Alex
> >> --
> >> _______________________________________________
> >> FreeIPA-users mailing list -- [email protected]
> >> To unsubscribe send an email to [email protected]
> >> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> >> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
> >
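A pre-deletion check for the find-then-ldapdelete procedure quoted in the thread, added here as an example and not code from the thread or from FreeIPA: it parses `ipa subid-find --all --raw` output, returns a DN only when exactly one entry matches, sits under cn=subids,cn=accounts and belongs to the expected owner, and reports the host uid range that entry grants. The function names and the abridged sample input are assumptions constructed for illustration.

```python
import re

# Constructed sample, abridged from the `ipa subid-find --owner flo --all --raw` output in the thread.
SAMPLE = """\
1 subordinate id matched
------------------------
dn: ipauniqueid=64bf0eb6-d58f-4a83-a3d1-38e24da9bd72,cn=subids,cn=accounts,dc=ipa,dc=test
ipaowner: uid=flo,cn=users,cn=accounts,dc=ipa,dc=test
ipasubuidnumber: 2147483648
ipasubuidcount: 65536
objectclass: ipasubordinateid
objectclass: top
----------------------------
Number of entries returned 1
"""

def parse_entries(text):
    """Split raw subid-find output into one {attr: [values]} dict per entry."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][\w-]*):\s*(.*)$", line)
        if not m:
            continue  # separator, count or blank line
        attr, value = m.group(1).lower(), m.group(2).strip()
        if attr == "dn":
            entries.append({})  # every entry starts with its dn line
        if entries:
            entries[-1].setdefault(attr, []).append(value)
    return entries

def deletion_target(text, owner_uid):
    """Return (dn, first_subuid, last_subuid), or raise if the match is not safe to delete."""
    entries = parse_entries(text)
    if len(entries) != 1:
        raise ValueError(f"expected exactly 1 subid entry, found {len(entries)}")
    e = entries[0]
    dn = e["dn"][0]
    low = dn.lower()
    if not (low.startswith("ipauniqueid=") and ",cn=subids,cn=accounts," in low):
        raise ValueError(f"not a subid entry DN: {dn}")
    if "ipasubordinateid" not in (v.lower() for v in e.get("objectclass", [])):
        raise ValueError("entry lacks objectclass ipasubordinateid")
    if not e.get("ipaowner", [""])[0].lower().startswith(f"uid={owner_uid.lower()},"):
        raise ValueError(f"entry is not owned by {owner_uid}")
    first = int(e["ipasubuidnumber"][0])
    last = first + int(e["ipasubuidcount"][0]) - 1  # range is inclusive
    return dn, first, last

if __name__ == "__main__":
    dn, first, last = deletion_target(SAMPLE, "flo")
    print(f"flo owns host uids {first}-{last}; entry to delete: {dn}")
```

The returned DN is the argument the quoted `ldapdelete` command takes; the uid range is what a rootless container run by that user could map.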
