ipa-idrange-fix - Man Page
Analyse and fix IPA ID ranges
Synopsis
ipa-idrange-fix [options]
Description
ipa-idrange-fix analyses the existing IPA ID ranges, finds users and groups whose IDs lie outside those ranges, and proposes and applies remediations so that as many users and groups as possible end up in IPA-managed ranges. Before any changes are applied, a full backup of the system is STRONGLY RECOMMENDED.
Do not use this program in unattended mode unless you are absolutely sure you are consenting to the tool's proposals.
You can apply the proposals manually via ipa idrange(1) commands.
This tool must be run as root; it does not require a Kerberos ticket. The directory server needs to be running.
ipa-idrange-fix reads the current ranges from LDAP and checks their basic constraints, RID bases and so on. If it finds critical issues with the ranges, manual adjustment is required.
After analysing the existing ranges, the tool searches for users and groups that lie outside the ipa-local ranges, then proposes new ipa-local ranges to cover them.
Finally, the tool summarizes the analysis and, if there are proposed changes, asks whether the user wants to apply them. Please read the proposals carefully before proceeding with changes!
Important note: By default, ipa-idrange-fix does not cover users and groups with IDs under 1000, because those IDs are reserved for system and service users and groups. We don't recommend using IDs under 1000 for IPA users and groups, as they may overlap with local ones. Please consider moving those users out of the range 1..1000 unless they are absolutely needed.
Options
- --version
Show the program's version and exit.
- -h, --help
Show the help for this program.
- --ridoffset INT
An offset between the base RIDs of newly proposed ranges. The offset leaves room to grow a range in the future; growing a range by more than the offset would make RID bases overlap and is denied. If set to 0, there is no offset and the proposed RID ranges start directly one after another.
Default - 100000, allowed values - from 0 to 2^31.
- --rangegap INT
The number of IDs between two out-of-range IDs beyond which they are considered too far apart to belong to the same proposed range. If the gap is bigger than this value, a new range is started. If set to 0, every entity gets its own range, if allowed by --minrange.
Default - 200000, allowed values - from 0 to 2^31.
- --minrange INT
The minimum number of IDs the tool considers a valid range. IDs that would form a range smaller than this are treated as outliers, not worth creating an ID range for, and are listed explicitly to be moved manually. If set to 1, a range is proposed for every entity, even a single entity in the middle of empty ID space.
Default - 10, allowed values - from 1 to 2^31.
- --allowunder1000
A flag to allow proposing ranges that start with IDs lower than 1000. Remember, this is not recommended: IDs under 1000 are reserved for system and service users and groups. ID ranges with these low IDs may cause IPA and local system users and groups to overlap, which can be a serious security issue and generally causes many problems with resolving these entities.
- --norounding
A flag to turn off rounding of the proposed range's starting ID and size. For example, if the tool finds ID 1234 and a size of 567, they stay that way: the proposed range starts at ID 1234 and has size 567. If not specified, basic rounding to the outer margins is applied, to a power of ten determined by the size of the proposed range.
- --unattended
Run the tool in unattended mode: any changes that would be proposed are applied automatically, without asking for confirmation.
- -v, --verbose
Print debugging information.
- -q, --quiet
Output only errors (output from child processes may still be shown).
- --log-file=FILE
Log to the given file.
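The --rangegap, --minrange, --ridoffset, --allowunder1000 and --norounding options above interact, and it is easier to judge a proposal when the grouping rule is visible. The following is an added Python model of that logic, written for this page; it is not ipa-idrange-fix's own code, and the exact clustering, "outer margin" rounding (here: round the start down and the end up to a power of ten chosen from the number of digits in the span) and RID-base assignment are assumptions derived from the option descriptions. The existing range, the user/group IDs and the first free RID are constructed sample values.

```python
"""Model of the range-proposal logic described by the ipa-idrange-fix options.

Added example, not the tool's code: clustering, rounding and RID-base rules
are assumptions based on the man page text. Sample data is constructed.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

Range = Tuple[int, int]  # (first ID, number of IDs), like an ipa-local idrange


@dataclass
class Proposal:
    start: int     # first ID of the proposed range
    size: int      # number of IDs in the proposed range
    rid_base: int  # proposed base RID (assumed: previous base + size + ridoffset)


def covered(pid: int, ranges: Sequence[Range]) -> bool:
    """True if pid already falls inside one of the given ranges."""
    return any(s <= pid < s + n for s, n in ranges)


def overlaps(start: int, size: int, ranges: Sequence[Range]) -> bool:
    """True if [start, start+size) intersects any of the given ranges."""
    end = start + size - 1
    return any(s <= end and start <= s + n - 1 for s, n in ranges)


def cluster_ids(ids: Sequence[int], rangegap: int) -> List[List[int]]:
    """Split sorted IDs into clusters; a gap larger than rangegap starts a new
    cluster, so rangegap=0 puts every distinct ID in its own cluster."""
    clusters: List[List[int]] = []
    for pid in ids:
        if clusters and pid - clusters[-1][-1] <= rangegap:
            clusters[-1].append(pid)
        else:
            clusters.append([pid])
    return clusters


def round_outward(start: int, end: int) -> Tuple[int, int]:
    """Assumed 'outer margin' rounding: granularity is 10 ** digits(span),
    start is rounded down and end is rounded up (1234..1800 -> 1000..1999)."""
    span = end - start + 1
    gran = 10 ** len(str(span))
    return (start // gran) * gran, (end // gran + 1) * gran - 1


def propose_ranges(ids: Sequence[int], existing: Sequence[Range], first_rid: int, *,
                   rangegap: int = 200000, minrange: int = 10, ridoffset: int = 100000,
                   allow_under_1000: bool = False, rounding: bool = True
                   ) -> Tuple[List[Proposal], List[int]]:
    """Return (proposed ranges, outlier IDs that must be moved manually)."""
    outside = sorted({i for i in ids if not covered(i, existing)})
    # IDs under 1000 are only considered with --allowunder1000.
    outliers = [i for i in outside if i < 1000 and not allow_under_1000]
    candidates = [i for i in outside if i >= 1000 or allow_under_1000]
    proposals: List[Proposal] = []
    next_rid = first_rid
    for cluster in cluster_ids(candidates, rangegap):
        start, end = cluster[0], cluster[-1]
        if end - start + 1 < minrange:      # too small: --minrange outlier
            outliers.extend(cluster)
            continue
        if rounding:                        # skipped with --norounding
            r_start, r_end = round_outward(start, end)
            if not allow_under_1000:
                r_start = max(r_start, 1000)
            taken = list(existing) + [(p.start, p.size) for p in proposals]
            # Keep the rounded range only if it collides with nothing.
            if not overlaps(r_start, r_end - r_start + 1, taken):
                start, end = r_start, r_end
        size = end - start + 1
        proposals.append(Proposal(start, size, next_rid))
        next_rid += size + ridoffset
    return proposals, sorted(outliers)


# Constructed sample: one existing ipa-local range and some user/group IDs.
EXISTING: List[Range] = [(100000, 200000)]          # covers 100000..299999
SAMPLE_IDS = [950, 1500, 1520, 1534, 1600, 5000, 150000, 800000, 800005, 800012]
FIRST_FREE_RID = 300000                              # assumed caller-supplied

if __name__ == "__main__":
    for gap in (200000, 1000):
        ranges, left = propose_ranges(SAMPLE_IDS, EXISTING, FIRST_FREE_RID, rangegap=gap)
        print(f"--rangegap {gap}: proposals={ranges} outliers={left}")
```

With the defaults the IDs 1500..5000 fall into one cluster and are rounded to a range of 1000..9999; with --rangegap 1000 the lone ID 5000 becomes an outlier (span 1 < --minrange 10) and the first proposal shrinks to 1000..1999. Running with rounding disabled shows the proposals exactly as the IDs were found, which is what --norounding does.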
Exit Status
0 if the command was successful
1 if an error occurred
See Also
ipa idrange-mod(1), ipa idrange-add(1)