Add now options ldap_min_id and ldap_max_id

Currently the range for Posix IDs stored in an LDAP server is unbound.
This might lead to conflicts in a setup with AD and trusts when the
configured domain uses IDs from LDAP. With the two noe options this
conflict can be avoided.

7 files changed, 33 insertions, 0 deletions

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 4d7629e1..1bc4f1bf 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -309,6 +309,8 @@ option_strings = {
 
     'ldap_groups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups'),
     'ldap_initgroups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups'),
+    'ldap_min_id' : _('Set lower boundary for allowed IDs from the LDAP server'),
+    'ldap_max_id' : _('Set upper boundary for allowed IDs from the LDAP server'),
 
     # [provider/ldap/auth]
     'ldap_pwd_policy' : _('Policy to evaluate the password expiration'),
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index 870cf20f..eb239664 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -117,6 +117,8 @@ ldap_idmap_default_domain_sid = str, None, false
 ldap_groups_use_matching_rule_in_chain = bool, None, false
 ldap_initgroups_use_matching_rule_in_chain = bool, None, false
 ldap_rfc2307_fallback_to_local_users = bool, None, false
+ldap_min_id = int, None, false
+ldap_max_id = int, None, false
 
 [provider/ldap/auth]
 ldap_pwd_policy = str, None, false
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
index fd29650e..12e91524 100644
--- a/src/man/sssd-ldap.5.xml
+++ b/src/man/sssd-ldap.5.xml
@@ -1434,6 +1434,27 @@
                 </varlistentry>
 
                 <varlistentry>
+                    <term>ldap_min_id, ldap_max_id (interger)</term>
+                    <listitem>
+                        <para>
+                            In contrast to the SID based ID mapping which is
+                            used if ldap_id_mapping is set to true the allowed
+                            ID range for ldap_user_uid_number and
+                            ldap_group_gid_number is unbound. In a setup with
+                            sub/trusted-domains this might lead to ID
+                            collisions. To avoid collisions ldap_min_id and
+                            ldap_max_id can be set to restrict the allowed
+                            range for the IDs which are read directly from the
+                            server. Sub-domains can then pick other ranges to
+                            map IDs.
+                        </para>
+                        <para>
+                            Default: not set (both options are set to 0)
+                        </para>
+                    </listitem>
+                </varlistentry>
+
+                <varlistentry>
                     <term>ldap_sasl_mech (string)</term>
                     <listitem>
                         <para>
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
index ba03c232..2c60b761 100644
--- a/src/providers/ad/ad_opts.h
+++ b/src/providers/ad/ad_opts.h
@@ -124,6 +124,8 @@ struct dp_option ad_def_ldap_opts[] = {
     { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+    { "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
+    { "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
     DP_OPTION_TERMINATOR
 };
 
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index 6246f589..139008b1 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -148,6 +148,8 @@ struct dp_option ipa_def_ldap_opts[] = {
     { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+    { "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
+    { "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
     DP_OPTION_TERMINATOR
 };
 
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index 6857d4ca..a6c821f3 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -115,6 +115,8 @@ struct dp_option default_basic_opts[] = {
     { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
     { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+    { "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
+    { "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
     DP_OPTION_TERMINATOR
 };
 
diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h
index 6f10efa4..9fbe04b6 100644
--- a/src/providers/ldap/sdap.h
+++ b/src/providers/ldap/sdap.h
@@ -219,6 +219,8 @@ enum sdap_basic_opt {
     SDAP_AD_MATCHING_RULE_INITGROUPS,
     SDAP_RFC2307_FALLBACK_TO_LOCAL_USERS,
     SDAP_DISABLE_RANGE_RETRIEVAL,
+    SDAP_MIN_ID,
+    SDAP_MAX_ID,
 
     SDAP_OPTS_BASIC /* opts counter */
 };