#2886 DNA-assigned uid/gid numbers given when asked for 999
Closed: Fixed None Opened 11 years ago by pviktori.

# ipa user-add administrator --uid=999 --gidnumber=132
--first=administrator --last=administrator
--------------------------
Added user "administrator"
--------------------------
…
  UID: 721000062
…

We should not silently assign numbers different than the user has specified. Either the DNA magic value should be non-numeric, or the above command should fail.

The client sends the default value when the number is left out, so there's currently no way to distinguish between 999 and missing value on the server, but we could use the API version to see if the client is fixed.
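An added illustration of the ambiguity described above and of the version-gated resolution the report hints at. This is example code written for this page, not FreeIPA or 389 DS code; the threshold version, the stand-in for the DNA plugin and the generated number are constructed assumptions.

```python
"""Model of the uid/gid 999 ambiguity and a client-capability check.

Added example (not FreeIPA or 389 DS code). Assumptions, labelled as such:
OPTIONAL_UID_MIN_VERSION, simulate_dna() and the generated number are all
constructed for illustration.
"""

DNA_MAGIC = 999  # value the DNA plugin replaces with a generated number (from the ticket)

# Hypothetical: API version from which clients send nothing when --uid is omitted.
OPTIONAL_UID_MIN_VERSION = (2, 46)  # assumption, not a real FreeIPA constant


def parse_version(version):
    """Turn an API version string such as '2.46' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def client_has_optional_uid(api_version):
    """True if the client is new enough to distinguish 'omitted' from '999'."""
    return parse_version(api_version) >= OPTIONAL_UID_MIN_VERSION


class ConflictsWithDnaMagic(ValueError):
    """Raised when the requested number would be silently replaced by DNA."""


def resolve_number(requested, api_version):
    """Decide what to write to LDAP for uidNumber/gidNumber.

    Returns DNA_MAGIC to let the DNA plugin allocate, or the explicit number.
    Raises instead of silently storing a different number than requested.
    """
    if client_has_optional_uid(api_version):
        # Fixed client: None means omitted, any integer is a real request.
        if requested is None:
            return DNA_MAGIC
        if requested == DNA_MAGIC:
            raise ConflictsWithDnaMagic(
                "%d is the DNA magic value; the server would replace it" % requested)
        return requested
    # Legacy client: it sends 999 for an omitted value, so 999 cannot be
    # told apart from a deliberate request and must mean "allocate".
    if requested is None or requested == DNA_MAGIC:
        return DNA_MAGIC
    return requested


def simulate_dna(stored):
    """Stand-in for the DS DNA plugin: replaces the magic value on write."""
    generated = 721000062  # constructed sample, the number shown in the ticket
    return generated if stored == DNA_MAGIC else stored


def add_user_uid(requested, api_version):
    """End-to-end: the UID the directory ends up holding after a user-add."""
    return simulate_dna(resolve_number(requested, api_version))


if __name__ == "__main__":
    print(add_user_uid(None, "2.50"))   # fixed client, omitted: DNA allocates
    print(add_user_uid(999, "2.40"))    # legacy client, 999 means omitted
    print(add_user_uid(1000, "2.50"))   # explicit request is stored as-is
```

With a legacy client the server has no choice but to treat 999 as "allocate"; only once the client stops sending the default can an explicit 999 be rejected rather than silently replaced.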


This breaks backwards compatibility, so it'll need the ability to check client capabilities (as will #2732).

Why does it break backward compatibility? If the check is implemented on the server there is no compatibility breaking.

Older clients might be relying on the fact that passing in 999 automatically generates a UID/GID.

I do not think that anyone would rely on the fact that passing 999 generates a random value. This is equivalent to the argument being ignored. If someone came across this expecting uid to be static 999 we would have seen a bug. But we have not. IMO it is a semantic change to fix an issue. If documented in release notes it is a legitimate change to make.

"Clients" as in the software, not people.

The ipa program has 999 as the default value of the parameter, so it sends 999 when nothing is specified.
So with current clients, the server can't distinguish between cases where the user entered "999" and where the user didn't specify a value at all.

And yes, someone came across this passing 999 and rightfully expecting a uid of 999.

Right. So we need to stop passing 999. And we are passing 999 because it is a magic value for DS, so what we need to do is to change the magic value in DS or change the way the special operations are triggered. For example, instead of the magic value, pass some control. IMO we should have a discussion about this with DS guys.

We might be able to change the magic value to be a string instead of a valid number, or an invalid very large (bigger than 32 bit) number.

There was a discussion with DS guys on ipa-users.
Nathan warns against using a string here: https://www.redhat.com/archives/freeipa-users/2012-July/msg00011.html

Replying to [comment:11 pviktori]:

There was a discussion with DS guys on ipa-users.
Nathan warns against using a string here: https://www.redhat.com/archives/freeipa-users/2012-July/msg00011.html

This is why I suggested a special control that will carry a magic value. A "magic value" control. It will list the attributes that need to be initialized automatically using the internal implementation.

A control makes it impossible to manually change this stuff from LDAP browsers like ApacheDirectoryStudio.
Maybe we could simply use -1 then ?
It's a number and it is certainly a uid that should never be assigned as it has special meaning pretty much everywhere.

Move all uncompleted tickets to next month bucket.

Metadata Update from @pviktori:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 3.2 - 2013/03

7 years ago
