Hi,
you can use ldapmodify to update the range:
ldapmodify -D "cn=directory manager" -w $PWD
dn: cn=asterisk_system_user,cn=ranges,cn=etc,dc=example,dc=test
changetype: modify
add: ipabaserid
ipabaserid: xxx
-
add: ipasecondarybaserid
ipasecondarybaserid: yyy
Don't forget to replace dc=example,dc=test with your suffix and pick proper values for ipabaserid and ipasecondarybaserid. The directory server must be restarted after this ldapmodify operation.
flo
On Mon, Oct 13, 2025 at 4:49 PM Brian J. Murrell via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On Mon, 2025-10-13 at 10:54 +0200, Florence Blanc-Renaud wrote:
Hi,
Hi.
I really have no idea if the wheel group will cause any issue as it is defined in IPA and probably also locally.
Indeed. Apologies for the confusion. I have already dealt with the wheel group. I removed the one defined in IPA with the really low GID. So I think that issue is resolved.
What I have left is a low UID (112) system account that I do need to be in IPA as it needs to have a Kerberos credential. I figured the simplest thing to do was to give 112 its own ID range since it's the only low UID I have a need for. Thus I (incorrectly it seems) created:
Range name: asterisk_system_user
First Posix ID of the range: 112
Number of IDs in the range: 1
Range type: local domain range
But as you can see it has no RID ranges and I was getting an error about RID overlap or somesuch. So I tried to add them but was told I could not modify that range name. So I tried to delete it to recreate it but was told I could not delete it:
# ipa idrange-del asterisk_system_user
ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects with ID out of the defined range is not allowed
You subsequently suggested that the existing range might be fixable, which is also a reasonable solution. So that's where we are now. The total of all ranges is currently:
the idrange needs to have primary and secondary rid bases.
Right. I think I tried to add those but was given an error about not being able to modify that range.
The following RIDs are already taken: [1,000-201,000], [301,000-340,000], [100,000,000-100,200,000] and [100,300,000-100,339,000]. Pick any value outside of those ranges and it won't complain about overlaps.
Right. So what is the command that will allow me to add new RIDs to that range?
Sorry I'm not able to provide a definite answer, but it's hard to know if removing your wheel group from IPA would break anything. Maybe you have applications that rely on it, maybe it was added un-intentionally. Without clear understanding I can't really advise.
So yeah. It's not really about the wheel group at this point. It's just about being able to add the RIDs to that range that does not have them. Not sure how to go about doing that.
Cheers,
b.
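Added example, not part of the original messages and not FreeIPA code: a small shell check that candidate ipabaserid and ipasecondarybaserid values stay clear of the RID intervals listed in the thread and of each other, and that only then prints the LDIF for the ldapmodify shown above. Assumptions: the listed intervals are treated as inclusive, the function names are hypothetical, and the values 250000 and 260000 used to try it are constructed samples.

```shell
#!/bin/sh
# Taken RID intervals as quoted in the thread, written start:end.
# Assumption: both bounds are inclusive.
TAKEN="1000:201000 301000:340000 100000000:100200000 100300000:100339000"

# overlaps S1 E1 S2 E2 -> success when the two inclusive intervals intersect
overlaps() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_rid_bases BASE SECONDARY SIZE -> prints "ok" or the first conflict found
check_rid_bases() {
    base=$1; sec=$2; size=$3
    base_end=$((base + size - 1))
    sec_end=$((sec + size - 1))
    # The primary and secondary RID ranges must not overlap each other.
    if overlaps "$base" "$base_end" "$sec" "$sec_end"; then
        echo "conflict: primary and secondary RID ranges overlap each other"
        return 1
    fi
    for iv in $TAKEN; do
        lo=${iv%%:*}; hi=${iv##*:}
        if overlaps "$base" "$base_end" "$lo" "$hi"; then
            echo "conflict: ipabaserid $base-$base_end overlaps taken $lo-$hi"
            return 1
        fi
        if overlaps "$sec" "$sec_end" "$lo" "$hi"; then
            echo "conflict: ipasecondarybaserid $sec-$sec_end overlaps taken $lo-$hi"
            return 1
        fi
    done
    echo ok
}

# make_ldif RANGE_DN BASE SECONDARY SIZE -> LDIF on stdout, only if the check passes
make_ldif() {
    check_rid_bases "$2" "$3" "$4" >/dev/null || return 1
    printf 'dn: %s\nchangetype: modify\n' "$1"
    printf 'add: ipabaserid\nipabaserid: %s\n-\n' "$2"
    printf 'add: ipasecondarybaserid\nipasecondarybaserid: %s\n' "$3"
}
```

For a one-ID range such as asterisk_system_user, SIZE is 1; the output of make_ldif can be piped to ldapmodify with the bind options from the message above.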