Hi,

you can use ldapmodify to update the range:

ldapmodify -D "cn=directory manager" -W
dn: cn=asterisk_system_user,cn=ranges,cn=etc,dc=example,dc=test
changetype: modify
add: ipabaserid
ipabaserid: xxx
-
add: ipasecondarybaserid
ipasecondarybaserid: yyy

Don't forget to replace dc=example,dc=test with your suffix and pick proper values for ipabaserid and ipasecondarybaserid. The directory server must be restarted after this ldapmodify operation.

flo
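
An added example (not part of the original message or of FreeIPA): a POSIX shell check that a candidate ipabaserid / ipasecondarybaserid pair stays clear of the RID intervals listed as taken later in this thread, run before the LDIF is generated. The function names and the candidate values 400000 and 100400000 are constructed for illustration, and the taken intervals are treated as inclusive.

```shell
#!/bin/sh
# Added example, not from the thread's authors.
# RID intervals reported as taken in the thread, treated here as inclusive.
TAKEN="1000-201000 301000-340000 100000000-100200000 100300000-100339000"

# rid_free BASE SIZE: 0 if [BASE, BASE+SIZE-1] misses every taken interval,
# 1 on overlap, 2 if an argument is not a positive decimal integer.
rid_free() {
    base=$1; size=$2
    for v in "$base" "$size"; do
        case "$v" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$size" -ge 1 ] || return 2
    end=$((base + size - 1))
    for r in $TAKEN; do
        lo=${r%-*}; hi=${r#*-}
        if [ "$base" -le "$hi" ] && [ "$end" -ge "$lo" ]; then
            return 1
        fi
    done
    return 0
}

# range_ldif DN PRIMARY SECONDARY SIZE: print the modify LDIF only if both
# RID bases are free and the two new intervals do not overlap each other.
range_ldif() {
    dn=$1; prim=$2; sec=$3; size=$4
    rid_free "$prim" "$size" || { echo "bad primary RID base: $prim" >&2; return 1; }
    rid_free "$sec" "$size" || { echo "bad secondary RID base: $sec" >&2; return 1; }
    if [ "$prim" -le $((sec + size - 1)) ] && [ "$sec" -le $((prim + size - 1)) ]; then
        echo "primary and secondary RID intervals overlap" >&2; return 1
    fi
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'add: ipabaserid\nipabaserid: %s\n-\n' "$prim"
    printf 'add: ipasecondarybaserid\nipasecondarybaserid: %s\n' "$sec"
}

# Constructed candidate values (400000 and 100400000), size 1 as in the thread.
range_ldif "cn=asterisk_system_user,cn=ranges,cn=etc,dc=example,dc=test" \
    400000 100400000 1
```

The printed LDIF can be reviewed and then given to ldapmodify on standard input, as in the message above.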

On Mon, Oct 13, 2025 at 4:49 PM Brian J. Murrell via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On Mon, 2025-10-13 at 10:54 +0200, Florence Blanc-Renaud wrote:
> Hi,

Hi.

> I really have no idea if the wheel group will cause any issue as it is
> defined in IPA and probably also locally.

Indeed.  Apologies for the confusion.  I have already dealt with the
wheel group.  I removed the one defined in IPA with the really low GID.
So I think that issue is resolved.

What I have left is a low UID (112) system account that I do need to be
in IPA as it needs to have a Kerberos credential.  I figured the
simplest thing to do was to give 112 its own ID range since it's the
only low UID I have a need for.  Thus I (incorrectly it seems) created:

  Range name: asterisk_system_user
  First Posix ID of the range: 112
  Number of IDs in the range: 1
  Range type: local domain range

But as you can see it has no RID ranges and I was getting an error
about RID overlap or somesuch.  So I tried to add them but was told I
could not modify that range name.  So I tried to delete it to recreate
it but was told I could not delete it:

# ipa idrange-del asterisk_system_user
ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects with ID out of the defined range is not allowed

You subsequently suggested that the existing range might be fixable,
which is also a reasonable solution.  So that's where we are now.  The
total of all ranges is currently:

> the idrange needs to have primary and secondary rid bases.

Right.  I think I tried to add those but was given an error about not
being able to modify that range.

> The following RIDs are already taken: [1,000-201,000] [301,000-340,000],
> [100,000,000-100,200,000] and [100,300,000-100,339,000]. Pick any value
> outside of those ranges and it won't complain about overlaps.

Right.  So what is the command that will allow me to add new RIDs to
that range?

> Sorry I'm not able to provide a definite answer, but it's hard to know if
> removing your wheel group from IPA would break anything. Maybe you have
> applications that rely on it, maybe it was added un-intentionally. Without
> clear understanding I can't really advise.

So yeah.  It's not really about the wheel group at this point.  It's
just about being able to add the RIDs to that range that does not have
them.  Not sure how to go about doing that.

Cheers,
b.