From 13aea9c2b9c48dd614095b4551021868812ba2f0 Mon Sep 17 00:00:00 2001 From: Pavel Reichl Date: Mar 20 2014 19:20:19 +0000 Subject: MAN: minimal value expected for ldap_idmap_range_size Resolves: https://fedorahosted.org/sssd/ticket/1451 Reviewed-by: Stephen Gallagher Reviewed-by: Jakub Hrozek --- diff --git a/src/man/include/ldap_id_mapping.xml b/src/man/include/ldap_id_mapping.xml index 64d2c15..9a31c15 100644 --- a/src/man/include/ldap_id_mapping.xml +++ b/src/man/include/ldap_id_mapping.xml @@ -170,6 +170,22 @@ ldap_schema = ad as it can. + NOTE: The value of this option must be at least as large as the + highest user RID planned for use on the Active Directory server. User + lookups and login will fail for any user whose RID is greater than + this value. + + + For example, if your most recently-added Active Directory user has + objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, + ldap_idmap_range_size must be at least 1107. + + + It is important to plan ahead for future expansion, as changing this + value will result in changing all of the ID mappings on the system, + leading to users with different local IDs than they previously had. + + Default: 200000
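Review bot: In the example paragraph, "ldap_idmap_range_size must be at least 1107" reads like a suggested setting, yet the next paragraph warns that changing the value later remaps every ID, and the trailing context line shows a default of 200000. Consider wording it strictly as a lower bound (for instance "must not be set below 1107") and telling readers to leave headroom above the highest RID they expect to issue. The boundary case also deserves a check: "at least as large as the highest user RID" and "RID is greater than this value" both imply that a RID equal to the value still maps, so please confirm that matches how the range is computed. Finally, the note speaks only of user RIDs and user lookups; if group lookups are bounded the same way, the text should say so.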