3540986 Add basic support for subordinate user/group ids

31 files Authored by cheimes 2 years ago, Committed by rcritten 2 years ago,
    Add basic support for subordinate user/group ids
    
    New LDAP object class "ipaUserSubordinate" with four new fields:
    - ipasubuidnumber / ipasubuidcount
    - ipasubgidnumber / ipasgbuidcount
    
    New self-service permission to add subids.
    
    New command user-auto-subid to auto-assign subid
    
    The code hard-codes counts to 65536, sets subgid equal to subuid, and
    does not allow removal of subids. There is also a hack that emulates a
    DNA plugin with step interval 65536 for testing.
    
    Work around problem with older SSSD clients that fail with unknown
    idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571
    
    Related: https://pagure.io/freeipa/issue/8361
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Francois Cami <fcami@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Francois Cami <fcami@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    
        
file modified
+1 -0
file modified
+1 -1
file modified
+41 -6
file modified
+1 -1
file modified
+2 -2
file modified
+1 -0
file modified
+1 -0
file modified
+1 -0
file modified
+1 -0
file modified
+20 -0
file modified
+2 -0
file modified
+1 -0
file modified
+13 -0
file modified
+17 -26
file modified
+71 -24
file modified
+267 -7
file modified
+9 -1
file modified
+12 -0
file modified
+16 -1