Default administrators group ID below min GID


simp_openldap::server::conf::default_ldif::administrators_group_id defaults to 700. simp_options::gid::min defaults to 1000. This seems to cause an error 'Group [administrators@ldap] filtered out! (id out of range)' on login.

Trevor Vaughan
January 21, 2019, 9:17 PM

It looks like this is a bug in our sssd default configuration.

SSSD, by default, has a min_id of 1. At some point, we changed the default of sssd::domain::min_id to be the same as the target system login_defs.uid_min fact.

This is not correct since the local system ID range has no bearing on any central authentication system.

With this in mind, we should change the min_id defaults across the board in sssd to be 1 per the usual system defaults and perhaps expose this via Hiera using the new simplib::dlookup functionality.
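
The range check discussed in the comment above, as an added example that is not part of the original ticket or of the SIMP code base: it reads the `min_id`/`max_id` settings from each `[domain/...]` section of an sssd.conf and reports which LDAP entries fall outside the range. The sample configuration, the domain names `LDAP` and `LOCAL`, the `users` group and the function names are constructed for illustration; the defaults of 1 and 0 (no limit) are those documented in sssd.conf(5).

```python
import configparser

# Constructed sssd.conf mirroring this ticket: min_id was taken from the
# local login_defs.uid_min (1000) instead of sssd's own default of 1.
SAMPLE_SSSD_CONF = """
[sssd]
domains = LDAP, LOCAL

[domain/LDAP]
id_provider = ldap
min_id = 1000

[domain/LOCAL]
id_provider = files
"""

SSSD_DEFAULT_MIN_ID = 1  # sssd.conf(5) default for min_id
SSSD_DEFAULT_MAX_ID = 0  # sssd.conf(5) default for max_id; 0 means no upper limit


def domain_id_ranges(conf_text):
    """Return {domain_name: (min_id, max_id)} for every [domain/...] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    ranges = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        min_id = parser.getint(section, "min_id", fallback=SSSD_DEFAULT_MIN_ID)
        max_id = parser.getint(section, "max_id", fallback=SSSD_DEFAULT_MAX_ID)
        ranges[section.split("/", 1)[1]] = (min_id, max_id)
    return ranges


def filtered_entries(conf_text, domain, entries):
    """Return the names in entries ({name: id}) that the domain's range excludes."""
    min_id, max_id = domain_id_ranges(conf_text)[domain]
    return sorted(
        name for name, ident in entries.items()
        if ident < min_id or (max_id != 0 and ident > max_id)
    )


if __name__ == "__main__":
    # 700 is the administrators_group_id default from this ticket; "users" is constructed.
    ldap_groups = {"administrators": 700, "users": 100000}
    print(filtered_entries(SAMPLE_SSSD_CONF, "LDAP", ldap_groups))
```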

Trevor Vaughan
January 21, 2019, 9:05 PM

After quite a bit of discussion, it was determined that moving the GID question to simp config would cause more confusion than it is worth since the choice is absolutely arbitrary anyway.

I'm going to try to reproduce the error because I think that this might be able to be handled via documentation.

Trevor Vaughan
December 18, 2018, 6:54 PM

Ok, it looks like there won't be any issue with just flipping the UID but we'll change it to being a question in simp_config and go from there moving forward.

The current LDAP configuration will not be overwritten even if the defaults file changes so there is no potential of damaging existing systems.

Trevor Vaughan
November 14, 2018, 9:23 PM

So, I don't see any issue changing this from a code point of view, but we need to figure out the right thing to actually change it to.

I never liked just dropping 700 in there, but this was done prior to the simp config command and it may make more sense to force users to enter a value for this and default it to something high like 75309 or the like.



