QAS uidnumber generation

We use ActiveRoles and Authentication Services to administer UNIX user attributes, and our UNIX admins are having trouble with uidnumber re-use. For example, a uidnumber assigned to a previous user that is no longer in AD is being reassigned to a new user. Apparently this reuse is occurring fairly soon after the previous user has left.

Our original uidnumber space was imported from a separately managed UNIX environment, where the uidnumbers were previously assigned. QAS was not used to generate these original uidnumbers. Within QAS we have the minimum uidnumber set to 1000 and the max to 64000.

How do the different methods of generating a unique ID work? Are they always starting at the minimum value and working up to find an available uidnumber to assign to a new user? Can it be configured to start at the last assigned uidnumber and work up, until it gets to the max possible uidnumber before starting again at the minimum value?

  • Page 58 (Table 15) of the QAS 4.0.3 Install Guide explains the three options used for generating unique UIDs. The default (and IMHO best option) is Object GUID Hash, as this stands the best chance of creating a unique UID.

  • Table 15 does give a high-level understanding of how uidnumbers are generated (one uses the GUID, one uses the SID/RID and one searches for an available number) but doesn't give details. The issue my Unix admins are having is not that QAS is generating conflicting uidnumbers, it is that QAS is quickly reusing uidnumbers for users that have been deleted from the directory.

    Since our uidnumber space was imported from an existing Unix environment, the current uidnumber space may not match up with the GUID or SID/RID method of generating a uidnumber. So new uidnumbers being generated may have been previously used, but no longer exist in the directory. So, I'm trying to get more details on HOW each of the methods generates a uidnumber, rather than the high-level description in the documentation.

  • Some more information:

    In what range are the numbers generated using the Object GUID Hash or the Samba Algorithm? What happens when the generated number is outside the allowed min/max uidnumber range?

    How does the Legacy Search Algorithm find a unique value? Does it start at the minimum value each time and work up until it finds an unused value? Does it track the last number that was allocated and start there? Previous versions of the ActiveRoles integration seem to have used the second method, while the latest version seems to use the first.

    Which uidnumber generation method should be used if I want to start at A and assign numbers up to B, before restarting back at A again?

  • After conversations with support, here is my understanding of how these settings work, for those that may be interested.

    QAS supports a uidNumber range of 0 to 2^32. This is the range that the Object GUID and RID/SID algorithms use. If a MIN/MAX range is defined and the uidNumber generated by either of these two methods falls outside of the defined range, QAS falls back to the Legacy search method.

    The Legacy search method in previous versions of QAS had two settings:

    1. Start at the minimum uidNumber and find the next available
    2. Start at the last assigned uidNumber and find the next available

    I'm not sure when it was implemented, but I do know that from at least v4.0.3 and later, the product was changed so that you can no longer set the Legacy algorithm to use the second option.
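The range-check fallback and the two legacy search behaviours summarised in the post above, modelled as an added example (this is not code from the thread, from QAS or from ActiveRoles). It stands in an in-memory set for the directory, takes the Object GUID Hash or Samba/RID candidate as a plain number supplied by the caller because the thread does not define those algorithms, and assumes that a candidate already in use is rejected in the same way as one outside the range; the imported 1000..1004 pool and the deleted user holding 1002 are constructed inputs.

```python
"""Model of the uidNumber allocation behaviours described in the thread.

Added illustration, not QAS code: the directory is an in-memory set of
uidNumbers already in use, and the "algorithmic" candidate (Object GUID
hash or Samba RID mapping) is a number passed in by the caller, since the
thread does not spell out those algorithms.
"""

UID_MIN = 1000   # min/max values from the original post
UID_MAX = 64000


class UidAllocator:
    def __init__(self, in_use, uid_min=UID_MIN, uid_max=UID_MAX):
        self.in_use = set(in_use)        # uidNumbers currently held by directory objects
        self.uid_min = uid_min
        self.uid_max = uid_max
        self.last_assigned = None        # only consulted by the last-assigned strategy

    def _take(self, uid):
        self.in_use.add(uid)
        self.last_assigned = uid
        return uid

    def release(self, uid):
        """A user is deleted from the directory: its uidNumber becomes free again."""
        self.in_use.discard(uid)

    def legacy_from_min(self):
        """Legacy option 1 (the only one left in QAS 4.x, per the thread):
        scan upward from the minimum on every allocation, so a value freed
        by a deletion is handed out again on the very next request."""
        for uid in range(self.uid_min, self.uid_max + 1):
            if uid not in self.in_use:
                return self._take(uid)
        raise RuntimeError("uidNumber range exhausted")

    def legacy_from_last(self):
        """Legacy option 2 (older ActiveRoles integration): continue just past
        the last assigned value and wrap to the minimum after the maximum, so
        a freed value is not reused until the whole range has been cycled."""
        span = self.uid_max - self.uid_min + 1
        start = self.uid_min if self.last_assigned is None else self.last_assigned + 1
        for offset in range(span):
            uid = self.uid_min + (start - self.uid_min + offset) % span
            if uid not in self.in_use:
                return self._take(uid)
        raise RuntimeError("uidNumber range exhausted")

    def allocate(self, candidate, legacy):
        """Range check described in the thread: a candidate from the GUID-hash
        or RID method is used only if it lies within [min, max]; otherwise the
        given legacy search runs. Rejecting a candidate that is already in use
        is an assumption of this model, not something the thread states."""
        if self.uid_min <= candidate <= self.uid_max and candidate not in self.in_use:
            return self._take(candidate)
        return legacy()


def reuse_after_delete(strategy):
    """Constructed scenario: 1000..1004 were imported from the old UNIX
    environment, the user holding 1002 is deleted, then one new user is
    created with the given legacy strategy (an unbound UidAllocator method)."""
    alloc = UidAllocator(in_use=range(1000, 1005))
    alloc.last_assigned = 1004           # the most recently imported value
    alloc.release(1002)
    return strategy(alloc)


if __name__ == "__main__":
    print("start-at-min reassigns:", reuse_after_delete(UidAllocator.legacy_from_min))    # 1002
    print("last-assigned moves on:", reuse_after_delete(UidAllocator.legacy_from_last))   # 1005
```

Run as-is, the start-at-min strategy hands the deleted user's 1002 straight to the next new account, which is the reuse the original poster describes; the last-assigned strategy skips to 1005 and only comes back to 1002 once it has wrapped past 64000.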

  • The 2nd legacy search method was not made part of the 4.x code base. So any version of QAS 4 will not have that option.