RHEL-22188

[RFE] Allow IPA SIDgen task to continue if it finds an entity that SID can't be assigned to

    • ipa-4.12.0-5.el9
    • High
    • 5
    • rhel-sst-idm-ipa
    • ssg_idm
    • 20
    • 22
    • 5
    • QE ack, Dev ack
    • False
    • No
    • Red Hat CodeReady Studio
    • 2024-Q2-Alpha-S5, 2024-Q2-Alpha-S6, 2024-Q3-Alpha-S1, 2024-Q3-Alpha-S2, 2024-Q3-Alpha-S3
    • Unspecified Release Note Type - Unknown
    • None

      Goal

      Currently, IPA SIDgen task fails on first user/group that SID can't be assigned to, either duplicate ID or user/group out of range, with

      ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [ID] into an unused SID.
      ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.

      and then task ends with 

      ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].

      while it should just log the faulty ID and continue the generation for all the other IDs. This behavior is observed in latest major versions:

      ipa-server-4.9.12-11, ipa-server-4.10.2-5

      Customers expect SIDgen task to continue on non-critical failure (as opposed to, e.g. incorrect range settings without RID ranges set up), while logging the errors.

      Steps to reproduce

      • Create a user out of range: 
      ipa user-add testsid --first test --last sid --uid 2000
      • Try to force SID generation with
      ipa config-mod --add-sids --enable-sid
      • Observe in LDAP error log:
      ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [2000] into an unused SID.
      ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
      ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].

      Expected results

      Faulty user ID is logged, SID generation continues

      Acceptance Criteria

      • Presented an option for SIDgen task to force going on on non-critical errors, or
      • Default behavior of SIDgen task is changed and it doesn't stop on non-critical errors
      • (optionally) provide customer with list of failed UIDs and options for remediation - creating ID range or moving the entities' IDs, and then re-running the task.

              twoerner Thomas Woerner
              rhn-support-asharov Aleksandr Sharov
              Florence Renaud Florence Renaud
              Rizwan Shaikh Rizwan Shaikh
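Added example, not part of the issue and not FreeIPA code: a triage script that reads the directory server error log, groups the messages quoted above into SIDgen task runs, and lists each POSIX ID that stopped a run together with the remediation direction named in the acceptance criteria. The log excerpt, the ID 1000005, the range name and the range bounds are constructed assumptions; real range values come from `ipa idrange-find`.

```python
import re

# Constructed error-log excerpt modelled on the messages quoted in the issue:
# two aborted SIDgen runs and one clean run. Timestamps and ID 1000005 are made up.
SAMPLE_LOG = """\
[10/Jan/2024:10:00:01.000000000 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [2000] into an unused SID.
[10/Jan/2024:10:00:01.000000000 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[10/Jan/2024:10:00:01.000000000 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
[10/Jan/2024:11:30:07.000000000 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [1000005] into an unused SID.
[10/Jan/2024:11:30:07.000000000 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[10/Jan/2024:11:30:07.000000000 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32].
[10/Jan/2024:12:45:12.000000000 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [0].
"""

# Assumed ID range as (name, first POSIX ID, size); constructed values.
RANGES = [("EXAMPLE.TEST_id_range", 1000000, 200000)]

ID_RE = re.compile(r"find_sid_for_ldap_entry\b.*Cannot convert Posix ID \[(\d+)\] into an unused SID")
END_RE = re.compile(r"sidgen_task_thread\b.*Sidgen task finished \[(\d+)\]")

def parse_runs(log_text):
    """Return one (exit_code, [failed POSIX IDs]) tuple per SIDgen task run."""
    runs, pending = [], []
    for line in log_text.splitlines():
        failed, finished = ID_RE.search(line), END_RE.search(line)
        if failed:
            pending.append(int(failed.group(1)))
        elif finished:
            runs.append((int(finished.group(1)), pending))
            pending = []
    if pending:  # no "finished" line yet: task still running or log truncated
        runs.append((None, pending))
    return runs

def classify(posix_id, ranges):
    """Map a failed ID to one of the two causes the issue describes."""
    for name, base, size in ranges:
        if base <= posix_id < base + size:
            return f"inside {name}: check for a duplicate ID"
    return "outside every ID range: create an ID range or move the ID"

def report(log_text, ranges):
    """Failed IDs in first-seen order, each with its likely cause."""
    seen = {}
    for _code, ids in parse_runs(log_text):
        for posix_id in ids:
            seen.setdefault(posix_id, classify(posix_id, ranges))
    return seen

if __name__ == "__main__":
    for posix_id, cause in report(SAMPLE_LOG, RANGES).items():
        print(posix_id, cause)
```

With the behaviour described in the issue, each aborted run reveals only one failing ID, so the list grows only as the task is re-run after each fix.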