Fix ipa-server-upgrade

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

install/share/bootstrap-template.ldif

@@ -491,7 +491,7 @@ cn: ${REALM}_subid_range
 ipaBaseID: eval($SUBID_RANGE_START)
 ipaIDRangeSize: eval($SUBID_RANGE_SIZE)
 # HACK: RIDs to work around adtrust sidgen issue
-ipaBaseRID: eval($SUBID_RANGE_START - $IDRANGE_SIZE)
+ipaBaseRID: eval($SUBID_BASE_RID)
 # 738065-838566 = IPA-SUB
 ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
 # HACK: "ipa-local-subid" range type causes issues with older SSSD clients

install/updates/73-subid.update

@@ -102,7 +102,7 @@ default: cn: ${REALM}_subid_range
 default: ipaBaseID: $SUBID_RANGE_START
 default: ipaIDRangeSize: $SUBID_RANGE_SIZE
 # HACK: RIDs to work around adtrust sidgen issue
-default: ipaBaseRID: eval($SUBID_RANGE_START - $IDRANGE_SIZE)
+default: ipaBaseRID: eval($SUBID_BASE_RID)
 default: ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
 # HACK: "ipa-local-subid" range type causes issues with older SSSD clients
 # see https://github.com/SSSD/sssd/issues/5571

ipaserver/install/ldapupdate.py

@@ -59,8 +59,10 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
     """
     if idstart is None:
         idrange_size = None
+        subid_base_rid = None
     else:
         idrange_size = idmax - idstart + 1
+        subid_base_rid = constants.SUBID_RANGE_START - idrange_size
 
     return dict(
         REALM=realm,
@@ -81,6 +83,7 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
         SUBID_RANGE_SIZE=constants.SUBID_RANGE_SIZE,
         SUBID_RANGE_MAX=constants.SUBID_RANGE_MAX,
         SUBID_DNA_THRESHOLD=constants.SUBID_DNA_THRESHOLD,
+        SUBID_BASE_RID=subid_base_rid,
         DOMAIN_HASH=murmurhash3(domain, len(domain), 0xdeadbeef),
         MAX_DOMAIN_LEVEL=constants.MAX_DOMAIN_LEVEL,
         MIN_DOMAIN_LEVEL=constants.MIN_DOMAIN_LEVEL,