Blob Blame History Raw
From 69cd05bf635d19b9844f65d83dace05136a40326 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 19 Mar 2021 11:48:38 +0100
Subject: [PATCH] Add basic support for subordinate user/group ids

New LDAP object class "ipaUserSubordinate" with four new fields:
- ipasubuidnumber / ipasubuidcount
- ipasubgidnumber / ipasgbuidcount

New self-service permission to add subids.

New command user-auto-subid to auto-assign subid

The code hard-codes counts to 65536, sets subgid equal to subuid, and
does not allow removal of subids. There is also a hack that emulates a
DNA plugin with step interval 65536 for testing.

Work around problem with older SSSD clients that fail with unknown
idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571

Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ACI.txt                                   |   2 +-
 API.txt                                   |  47 ++-
 Makefile.am                               |   2 +-
 VERSION.m4                                |   4 +-
 doc/designs/index.rst                     |   1 +
 doc/designs/subordinate-ids.md            | 468 ++++++++++++++++++++++
 freeipa.spec.in                           |   1 +
 install/share/60basev2.ldif               |   1 +
 install/share/60basev4.ldif               |  19 +
 install/share/Makefile.am                 |   1 +
 install/share/bootstrap-template.ldif     |  22 +
 install/share/dna.ldif                    |  20 +
 install/tools/Makefile.am                 |   2 +
 install/tools/ipa-subids.in               |   8 +
 install/ui/src/freeipa/user.js            |  53 ++-
 install/updates/20-indices.update         |  18 +
 install/updates/73-subid.update           | 102 +++++
 install/updates/Makefile.am               |   1 +
 ipalib/constants.py                       |  13 +
 ipaserver/install/adtrustinstance.py      |  29 +-
 ipaserver/install/dsinstance.py           |  43 +-
 ipaserver/install/ipa_subids.py           | 154 +++++++
 ipaserver/install/ldapupdate.py           |  95 +++--
 ipaserver/plugins/baseuser.py             | 274 ++++++++++++-
 ipaserver/plugins/idrange.py              |  10 +-
 ipaserver/plugins/internal.py             |  12 +
 ipaserver/plugins/user.py                 |  17 +-
 ipatests/prci_definitions/gating.yaml     |  12 +
 ipatests/test_integration/test_subids.py  | 201 ++++++++++
 ipatests/test_xmlrpc/test_range_plugin.py |   7 +
 31 files changed, 1565 insertions(+), 75 deletions(-)
 create mode 100644 doc/designs/subordinate-ids.md
 create mode 100644 install/share/60basev4.ldif
 create mode 100644 install/tools/ipa-subids.in
 create mode 100644 install/updates/73-subid.update
 create mode 100644 ipaserver/install/ipa_subids.py
 create mode 100644 ipatests/test_integration/test_subids.py

diff --git a/ACI.txt b/ACI.txt
index 05852cf6c0150db7d8de99a5f7a44e538df29e5e..fce02a333b212de9b61f920515eed3e356b1391b 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -375,7 +375,7 @@ aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || gecos || gidnumber || homedirectory || loginshell || modifytimestamp || objectclass || uid || uidnumber")(target = "ldap:///cn=users,cn=compat,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read User Compat Tree";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "ipasshpubkey || ipauniqueid || ipauserauthtype || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User IPA Attributes";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "ipasshpubkey || ipasubgidcount || ipasubgidnumber || ipasubuidcount || ipasubuidnumber || ipauniqueid || ipauserauthtype || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User IPA Attributes";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || krbprincipaltype || nsaccountlock")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Kerberos Attributes";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example
diff --git a/API.txt b/API.txt
index 212ef807c771794dc2f89eb89e03b669eb49295b..262b4d6a72c7d7032a7027116f7a4f65aa620615 100644
--- a/API.txt
+++ b/API.txt
@@ -4974,7 +4974,7 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: stageuser_add/1
-args: 1,45,3
+args: 1,46,3
 arg: Str('uid', cli_name='login')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -4992,6 +4992,7 @@ option: Str('givenname', cli_name='first')
 option: Str('homedirectory?', cli_name='homedir')
 option: Str('initials?', autofill=True)
 option: Str('ipasshpubkey*', cli_name='sshpubkey')
+option: Int('ipasubuidnumber?', cli_name='subuid')
 option: Str('ipatokenradiusconfiglink?', cli_name='radius')
 option: Str('ipatokenradiususername?', cli_name='radius_username')
 option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
@@ -5080,7 +5081,7 @@ output: Output('result', type=[<type 'dict'>])
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: ListOfPrimaryKeys('value')
 command: stageuser_find/1
-args: 1,58,4
+args: 1,60,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('carlicense*', autofill=False)
@@ -5104,6 +5105,8 @@ option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
 option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
 option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
 option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
+option: Int('ipasubgidnumber?', autofill=False, cli_name='subgid')
+option: Int('ipasubuidnumber?', autofill=False, cli_name='subuid')
 option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
 option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
 option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
@@ -5145,7 +5148,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
 command: stageuser_mod/1
-args: 1,51,3
+args: 1,52,3
 arg: Str('uid', cli_name='login')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -5167,6 +5170,7 @@ option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_d
 option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
 option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
 option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
+option: Int('ipasubuidnumber?', autofill=False, cli_name='subuid')
 option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
 option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
 option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
@@ -6058,7 +6062,7 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: user_add/1
-args: 1,46,3
+args: 1,47,3
 arg: Str('uid', cli_name='login')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -6075,6 +6079,7 @@ option: Str('givenname', cli_name='first')
 option: Str('homedirectory?', cli_name='homedir')
 option: Str('initials?', autofill=True)
 option: Str('ipasshpubkey*', cli_name='sshpubkey')
+option: Int('ipasubuidnumber?', cli_name='subuid')
 option: Str('ipatokenradiusconfiglink?', cli_name='radius')
 option: Str('ipatokenradiususername?', cli_name='radius_username')
 option: StrEnum('ipauserauthtype*', cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
@@ -6156,6 +6161,16 @@ option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
+command: user_auto_subid/1
+args: 1,4,3
+arg: Str('uid', cli_name='login')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
 command: user_del/1
 args: 1,3,3
 arg: Str('uid+', cli_name='login')
@@ -6180,7 +6195,7 @@ output: Output('result', type=[<type 'bool'>])
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: user_find/1
-args: 1,61,4
+args: 1,63,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('carlicense*', autofill=False)
@@ -6204,6 +6219,8 @@ option: Str('ipanthomedirectory?', autofill=False, cli_name='smb_home_dir')
 option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_drive', values=[u'A:', u'B:', u'C:', u'D:', u'E:', u'F:', u'G:', u'H:', u'I:', u'J:', u'K:', u'L:', u'M:', u'N:', u'O:', u'P:', u'Q:', u'R:', u'S:', u'T:', u'U:', u'V:', u'W:', u'X:', u'Y:', u'Z:'])
 option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
 option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
+option: Int('ipasubgidnumber?', autofill=False, cli_name='subgid')
+option: Int('ipasubuidnumber?', autofill=False, cli_name='subuid')
 option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
 option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
 option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
@@ -6247,8 +6264,23 @@ output: Output('count', type=[<type 'int'>])
 output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
+command: user_match_subid/1
+args: 1,8,4
+arg: Str('criteria?')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Int('ipasubuidnumber', autofill=False, cli_name='subuid')
+option: Flag('no_members', autofill=True, default=True)
+option: Flag('pkey_only?', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Int('sizelimit?', autofill=False)
+option: Int('timelimit?', autofill=False)
+option: Str('version?')
+output: Output('count', type=[<type 'int'>])
+output: ListOfEntries('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: Output('truncated', type=[<type 'bool'>])
 command: user_mod/1
-args: 1,52,3
+args: 1,53,3
 arg: Str('uid', cli_name='login')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -6270,6 +6302,7 @@ option: StrEnum('ipanthomedirectorydrive?', autofill=False, cli_name='smb_home_d
 option: Str('ipantlogonscript?', autofill=False, cli_name='smb_logon_script')
 option: Str('ipantprofilepath?', autofill=False, cli_name='smb_profile_path')
 option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
+option: Int('ipasubuidnumber?', autofill=False, cli_name='subuid')
 option: Str('ipatokenradiusconfiglink?', autofill=False, cli_name='radius')
 option: Str('ipatokenradiususername?', autofill=False, cli_name='radius_username')
 option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened'])
@@ -7183,10 +7216,12 @@ default: user_add_cert/1
 default: user_add_certmapdata/1
 default: user_add_manager/1
 default: user_add_principal/1
+default: user_auto_subid/1
 default: user_del/1
 default: user_disable/1
 default: user_enable/1
 default: user_find/1
+default: user_match_subid/1
 default: user_mod/1
 default: user_remove_cert/1
 default: user_remove_certmapdata/1
diff --git a/Makefile.am b/Makefile.am
index c5a33e67f56b2c6f9efb5b4c6af3f7a44ccbdb3c..321df05a7c44f32929a2c5ec45341a42105a8e2f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -229,7 +229,7 @@ fasttest: $(GENERATED_PYTHON_FILES) ipasetup.py
 	    --ignore $(abspath $(top_srcdir))/ipatests/test_integration \
 	    --ignore $(abspath $(top_srcdir))/ipatests/test_xmlrpc
 
-fastlint: $(GENERATED_PYTHON_FILES) ipasetup.py
+fastlint: $(GENERATED_PYTHON_FILES) ipasetup.py acilint apilint
 if ! WITH_PYLINT
 	@echo "ERROR: pylint not available"; exit 1
 endif
diff --git a/VERSION.m4 b/VERSION.m4
index 9f024675f905a1ee771b6ff293c25b2ac46d92df..1c1e0d56c0eb5c15be0887fae9f90e399757acc7 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -86,8 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)
 #                                                      #
 ########################################################
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 242)
-# Last change: add status options for cert-find
+# Last change: add subordinate id feature
+define(IPA_API_VERSION_MINOR, 243)
 
 
 ########################################################
diff --git a/doc/designs/index.rst b/doc/designs/index.rst
index cbec1096c363c9c31656b05f22c50321cd45e073..6dd0edff3004fd0d19208f0c063d4156bde3bf91 100644
--- a/doc/designs/index.rst
+++ b/doc/designs/index.rst
@@ -17,3 +17,4 @@ FreeIPA design documentation
    membermanager.md
    hidden-replicas.md
    disable-stale-users.md
+   subordinate-ids.md
diff --git a/doc/designs/subordinate-ids.md b/doc/designs/subordinate-ids.md
new file mode 100644
index 0000000000000000000000000000000000000000..1b578667a8cfdda223af38a14d142c72a5d5c073
--- /dev/null
+++ b/doc/designs/subordinate-ids.md
@@ -0,0 +1,468 @@
+# Central management of subordinate user and group ids
+
+Subordinate ids are a Linux Kernel feature to grant a user additional
+user and group id ranges. Amongst others the feature can be used
+by container runtime engies to implement rootless containers.
+Traditionally subordinate id ranges are configured in ``/etc/subuid``
+and ``/etc/subgid``.
+
+To make rootless containers in a large environment as easy as pie, IPA
+gains the ability to centrally manage and assign subordinate id ranges.
+SSSD and shadow-util are extended to read subordinate ids from IPA and
+provide them to userspace tools.
+
+## Overview
+
+Feature requests
+
+* [FreeIPA feature request #8361](https://pagure.io/freeipa/issue/8361)
+* [SSSD feature request #5197](https://github.com/SSSD/sssd/issues/5197)
+* [shadow-util feature request #154](https://github.com/shadow-maint/shadow/issues/154)
+* [389-DS RFE for DNA plugin rhbz#1938239](https://bugzilla.redhat.com/show_bug.cgi?id=1938239)
+
+Man pages
+
+* [man subuid(5)](https://man7.org/linux/man-pages/man5/subuid.5.html)
+* [man subgid(5)](https://man7.org/linux/man-pages/man5/subgid.5.html)
+* [man user_namespaces(7)](https://man7.org/linux/man-pages/man7/user_namespaces.7.html)
+* [man newuidmap(1)](https://man7.org/linux/man-pages/man1/newuidmap.1.html)
+
+Articles / blog posts
+* [Basic Setup and Use of Podman in a Rootless environment](https://github.com/containers/podman/blob/master/docs/tutorials/rootless_tutorial.md)
+* [How does rootless Podman work](https://opensource.com/article/19/2/how-does-rootless-podman-work)
+
+## Design choices
+
+Some design choices are owed to the circumstance that uids and gids
+are limited datatypes. The Linux Kernel and userland defines
+``uid_t`` and ``gid_t`` as unsigned 32bit integers (``uint32_t``), which
+limits possible values for numeric user and group ids to
+``0 .. 2^32-2``. ``(uid_t)-1`` is reserved for error reporting. On the
+other hand the user ``nobody`` typically has uid 65534 / gid 65534. This
+means we need to assign 65,536 subordinate ids to every user. The
+theoretical maximum amount of subordinate ranges is less than 65,536
+(``65536 * 65536 == 2^32``). [``logins.def``](https://man7.org/linux/man-pages/man5/login.defs.5.html)
+also uses 65536 as default setting for ``SUB_UID_COUNT``.
+
+The practical limit is far smaller. Subordinate ids should not overlap
+with system accounts, local user accounts, IPA user accounts, and
+mapped accounts from Active Directory. Therefore IPA uses the upper
+half of the uid_t range (>= 2^31 == 2,147,483,648) for subordinate ids.
+The high bit is rarely used. IPA limits general numeric ids
+(``uidNumber``, ``gidNumber``, ID ranges) to maximum values of signed
+32bit integer (2^31-1) for backwards compatibility with XML-RPC.
+``logins.def`` defaults to ``SUB_UID_MAX`` 600,100,000.
+
+A default subordinate id count of 65,536 and a total range of approx.
+2.1 billion limits IPA to slightly more than 32,000 possible ranges. It
+may sound like a lot of users, but there are much bigger installations
+of IPA. For comparison Fedora Accounts has over 120,000 users stored in
+IPA.
+
+For that reason we treat subordinate id space as premium real estate
+and don't auto-map or auto-assign subordinate ids by default. Instead
+we give the admin several options to assign them manually, semi-manual,
+or automatically.
+
+### Revision 1 limitation
+
+The first revision of the feature is deliberately limited and
+restricted. We are aiming for a simple implementation that covers
+basic use cases. Some restrictions may be lifted in the future.
+
+* subuid and subgids cannot be set independently. They are always set
+  to the same value.
+* counts are hard-coded to value 65536
+* once assigned subids cannot be removed
+* IPA does not support multiple subordinate id ranges. Contrary to
+  ``/etc/subuid``, users are limited to one set of subordinate ids.
+* subids are auto-assigned. Auto-assignment is currently emulated
+  until 389-DS has been extended to support DNA with step interval.
+* subids are allocated from hard-coded range
+  ``[2147483648..4294901767]`` (``2^31`` to ``2^32-1-65536``), which
+  is the upper 2.1 billion uids of ``uid_t`` (``uint32_t``). The range
+  can hold little 32,767 subordinate id ranges.
+* Active Directory support is out of scope and may be provided in the
+  future.
+
+### Subid assignment example
+
+```
+>>> import itertools
+>>> def subids():
+...     for n in itertools.count(start=0):
+...         start = SUBID_RANGE_START + (n * SUBID_COUNT)
+...         last = start + SUBID_COUNT - 1
+...         yield (start, last)
+...
+>>> gen = subids()
+>>> next(gen)
+(2147483648, 2147549183)
+>>> next(gen)
+(2147549184, 2147614719)
+>>> next(gen)
+(2147614720, 2147680255)
+```
+
+The first user has 65565 subordinate ids from uid/gid ``2147483648``
+to ``2147549183``, the next user has ``2147549184`` to ``2147614719``,
+and so on. The range count includes the start value.
+
+An installation with multiple servers, 389-DS'
+[DNA](https://directory.fedoraproject.org/docs/389ds/design/dna-plugin.html)
+plug-in takes care of delegating and assigning chunks of subid ranges
+to servers. The DNA plug-in guarantees uniqueness across servers.
+
+## LDAP
+
+### LDAP schema extension
+
+The subordinate id feature introduces a new auxiliar object class
+``ipaSubordinateId`` with four required attributes ``ipaSubUidNumber``,
+``ipaSubUidCount``, ``ipaSubGidNumber``, and ``ipaSubGidCount``. The
+attributes with ``number`` suffix store the start value of the interval.
+The ``count`` attributes contain the size of the interval including the
+start value. The maximum subid is
+``ipaSubUidNumber + ipaSubUidCount - 1``.
+
+All four attributes are single-value ``INTEGER`` type with standard
+integer matching rules. OIDs ``2.16.840.1.113730.3.8.23.8`` and
+``2.16.840.1.113730.3.8.23.11`` are reserved for future use.
+
+```raw
+attributeTypes: (
+  2.16.840.1.113730.3.8.23.6
+  NAME 'ipaSubUidNumber'
+  DESC 'Numerical subordinate user ID (range start value)'
+  EQUALITY integerMatch ORDERING integerOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
+  X-ORIGIN 'IPA v4.9'
+)
+attributeTypes: (
+  2.16.840.1.113730.3.8.23.7
+  NAME 'ipaSubUidCount'
+  DESC 'Subordinate user ID count (range size)'
+  EQUALITY integerMatch ORDERING integerOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
+  X-ORIGIN 'IPA v4.9'
+)
+attributeTypes: (
+  2.16.840.1.113730.3.8.23.9
+  NAME 'ipaSubGidNumber'
+  DESC 'Numerical subordinate group ID (range start value)'
+  EQUALITY integerMatch ORDERING integerOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
+  X-ORIGIN 'IPA v4.9'
+)
+attributeTypes: (
+  2.16.840.1.113730.3.8.23.10
+  NAME 'ipaSubGidCount'
+  DESC 'Subordinate group ID count (range size)'
+  EQUALITY integerMatch ORDERING integerOrderingMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
+  X-ORIGIN 'IPA v4.9'
+)
+```
+
+The ``ipaSubordinateId`` object class is an auxiliar subclass of
+``top`` and requires all four subordinate id attributes as well as
+``uidNumber``. It does not subclass ``posixAccount`` to make
+the class reusable in idview overrides later.
+
+```raw
+objectClasses: (
+  2.16.840.1.113730.3.8.24.4
+  NAME 'ipaSubordinateId'
+  DESC 'Subordinate uid and gid for users'
+  SUP top AUXILIARY
+  MUST ( uidNumber $ ipaSubUidNumber $ ipaSubUidCount $ ipaSubGidNumber $ ipaSubGidCount )
+  X-ORIGIN 'IPA v4.9'
+)
+```
+
+The ``ipaSubordinateGid`` and ``ipaSubordinateUid`` are defined for
+future use. IPA always assumes the presence of ``ipaSubordinateId`` and
+does not use these object classes.
+
+```raw
+objectClasses: (
+  2.16.840.1.113730.3.8.24.2
+  NAME 'ipaSubordinateUid'
+  DESC 'Subordinate uids for users, see subuid(5)'
+  SUP top AUXILIARY
+  MUST ( uidNumber $ ipaSubUidNumber $ ipaSubUidCount )
+  X-ORIGIN 'IPA v4.9'
+ )
+objectClasses: (
+  2.16.840.1.113730.3.8.24.3
+  NAME 'ipaSubordinateGid'
+  DESC 'Subordinate gids for users, see subgid(5)'
+  SUP top AUXILIARY
+  MUST ( uidNumber $ ipaSubGidNumber $ ipaSubGidCount )
+  X-ORIGIN 'IPA v4.9'
+)
+```
+
+### Index
+
+The attributes ``ipaSubUidNumber`` and ``ipaSubGidNumber`` are index
+for ``pres`` and ``eq`` with ``nsMatchingRule: integerOrderingMatch``
+to enable efficient ``=``, ``>=``, and ``<=`` searches.
+
+### Distributed numeric assignment (DNA) plug-in extension
+
+Subordinate id auto-assignment requires an extension of 389-DS'
+[DNA](https://directory.fedoraproject.org/docs/389ds/design/dna-plugin.html)
+plug-in. The DNA plug-in is responsible for safely assigning unique
+numeric ids across all replicas.
+
+Currently the DNA plug-in only supports a step size of ``1``. A new
+option ``dnaStepAttr`` (name is tentative) will tell the DNA plug-in
+to use the value of entry attributes as step size.
+
+
+## Permissions, Privileges, Roles
+
+### Self-servive RBAC
+
+The self-service permission enables users to request auto-assignment
+of subordinate uid and gid ranges for themselves. Subordinate ids cannot
+be modified or deleted.
+
+* ACI: *selfservice: Add subordinate id*
+* Permission: *Self-service subordinate ID*
+* Privilege: *Subordinate ID Selfservice User*
+* Role: *Subordinate ID Selfservice Users*
+* role default member: n/a
+
+### Administrator RBAC
+
+The administrator permission allows privileged users to auto-assign
+subordinate ids to users. Once assigned subordinate ids cannot
+be modified or deleted.
+
+* ACI: *Add subordinate ids to any user*
+* Permission: *Manage subordinate ID*
+* Privilege: *Subordinate ID Administrators*
+* default privilege role: *User Administrator*
+
+
+## Workflows
+
+In the default configuration of IPA, neither existing users nor new
+users will have subordinate ids assigned. There are a couple of ways
+to assign subordinate ids to users.
+
+### User administrator
+
+Users with *User Administrator* role and members of the *admins* group
+have permission to auto-assign new subordinate ids to any user. Auto
+assignment can be performed with new ``user-auto-subid`` command on the
+command line or with the *Auto assign subordinate ids* action in the
+*Actions* drop-down menu in the web UI.
+
+```shell
+$ ipa user-auto-subid someusername
+```
+
+### Self-service for group members
+
+Ordinary users cannot self-service subordinate ids by default. Admins
+can assign the new *Subordinate ID Selfservice User* to users group to
+enable self-service for members of the group.
+
+For example to enable self-service for all members of the default user
+group ``ipausers``, do:
+
+```shell
+$ ipa role-add-member "Subordinate ID Selfservice User" --groups=ipausers
+```
+
+This allows members of ``ipausers`` to request subordinate ids with
+the ``user-auto-subid`` command or the *Auto assign subordinate ids*
+action in the web UI.
+
+```shell
+$ ipa user-auto-subid myusername
+```
+
+### Auto assignment with user default object class
+
+Admins can also enable auto-assignment of subordinate ids for all new
+users by adding ``ipasubordinateid`` as a default user objectclass.
+This can be accomplished in the web UI under "IPA Server" /
+"Configuration" / "Default user objectclasses" or on the command line
+with:
+
+```shell
+$ ipa config-mod --addattr="ipaUserObjectClasses=ipasubordinateid"
+```
+
+**NOTE:** The objectclass must be written all lower case.
+
+### ipa-subid tool
+
+Finally IPA includes a new tool for mass-assignment of subordinate ids.
+The command uses automatic LDAPI EXTERNAL bind when it's executed as
+root user. Other it requires valid Kerberos TGT of an admin or user
+administrator.
+
+```raw
+
+# /usr/libexec/ipa/ipa-subids --help
+Usage: ipa-subids
+
+Mass-assign subordinate ids
+
+Options:
+  --version             show program's version number and exit
+  -h, --help            show this help message and exit
+  --group=GROUP         Filter by group membership
+  --filter=USER_FILTER  Raw LDAP filter
+  --dry-run             Dry run mode.
+  --all-users           All users
+
+  Logging and output options:
+    -v, --verbose       print debugging information
+    -d, --debug         alias for --verbose (deprecated)
+    -q, --quiet         output only errors
+    --log-file=FILE     log to the given file
+
+# # /usr/libexec/ipa/ipa-subids --group ipausers
+Processing user 'testsubordinated1' (1/15)
+Processing user 'testsubordinated2' (2/15)
+Processing user 'testsubordinated3' (3/15)
+Processing user 'testsubordinated4' (4/15)
+Processing user 'testsubordinated5' (5/15)
+Processing user 'testsubordinated6' (6/15)
+Processing user 'testsubordinated7' (7/15)
+Processing user 'testsubordinated8' (8/15)
+Processing user 'testsubordinated9' (9/15)
+Processing user 'testsubordinated10' (10/15)
+Processing user 'testsubordinated11' (11/15)
+Processing user 'testsubordinated12' (12/15)
+Processing user 'testsubordinated13' (13/15)
+Processing user 'testsubordinated14' (14/15)
+Processing user 'testsubordinated15' (15/15)
+Processed 15 user(s)
+The ipa-subids command was successful
+```
+
+### Find and match users by any subordinate id
+
+The ``user-find`` command search by start value of subordinate uid and
+gid range. The new command ``user-match-subid`` can be used to find a
+user by any subordinate id in their range.
+
+```raw
+$ ipa user-match-subid --subuid=2153185287
+  User login: asmith
+  First name: Alice
+  Last name: Smith
+  ...
+  SubUID range start: 2153185280
+  SubUID range size: 65536
+  SubGID range start: 2153185280
+  SubGID range size: 65536
+----------------------------
+Number of entries returned 1
+----------------------------
+$ ipa user-match-subid --subuid=2153185279
+  User login: bjones
+  First name: Bob
+  Last name: Jones
+  ...
+  SubUID range start: 2153119744
+  SubUID range size: 65536
+  SubGID range start: 2153119744
+  SubGID range size: 65536
+----------------------------
+Number of entries returned 1
+----------------------------
+```
+
+## SSSD integration
+
+* base: ``cn=accounts,$SUFFIX`` / ``cn=users,cn=accounts,$SUFFIX``
+* scope: ``SCOPE_SUBTREE`` (2) / ``SCOPE_ONELEVEL`` (1)
+* user filter: should include ``(objectClass=posixAccount)``
+* attributes: ``uidNumber ipaSubUidNumber ipaSubUidCount ipaSubGidNumber ipaSubGidCount``
+
+SSSD can safely assume that only *user accounts* of type ``posixAccount``
+have subordinate ids. In the first revision there are no other entries
+with subordinate ids. The ``posixAccount`` object class has ``uid``
+(user login name) and ``uidNumber`` (numeric user id) as mandatory
+attributes. The ``uid`` attribute is guaranteed to be unique across
+all user accounts in an IPA domain.
+
+The ``uidNumber`` attribute is commonly unique, too. However it's
+technically possible that an administrator has assigned the same
+numeric user id to multiple users. Automatically assigned uid numbers
+don't conflict. SSSD should treat multiple users with same numeric
+user id as an error.
+
+The attribute ``ipaSubUidNumber`` is always accompanied by
+``ipaSubUidCount`` and ``ipaSubGidNumber`` is always accompanied
+by ``ipaSubGidCount``. In revision 1 the presence of
+``ipaSubUidNumber`` implies presence of the other three attributes.
+All four subordinate id attributes and ``uidNumber`` are single-value
+``INTEGER`` types. Any value outside of range of ``uint32_t`` must
+treated as invalid. SSSD will never see the DNA magic value ``-1``
+in ``cn=accounts,$SUFFIX`` subtree.
+
+IPA recommends that SSSD simply extends its existing query for user
+accounts and requests the four subordinate attributes additionally to
+RFC 2307 attributes ``rfc2307_user_map``. SSSD can directly take the
+values and return them without further processing, e.g.
+``uidNumber:ipaSubUidNumber:ipaSubUidCount`` for ``/etc/subuid``.
+
+Filters for additional cases:
+
+* subuid filter (find user with subuid by numeric uid):
+  ``&((objectClass=posixAccount)(ipaSubUidNumber=*)(uidNumber=$UID))``,
+  ``(&(objectClass=ipaSubordinateId)(uidNumber=$UID))``, or similar
+* subuid enumeration filter:
+  ``&((objectClass=posixAccount)(ipaSubUidNumber=*)(uidNumber=*))``,
+  ``(objectClass=ipaSubordinateId)``, or similar
+* subgid filter (find user with subgid by numeric uid):
+  ``&((objectClass=posixAccount)(ipaSubGidNumber=*)(uidNumber=$UID))``,
+  ``(&(objectClass=ipaSubordinateId)(uidNumber=$UID))``, or similar
+* subgid enumeration filter:
+  ``&((objectClass=posixAccount)(ipaSubGidNumber=*)(uidNumber=*))``,
+  ``(objectClass=ipaSubordinateId)``, or similar
+
+## Implementation details
+
+* The four subid attributes are not included in
+  ``baseuser.default_attributes`` on purpose. The ``config-mod``
+  command does not permit removal of a user default objectclasses
+  when the class is the last provider of an attribute in
+  ``default_attributes``.
+* ``ipaSubordinateId`` object class does not subclass the other two
+  object classes. LDAP supports
+  ``SUP ( ipaSubordinateGid $ ipaSubordinateUid )`` but 389-DS only
+  auto-inherits from first object class.
+* The idrange entry ``$REALM_subid_range`` has preconfigured base RIDs
+  and SID so idrange plug-in and sidgen task ignore the entry. It's the
+  simplest approach to ensure backwards compatibility with older IPA
+  server versions that don't know how to handle the new range.
+  The SID is ``S-1-5-21-738065-838566-$DOMAIN_HASH``. ``S-1-5-21``
+  is the well-known SID prefix for domain SIDs.  ``738065-838566`` is
+  the decimal representation of the string ``IPA-SUB``. ``DOMAIN_HASH``
+  is the MURMUR-3 hash of the domain name for key ``0xdeadbeef``. SSSD
+  rejects SIDs unless they are prefixed with ``S-1-5-21`` (see
+  ``sss_idmap.c:is_domain_sid()``).
+* The new ``$REALM_subid_range`` entry uses range type ``ipa-ad-trust``
+  instead of range type ``ipa-local-subid`` for backwards compatibility
+  with older SSSD clients, see
+  [SSSD #5571](https://github.com/SSSD/sssd/issues/5571).
+* Shared DNA configuration entries in ``cn=dna,cn=ipa,cn=etc,$SUFFIX``
+  are automatically removed by existing code. Server and replication
+  plug-ins search and delete entries by ``dnaHostname`` attribute.
+
+### TODO
+
+* enable configuration for ``dnaStepAttr``
+* remove ``fake_dna_plugin`` hack from ``baseuser`` plug-in.
+* add custom range type for idranges and teach AD trust, sidgen, and
+  range overlap check code to deal with new range type.
diff --git a/freeipa.spec.in b/freeipa.spec.in
index ae4af099f39641a9f5163d61cfb37e1c3afb6f4b..044e3559975c399f6697d4da94b5a059eb5b407c 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1361,6 +1361,7 @@ fi
 %{_libexecdir}/ipa/ipa-pki-wait-running
 %{_libexecdir}/ipa/ipa-otpd
 %{_libexecdir}/ipa/ipa-print-pac
+%{_libexecdir}/ipa/ipa-subids
 %dir %{_libexecdir}/ipa/custodia
 %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
 %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
index f253f30c91350c1358b24986806efea7768ea9ce..952755309d13d7df1806a52af351df250185b16d 100644
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -3,6 +3,7 @@
 ## Attributes:		2.16.840.1.113730.3.8.3 - V2 base attributres
 ## ObjectClasses:	2.16.840.1.113730.3.8.4 - V2 base objectclasses
 ## Attributes:		2.16.840.1.113730.3.8.23 - V4 base attributes
+## ObjectClasses:	2.16.840.1.113730.3.8.24 - V4 base objectclasses
 ##
 dn: cn=schema
 attributeTypes: (2.16.840.1.113730.3.8.3.1 NAME 'ipaUniqueID' DESC 'Unique identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
diff --git a/install/share/60basev4.ldif b/install/share/60basev4.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..7f5173e593ff68a03d4005957b1dc9b9eb489dc5
--- /dev/null
+++ b/install/share/60basev4.ldif
@@ -0,0 +1,19 @@
+## IPA Base OID:	2.16.840.1.113730.3.8
+##
+## Attributes:		2.16.840.1.113730.3.8.23 - V4 base attributes
+## ObjectClasses:	2.16.840.1.113730.3.8.24 - V4 base objectclasses
+##
+dn: cn=schema
+# subordinate ids
+# range ceiling OIDs are reserved for future use (operational attribute?)
+# object class requires uidNumber but does not subclass posixAccount so we
+# can re-use the object class in idview overrides later.
+attributeTypes: ( 2.16.840.1.113730.3.8.23.6 NAME 'ipaSubUidNumber' DESC 'Numerical subordinate user ID (range start value)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE  X-ORIGIN 'IPA v4.9')
+attributeTypes: ( 2.16.840.1.113730.3.8.23.7 NAME 'ipaSubUidCount' DESC 'Subordinate user ID count (range size)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE  X-ORIGIN 'IPA v4.9')
+# attributeTypes: ( 2.16.840.1.113730.3.8.23.8 NAME 'ipaSubUidCeiling' DESC 'Numerical subordinate user ID ceiling (largest value in range)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE  X-ORIGIN 'IPA v4.9')
+attributeTypes: ( 2.16.840.1.113730.3.8.23.9 NAME 'ipaSubGidNumber' DESC 'Numerical subordinate group ID (range start value)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE  X-ORIGIN 'IPA v4.9')
+attributeTypes: ( 2.16.840.1.113730.3.8.23.10 NAME 'ipaSubGidCount' DESC 'Subordinate group ID count (range size)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE  X-ORIGIN 'IPA v4.9')
+# attributeTypes: ( 2.16.840.1.113730.3.8.23.11 NAME 'ipaSubGidCeiling' DESC 'Numerical subordinate user ID ceiling (largest value in range)' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE  X-ORIGIN 'IPA v4.9')
+objectClasses: (2.16.840.1.113730.3.8.24.2 NAME 'ipaSubordinateUid' DESC 'Subordinate uids for users, see subuid(5)' SUP top AUXILIARY MUST ( uidNumber $ ipaSubUidNumber $ ipaSubUidCount ) X-ORIGIN 'IPA v4.9')
+objectClasses: (2.16.840.1.113730.3.8.24.3 NAME 'ipaSubordinateGid' DESC 'Subordinate gids for users, see subgid(5)' SUP top AUXILIARY MUST ( uidNumber $ ipaSubGidNumber $ ipaSubGidCount ) X-ORIGIN 'IPA v4.9')
+objectClasses: (2.16.840.1.113730.3.8.24.4 NAME 'ipaSubordinateId' DESC 'Subordinate uid and gid for users' SUP top AUXILIARY MUST ( uidNumber $ ipaSubUidNumber $ ipaSubUidCount $ ipaSubGidNumber $ ipaSubGidCount ) X-ORIGIN 'IPA v4.9')
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 0f1a6975fc3394316769295e67ac3c2e05ee9cee..e0fe4b7d1756bd05f060a92ab52f910b4bd3adc8 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -16,6 +16,7 @@ dist_app_DATA =				\
 	60ipaconfig.ldif		\
 	60basev2.ldif			\
 	60basev3.ldif			\
+	60basev4.ldif			\
 	60ipadns.ldif			\
 	60ipapk11.ldif			\
 	60certificate-profiles.ldif	\
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 6a689798451e8cc072284065849f9a95635f8069..16f2ef822eaf56dd68d4140b22a607539645b151 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -167,6 +167,12 @@ objectClass: nsContainer
 objectClass: top
 cn: posix-ids
 
+dn: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: subordinate-ids
+
 dn: cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX
 changetype: add
 objectClass: nsContainer
@@ -476,6 +482,22 @@ ipaBaseID: $IDSTART
 ipaIDRangeSize: $IDRANGE_SIZE
 ipaRangeType: ipa-local
 
+dn: cn=${REALM}_subid_range,cn=ranges,cn=etc,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: ipaIDrange
+objectClass: ipaTrustedADDomainRange
+cn: ${REALM}_subid_range
+ipaBaseID: eval($SUBID_RANGE_START)
+ipaIDRangeSize: eval($SUBID_RANGE_SIZE)
+# HACK: RIDs to work around adtrust sidgen issue
+ipaBaseRID: eval($SUBID_RANGE_START - $IDRANGE_SIZE)
+# 738065-838566 = IPA-SUB
+ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
+# HACK: "ipa-local-subid" range type causes issues with older SSSD clients
+# see https://github.com/SSSD/sssd/issues/5571
+ipaRangeType: ipa-ad-trust
+
 dn: cn=ca,$SUFFIX
 changetype: add
 objectClass: nsContainer
diff --git a/install/share/dna.ldif b/install/share/dna.ldif
index f4bff3691570eb1fe028b13b69d2cc175c7df174..649313e72fc58112865e5901125923b3704276b1 100644
--- a/install/share/dna.ldif
+++ b/install/share/dna.ldif
@@ -16,6 +16,26 @@ dnaThreshold: 500
 dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
 dnaExcludeScope: cn=provisioning,$SUFFIX
 
+dn: cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+changetype: add
+objectclass: top
+objectclass: extensibleObject
+cn: Subordinate IDs
+dnaType: ipasubuidnumber
+dnaType: ipasubgidnumber
+dnaNextValue: eval($SUBID_RANGE_START)
+dnaMaxValue: eval($SUBID_RANGE_MAX)
+dnaMagicRegen: -1
+dnaFilter: (objectClass=ipaSubordinateId)
+dnaScope: $SUFFIX
+dnaThreshold: eval($SUBID_DNA_THRESHOLD)
+# TODO: enable when 389-DS' DNA plugin supports dnaStepAttr
+# dnaStepAttr: ipaSubUidCount
+# dnaStepAttr: ipaSubGidCount
+# dnaStepAllowedValues: eval($SUBID_COUNT)
+dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
+dnaExcludeScope: cn=provisioning,$SUFFIX
+
 # Enable the DNA plugin
 dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
 changetype: modify
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index d6fbf9e3bc84bc475d7a797ff663df40da0a0efa..5f36742957505f6d695097c8aab6c73f9d59e146 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -38,6 +38,7 @@ dist_noinst_DATA =		\
 	ipa-pki-retrieve-key.in	\
 	ipa-pki-wait-running.in	\
 	ipa-acme-manage.in	\
+	ipa-subids.in	\
 	$(NULL)
 
 nodist_sbin_SCRIPTS =		\
@@ -78,6 +79,7 @@ nodist_app_SCRIPTS =		\
 	ipa-httpd-pwdreader	\
 	ipa-pki-retrieve-key	\
 	ipa-pki-wait-running	\
+	ipa-subids	\
 	$(NULL)
 
 PYTHON_SHEBANG = 					\
diff --git a/install/tools/ipa-subids.in b/install/tools/ipa-subids.in
new file mode 100644
index 0000000000000000000000000000000000000000..5c7b9f8f788e3c230253e86151cff8234161909b
--- /dev/null
+++ b/install/tools/ipa-subids.in
@@ -0,0 +1,8 @@
+#!/usr/bin/python3
+#
+# Copyright (C) 2021  FreeIPA Contributors see COPYING for license
+#
+
+from ipaserver.install.ipa_subids import IPASubids
+
+IPASubids.run_cli()
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index a4eb390b7d9ca0fb8f50245cfedec27ca2607cdd..5b49b0f6edbbbb6c802afb803a6406a0ab796c44 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -259,6 +259,33 @@ return {
                         }
                     ]
                 },
+                {
+                    name: 'subordinate',
+                    label: '@i18n:objects.subordinate.identity',
+                    fields: [
+                        {
+                            name: 'ipasubuidnumber',
+                            label: '@i18n:objects.subordinate.subuidnumber',
+                            read_only: true
+                        },
+                        {
+                            name: 'ipasubuidcount',
+                            label: '@i18n:objects.subordinate.subuidcount',
+                            read_only: true
+
+                        },
+                        {
+                            name: 'ipasubgidnumber',
+                            label: '@i18n:objects.subordinate.subgidnumber',
+                            read_only: true
+                        },
+                        {
+                            name: 'ipasubgidcount',
+                            label: '@i18n:objects.subordinate.subgidcount',
+                            read_only: true
+                        }
+                    ]
+                },
                 {
                     name: 'pwpolicy',
                     label: '@i18n:objects.pwpolicy.identity',
@@ -451,6 +478,16 @@ return {
                     enable_cond: ['is-locked'],
                     confirm_msg: '@i18n:objects.user.unlock_confirm'
                 },
+                {
+                    $factory: IPA.object_action,
+                    name: 'auto_subid',
+                    method: 'auto_subid',
+                    label: '@i18n:objects.user.auto_subid',
+                    needs_confirm: true,
+                    hide_cond: ['preserved-user'],
+                    enable_cond: ['no-subid'],
+                    confirm_msg: '@i18n:objects.user.auto_subid_confirm'
+                },
                 {
                     $type: 'automember_rebuild',
                     name: 'automember_rebuild',
@@ -461,12 +498,22 @@ return {
                     $type: 'cert_request',
                     hide_cond: ['preserved-user'],
                     title: '@i18n:objects.cert.issue_for_user'
+                },
+                {
+                    $factory: IPA.object_action,
+                    name: 'auto_subid',
+                    method: 'auto_subid',
+                    label: '@i18n:objects.user.auto_subid',
+                    needs_confirm: true,
+                    hide_cond: ['preserved-user'],
+                    enable_cond: ['no-subid'],
+                    confirm_msg: '@i18n:objects.user.auto_subid_confirm'
                 }
             ],
             header_actions: [
                 'reset_password', 'enable', 'disable', 'stage', 'undel',
                 'delete_active_user', 'delete', 'unlock', 'add_otptoken',
-                'automember_rebuild', 'request_cert'
+                'automember_rebuild', 'request_cert', 'auto_subid'
             ],
             state: {
                 evaluators: [
@@ -1159,6 +1206,10 @@ IPA.user.is_locked_evaluator = function(spec) {
             }
         }
 
+        if (!user.ipasubuidnumber) {
+            that.state.push('no-subid');
+        }
+
         that.notify_on_change(old_state);
     };
 
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 6632f105a98276d0d7e63ce249ade15501c3b673..7f83ab9f04c565a59efdd2f41c3e7ee30f5da9c7 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -272,6 +272,24 @@ add:nsIndexType: eq
 add:nsIndexType: pres
 add:nsIndexType: sub
 
+dn: cn=ipaSubGidNumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: ipaSubGidNumber
+default:objectClass: nsIndex
+default:objectClass: top
+default:nsSystemIndex: false
+add:nsIndexType: eq
+add:nsIndexType: pres
+add:nsMatchingRule: integerOrderingMatch
+
+dn: cn=ipaSubUidNumber,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+only:cn: ipaSubUidNumber
+default:objectClass: nsIndex
+default:objectClass: top
+default:nsSystemIndex: false
+add:nsIndexType: eq
+add:nsIndexType: pres
+add:nsMatchingRule: integerOrderingMatch
+
 dn: cn=ipasudorunasgroup,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 only:cn: ipasudorunasgroup
 default:objectClass: nsIndex
diff --git a/install/updates/73-subid.update b/install/updates/73-subid.update
new file mode 100644
index 0000000000000000000000000000000000000000..2aab3d445a33ae1663f81ca2d61b62ebc94aa37d
--- /dev/null
+++ b/install/updates/73-subid.update
@@ -0,0 +1,102 @@
+# subordinate ids
+
+# self-service RBAC
+dn: cn=Subordinate ID Selfservice User,cn=roles,cn=accounts,$SUFFIX
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:objectClass: top
+default:cn: Subordinate ID Selfservice User
+default:description: User that can self-request subordiante ids
+# default: member: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
+
+dn: cn=Subordinate ID Selfservice Users,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: Subordinate ID Selfservice Users
+default:description: Subordinate ID Selfservice User
+default:member: cn=Subordinate ID Selfservice User,cn=roles,cn=accounts,$SUFFIX
+
+dn: cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Self-service subordinate ID
+default:ipapermissiontype: SYSTEM
+default:member: cn=Subordinate ID Selfservice Users,cn=privileges,cn=pbac,$SUFFIX
+
+# Administrator RBAC
+dn: cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: Subordinate ID Administrators
+default:description: Subordinate ID Administrators
+default:member: cn=User Administrator,cn=roles,cn=accounts,$SUFFIX
+
+dn: cn=Manage subordinate ID,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Manage subordinate ID
+default:ipapermissiontype: SYSTEM
+default:member: cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX
+
+# ACIs (in domain database root so they also apply to staging area)
+#
+# - allow users to request new subid with DNA_MAGIC value, subid count=65536,
+#   and subgid == subuid.
+# - allow user admins to set subids. count=65536 and subgid == subuid
+#   properties are enforced as wel.
+#
+# The delete-when-empty check is required because IPA uses MOD_REPLACE to
+# set attributes, see https://github.com/389ds/389-ds-base/issues/4597.
+#
+# TODO: remove (ipasubuidnumber>=eval($SUBID_RANGE_START) from
+# self-service permission when 389-DS' DNA plugin supports dnaStepAttr and
+# fake_dna_plugin hack has been removed.
+#
+dn: $SUFFIX
+add: aci: (targetfilter = "(objectclass=posixaccount)")(targattrfilters = "add=objectClass:(|(objectClass=ipasubordinateid)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=eval($SUBID_RANGE_START))(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=eval($SUBID_RANGE_START))(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (write) userdn = "ldap:///self" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetfilter = "(objectclass=posixaccount)")(targattrfilters = "add=objectClass:(|(objectClass=ipasubordinateid)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=1)(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=1)(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "Add subordinate ids to any user";allow (write) groupdn="ldap:///cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX";)
+
+# DNA plugin and idrange configuration
+dn: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: subordinate-ids
+
+dn: cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
+default: objectclass: top
+default: objectclass: extensibleObject
+default: cn: Subordinate IDs
+default: dnaType: ipasubuidnumber
+default: dnaType: ipasubgidnumber
+default: dnaNextValue: eval($SUBID_RANGE_START)
+default: dnaMaxValue: eval($SUBID_RANGE_MAX)
+default: dnaMagicRegen: -1
+default: dnaFilter: (objectClass=ipaSubordinateId)
+default: dnaScope: $SUFFIX
+default: dnaThreshold: eval($SUBID_DNA_THRESHOLD)
+# TODO: enable when 389-DS' DNA plugin supports dnaStepAttr
+# default: dnaStepAttr: ipaSubUidCount
+# default: dnaStepAttr: ipaSubGidCount
+# default: dnaStepAllowedValues: eval($SUBID_COUNT)
+default: dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
+default: dnaExcludeScope: cn=provisioning,$SUFFIX
+default: aci: (targetattr = "dnaNextRange || dnaNextValue || dnaMaxValue")(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
+default: aci: (targetattr = "cn || dnaMaxValue || dnaNextRange || dnaNextValue  || dnaThreshold || dnaType || objectclass")(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
+
+dn: cn=${REALM}_subid_range,cn=ranges,cn=etc,$SUFFIX
+default: objectClass: top
+default: objectClass: ipaIDrange
+default: objectClass: ipaTrustedADDomainRange
+default: cn: ${REALM}_subid_range
+default: ipaBaseID: $SUBID_RANGE_START
+default: ipaIDRangeSize: $SUBID_RANGE_SIZE
+# HACK: RIDs to work around adtrust sidgen issue
+default: ipaBaseRID: eval($SUBID_RANGE_START - $IDRANGE_SIZE)
+default: ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
+# HACK: "ipa-local-subid" range type causes issues with older SSSD clients
+# see https://github.com/SSSD/sssd/issues/5571
+default: ipaRangeType: ipa-ad-trust
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 5741805a65a09c4c00ea47bf437c8821373d1e80..d4f6acba0dc83e4692edd10b8a7617915bd49e84 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -61,6 +61,7 @@ app_DATA =				\
 	71-idviews-sasl-mapping.update  \
 	72-domainlevels.update		\
 	73-custodia.update		\
+	73-subid.update		\
 	73-winsync.update		\
 	73-certmap.update		\
 	75-user-trust-attributes.update	\
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 79ea36f08cb0108a7434bc58cf0a764e9e15a7af..bee4c92fb39769d427e315116575f217924915be 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -343,3 +343,16 @@ SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC'
 # Apache's mod_ssl SSLVerifyDepth value (Maximum depth of CA
 # Certificates in Client Certificate verification)
 MOD_SSL_VERIFY_DEPTH = '5'
+
+# subuid / subgid counts are hard-coded
+# An interval of 65536 uids/gids is required to map nobody (65534).
+SUBID_COUNT = 65536
+
+# upper half of uid_t (uint32_t)
+SUBID_RANGE_START = 2 ** 31
+# theoretical max limit is UINT32_MAX-1 ((2 ** 32) - 2)
+# We use a smaller value to keep the topmost subid interval unused.
+SUBID_RANGE_MAX = (2 ** 32) - (2 * SUBID_COUNT)
+SUBID_RANGE_SIZE = SUBID_RANGE_MAX - SUBID_RANGE_START
+# threshold before DNA plugin requests a new range
+SUBID_DNA_THRESHOLD = 500 * SUBID_COUNT
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index a7a403f37db13b7cccf74dff1b92b22529170b8a..24e90f3ecf5b4669f162e1bc68a33ef9d6094514 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -36,6 +36,7 @@ from ipaserver.install import service
 from ipaserver.install import installutils
 from ipaserver.install.replication import wait_for_task
 from ipalib import errors, api
+from ipalib.constants import SUBID_RANGE_START
 from ipalib.util import normalize_zone
 from ipapython.dn import DN
 from ipapython import ipachangeconf
@@ -352,12 +353,19 @@ class ADTRUSTInstance(service.Service):
                 DN(api.env.container_ranges, self.suffix),
                 ldap.SCOPE_ONELEVEL, "(objectclass=ipaDomainIDRange)")
 
-            # Filter out ranges where RID base is already set
-            no_rid_base_set = lambda r: not any((
-                                  r.single_value.get('ipaBaseRID'),
-                                  r.single_value.get('ipaSecondaryBaseRID')))
+            ranges_with_no_rid_base = []
+            for entry in ranges:
+                sv = entry.single_value
+                if sv.get('ipaBaseRID') or sv.get('ipaSecondaryBaseRID'):
+                    # skip range where RID base is already set
+                    continue
+                if sv.get('ipaRangeType') == 'ipa-local-subid':
+                    # ignore subid ranges
+                    continue
+                ranges_with_no_rid_base.append(entry)
 
-            ranges_with_no_rid_base = [r for r in ranges if no_rid_base_set(r)]
+            logger.debug(repr(ranges))
+            logger.debug(repr(ranges_with_no_rid_base))
 
             # Return if no range is without RID base
             if len(ranges_with_no_rid_base) == 0:
@@ -384,6 +392,17 @@ class ADTRUSTInstance(service.Service):
                                "They have to differ at least by %d." % size)
                 raise RuntimeError("RID bases too close.\n")
 
+            # values above
+            if any(
+                v + size >= SUBID_RANGE_START
+                for v in (self.rid_base, self.secondary_rid_base)
+            ):
+                self.print_msg(
+                    "Ceiling of primary or secondary base is larger than "
+                    f"start of subordinate id range {SUBID_RANGE_START}."
+                )
+                raise RuntimeError("RID bases overlap with SUBID range.\n")
+
             # Modify the range
             # If the RID bases would cause overlap with some other range,
             # this will be detected by ipa-range-check DS plugin
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 6033c04109f6278cb7b6015becd507b2b4699e02..ac9e131bb1b8c6ff8aff911cb257fbb03406d603 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -23,7 +23,6 @@ from __future__ import print_function, absolute_import
 import logging
 import shutil
 import os
-import time
 import tempfile
 import fnmatch
 
@@ -46,6 +45,7 @@ from ipaserver.install import certs
 from ipaserver.install import replication
 from ipaserver.install import sysupgrade
 from ipaserver.install import upgradeinstance
+from ipaserver.install import ldapupdate
 from ipalib import api
 from ipalib import errors
 from ipalib import constants
@@ -66,6 +66,7 @@ IPA_SCHEMA_FILES = ("60kerberos.ldif",
                     "60ipaconfig.ldif",
                     "60basev2.ldif",
                     "60basev3.ldif",
+                    "60basev4.ldif",
                     "60ipapk11.ldif",
                     "60ipadns.ldif",
                     "60certificate-profiles.ldif",
@@ -214,6 +215,8 @@ class DsInstance(service.Service):
         if realm_name:
             self.suffix = ipautil.realm_to_suffix(self.realm)
             self.serverid = ipaldap.realm_to_serverid(self.realm)
+            if self.domain is None:
+                self.domain = self.realm.lower()
             self.__setup_sub_dict()
         else:
             self.suffix = DN()
@@ -497,34 +500,22 @@ class DsInstance(service.Service):
 
     def __setup_sub_dict(self):
         server_root = find_server_root()
-        try:
-            idrange_size = self.idmax - self.idstart + 1
-        except TypeError:
-            idrange_size = None
-        self.sub_dict = dict(
-            FQDN=self.fqdn, SERVERID=self.serverid,
+        self.sub_dict = ldapupdate.get_sub_dict(
+            realm=self.realm,
+            domain=self.domain,
+            suffix=self.suffix,
+            fqdn=self.fqdn,
+            idstart=self.idstart,
+            idmax=self.idmax,
+        )
+        self.sub_dict.update(
+            DOMAIN_LEVEL=self.domainlevel,
+            SERVERID=self.serverid,
             PASSWORD=self.dm_password,
             RANDOM_PASSWORD=ipautil.ipa_generate_password(),
-            SUFFIX=self.suffix,
-            REALM=self.realm, USER=DS_USER,
-            SERVER_ROOT=server_root, DOMAIN=self.domain,
-            TIME=int(time.time()), IDSTART=self.idstart,
-            IDMAX=self.idmax, HOST=self.fqdn,
-            ESCAPED_SUFFIX=str(self.suffix),
+            USER=DS_USER,
             GROUP=DS_GROUP,
-            IDRANGE_SIZE=idrange_size,
-            DOMAIN_LEVEL=self.domainlevel,
-            MAX_DOMAIN_LEVEL=constants.MAX_DOMAIN_LEVEL,
-            MIN_DOMAIN_LEVEL=constants.MIN_DOMAIN_LEVEL,
-            STRIP_ATTRS=" ".join(replication.STRIP_ATTRS),
-            EXCLUDES='(objectclass=*) $ EXCLUDE ' +
-            ' '.join(replication.EXCLUDES),
-            TOTAL_EXCLUDES='(objectclass=*) $ EXCLUDE ' +
-            ' '.join(replication.TOTAL_EXCLUDES),
-            DEFAULT_SHELL=platformconstants.DEFAULT_SHELL,
-            DEFAULT_ADMIN_SHELL=platformconstants.DEFAULT_ADMIN_SHELL,
-            SELINUX_USERMAP_DEFAULT=platformconstants.SELINUX_USERMAP_DEFAULT,
-            SELINUX_USERMAP_ORDER=platformconstants.SELINUX_USERMAP_ORDER,
+            SERVER_ROOT=server_root,
         )
 
     def __create_instance(self):
diff --git a/ipaserver/install/ipa_subids.py b/ipaserver/install/ipa_subids.py
new file mode 100644
index 0000000000000000000000000000000000000000..ac77a4008aec58d92c8b24df5e00b83c6998401f
--- /dev/null
+++ b/ipaserver/install/ipa_subids.py
@@ -0,0 +1,154 @@
+#
+# Copyright (C) 2021  FreeIPA Contributors see COPYING for license
+#
+
+import logging
+
+from ipalib import api
+from ipalib import errors
+from ipalib.facts import is_ipa_configured
+from ipaplatform.paths import paths
+from ipapython.admintool import AdminTool, ScriptError
+from ipapython.dn import DN
+from ipaserver.plugins.baseldap import DNA_MAGIC
+
+logger = logging.getLogger(__name__)
+
+
+class IPASubids(AdminTool):
+    command_name = "ipa-subids"
+    usage = "%prog [--group GROUP|--all-users]"
+    description = "Mass-assign subordinate ids to users"
+
+    @classmethod
+    def add_options(cls, parser):
+        super(IPASubids, cls).add_options(parser, debug_option=True)
+        parser.add_option(
+            "--group",
+            dest="group",
+            action="store",
+            default=None,
+            help="Updates members of a user group.",
+        )
+        parser.add_option(
+            "--all-users",
+            dest="all_users",
+            action="store_true",
+            default=False,
+            help="Update all users.",
+        )
+        parser.add_option(
+            "--filter",
+            dest="user_filter",
+            action="store",
+            default="(!(nsaccountlock=TRUE))",
+            help="Additional raw LDAP filter (default: active users).",
+        )
+        parser.add_option(
+            "--dry-run",
+            dest="dry_run",
+            action="store_true",
+            default=False,
+            help="Dry run mode.",
+        )
+
+    def validate_options(self, neends_root=False):
+        super().validate_options(needs_root=True)
+        opt = self.safe_options
+
+        if opt.all_users and opt.group:
+            raise ScriptError("--group and --all-users are mutually exclusive")
+        if not opt.all_users and not opt.group:
+            raise ScriptError("Either --group or --all-users required")
+
+    def get_group_info(self):
+        assert api.isdone("finalize")
+        group = self.safe_options.group
+        if group is None:
+            return None
+        try:
+            result = api.Command.group_show(group, no_members=True)
+            return result["result"]
+        except errors.NotFound:
+            raise ScriptError(f"Unknown users group '{group}'.")
+
+    def make_filter(self, groupinfo, user_filter):
+        filters = [
+            # only users with posixAccount
+            "(objectClass=posixAccount)",
+            # without subordinate ids
+            "(!(objectClass=ipaSubordinateId))",
+        ]
+        if groupinfo is not None:
+            filters.append(
+                self.ldap2.make_filter({"memberof": groupinfo["dn"]})
+            )
+        if user_filter:
+            filters.append(user_filter)
+        return self.ldap2.combine_filters(filters, self.ldap2.MATCH_ALL)
+
+    def search_users(self, filters):
+        users_dn = DN(api.env.container_user, api.env.basedn)
+        attrs = ["objectclass", "uid", "uidnumber"]
+
+        logger.debug("basedn: %s", users_dn)
+        logger.debug("attrs: %s", attrs)
+        logger.debug("filter: %s", filters)
+
+        try:
+            entries = self.ldap2.get_entries(
+                base_dn=users_dn,
+                filter=filters,
+                attrs_list=attrs,
+            )
+        except errors.NotFound:
+            logger.debug("No entries found")
+            return []
+        else:
+            return entries
+
+    def run(self):
+        if not is_ipa_configured():
+            print("IPA is not configured.")
+            return 2
+
+        api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
+        api.finalize()
+        api.Backend.ldap2.connect()
+        self.ldap2 = api.Backend.ldap2
+        user_obj = api.Object["user"]
+
+        dry_run = self.safe_options.dry_run
+        group_info = self.get_group_info()
+        filters = self.make_filter(
+            group_info, self.safe_options.user_filter
+        )
+
+        entries = self.search_users(filters)
+        total = len(entries)
+        logger.info("Found %i user(s) without subordinate ids", total)
+
+        total = len(entries)
+        for i, entry in enumerate(entries, start=1):
+            logger.info(
+                "  Processing user '%s' (%i/%i)",
+                entry.single_value["uid"],
+                i,
+                total
+            )
+            user_obj.set_subordinate_ids(
+                self.ldap2, entry.dn, entry, DNA_MAGIC
+            )
+            if not dry_run:
+                self.ldap2.update_entry(entry)
+
+        if dry_run:
+            logger.info("Dry run mode, no user was modified")
+        else:
+            logger.info("Updated %s user(s)", total)
+
+        return 0
+
+
+if __name__ == "__main__":
+    IPASubids.run_cli()
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index f21e5a5af465be37541b9fbdddaf800b73f80b71..d0516dc3028366df5d03a960866abe72601aa4b6 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -32,9 +32,9 @@ import os
 import fnmatch
 import warnings
 
+from pysss_murmur import murmurhash3  # pylint: disable=no-name-in-module
 import six
 
-from ipaserver.install import installutils
 from ipapython import ipautil, ipaldap
 from ipalib import errors
 from ipalib import api, create_api
@@ -43,6 +43,7 @@ from ipaplatform.constants import constants as platformconstants
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
 from ipapython.dn import DN
+from ipaserver.install import installutils, replication
 
 if six.PY3:
     unicode = str
@@ -53,6 +54,54 @@ UPDATES_DIR=paths.UPDATES_DIR
 UPDATE_SEARCH_TIME_LIMIT = 30  # seconds
 
 
+def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
+    """LDAP template substitution dict for installer and updater
+    """
+    if idstart is None:
+        idrange_size = None
+    else:
+        idrange_size = idmax - idstart + 1
+
+    return dict(
+        REALM=realm,
+        DOMAIN=domain,
+        SUFFIX=suffix,
+        ESCAPED_SUFFIX=str(suffix),
+        FQDN=fqdn,
+        HOST=fqdn,
+        LIBARCH=paths.LIBARCH,
+        TIME=int(time.time()),
+        FIPS="#" if tasks.is_fips_enabled() else "",
+        # idstart, idmax, and idrange_size may be None
+        IDSTART=idstart,
+        IDMAX=idmax,
+        IDRANGE_SIZE=idrange_size,
+        SUBID_COUNT=constants.SUBID_COUNT,
+        SUBID_RANGE_START=constants.SUBID_RANGE_START,
+        SUBID_RANGE_SIZE=constants.SUBID_RANGE_SIZE,
+        SUBID_RANGE_MAX=constants.SUBID_RANGE_MAX,
+        SUBID_DNA_THRESHOLD=constants.SUBID_DNA_THRESHOLD,
+        DOMAIN_HASH=murmurhash3(domain, len(domain), 0xdeadbeef),
+        MAX_DOMAIN_LEVEL=constants.MAX_DOMAIN_LEVEL,
+        MIN_DOMAIN_LEVEL=constants.MIN_DOMAIN_LEVEL,
+        STRIP_ATTRS=" ".join(replication.STRIP_ATTRS),
+        EXCLUDES=(
+            '(objectclass=*) $ EXCLUDE ' + ' '.join(replication.EXCLUDES)
+        ),
+        TOTAL_EXCLUDES=(
+            '(objectclass=*) $ EXCLUDE '
+            + ' '.join(replication.TOTAL_EXCLUDES)
+        ),
+        DEFAULT_SHELL=platformconstants.DEFAULT_SHELL,
+        DEFAULT_ADMIN_SHELL=platformconstants.DEFAULT_ADMIN_SHELL,
+        SELINUX_USERMAP_DEFAULT=platformconstants.SELINUX_USERMAP_DEFAULT,
+        SELINUX_USERMAP_ORDER=platformconstants.SELINUX_USERMAP_ORDER,
+        # uid / gid for autobind
+        NAMED_UID=platformconstants.NAMED_USER.uid,
+        NAMED_GID=platformconstants.NAMED_GROUP.gid,
+    )
+
+
 def connect(ldapi=False, realm=None, fqdn=None):
     """Create a connection for updates"""
     if ldapi:
@@ -284,35 +333,33 @@ class LDAPUpdate:
             ldap_uri=self.ldapuri
         )
         self.api.finalize()
-
         self.create_connection()
 
+        # get ipa-local domain idrange settings
+        domain_range = f"{self.api.env.realm}_id_range"
+        try:
+            result = self.api.Command.idrange_show(domain_range)["result"]
+        except errors.NotFound:
+            idstart = None
+            idmax = None
+        else:
+            idstart = int(result['ipabaseid'][0])
+            idrange_size = int(result['ipaidrangesize'][0])
+            idmax = idstart + idrange_size - 1
+
+        default_sub = get_sub_dict(
+            realm=api.env.realm,
+            domain=api.env.domain,
+            suffix=api.env.basedn,
+            fqdn=api.env.host,
+            idstart=idstart,
+            idmax=idmax,
+        )
         replication_plugin = (
             installutils.get_replication_plugin_name(self.conn.get_entry)
         )
+        default_sub["REPLICATION_PLUGIN"] = replication_plugin
 
-        default_sub = dict(
-            REALM=api.env.realm,
-            DOMAIN=api.env.domain,
-            SUFFIX=api.env.basedn,
-            ESCAPED_SUFFIX=str(api.env.basedn),
-            FQDN=api.env.host,
-            LIBARCH=paths.LIBARCH,
-            TIME=int(time.time()),
-            MIN_DOMAIN_LEVEL=str(constants.MIN_DOMAIN_LEVEL),
-            MAX_DOMAIN_LEVEL=str(constants.MAX_DOMAIN_LEVEL),
-            STRIP_ATTRS=" ".join(constants.REPL_AGMT_STRIP_ATTRS),
-            EXCLUDES="(objectclass=*) $ EXCLUDE %s" % (
-                " ".join(constants.REPL_AGMT_EXCLUDES)
-            ),
-            TOTAL_EXCLUDES="(objectclass=*) $ EXCLUDE %s" % (
-                " ".join(constants.REPL_AGMT_TOTAL_EXCLUDES)
-            ),
-            SELINUX_USERMAP_DEFAULT=platformconstants.SELINUX_USERMAP_DEFAULT,
-            SELINUX_USERMAP_ORDER=platformconstants.SELINUX_USERMAP_ORDER,
-            FIPS="#" if tasks.is_fips_enabled() else "",
-            REPLICATION_PLUGIN=replication_plugin,
-        )
         for k, v in default_sub.items():
             self.sub_dict.setdefault(k, v)
 
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 6035228f19ef8acaf4992490d5512c126881816d..12ff03c2302ff08aabb9369306965e0c125724f8 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -17,9 +17,10 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import random
 import six
 
-from ipalib import api, errors
+from ipalib import api, errors, output, constants
 from ipalib import (
     Flag, Int, Password, Str, Bool, StrEnum, DateTime, DNParam)
 from ipalib.parameters import Principal, Certificate
@@ -27,13 +28,13 @@ from ipalib.plugable import Registry
 from .baseldap import (
     DN, LDAPObject, LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete,
     LDAPRetrieve, LDAPAddAttribute, LDAPModAttribute, LDAPRemoveAttribute,
-    LDAPAddMember, LDAPRemoveMember,
+    LDAPQuery, LDAPAddMember, LDAPRemoveMember,
     LDAPAddAttributeViaOption, LDAPRemoveAttributeViaOption,
-    add_missing_object_class)
+    add_missing_object_class, DNA_MAGIC, pkey_to_value, entry_to_dict
+)
 from ipaserver.plugins.service import (validate_realm, normalize_principal)
 from ipalib.request import context
 from ipalib import _
-from ipalib.constants import PATTERN_GROUPUSER_NAME
 from ipapython import kerberos
 from ipapython.ipautil import ipa_generate_password, TMP_PWD_ENTROPY_BITS
 from ipapython.ipavalidate import Email
@@ -161,7 +162,7 @@ class baseuser(LDAPObject):
     possible_objectclasses = [
         'meporiginentry', 'ipauserauthtypeclass', 'ipauser',
         'ipatokenradiusproxyuser', 'ipacertmapobject',
-        'ipantuserattrs'
+        'ipantuserattrs', 'ipasubordinateid',
     ]
     disallow_object_classes = ['krbticketpolicyaux']
     permission_filter_objectclasses = ['posixaccount']
@@ -175,13 +176,15 @@ class baseuser(LDAPObject):
         'krbprincipalexpiration', 'usercertificate;binary',
         'krbprincipalname', 'krbcanonicalname',
         'ipacertmapdata', 'ipantlogonscript', 'ipantprofilepath',
-        'ipanthomedirectory', 'ipanthomedirectorydrive'
+        'ipanthomedirectory', 'ipanthomedirectorydrive',
     ]
     search_display_attributes = [
         'uid', 'givenname', 'sn', 'homedirectory', 'krbcanonicalname',
         'krbprincipalname', 'loginshell',
         'mail', 'telephonenumber', 'title', 'nsaccountlock',
         'uidnumber', 'gidnumber', 'sshpubkeyfp',
+        'ipasubuidnumber', 'ipasubuidcount', 'ipasubgidnumber',
+        'ipasubgidcount',
     ]
     uuid_attribute = 'ipauniqueid'
     attribute_members = {
@@ -198,7 +201,7 @@ class baseuser(LDAPObject):
 
     takes_params = (
         Str('uid',
-            pattern=PATTERN_GROUPUSER_NAME,
+            pattern=constants.PATTERN_GROUPUSER_NAME,
             pattern_errmsg='may only include letters, numbers, _, -, . and $',
             maxlength=255,
             cli_name='login',
@@ -429,6 +432,41 @@ class baseuser(LDAPObject):
                     'J:', 'K:', 'L:', 'M:', 'N:', 'O:', 'P:', 'Q:', 'R:',
                     'S:', 'T:', 'U:', 'V:', 'W:', 'X:', 'Y:', 'Z:'),
                 ),
+        Int(
+            'ipasubuidnumber?',
+            label=_('SubUID range start'),
+            cli_name='subuid',
+            doc=_('Start value for subordinate user ID (subuid) range'),
+            minvalue=constants.SUBID_RANGE_START,
+            maxvalue=constants.SUBID_RANGE_MAX,
+        ),
+        Int(
+            'ipasubuidcount?',
+            label=_('SubUID range size'),
+            cli_name='subuidcount',
+            doc=_('Subordinate user ID count'),
+            flags={'no_create', 'no_update', 'no_search'},
+            minvalue=constants.SUBID_COUNT,
+            maxvalue=constants.SUBID_COUNT,
+        ),
+        Int(
+            'ipasubgidnumber?',
+            label=_('SubGID range start'),
+            cli_name='subgid',
+            doc=_('Start value for subordinate group ID (subgid) range'),
+            flags={'no_create', 'no_update'},
+            minvalue=constants.SUBID_RANGE_START,
+            maxvalue=constants.SUBID_RANGE_MAX,
+        ),
+        Int(
+            'ipasubgidcount?',
+            label=_('SubGID range size'),
+            cli_name='subgidcount',
+            doc=_('Subordinate group ID count'),
+            flags={'no_create', 'no_update', 'no_search'},
+            minvalue=constants.SUBID_COUNT,
+            maxvalue=constants.SUBID_COUNT,
+        ),
     )
 
     def normalize_and_validate_email(self, email, config=None):
@@ -526,6 +564,131 @@ class baseuser(LDAPObject):
         except KeyError:
             pass
 
+    def handle_subordinate_ids(self, ldap, dn, entry_attrs):
+        """Handle ipaSubordinateId object class
+        """
+        obj_classes = entry_attrs.get("objectclass")
+        new_subuid = entry_attrs.single_value.get("ipasubuidnumber")
+        new_subgid = entry_attrs.single_value.get("ipasubgidnumber")
+
+        # entry has object class ipaSubordinateId
+        # default to auto-assigment of subuids
+        if (
+            new_subuid is None
+            and obj_classes is not None
+            and self.has_objectclass(obj_classes, "ipasubordinateid")
+        ):
+            new_subuid = DNA_MAGIC
+
+        # neither auto-assignment nor explicit assignment
+        if new_subuid is None:
+            # nothing to do
+            return False
+
+        # enforce subuid == subgid
+        if new_subgid is not None and new_subgid != new_subuid:
+            raise errors.ValidationError(
+                name="ipasubgidnumber",
+                error=_("subgidnumber must be equal to subuidnumber")
+            )
+
+        self.set_subordinate_ids(ldap, dn, entry_attrs, new_subuid)
+        return True
+
+    def set_subordinate_ids(self, ldap, dn, entry_attrs, subuid):
+        """Set subuid value of an entry
+
+        Takes care of objectclass and sibbling attributes
+        """
+        if "objectclass" in entry_attrs:
+            obj_classes = entry_attrs["objectclass"]
+        else:
+            _entry_attrs = ldap.get_entry(dn, ["objectclass"])
+            entry_attrs["objectclass"] = _entry_attrs["objectclass"]
+            obj_classes = entry_attrs["objectclass"]
+
+        if not self.has_objectclass(obj_classes, "ipasubordinateid"):
+            # could append ipasubordinategid and ipasubordinateuid, too
+            obj_classes.append("ipasubordinateid")
+
+        # XXX HACK, remove later
+        if subuid == DNA_MAGIC:
+            subuid = self._fake_dna_plugin(ldap, dn, entry_attrs)
+
+        entry_attrs["ipasubuidnumber"] = subuid
+        # enforice subuid == subgid for now
+        entry_attrs["ipasubgidnumber"] = subuid
+        # hard-coded constants
+        entry_attrs["ipasubuidcount"] = constants.SUBID_COUNT
+        entry_attrs["ipasubgidcount"] = constants.SUBID_COUNT
+
+    def get_subid_match_candidate_filter(
+        self, ldap, *, subuid, subgid, extra_filters=(), offset=None,
+    ):
+        """Create LDAP filter to locate matching/overlapping subids
+        """
+        if subuid is None and subgid is None:
+            raise ValueError("subuid and subgid are both None")
+        if offset is None:
+            # assumes that no subordinate count is larger than SUBID_COUNT
+            offset = constants.SUBID_COUNT - 1
+
+        class_filters = "(objectclass=ipasubordinateid)"
+        subid_filters = []
+        if subuid is not None:
+            subid_filters.append(
+                ldap.combine_filters(
+                    [
+                        f"(ipasubuidnumber>={subuid - offset})",
+                        f"(ipasubuidnumber<={subuid + offset})",
+                    ],
+                    rules=ldap.MATCH_ALL
+                )
+            )
+        if subgid is not None:
+            subid_filters.append(
+                ldap.combine_filters(
+                    [
+                        f"(ipasubgidnumber>={subgid - offset})",
+                        f"(ipasubgidnumber<={subgid + offset})",
+                    ],
+                    rules=ldap.MATCH_ALL
+                )
+            )
+
+        subid_filters = ldap.combine_filters(
+            subid_filters, rules=ldap.MATCH_ANY
+        )
+        filters = [class_filters, subid_filters]
+        filters.extend(extra_filters)
+        return ldap.combine_filters(filters, rules=ldap.MATCH_ALL)
+
+    def _fake_dna_plugin(self, ldap, dn, entry_attrs):
+        """XXX HACK, remove when 389-DS DNA plugin supports steps"""
+        uidnumber = entry_attrs.single_value.get("uidnumber")
+        if uidnumber is None:
+            entry = ldap.get_entry(dn, ["uidnumber"])
+            uidnumber = entry.single_value["uidnumber"]
+        uidnumber = int(uidnumber)
+
+        if uidnumber == DNA_MAGIC:
+            return (
+                3221225472
+                + random.randint(1, 16382) * constants.SUBID_COUNT
+            )
+
+        if not hasattr(context, "idrange_ipabaseid"):
+            range_name = f"{self.api.env.realm}_id_range"
+            range = self.api.Command.idrange_show(range_name)["result"]
+            context.idrange_ipabaseid = int(range["ipabaseid"][0])
+
+        range_start = context.idrange_ipabaseid
+
+        assert uidnumber >= range_start
+        assert uidnumber < range_start + 2**14
+
+        return (uidnumber - range_start) * constants.SUBID_COUNT + 2**31
+
 
 class baseuser_add(LDAPCreate):
     """
@@ -536,6 +699,7 @@ class baseuser_add(LDAPCreate):
         assert isinstance(dn, DN)
         set_krbcanonicalname(entry_attrs)
         self.obj.convert_usercertificate_pre(entry_attrs)
+        self.obj.handle_subordinate_ids(ldap, dn, entry_attrs)
         if entry_attrs.get('ipatokenradiususername', None):
             add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
                                      entry_attrs, update=False)
@@ -688,6 +852,7 @@ class baseuser_mod(LDAPUpdate):
 
         self.check_objectclass(ldap, dn, entry_attrs)
         self.obj.convert_usercertificate_pre(entry_attrs)
+        self.obj.handle_subordinate_ids(ldap, dn, entry_attrs)
         self.preserve_krbprincipalname_pre(ldap, entry_attrs, *keys, **options)
         update_samba_attrs(ldap, dn, entry_attrs, **options)
 
@@ -968,3 +1133,98 @@ class baseuser_remove_certmapdata(ModCertMapData,
                                   LDAPRemoveAttribute):
     __doc__ = _("Remove one or more certificate mappings from the user entry.")
     msg_summary = _('Removed certificate mappings from user "%(value)s"')
+
+
+class baseuser_auto_subid(LDAPQuery):
+    __doc__ = _("Auto-assign subuid and subgid range to user entry")
+
+    has_output = output.standard_entry
+
+    def execute(self, cn, **options):
+        ldap = self.obj.backend
+        dn = self.obj.get_dn(cn)
+
+        try:
+            entry_attrs = ldap.get_entry(
+                dn, ["objectclass", "ipasubuidnumber"]
+            )
+        except errors.NotFound:
+            raise self.obj.handle_not_found(cn)
+
+        if "ipasubuidnumber" in entry_attrs:
+            raise errors.AlreadyContainsValueError(attr="ipasubuidnumber")
+
+        self.obj.set_subordinate_ids(ldap, dn, entry_attrs, subuid=DNA_MAGIC)
+        ldap.update_entry(entry_attrs)
+
+        # fetch updated entry (use search display attribute to show subids)
+        if options.get('all', False):
+            attrs_list = ['*'] + self.obj.search_display_attributes
+        else:
+            attrs_list = set(self.obj.search_display_attributes)
+            attrs_list.update(entry_attrs.keys())
+            if options.get('no_members', False):
+                attrs_list.difference_update(self.obj.attribute_members)
+            attrs_list = list(attrs_list)
+
+        entry = self._exc_wrapper((cn,), options, ldap.get_entry)(
+            dn, attrs_list
+        )
+        entry_attrs = entry_to_dict(entry, **options)
+        entry_attrs['dn'] = dn
+
+        return dict(result=entry_attrs, value=pkey_to_value(cn, options))
+
+
+class baseuser_match_subid(baseuser_find):
+    __doc__ = _("Match users by any subordinate uid in their range")
+
+    _subid_attrs = {
+        "ipasubuidnumber",
+        "ipasubuidcount",
+        "ipasubgidnumber",
+        "ipasubgidcount"
+    }
+
+    def get_options(self):
+        base_options = {p.name for p in self.obj.takes_params}
+        for option in super().get_options():
+            if option.name == "ipasubuidnumber":
+                yield option.clone(
+                    label=_('SubUID match'),
+                    doc=_('Match value for subordinate user ID'),
+                    required=True,
+                )
+            elif option.name not in base_options:
+                # raw, version
+                yield option.clone()
+
+    def pre_callback(
+        self, ldap, filters, attrs_list, base_dn, scope, *args, **options
+    ):
+        # search for candidates in range
+        # Code assumes that no subordinate count is larger than SUBID_COUNT
+        filters = self.obj.get_subid_match_candidate_filter(
+            ldap, subuid=options["ipasubuidnumber"], subgid=None,
+        )
+        # always include subid attributes
+        for missing in self._subid_attrs.difference(attrs_list):
+            attrs_list.append(missing)
+
+        return filters, base_dn, scope
+
+    def post_callback(self, ldap, entries, truncated, *args, **options):
+        # filter out mismatches manually
+        osubuid = options["ipasubuidnumber"]
+        new_entries = []
+        for entry in entries:
+            esubuid = int(entry.single_value["ipasubuidnumber"])
+            esubcount = int(entry.single_value["ipasubuidcount"])
+            minsubuid = esubuid
+            maxsubuid = esubuid + esubcount - 1
+            if minsubuid <= osubuid <= maxsubuid:
+                new_entries.append(entry)
+
+        entries[:] = new_entries
+
+        return truncated
diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py
index 32b9c0c2d01b616d76505fc06fa9b6e5e209b234..3e486b8e27cfb12f2e4732fc1ee113f25dfbac5b 100644
--- a/ipaserver/plugins/idrange.py
+++ b/ipaserver/plugins/idrange.py
@@ -205,6 +205,7 @@ class idrange(LDAPObject):
     # The commented range types are planned but not yet supported
     range_types = {
         u'ipa-local': unicode(_('local domain range')),
+        # u'ipa-local-subid': unicode(_('local domain subid range')),
         # u'ipa-ad-winsync': unicode(_('Active Directory winsync range')),
         u'ipa-ad-trust': unicode(_('Active Directory domain range')),
         u'ipa-ad-trust-posix': unicode(_('Active Directory trust range with '
@@ -221,10 +222,14 @@ class idrange(LDAPObject):
         Int('ipabaseid',
             cli_name='base_id',
             label=_("First Posix ID of the range"),
+            minvalue=1,
+            maxvalue=Int.MAX_UINT32
         ),
         Int('ipaidrangesize',
             cli_name='range_size',
             label=_("Number of IDs in the range"),
+            minvalue=1,
+            maxvalue=Int.MAX_UINT32
         ),
         Int('ipabaserid?',
             cli_name='rid_base',
@@ -669,7 +674,10 @@ class idrange_mod(LDAPUpdate):
         except errors.NotFound:
             raise self.obj.handle_not_found(*keys)
 
-        if old_attrs['iparangetype'][0] == 'ipa-local':
+        if (
+            old_attrs['iparangetype'][0] in {'ipa-local', 'ipa-local-subid'}
+            or old_attrs['cn'][0] == f'{self.api.env.realm}_subid_range'
+        ):
             raise errors.ExecutionError(
                 message=_('This command can not be used to change ID '
                           'allocation for local IPA domain. Run '
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
index 70164eb8654d211523c98722a02b77ee13eb0009..199838b199eb4cdabf597bd34d571d05547fd32e 100644
--- a/ipaserver/plugins/internal.py
+++ b/ipaserver/plugins/internal.py
@@ -1547,6 +1547,13 @@ class i18n_messages(Command):
                     "Drive to mount a home directory"
                 ),
             },
+            "subordinate": {
+                "identity": _("Subordinate user and group id"),
+                "subuidnumber": _("Subordinate user id"),
+                "subuidcount": _("Subordinate user id count"),
+                "subgidnumber": _("Subordinate group id"),
+                "subgidcount": _("Subordinate group id count"),
+            },
             "trustconfig": {
                 "options": _("Options"),
             },
@@ -1570,6 +1577,11 @@ class i18n_messages(Command):
                 "add_into_sudo": _(
                     "Add user '${primary_key}' into sudo rules"
                 ),
+                "auto_subid": _("Auto assign subordinate ids"),
+                "auto_subid_confirm": _(
+                    "Are you sure you want to auto-assign a subordinate id "
+                    "to user ${object}?"
+                ),
                 "contact": _("Contact Settings"),
                 "delete_mode": _("Delete mode"),
                 "employee": _("Employee Information"),
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index e4ee572b236c288fd7dcf1d44c5adf1f836f63aa..f89b3ad5d9c994fe1ceb3da560fde7cc5bf5155a 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -50,7 +50,10 @@ from .baseuser import (
     baseuser_add_principal,
     baseuser_remove_principal,
     baseuser_add_certmapdata,
-    baseuser_remove_certmapdata)
+    baseuser_remove_certmapdata,
+    baseuser_auto_subid,
+    baseuser_match_subid,
+)
 from .idviews import remove_ipaobject_overrides
 from ipalib.plugable import Registry
 from .baseldap import (
@@ -202,6 +205,8 @@ class user(baseuser):
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
                 'ipauniqueid', 'ipasshpubkey', 'ipauserauthtype', 'userclass',
+                'ipasubuidnumber', 'ipasubuidcount', 'ipasubgidnumber',
+                'ipasubgidcount',
             },
             'fixup_function': fix_addressbook_permission_bindrule,
         },
@@ -1306,3 +1311,13 @@ class user_add_principal(baseuser_add_principal):
 class user_remove_principal(baseuser_remove_principal):
     __doc__ = _('Remove principal alias from the user entry')
     msg_summary = _('Removed aliases from user "%(value)s"')
+
+
+@register()
+class user_auto_subid(baseuser_auto_subid):
+    __doc__ = baseuser_auto_subid.__doc__
+
+
+@register()
+class user_match_subid(baseuser_match_subid):
+    __doc__ = baseuser_match_subid.__doc__
diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
index a66b56ad8f62a458e9cc240440e7d222c32c599f..6ddd155c9967fa248581a59c68dfe547a34be623 100644
--- a/ipatests/prci_definitions/gating.yaml
+++ b/ipatests/prci_definitions/gating.yaml
@@ -298,3 +298,15 @@ jobs:
         template: *ci-ipa-4-9-latest
         timeout: 3600
         topology: *master_1repl
+
+  fedora-latest-ipa-4-9/test_subids:
+    requires: [fedora-latest-ipa-4-9/build]
+    priority: 100
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-latest-ipa-4-9/build_url}'
+        test_suite: test_integration/test_subids.py
+        template: *ci-ipa-4-9-latest
+        timeout: 3600
+        topology: *master_1repl
diff --git a/ipatests/test_integration/test_subids.py b/ipatests/test_integration/test_subids.py
new file mode 100644
index 0000000000000000000000000000000000000000..b462f22ac067f3e1e97ef3f6d63d4e14e4ae79af
--- /dev/null
+++ b/ipatests/test_integration/test_subids.py
@@ -0,0 +1,201 @@
+#
+# Copyright (C) 2021  FreeIPA Contributors see COPYING for license
+#
+
+"""Tests for subordinate ids
+"""
+import os
+
+from ipalib.constants import SUBID_COUNT, SUBID_RANGE_START, SUBID_RANGE_MAX
+from ipaplatform.paths import paths
+from ipatests.pytest_ipa.integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+
+
+class TestSubordinateId(IntegrationTest):
+    num_replicas = 0
+    topology = "star"
+
+    def _parse_result(self, result):
+        info = {}
+        for line in result.stdout_text.split("\n"):
+            line = line.strip()
+            if line:
+                if ":" not in line:
+                    continue
+                k, v = line.split(":", 1)
+                k = k.strip()
+                v = v.strip()
+                try:
+                    v = int(v, 10)
+                except ValueError:
+                    if v == "FALSE":
+                        v = False
+                    elif v == "TRUE":
+                        v = True
+                info.setdefault(k.lower(), []).append(v)
+
+        for k, v in info.items():
+            if len(v) == 1:
+                info[k] = v[0]
+            else:
+                info[k] = set(v)
+        return info
+
+    def get_user(self, uid):
+        cmd = ["ipa", "user-show", "--all", "--raw", uid]
+        result = self.master.run_command(cmd)
+        return self._parse_result(result)
+
+    def user_auto_subid(self, uid, **kwargs):
+        cmd = ["ipa", "user-auto-subid", uid]
+        return self.master.run_command(cmd, **kwargs)
+
+    def test_auto_subid(self):
+        tasks.kinit_admin(self.master)
+        uid = "testuser_auto1"
+        tasks.user_add(self.master, uid)
+        info = self.get_user(uid)
+        assert "ipasubuidcount" not in info
+
+        self.user_auto_subid(uid)
+        info = self.get_user(uid)
+        assert "ipasubuidcount" in info
+
+        subuid = info["ipasubuidnumber"]
+        result = self.master.run_command(
+            ["ipa", "user-match-subid", f"--subuid={subuid}", "--raw"]
+        )
+        match = self._parse_result(result)
+        assert match["uid"] == uid
+        assert match["ipasubuidnumber"] == info["ipasubuidnumber"]
+        assert match["ipasubuidnumber"] >= SUBID_RANGE_START
+        assert match["ipasubuidnumber"] <= SUBID_RANGE_MAX
+        assert match["ipasubuidcount"] == SUBID_COUNT
+        assert match["ipasubgidnumber"] == info["ipasubgidnumber"]
+        assert match["ipasubgidnumber"] == match["ipasubuidnumber"]
+        assert match["ipasubgidcount"] == SUBID_COUNT
+
+    def test_ipa_subid_script(self):
+        tasks.kinit_admin(self.master)
+
+        tool = os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-subids")
+        users = []
+        for i in range(1, 11):
+            uid = f"testuser_script{i}"
+            users.append(uid)
+            tasks.user_add(self.master, uid)
+            info = self.get_user(uid)
+            assert "ipasubuidcount" not in info
+
+        cmd = [tool, "--verbose", "--group", "ipausers"]
+        self.master.run_command(cmd)
+
+        for uid in users:
+            info = self.get_user(uid)
+            assert info["ipasubuidnumber"] >= SUBID_RANGE_START
+            assert info["ipasubuidnumber"] <= SUBID_RANGE_MAX
+            assert info["ipasubuidnumber"] == info["ipasubgidnumber"]
+            assert info["ipasubuidcount"] == SUBID_COUNT
+            assert info["ipasubuidcount"] == info["ipasubgidcount"]
+
+    def test_subid_selfservice(self):
+        tasks.kinit_admin(self.master)
+
+        uid = "testuser_selfservice1"
+        password = "Secret123"
+        role = "Subordinate ID Selfservice User"
+
+        tasks.user_add(self.master, uid, password=password)
+        tasks.kinit_user(
+            self.master, uid, f"{password}\n{password}\n{password}\n"
+        )
+        info = self.get_user(uid)
+        assert "ipasubuidcount" not in info
+        result = self.user_auto_subid(uid, raiseonerr=False)
+        assert result.returncode > 0
+
+        tasks.kinit_admin(self.master)
+        self.master.run_command(
+            ["ipa", "role-add-member", role, "--groups=ipausers"]
+        )
+
+        try:
+            tasks.kinit_user(self.master, uid, password)
+            self.user_auto_subid(uid)
+            info = self.get_user(uid)
+            assert "ipasubuidcount" in info
+        finally:
+            tasks.kinit_admin(self.master)
+            self.master.run_command(
+                ["ipa", "role-remove-member", role, "--groups=ipausers"]
+            )
+
+    def test_subid_useradmin(self):
+        tasks.kinit_admin(self.master)
+
+        uid_useradmin = "testuser_usermgr_mgr1"
+        role = "User Administrator"
+        uid = "testuser_usermgr_user1"
+        password = "Secret123"
+
+        # create user administrator
+        tasks.user_add(self.master, uid_useradmin, password=password)
+        # add user to user admin group
+        tasks.kinit_admin(self.master)
+        self.master.run_command(
+            ["ipa", "role-add-member", role, f"--users={uid_useradmin}"],
+        )
+        # kinit as user admin
+        tasks.kinit_user(
+            self.master,
+            uid_useradmin,
+            f"{password}\n{password}\n{password}\n",
+        )
+        # create new user as user admin
+        tasks.user_add(self.master, uid)
+        # assign new subid to user (with useradmin credentials)
+        self.user_auto_subid(uid)
+
+    def test_subordinate_default_objclass(self):
+        tasks.kinit_admin(self.master)
+
+        result = self.master.run_command(
+            ["ipa", "config-show", "--raw", "--all"]
+        )
+        info = self._parse_result(result)
+        usercls = info["ipauserobjectclasses"]
+        assert "ipasubordinateid" not in usercls
+
+        cmd = [
+            "ipa",
+            "config-mod",
+            "--addattr",
+            "ipaUserObjectClasses=ipasubordinateid",
+        ]
+        self.master.run_command(cmd)
+
+        uid = "testuser_usercls1"
+        tasks.user_add(self.master, uid)
+        info = self.get_user(uid)
+        assert "ipasubuidcount" in info
+
+    def test_idrange_subid(self):
+        tasks.kinit_admin(self.master)
+
+        range_name = f"{self.master.domain.realm}_subid_range"
+
+        result = self.master.run_command(
+            ["ipa", "idrange-show", range_name, "--raw"]
+        )
+        info = self._parse_result(result)
+
+        # see https://github.com/SSSD/sssd/issues/5571
+        assert info["iparangetype"] == "ipa-ad-trust"
+        assert info["ipabaseid"] == SUBID_RANGE_START
+        assert info["ipaidrangesize"] == SUBID_RANGE_MAX - SUBID_RANGE_START
+        assert info["ipabaserid"] < SUBID_RANGE_START
+        assert "ipasecondarybaserid" not in info
+        assert info["ipanttrusteddomainsid"].startswith(
+            "S-1-5-21-738065-838566-"
+        )
diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py
index c756bb7941d6c2acae89d44d6c89abc6b80ef5f7..ef683f84e97cbba61972f580e84e3587fda8c63a 100644
--- a/ipatests/test_xmlrpc/test_range_plugin.py
+++ b/ipatests/test_xmlrpc/test_range_plugin.py
@@ -24,6 +24,7 @@ Test the `ipaserver/plugins/idrange.py` module, and XML-RPC in general.
 import six
 
 from ipalib import api, errors, messages
+from ipalib import constants
 from ipaplatform import services
 from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid
 from ipatests.test_xmlrpc import objectclasses
@@ -46,6 +47,12 @@ rid_shift = 0
 for idrange in api.Command['idrange_find']()['result']:
     size = int(idrange['ipaidrangesize'][0])
     base_id = int(idrange['ipabaseid'][0])
+    rtype = idrange['iparangetype'][0]
+
+    if rtype == 'ipa-local-subid' or base_id == constants.SUBID_RANGE_START:
+        # ignore subordinate id range. It would push values beyond uint32_t.
+        # There is plenty of space below SUBUID_RANGE_START.
+        continue
 
     id_end = base_id + size
     rid_end = 0
-- 
2.26.3