
Jason White wrote:
> Is there a good reason not simply to spawn useradd/groupadd and let them allocate the ids?
I think you missed the part where he said it's LDAP. useradd only knows about the flat files backend. A great annoyance of LDAP/krb is the lack of solid, portable management solutions. There's e.g. a webmin module, but yecch. So, you solve it... with Yet Another site-specific LDAP management UI.
> If you're concerned that someone might run useradd/groupadd at the same time as your tool is operating, I don't see how this could be prevented easily other than opening and locking /etc/passwd or /etc/group.
You could dpkg-divert --rename /usr/sbin/useradd, and replace it with a little script that prints "YOU IDIOT! You're supposed to add accounts to LDAP!" Of course, that'll break package installs that try to create system groups, so then you extend your wrapper to parse useradd arguments and look for --system, and if it's there pass "$@" to useradd.distrib. That way lies madness...
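The wrapper sketched above, written out as an added example (it is not from the thread and not any project's code). It assumes dpkg-divert has moved the real binary to /usr/sbin/useradd.distrib, passes through requests for system accounts (--system, and also its short form -r, including clustered flags like -rm), and refuses everything else with a pointer to LDAP; the option parsing is best-effort, which is exactly the madness the reply warns about.

```sh
#!/bin/sh
# Installed as /usr/sbin/useradd after
#   dpkg-divert --rename --add /usr/sbin/useradd
# has moved the distribution binary aside (assumed path below).
# Policy: package maintainer scripts may still create system accounts
# locally; ordinary user accounts must be created in LDAP.
REAL_USERADD="${REAL_USERADD:-/usr/sbin/useradd.distrib}"

# Return 0 if the argument list asks for a system account, 1 otherwise.
# Recognises --system, -r, and clusters of single-letter flags such as -rm;
# stops scanning at "--" so a user literally named "-r" cannot sneak through.
wants_system_account() {
    for arg in "$@"; do
        case "$arg" in
            --)       return 1 ;;
            --system) return 0 ;;
            --*)      ;;                 # other long options: not interesting
            -*r*)                        # short-flag cluster containing r?
                if printf '%s\n' "$arg" | grep -Eq '^-[a-zA-Z]*r[a-zA-Z]*$'; then
                    return 0
                fi ;;                    # e.g. -d/srv/x: an attached value, not -r
        esac
    done
    return 1
}

# Prints "passthrough" or "refuse" so the policy can be tested without root.
decide() {
    if wants_system_account "$@"; then echo passthrough; else echo refuse; fi
}

useradd_wrapper() {
    case "$(decide "$@")" in
        passthrough)
            logger -t useradd-wrapper "system account via $REAL_USERADD: $*" 2>/dev/null
            exec "$REAL_USERADD" "$@" ;;
        refuse)
            echo "useradd: local accounts are disabled on this host; add the user in LDAP instead" >&2
            logger -t useradd-wrapper "refused local account creation: $*" 2>/dev/null
            exit 1 ;;
    esac
}

# Dispatch only when actually running as "useradd"; sourcing the file for
# testing just defines the functions above.
case "${0##*/}" in
    useradd) useradd_wrapper "$@" ;;
esac
```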