I'm trying to figure out how to configure idmap_ad to *not* map anything that does not have a UID assigned by Active Directory. I do not like randomly allocated UIDs appearing on my systems and would prefer to drive these out centrally. Setting the idmap ranges to nothing seems to cause an error. How can I do this?