Hi Dmitri,<br><br><div class="gmail_quote">On Sun, Mar 18, 2012 at 5:41 PM, Dmitri Pal <span dir="ltr">&lt;<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#ffffff" text="#000000"><div><div class="h5">
On 03/18/2012 08:59 AM, Marco Pizzoli wrote:
<blockquote type="cite">Hi Simo,<br>
<br>
<div class="gmail_quote">On Sat, Mar 17, 2012 at 7:16 PM, Simo
Sorce <span dir="ltr">&lt;<a href="mailto:simo@redhat.com" target="_blank">simo@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div>On Sat, 2012-03-17 at 11:12 +0100, Marco
Pizzoli wrote:<br>
> Hi guys,<br>
><br>
> I extended my set of LDAP objectClasses associated to
users by adding<br>
> my new objectClass to my cn=ipaConfig LDAP entry, the<br>
> ipaUserObjectClasses attribute.<br>
> Then, I created a new user with the web ui and I see
the new<br>
> objectClass associated with that user, but as
structural instead of<br>
> auxiliary. I don't know why, could you help me?<br>
><br>
> Same thing happened for my groups. I added 3
objectClasses and now I<br>
> see all of them as structural. I would understand an
answer: all<br>
> objectClasses eventually result as structural, but so
why, for<br>
> example, the ipaObject is still an auxiliary
objectClass?<br>
<br>
</div>
</div>
The objectClass type depends on the schema. It is not
something that<br>
changes after you assign it to an object.<br>
</blockquote>
<div><br>
Yes, your answer surely does make sense.<br>
<br>
My question was triggered by the fact that, AFAICS, not all
objectClasses are structural as well.<br>
In fact I can see that, for my group object, the objectClass
"ipaobject" has been defined as auxiliary, while others
structural.<br>
For users, I see that *only my objectClass* is defined as
structural. All others as auxiliary.<br>
<br>
In attachment you can see 2 images that immediately represent
what I'm trying to explain.<br>
<br>
If this was the intended behaviour, I would be really
interested in knowing what is the rationale behind this.<br>
Only curiosity, as usual :-)<br>
<br>
Thanks again for your patience!<br>
</div>
</div>
</blockquote>
<br></div></div>
AFAIU the object classes that are added to users and groups need to
be first defined in the schema.<br>
I assume you have done so otherwise all sorts of errors would have
shown up. Am I correct?</div></blockquote><div><br>Exact. I followed the instructions on extending the schema on 389-ds, by inserting a file in my /etc/dirsrv/&lt;instance&gt;/schema dir.<br>Everything went ok, and I can see from phpldapadmin that the DSA correctly presents my objectClasses as available to use for extending objects.<br>
</div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#ffffff" text="#000000"> I do not recognize the object classes as
standard object classes. But my knowledge might be limited.<br></div></blockquote><div><br>Exact, they are "mine" objects, under a reserved OID number.<br> </div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#ffffff" text="#000000">
Can you show how you defined these new object classes in schema?
You might have not specified the type and it defaulted to
structural. <br></div></blockquote><div><br>This was a schema file created for OpenLDAP and which is currently in production.<br>I used the script posted on the 389-ds HowTo for the migration from OpenLDAP schema files to 389-ds format.<br>
Here you can find it. A little camouflaged, of course.<br><br><span style="font-family:courier new,monospace">[root@freeipa01 ~]# cat /etc/dirsrv/slapd-UNIX-MYDOMAIN-IT/schema/98myfile.ldif</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace">dn: cn=schema</span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.4 NAME 'xxxUfficio' DESC 'Ufficio di appartenenza degli utenti XXX' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace">objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.2 NAME 'xxxPeopleAttributes' SUP top AUXILIARY DESC 'Definizione di attributi specifici per gli utenti XXX' MAY ( xxxUfficio ))</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace">attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.1 NAME 'xxxProgetto' DESC 'Nome del macro-progetto associato a questo gruppo LDAP' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace">attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.2 NAME 'xxxAmbiente' DESC 'Nome di ambiente SVIL-TEST-VALID-PROD associato al progetto' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace">attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.5 NAME 'xxxTipoGruppo' DESC 'Tipologia di gruppo' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace">objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.3 NAME 'xxxGroupsAttributes' SUP top AUXILIARY DESC 'Definizione di attributi specifici per i gruppi XXX' MAY ( xxxProgetto $ xxxAmbiente $ xxxTipoGruppo ))</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace">attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.6 NAME 'xxxWebminAmbiente' DESC 'Ufficio di appartenenza degli utenti XXX' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace">objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.4 NAME 'xxxWebminAttributes' SUP top AUXILIARY DESC 'Definizione di attributi specifici per gli oggetti Webmin' MAY ( xxxWebminAmbiente ))</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace">attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.3 NAME 'xxxDB2GruppiPrivilegi' DESC 'Tipologia di gruppo creato per accesso al DB2' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace">objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.5 NAME 'xxxDB2GroupsAttributes' SUP top AUXILIARY DESC 'Definizione di attributi specifici per i gruppi DB2' MAY ( xxxDB2GruppiPrivilegi ))</span><br style="font-family:courier new,monospace">
<span style="font-family:courier new,monospace">objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.1 NAME 'xxxAttributes' SUP top AUXILIARY DESC 'Definizione di attributi specifici per utilizzo interno' MAY ( xxxProgetto $ xxxAmbiente $ xxxTipoGruppo $ xxxDB2GruppiPrivilegi ))</span><br style="font-family:courier new,monospace">
<br>As you can see, they are explicitly declared as AUXILIARY.<br><br>Thanks again<br>Marco<br></div></div><br>
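An added example, not part of the original thread or of FreeIPA/389-ds: a small parser that reads <code>objectclasses:</code> values such as the ones posted above and reports each class's kind, applying the RFC 4512 default (STRUCTURAL) when the keyword is omitted, which is the case Dmitri asks about. It also flags definitions whose fields are not in the RFC 4512 grammar order; the name <code>parse_objectclasses</code>, the third sample class and its 2.999 example OID are assumptions made for the illustration.

```python
import re

KINDS = ("ABSTRACT", "STRUCTURAL", "AUXILIARY")
# Field order fixed by the RFC 4512 ObjectClassDescription grammar.
RFC_ORDER = ["NAME", "DESC", "OBSOLETE", "SUP", "KIND", "MUST", "MAY"]

# The first two values are copied from the schema file in the message (the
# second is folded here to exercise LDIF unfolding); the third is constructed
# under the 2.999 example OID arc and omits the kind keyword.
SAMPLE = """dn: cn=schema
objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.2 NAME 'xxxPeopleAttributes' SUP top AUXILIARY DESC 'Definizione di attributi specifici per gli utenti XXX' MAY ( xxxUfficio ))
objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.3 NAME 'xxxGroupsAttributes' SUP top AUXILIARY
  DESC 'Definizione di attributi specifici per i gruppi XXX' MAY ( xxxProgetto $ xxxAmbiente $ xxxTipoGruppo ))
objectclasses: ( 2.999.1 NAME 'exampleNoKind' DESC 'not AUXILIARY, kind omitted' SUP top MAY ( description ) )
"""

def parse_objectclasses(ldif_text):
    """Map each object class NAME to its oid, kind and two parsing flags."""
    text = re.sub(r"\r?\n ", "", ldif_text)  # unfold LDIF continuation lines
    classes = {}
    for line in text.splitlines():
        m = re.match(r"(?i)objectclasses:\s*\(\s*(\S+)(.*)\)\s*$", line)
        if not m:
            continue
        oid, body = m.groups()
        nm = re.search(r"\bNAME\s+\(?\s*'([^']+)'", body)
        name = nm.group(1) if nm else oid  # NAME is optional in the grammar
        # Blank quoted strings so keywords inside DESC text are not matched.
        tokens = re.findall(r"[\w-]+", re.sub(r"'[^']*'", "''", body))
        kind = next((t for t in tokens if t in KINDS), None)
        seen = []
        for tok in tokens:
            field = "KIND" if tok in KINDS else tok
            if field in RFC_ORDER and field not in seen:
                seen.append(field)
        classes[name] = {
            "oid": oid,
            "kind": kind or "STRUCTURAL",  # RFC 4512: STRUCTURAL when omitted
            "explicit": kind is not None,
            "rfc_order": seen == sorted(seen, key=RFC_ORDER.index),
        }
    return classes

if __name__ == "__main__":
    for name, info in parse_objectclasses(SAMPLE).items():
        print(name, info)
```

Running the same function over the <code>objectClasses</code> values the server publishes in its <code>cn=schema</code> entry shows whether the loaded definition matches the kind written in the file.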