<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 02/05/2014 10:47 AM, <a class="moz-txt-link-abbreviated" href="mailto:barrykfl@gmail.com">barrykfl@gmail.com</a> wrote:
<blockquote
cite="mid:CAELz9duD3ZhXQp4ovP13bOduEnhRcWjX6iMB-ZsJPfvS6hRXHQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Does anyone know how to add a new attribute or object class to
the user accounts, e.g. department and ID creation date,
in those users' info field?</div>
<div><br>
</div>
<div>Can I use the 389 / Red Hat Directory console? I tried to edit
99user.ldif, but the new attribute does not seem to show up.</div>
</div>
</blockquote>
<br>
I am changing the name of the thread since it is a different issue.<br>
You first need to decide what the schema is.<br>
Say you want a new custom attribute.<br>
<br>
<h1>Requirements</h1>
<p><strong>Please pay close attention to these requirements:</strong></p>
<ul>
<li>All users and groups must still be initially created via the
FreeIPA Web UI or CLI tools, but custom attributes can then be
modified using the LDAP interface via ldapmodify or other
programmatic methods.</li>
<li>All custom attributes must be referenced by a custom
objectclass. This objectclass must be "AUXILIARY" and must not
include any mandatory ("MUST") attributes, only optional ("MAY")
attributes. Note that this is necessary to guarantee that
object creation through the Web UI or CLI tools does not fail
due to the lack of inclusion of a mandatory attribute.</li>
<li>Review all third-party schema to verify that objectclasses are
AUXILIARY and that all attributes are optional.</li>
<li>When creating custom schema, <strong>NEVER</strong> re-use an
existing or well-known OID. Instead, apply for your own
Enterprise Number from <a class="jive-link-external-small"
href="http://pen.iana.org/pen/PenApplication.page">IANA</a>.</li>
<li>Perform a backup - errors made to the schema could render
your entire FreeIPA environment inoperable. At a minimum,
perform a snapshot of your primary FreeIPA server. In the event of
an environment-wide failure, the environment can be rebuilt by
redeploying the snapshotted master, and deploying new FreeIPA
servers replicating from that master.</li>
</ul>
<h1>Process</h1>
<ol>
<li>The schema must be in LDIF format. This is commonly provided
for third party schemas. If creating your own custom schema,
please review "<a class="jive-link-external-small"
href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html#extending-the-schema">8.1.4.
Extending the Schema</a>" of the <a
class="jive-link-external-small"
href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide">Red
Hat Directory Server 9 Administration Guide</a>.<br>
<strong>~/custom-schema.ldif</strong>
<hr>
<pre>dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.12 NAME 'SolarisUserQualifier' DESC 'Per-user login attributes' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.13 NAME 'SolarisAttrReserved1' DESC 'Reserved for future use' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.14 NAME 'SolarisAttrReserved2' DESC 'Reserved for future use' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.42.2.27.5.1.4 NAME 'SolarisAttrKeyValue' DESC 'Semi-colon separated key=value pairs of attributes' EQUALITY caseIgnoreIA5Match SUBSTRINGS caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE )
-
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.3 NAME 'SolarisUserAttr' SUP top AUXILIARY DESC 'User attributes' MAY ( SolarisUserQualifier $ SolarisAttrReserved1 $ SolarisAttrReserved2 $ SolarisAttrKeyValue ) )
</pre>
<hr></li>
<li>Using "ldapmodify", authenticate as "cn=Directory Manager" to
apply the custom schema:
<pre>$> ldapmodify -ZZ -x -D "cn=Directory Manager" -W -H ldap://localhost -f custom-schema.ldif</pre>
</li>
<li>Log into FreeIPA. "IPA Server" tab, "Configuration" sub-tab,
"User options" panel, "Default user objectclasses" list, and add
"SolarisUserAttr". This will cause this objectclass to be
applied to all newly created users.</li>
</ol>
<p>[Screenshot attached to the original message; not reproduced here.]</p>
<ol start="4">
<li>Existing users need to be updated, using ldapmodify and LDIF:<br>
<strong>update-existing-user.ldif</strong>
<hr>
<pre>dn: uid=tux,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: SolarisUserAttr
</pre>
<hr>
<pre>$> ldapmodify -ZZ -x -D "cn=Directory Manager" -W -H ldap://localhost -f update-existing-user.ldif</pre>
</li>
<li>Custom attributes can now be populated using ldapmodify and
LDIF: <br>
<strong>custom-data.ldif</strong>
<hr>
<pre>dn: uid=tux,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: SolarisAttrKeyValue
SolarisAttrKeyValue: type=normal,roles=root,class;profiles=System Administrator</pre>
<hr>
<pre>$> ldapmodify -ZZ -x -D "cn=Directory Manager" -W -H ldap://localhost -f custom-data.ldif
</pre>
</li>
</ol>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
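<p>The requirements list above (AUXILIARY only, no MUST attributes, every custom attribute referenced by a custom objectclass, OIDs under your own IANA arc) can be checked mechanically before the schema LDIF is ever handed to ldapmodify, which matters because a bad schema change on the master is the failure mode the backup step exists for. The following is an added example, not code from this mail, from 389 DS or from FreeIPA: a small Python pre-flight checker. The sample LDIFs, the attribute and objectclass names (<code>exampleDepartment</code>, <code>exampleCreateDate</code>, <code>exampleUserAttr</code>, <code>exampleBadgeId</code>, <code>exampleBadgeHolder</code>) and the enterprise arc <code>1.3.6.1.4.1.99999</code> are constructed placeholders, not a registered PEN.</p>

```python
"""Pre-flight checks for a custom 389 DS / FreeIPA schema LDIF.
Added example, not code from the original mail or from FreeIPA: it parses the
attributetypes/objectclasses definitions and checks the rules the mail lists
(AUXILIARY only, no MUST, every attribute referenced, OIDs under your own arc)."""
import re

ENTERPRISE_ARC = "1.3.6.1.4.1.99999"  # placeholder: NOT a real IANA PEN

# Constructed sample in the shape of the mail's custom-schema.ldif, with the
# department / creation-date attributes the original question asked about.
SAMPLE_LDIF = """\
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleDepartment' DESC 'Department'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'exampleCreateDate' DESC 'Created'
  EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
-
add: objectclasses
objectclasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleUserAttr' SUP top AUXILIARY
  DESC 'Custom user attributes' MAY ( exampleDepartment $ exampleCreateDate ) )
"""

# Constructed counter-example: reuses the well-known OID of objectClass
# (2.5.4.0), is STRUCTURAL and carries a MUST attribute.
BAD_LDIF = """\
attributetypes: ( 2.5.4.0 NAME 'exampleBadgeId' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclasses: ( 1.3.6.1.4.1.99999.2.2 NAME 'exampleBadgeHolder' SUP top
  STRUCTURAL MUST exampleBadgeId MAY exampleDepartment )
"""

def unfold_ldif(text):
    """Join RFC 2849 continuation lines (leading space) onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def _attr_list(keyword, body):
    """Names after MUST/MAY: either one bare name or a ( a $ b ) list."""
    m = re.search(r"\b%s\s+(?:\(\s*([^)]*)\)|([\w.-]+))" % keyword, body)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip().strip("'") for a in raw.split("$") if a.strip()]

def parse_schema(text):
    """Return ({lowercased name: (name, oid)}, [objectclass dicts])."""
    attrs, classes = {}, []
    for line in unfold_ldif(text):
        key, sep, value = line.partition(":")
        key, body = key.strip().lower(), value.strip()
        if not sep or key not in ("attributetypes", "objectclasses"):
            continue
        oid_m = re.match(r"\(\s*([\d.]+)", body)
        name_m = re.search(r"\bNAME\s+(?:'([^']+)'|\(\s*'([^']+)')", body)
        if not oid_m or not name_m:
            raise ValueError("cannot parse definition: " + body)
        oid, name = oid_m.group(1), name_m.group(1) or name_m.group(2)
        if key == "attributetypes":
            attrs[name.lower()] = (name, oid)
            continue
        desc_free = re.sub(r"DESC\s+'[^']*'", "", body)  # keywords inside DESC text must not match
        kind_m = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", desc_free)
        classes.append({"oid": oid, "name": name,
                        "kind": kind_m.group(1) if kind_m else "STRUCTURAL",  # RFC 4512 default
                        "must": _attr_list("MUST", desc_free),
                        "may": _attr_list("MAY", desc_free)})
    return attrs, classes

def check_schema(text, enterprise_arc):
    """Return the rule violations found; an empty list means safe to apply."""
    attrs, classes = parse_schema(text)
    prefix, problems, referenced = enterprise_arc.rstrip(".") + ".", [], set()
    for name, oid in attrs.values():
        if not oid.startswith(prefix):
            problems.append(f"attribute {name}: OID {oid} is outside arc {enterprise_arc}")
    for oc in classes:
        if not oc["oid"].startswith(prefix):
            problems.append(f"objectclass {oc['name']}: OID {oc['oid']} is outside arc {enterprise_arc}")
        if oc["kind"] != "AUXILIARY":
            problems.append(f"objectclass {oc['name']}: must be AUXILIARY, is {oc['kind']}")
        if oc["must"]:
            problems.append(f"objectclass {oc['name']}: has mandatory attributes {', '.join(oc['must'])}")
        referenced.update(a.lower() for a in oc["must"] + oc["may"])
    for key, (name, _) in attrs.items():
        if key not in referenced:
            problems.append(f"attribute {name}: not referenced by any custom objectclass")
    return problems

if __name__ == "__main__":
    for label, ldif in (("sample", SAMPLE_LDIF), ("bad", BAD_LDIF)):
        print(label, check_schema(ldif, ENTERPRISE_ARC) or "ok")
```

<p>Run it against your own LDIF with your real arc (<code>check_schema(open("custom-schema.ldif").read(), "1.3.6.1.4.1.&lt;your PEN&gt;")</code>) and refuse to run ldapmodify while the list is non-empty. Note that the mail's own Solaris schema sits under Sun's arc 1.3.6.1.4.1.42, so it passes only when checked against that arc; the check is deliberately strict so that third-party schema you did not write is flagged for the manual review the mail asks for.</p>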
</body>
</html>