<div dir="ltr"><div class="gmail_default" style="font-family:'trebuchet ms',sans-serif">Thanks. I will take a look. However will using this attr only on new users from the time it was added have any issues ?</div><div class="gmail_default" style="font-family:'trebuchet ms',sans-serif"> </div><div class="gmail_default" style="font-family:'trebuchet ms',sans-serif">Also, will replication include this new attr ?</div></div><div class="gmail_extra"> <div class="gmail_quote">On 23 March 2015 at 21:57, Martin Kosek <<a href="mailto:mkosek@redhat.com" target="_blank">mkosek@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">You would need to extend user-mod to add this objectclass to existing modified users. There is an example of such plugin in the PDF I mentioned. <div class="HOEnZb"><div class="h5"> On 03/23/2015 05:22 PM, Prashant Bapat wrote: > Hi Rob, > > Yes I did restart it. > > Ok another problem. I'm not able to add this attr to existing users. Only > the new ones. Any pointers ? > > Thanks. > --Prashant > > On 23 March 2015 at 21:19, Rob Crittenden <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>> wrote: > >> Prashant Bapat wrote: >>> Ok the command you gave me worked. But I was following the PDF and below >>> command never worked. >>> >>> ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr >>> >>> Is that expected ? >> >> Did you restart httpd after adding the schema? A cached copy is used and >> restarting will cause it to re-read the schema. >> >> rob >> >>> >>> Thanks. >>> --Prashant >>> >>> >>> On 23 March 2015 at 17:37, Prashant Bapat <<a href="mailto:prashant@apigee.com">prashant@apigee.com</a> >>> <mailto:<a href="mailto:prashant@apigee.com">prashant@apigee.com</a>>> wrote: >>> >>> Martin, >>> >>> Thanks! >>> >>> Let me double check. >>> >>> Yes I was referring to the exact same pdf. >>> >>> Regards. >>> --Prashant >>> >>> On 23 March 2015 at 16:49, Martin Kosek <<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a> >>> <mailto:<a href="mailto:mkosek@redhat.com">mkosek@redhat.com</a>>> wrote: >>> >>> On 03/23/2015 10:19 AM, Prashant Bapat wrote: >>> > Hi, >>> > >>> > I'm trying to add a custom attribute to user object. Below is >>> the ldif i'm >>> > using. >>> > >>> > dn: cn=schema >>> > changetype: modify >>> > add: attributeTypes >>> > attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME >>> 'ipaSshSigTimestamp' >>> > DESC 'SSH public key signature and timestamp' EQUALITY >>> octetStringMatch >>> > SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA >>> EXTENTION' ) >>> > - >>> > add: objectclasses >>> > objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME >>> 'ApigeeUserAttr' SUP >>> > top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY >>> ipaSshSigTimestamp ) >>> > >>> > This gets added successfully using the ldapmodify command as >>> directory >>> > manager. But both the UI and the ipa config-mod commands >>> refuse to add the >>> > new attribute to ipaUserObjectClasses with error objectclass >>> not found. >>> > >>> > What I'm I doing wrong ? >>> >>> Not sure yet, the schema above looks OK (except some typos). I >>> tried it on my >>> VM, and it just worked: >>> >>> # ldapmodify -D "cn=Directory Manager" -x -w Secret123 >>> ... >>> modifying entry "cn=schema" >>> >>> # ipa config-mod >>> >> --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,ApigeeUserAttr} >>> ... >>> Default user objectclasses: ipaobject, person, top, ipasshuser, >>> inetorgperson, organizationalperson, >>> krbticketpolicyaux, >> krbprincipalaux, >>> ApigeeUserAttr, inetuser, >>> posixaccount >>> >>> >>> # ipa user-add apigee --first Foo --last Bar --setattr >>> ipaSshSigTimestamp=barbar >>> ------------------- >>> Added user "apigee" >>> ------------------- >>> User login: apigee >>> First name: Foo >>> Last name: Bar >>> Full name: Foo Bar >>> Display name: Foo Bar >>> Initials: FB >>> Home directory: /home/apigee >>> GECOS: Foo Bar >>> Login shell: /bin/sh >>> Kerberos principal: apigee@F21 >>> Email address: apigee@f21.test >>> UID: 1889400080 >>> GID: 1889400080 >>> Password: False >>> Member of groups: ipausers >>> Kerberos keys available: False >>> >>> >>> # ldapsearch -Y GSSAPI -b >>> 'uid=apigee,cn=users,cn=accounts,dc=f21' uid >>> ipaSshSigTimestamp >>> SASL/GSSAPI authentication started >>> SASL username: admin@F21 >>> SASL SSF: 56 >>> SASL data security layer installed. >>> # extended LDIF >>> # >>> # LDAPv3 >>> # base <uid=apigee,cn=users,cn=accounts,dc=f21> with scope >> subtree >>> # filter: (objectclass=*) >>> # requesting: uid ipaSshSigTimestamp >>> # >>> >>> # apigee, users, accounts, f21 >>> dn: uid=apigee,cn=users,cn=accounts,dc=f21 >>> uid: apigee >>> ipaSshSigTimestamp: barbar >>> >>> # search result >>> search: 4 >>> result: 0 Success >>> >>> # numResponses: 2 >>> # numEntries: 1 >>> >>> >>> >>> BTW, did you read one of the very relevant upstream guides how >>> to add custom >>> attributes to LDAP? It pretty much covers the procedure you are >>> working on: >>> >>> >> <a href="http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf" target="_blank">http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf</a> >>> >>> Martin >>> >>> >>> >>> >>> >> >> > </div></div></blockquote></div> </div>