[Freeipa-users] Extending IPA schema for Federation services.

Dmitri Pal dpal at redhat.com
Mon Mar 19 02:21:49 UTC 2012


On 03/18/2012 08:55 PM, Steven Jones wrote:
> Hi,
>
>
> Is it possible to expand IPA's schema to do this?
>
>

Yes.
Steps:
1) Convert schema to the correct schema format
2) Add it to the DS schema by placing the file onto the right place. Now
you have it available for use by IPA via LDAP tools.
3) Use ipa config to tell IPA to add this schema to user object.
4) You can use --setaddr and --addaddr switches to populate these
attributes via CLI. I do not think it is exposed in the UI.

To make it available via UI and CLI natively, the plugins should be
developed following the extensibility guide.


> ===================
>
> Your Identity Management System (IdMS) will very likely have most of the attributes asked for by the federation - or will have enough information to synthesize the specific attribute values on the fly inside the IdP. But for some attributes, the IdMS might not have enough information. The following information should be considered for adding into your IdMS:
>
>   *   eduPersonEntitlement: The eduPersonEntitlement attribute is a storage container for values representing privileges to access resources within the federation. It is a multi-valued string attribute. The values will have the form of a URI - with specific values that are yet to be defined. The attribute definition details are (source: Attribute Recommendation 2.1 (PDF)<https://wiki.caudit.edu.au/confluence/download/attachments/784/auEduPerson_attribute_vocabulary_v02+1+0.pdf>, page 14):
>
> Origin/ObjectClass:   eduPerson [eduPerson]
> OID:                  1.3.6.1.4.1.5923.1.1.1.7
> SAML attribute name:  urn:mace:dir:attribute-def:eduPersonEntitlement
> LDAP syntax:          directoryString [1.3.6.1.4.1.1466.115.121.1.15]
> Number of values:     Multiple
> Example values:       eduPersonEntitlement: urn:mace:washington.edu:confocalMicroscope
>                       eduPersonEntitlement: http://publisher.example.com/contract/GL123
>
>   *   auEduPersonSharedToken: The auEduPersonSharedToken uniquely identifies users when accessing certain resources - particularly within the computational grid and data grid. The values should be opaque, non-reassignable and persistent - and transferrable when a user moves between institutions. Even though the values are typically created as hash-values on first use, they MUST be stored and each institution must be ready to accept values users already have when coming from another institution. The attribute can be stored in either the IdMS directly (preferred) or in a database. The attribute definition details are (source: Attribute Recommendation 2.1 (PDF)<https://wiki.caudit.edu.au/confluence/download/attachments/784/auEduPerson_attribute_vocabulary_v02+1+0.pdf>, pages 9-10, with OID updated to correct value):
>
> Origin/ObjectClass:   auEduPerson
> OID:                  1.3.6.1.4.1.27856.1.2.5
> SAML attribute name   urn:mace:federation.org.au:attribute:auEduPersonSharedToken
> LDAP syntax:          directoryString [1.3.6.1.4.1.27856.1.2.5]
> Number of values:     Single
> Example values:       ZsiAvfxa0BXULgcz7QXknbGtfxk
>
>      *   See also the auEduPerson LDAP Schema Definition<https://wiki.caudit.edu.au/confluence/display/aafaueduperson/LDAP+Schema+Definitions> for exact LDAP definition snippets.
>
>   *   eduPersonAssurance: This attribute represents the Levels of Assurance<https://tuakiri.ac.nz/confluence/display/Tuakiri/Levels+of+Assurance>. Either add the attribute into the IdMS directly, or start collecting enough information to synthesize the values later in a scripted attribute definition (like done for Affiliation below).  The attribute definition details are (source: Attribute Recommendation 2.1 (PDF)<https://wiki.caudit.edu.au/confluence/download/attachments/784/auEduPerson_attribute_vocabulary_v02+1+0.pdf>, page 13):
>
> Origin/ObjectClass:   eduPerson
> OID:                  1.3.6.1.4.1.5923.1.1.1.11
> SAML attribute name:  urn:oid:1.3.6.1.4.1.5923.1.1.1.11
> LDAP syntax:          directoryString [1.3.6.1.4.1.1466.115.121.1.15]
> Number of values:     multiple
> Example values:       See AAF IdentityLoA Vocabulary
>
> =====================
>
>
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
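The four steps in the reply above, worked through as an added example (this is not code from the thread, from FreeIPA or from 389 DS). The script renders the three attributes quoted in the thread as a 389 DS schema fragment in RFC 4512 syntax, parses such a file back so you can check what an existing schema file actually declares, and lists the `ipa` commands for steps 3 and 4. Attribute names, OIDs and cardinality are taken from the quoted vocabulary; all three are rendered with the standard directoryString syntax OID that the quoted text gives for eduPersonEntitlement and eduPersonAssurance. The auxiliary object class name `federationPerson` and its OID are placeholders (a real deployment uses the published auEduPerson class), and the target file is assumed to be a `99user.ldif`-style file in the DS instance's schema directory. The `ipa` CLI spells the switches `--setattr` and `--addattr`; `ipa config-mod` with `--addattr=ipaUserObjectClasses=...` appends the class without dropping the existing default classes.

```python
"""Build and check a 389 DS schema fragment for federation attributes.

Added example, not part of the original thread. Attribute names, OIDs and
single/multi-valued flags come from the vocabulary quoted in the thread; the
object class name and OID below are placeholders.
"""
import re

DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"  # RFC 4517 Directory String
OID_RE = re.compile(r"^[0-2](\.(0|[1-9]\d*))+$")      # dotted-decimal OID
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")      # RFC 4512 descriptor

# Copied from the attribute vocabulary quoted in the thread.
FEDERATION_ATTRIBUTES = [
    {"name": "eduPersonEntitlement", "oid": "1.3.6.1.4.1.5923.1.1.1.7",
     "origin": "eduPerson", "multi": True},
    {"name": "auEduPersonSharedToken", "oid": "1.3.6.1.4.1.27856.1.2.5",
     "origin": "auEduPerson", "multi": False},
    {"name": "eduPersonAssurance", "oid": "1.3.6.1.4.1.5923.1.1.1.11",
     "origin": "eduPerson", "multi": True},
]

# PLACEHOLDERS: hypothetical auxiliary class; use the published class in practice.
OBJECTCLASS_NAME = "federationPerson"
OBJECTCLASS_OID = "1.3.6.1.4.1.0.0.1"


def validate(attr):
    """Reject malformed OIDs or names before they reach the directory."""
    if not OID_RE.match(attr["oid"]):
        raise ValueError(f"bad OID {attr['oid']!r} for {attr['name']}")
    if not NAME_RE.match(attr["name"]):
        raise ValueError(f"bad attribute name {attr['name']!r}")
    return True


def attribute_type(attr):
    """Render one attributeTypes value in 389 DS (RFC 4512) format."""
    validate(attr)
    parts = [attr["oid"], f"NAME '{attr['name']}'",
             "EQUALITY caseIgnoreMatch", "SUBSTR caseIgnoreSubstringsMatch",
             f"SYNTAX {DIRECTORY_STRING}"]
    if not attr["multi"]:
        parts.append("SINGLE-VALUE")          # auEduPersonSharedToken only
    parts.append(f"X-ORIGIN '{attr['origin']}'")
    return "( " + " ".join(parts) + " )"


def object_class(name, oid, may):
    """Auxiliary class so the attributes can be attached to existing users."""
    return f"( {oid} NAME '{name}' SUP top AUXILIARY MAY ( {' $ '.join(may)} ) )"


def build_schema_ldif(attrs=FEDERATION_ATTRIBUTES):
    """Content for a 99user.ldif-style file (step 2 in the reply)."""
    lines = ["dn: cn=schema"]
    lines += [f"attributeTypes: {attribute_type(a)}" for a in attrs]
    names = [a["name"] for a in attrs]
    lines.append("objectClasses: "
                 + object_class(OBJECTCLASS_NAME, OBJECTCLASS_OID, names))
    return "\n".join(lines) + "\n"


ATTR_RE = re.compile(r"attributeTypes: \( (\S+) NAME '([^']+)'(.*?)\)$", re.M)


def parse_attribute_types(ldif_text):
    """Read back name, OID and cardinality from a schema file for checking."""
    return {m.group(2): {"oid": m.group(1),
                         "multi": "SINGLE-VALUE" not in m.group(3)}
            for m in ATTR_RE.finditer(ldif_text)}


def ipa_commands(user="alice",
                 entitlement="urn:mace:washington.edu:confocalMicroscope"):
    """Steps 3 and 4: register the class with IPA, then populate a user."""
    return [
        # appends to the default user object classes instead of replacing them
        f"ipa config-mod --addattr=ipaUserObjectClasses={OBJECTCLASS_NAME}",
        f"ipa user-mod {user} --addattr=eduPersonEntitlement={entitlement}",
    ]


if __name__ == "__main__":
    print(build_schema_ldif())
    print("\n".join(ipa_commands()))
```

Run it to print the schema fragment and the follow-up commands; the parser is the piece to keep around, since it lets you confirm that a schema file you are about to drop into a DS instance declares the OIDs and cardinality you expect before the server loads it.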


