[Freeipa-users] Adding attributes to the user object

Dmitri Pal dpal at redhat.com
Wed Feb 5 17:31:54 UTC 2014 

On 02/05/2014 10:47 AM, barrykfl at gmail.com wrote:
> Any one knows how to add new attribute or object class  to the user
> accounts ...eg. added department and id creation date in those users
> info field.
>
> Can use 389 / redhat driectory console ? I tried to edit 99user.ldif
> seem not shown up new attribute.

I am changing the name of the thread since it is a different issue.
You first need to decide what the schema is.
Say you want a new custom attribute.


  Requirements

*Please pay close attention to these requirements:*

  * All users and groups must still be initially created via the FreeIPA
    Web UI or CLI tools, but custom attributes can then be modified
    using the LDAP interface via ldapmodify or other programmatic methods.
  * All custom attributes must be referenced by a custom objectclass. 
    This objectclass must be "AUXILIARY" and must not include any
    mandatory ("MUST") attributes, only optional ("MAY") attributes. 
    Note that this is necessary to guarantee that object creation
    through the Web UI or CLI tools does not fail due to the lack of
    inclusion of a mandatory attribute.
  * Review all third-party schema to verify that objectclasses are
    AUXIALIARY and that all attributes are optional.
  * When creating custom schema, *NEVER* re-use an existing or
    well-known OID.  Instead, apply for your own Enterprise Number from
    IANA <http://pen.iana.org/pen/PenApplication.page>.
  * Perform a backup  - errors made to the schema could render your
    entire FreeIPA environment inoperable.  At a minimum, perform a
    snapshot of your primary FreeIPA server.  In event of a
    environment-wide failure, the environment can be rebuilt by
    redeploying the snapshotted master, and deploying new FreeIPA
    servers replicating from that master.


  Process

 1. The schema must be in LDIF format.  This is commonly provided for
    third party schemas.  If creating your own custom schema, please
    review "8.1.4. Extending the Schema
    <https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide/index.html#extending-the-schema>"
    of the Red Hat Directory Server 9 Administration Guide
    <https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html-single/Administration_Guide>.
    *~/custom-schema.ldif*
    ------------------------------------------------------------------------

    dn: cn=schema
    changetype: modify
    add: attributetypes
    attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.12 NAME 'SolarisUserQualifier' DESC 'Per-user login attributes' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE )
    attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.13 NAME 'SolarisAttrReserved1' DESC 'Reserved for future use' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE )
    attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.14 NAME 'SolarisAttrReserved2' DESC 'Reserved for future use' EQUALITY caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE )
    attributetypes:( 1.3.6.1.4.1.42.2.27.5.1.4 NAME 'SolarisAttrKeyValue' DESC 'Semi-colon separated key=value pairs of attributes' EQUALITY caseIgnoreIA5Match SUBSTRINGS caseIgnoreIA5Match SYNTAX 'IA5String' SINGLE-VALUE )
    -
    add: objectclasses
    objectclasses: ( 1.3.6.1.4.1.42.2.27.5.2.3 NAME 'SolarisUserAttr' SUP top AUXILIARY DESC 'User attributes' MAY ( SolarisUserQualifier $ SolarisAttrReserved1 $  SolarisAttrReserved2 $ SolarisAttrKeyValue ) )


    ------------------------------------------------------------------------
 2. Using "ldapmodify", authenticate as "cn=Directory Manager " to apply
    the custom schema:

    $> ldapmodify -ZZ -x -D "cn=Directory Manager" -W  -H ldap://localhost  -f custom-schema.ldif

 3. Log into FreeIPA.  "IPA Server" tab, "Configuration" sub-tab, "User
    options" panel, "Default user objectclasses" list, and add
    "SolarisUserAttr".  This will cause this objectclass to be applied
    to all newly created users.


 1. Existing users need to be updated, using ldapmodify and LDIF:
    *update-existing-user.ldif*
    ------------------------------------------------------------------------

    dn: uid=tux,cn=users,cn=accounts,dc=example,dc=com
    changetype: modify
    add: objectclass
    objectclass: SolarisUserAttr


    ------------------------------------------------------------------------

    $> ldapmodify -ZZ -x -D "cn=Directory Manager" -W  -H ldap://localhost  -f update-existing-user.ldif

 2. Custom attributes can now be populated using ldapmodify  and LDIF:
    *custom-data.ldif*
    ------------------------------------------------------------------------

    dn: uid=tux,cn=users,cn=accounts,dc=example,dc=com
    changetype: modify
    add: SolarisAttrKeyValue
    SolarisAttrKeyValue: type=normal,roles=root,class;profiles=System Administrator

    ------------------------------------------------------------------------

    $> ldapmodify -ZZ -x -D "cn=Directory Manager" -W  -H ldap://localhost  -f custom-data.ldif



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140205/776e3469/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gidjefjh.png
Type: image/png
Size: 154748 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140205/776e3469/attachment.png>

More information about the Freeipa-users mailing list