[Freeipa-users] Adding a custom attribute to user object

Martin Kosek mkosek at redhat.com
Mon Mar 23 11:19:31 UTC 2015


On 03/23/2015 10:19 AM, Prashant Bapat wrote:
> Hi,
> 
> I'm trying to add a custom attribute to user object. Below is the ldif i'm
> using.
> 
> dn: cn=schema
> changetype: modify
> add: attributeTypes
> attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp'
> DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENTION' )
> -
> add: objectclasses
> objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP
> top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY ipaSshSigTimestamp )
> 
> This gets added successfully using the ldapmodify command as directory
> manager. But both the UI and the ipa config-mod commands refuse to add the
> new attribute to ipaUserObjectClasses with error objectclass not found.
> 
> What am I doing wrong?

Not sure yet, the schema above looks OK (except some typos). I tried it on my
VM, and it just worked:

# ldapmodify -D "cn=Directory Manager" -x -w Secret123
...
modifying entry "cn=schema"

# ipa config-mod --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,ApigeeUserAttr}
...
  Default user objectclasses: ipaobject, person, top, ipasshuser, inetorgperson, organizationalperson, krbticketpolicyaux, krbprincipalaux, ApigeeUserAttr, inetuser, posixaccount


# ipa user-add apigee --first Foo --last Bar --setattr ipaSshSigTimestamp=barbar
-------------------
Added user "apigee"
-------------------
  User login: apigee
  First name: Foo
  Last name: Bar
  Full name: Foo Bar
  Display name: Foo Bar
  Initials: FB
  Home directory: /home/apigee
  GECOS: Foo Bar
  Login shell: /bin/sh
  Kerberos principal: apigee at F21
  Email address: apigee at f21.test
  UID: 1889400080
  GID: 1889400080
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False


# ldapsearch -Y GSSAPI -b 'uid=apigee,cn=users,cn=accounts,dc=f21' uid ipaSshSigTimestamp
SASL/GSSAPI authentication started
SASL username: admin at F21
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=apigee,cn=users,cn=accounts,dc=f21> with scope subtree
# filter: (objectclass=*)
# requesting: uid ipaSshSigTimestamp
#

# apigee, users, accounts, f21
dn: uid=apigee,cn=users,cn=accounts,dc=f21
uid: apigee
ipaSshSigTimestamp: barbar

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1



BTW, did you read one of the very relevant upstream guides on how to add custom
attributes to LDAP? It pretty much covers the procedure you are working on:

http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf

Martin
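Editor's note: the procedure in this thread (add an attributeType and an AUXILIARY objectClass to cn=schema with ldapmodify, then append the class to ipaUserObjectClasses with ipa config-mod, then set the attribute with --setattr) has two places where an "objectclass not found" reply tends to come from: a schema definition that the server accepted but that does not say what you think (a name that does not match, a MAY pointing at an attribute that was never added, a STRUCTURAL class where an AUXILIARY one was needed), and the schema cache of the IPA framework itself, which can keep serving the old schema to the ipa commands and the web UI until httpd is restarted. The script below is an added example, not code from the thread or from FreeIPA: it unfolds the LDIF, parses the RFC 4512 definitions, runs the cross-checks the directory server and the ipa framework apply, and builds the config-mod invocation. Note that `--userobjectclasses` replaces the whole list, so the existing classes must be repeated; Martin's `{a,b,...}` form relies on bash brace expansion to turn the list into one option per class, and the function here emits the expanded form. The LDIF, the default class list (copied from the config-show output above), the checks and all function names are constructed for this example; the OID-arc warning reflects the upstream guidance to allocate your own OID arc for custom schema rather than reusing FreeIPA's `2.16.840.1.113730.3.8` arc as the posted LDIF does.

```python
"""Offline sanity check for a custom FreeIPA user schema extension (added example)."""
import re

# Constructed sample: the thread's schema with the DESC typo fixed.  LDIF folds long
# values with a leading space on the continuation line (RFC 2849); that space is
# dropped on unfolding, so a second space is needed to keep the word boundary.
SCHEMA_LDIF = """\
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp'
  DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENSION' )
-
add: objectClasses
objectClasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP top
  AUXILIARY DESC 'CUSTOM FREEIPA EXTENSION' MAY ipaSshSigTimestamp )
"""

# Default user object classes as reported by ipa config-show in the thread (assumed).
DEFAULT_USER_CLASSES = ["ipaobject", "person", "top", "ipasshuser", "inetorgperson",
                        "organizationalperson", "krbticketpolicyaux", "krbprincipalaux",
                        "inetuser", "posixaccount"]
FREEIPA_OID_ARC = "2.16.840.1.113730.3.8."   # upstream-owned arc; not for custom schema
OCTET_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"


def unfold_ldif(text):
    """Join RFC 2849 continuation lines (leading single space) onto their parent line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _names(defn):
    m = re.search(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))", defn)
    if not m:
        return []
    return [m.group(1)] if m.group(1) is not None else re.findall(r"'([^']*)'", m.group(2))


def _oidlist(defn, keyword):
    """Value of SUP/MUST/MAY: a bare name or a '$'-separated list in parentheses."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([\w.;-]+))" % keyword, defn)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [t.strip() for t in body.split("$") if t.strip()]


def parse_definition(defn):
    """Parse one RFC 4512 attributeType / objectClass description into a dict."""
    defn = defn.strip()
    m = re.match(r"^\(\s*([0-9][0-9.]*)\b", defn)
    if not m:
        raise ValueError("definition must start with '( <numeric OID>': %r" % defn[:40])
    names = _names(defn)
    bare = re.sub(r"'[^']*'", "''", defn)   # blank quoted text so a DESC cannot match a keyword
    kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", bare)
    syntax = re.search(r"\bSYNTAX\s+([0-9.]+)", bare)
    return {"oid": m.group(1), "names": names, "kind": kind.group(1) if kind else None,
            "syntax": syntax.group(1) if syntax else None, "sup": _oidlist(bare, "SUP"),
            "must": _oidlist(bare, "MUST"), "may": _oidlist(bare, "MAY")}


def parse_schema_ldif(text):
    """Return ({lowercased attribute name: def}, {lowercased objectclass name: def})."""
    attrs, ocs = {}, {}
    for line in unfold_ldif(text):
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        target = attrs if key == "attributetypes" else ocs if key == "objectclasses" else None
        if sep and target is not None:
            d = parse_definition(value)
            for n in d["names"]:
                target[n.lower()] = d   # schema names are case-insensitive
    return attrs, ocs


def check_schema(attrs, ocs, existing_attrs=(), existing_ocs=("top",)):
    """Problems the directory server or ipa would reject, plus OID-arc hygiene warnings."""
    problems, seen = [], {}
    known_attrs = {a.lower() for a in existing_attrs} | set(attrs)
    known_ocs = {o.lower() for o in existing_ocs} | set(ocs)
    for name, d in list(attrs.items()) + list(ocs.items()):
        if d["oid"] in seen and seen[d["oid"]] is not d:
            problems.append("duplicate OID %s (%s)" % (d["oid"], name))
        seen[d["oid"]] = d
        if d["oid"].startswith(FREEIPA_OID_ARC):
            problems.append("warning: %s uses the upstream FreeIPA OID arc; allocate your own" % name)
    for name, d in attrs.items():
        if d["syntax"] is None:
            problems.append("attribute %s has no SYNTAX" % name)
    for name, d in ocs.items():
        if d["kind"] != "AUXILIARY":
            problems.append("objectclass %s should be AUXILIARY to be added to existing users" % name)
        for sup in d["sup"]:
            if sup.lower() not in known_ocs:
                problems.append("objectclass %s: SUP %s not defined" % (name, sup))
        for attr in d["must"] + d["may"]:
            if attr.lower() not in known_attrs:
                problems.append("objectclass %s: attribute %s not defined" % (name, attr))
    return problems


def objectclass_known(ocs, name, existing_ocs=()):
    """The case-insensitive lookup behind ipa's 'objectclass not found' check."""
    return name.lower() in set(ocs) | {o.lower() for o in existing_ocs}


def config_mod_command(new_class, current=DEFAULT_USER_CLASSES):
    """--userobjectclasses replaces the whole list, so repeat the current classes."""
    classes = list(current)
    if new_class.lower() not in {c.lower() for c in classes}:
        classes.append(new_class)
    return "ipa config-mod " + " ".join("--userobjectclasses=%s" % c for c in classes)


if __name__ == "__main__":
    attrs, ocs = parse_schema_ldif(SCHEMA_LDIF)
    for p in check_schema(attrs, ocs):
        print(p)
    print(config_mod_command("ApigeeUserAttr"))
```

Run the check against the LDIF before feeding it to ldapmodify; if it is clean and the directory accepted the change but `ipa config-mod` still says the objectclass is unknown, verify with `ldapsearch -b cn=schema objectClasses` that the server really serves the new class, then restart httpd so the IPA framework drops its cached copy of the schema.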



