[Freeipa-users] Adding a custom attribute to user object

Prashant Bapat prashant at apigee.com
Mon Mar 23 15:40:12 UTC 2015


OK, the command you gave me worked. But I was following the PDF and the
command below never worked.

ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr

Is that expected?

Thanks.
--Prashant

On 23 March 2015 at 17:37, Prashant Bapat <prashant at apigee.com> wrote:

> Martin,
>
> Thanks!
>
> Let me double check.
>
> Yes I was referring to the exact same pdf.
>
> Regards.
> --Prashant
>
> On 23 March 2015 at 16:49, Martin Kosek <mkosek at redhat.com> wrote:
>
>> On 03/23/2015 10:19 AM, Prashant Bapat wrote:
>> > Hi,
>> >
>> > I'm trying to add a custom attribute to user object. Below is the LDIF I'm
>> > using.
>> >
>> > dn: cn=schema
>> > changetype: modify
>> > add: attributeTypes
>> > attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp'
>> > DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch
>> > SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENTION' )
>> > -
>> > add: objectclasses
>> > objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP
>> > top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY ipaSshSigTimestamp )
>> >
>> > This gets added successfully using the ldapmodify command as directory
>> > manager. But both the UI and the ipa config-mod commands refuse to add the
>> > new attribute to ipaUserObjectClasses with error objectclass not found.
>> >
>> > What am I doing wrong?
>>
>> Not sure yet, the schema above looks OK (except some typos). I tried it on my
>> VM, and it just worked:
>>
>> # ldapmodify -D "cn=Directory Manager" -x -w Secret123
>> ...
>> modifying entry "cn=schema"
>>
>> # ipa config-mod --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,ApigeeUserAttr}
>> ...
>>   Default user objectclasses: ipaobject, person, top, ipasshuser, inetorgperson, organizationalperson,
>>                               krbticketpolicyaux, krbprincipalaux, ApigeeUserAttr, inetuser,
>>                               posixaccount
>>
>>
>> # ipa user-add apigee --first Foo --last Bar --setattr ipaSshSigTimestamp=barbar
>> -------------------
>> Added user "apigee"
>> -------------------
>>   User login: apigee
>>   First name: Foo
>>   Last name: Bar
>>   Full name: Foo Bar
>>   Display name: Foo Bar
>>   Initials: FB
>>   Home directory: /home/apigee
>>   GECOS: Foo Bar
>>   Login shell: /bin/sh
>>   Kerberos principal: apigee@F21
>>   Email address: apigee@f21.test
>>   UID: 1889400080
>>   GID: 1889400080
>>   Password: False
>>   Member of groups: ipausers
>>   Kerberos keys available: False
>>
>>
>> # ldapsearch -Y GSSAPI -b 'uid=apigee,cn=users,cn=accounts,dc=f21' uid ipaSshSigTimestamp
>> SASL/GSSAPI authentication started
>> SASL username: admin@F21
>> SASL SSF: 56
>> SASL data security layer installed.
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <uid=apigee,cn=users,cn=accounts,dc=f21> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: uid ipaSshSigTimestamp
>> #
>>
>> # apigee, users, accounts, f21
>> dn: uid=apigee,cn=users,cn=accounts,dc=f21
>> uid: apigee
>> ipaSshSigTimestamp: barbar
>>
>> # search result
>> search: 4
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>>
>>
>> BTW, did you read one of the very relevant upstream guides how to add custom
>> attributes to LDAP? It pretty much covers the procedure you are working on:
>>
>> http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
>>
>> Martin
>>
>
>
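
Added example, not part of the thread and not FreeIPA code: a Python pre-flight check that parses the schema LDIF quoted above and reports anything in it that would keep `ApigeeUserAttr` from being usable in `ipaUserObjectClasses`. The function names and the `server_attrs` parameter are hypothetical, and the check looks only at the LDIF text, not at the live server schema.

```python
import re

# Schema LDIF from the thread; mail wraps rewritten as RFC 2849 folds (extra leading space).
SCHEMA_LDIF = """\
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp'
  DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENTION' )
-
add: objectclasses
objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP
  top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY ipaSshSigTimestamp )
"""

def _names(body, keyword):
    """Names after MUST/MAY: either a single name or '( a $ b )'."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([\w.;-]+))" % keyword, body)
    found = (m.group(1) or m.group(2) or "") if m else ""
    return [n.strip().lower() for n in found.split("$") if n.strip()]

def parse_schema(ldif):
    """Return ({attribute name: oid}, {objectclass name: details}) from a schema LDIF."""
    attrs, classes = {}, {}
    for line in re.sub(r"\r?\n ", "", ldif).splitlines():    # undo line folding
        key, _, value = line.partition(":")
        m = re.match(r"\s*\(\s*([\d.]+)\s+NAME\s+'([^']+)'", value)
        if not m:
            continue                                          # dn:, add:, "-" and so on
        oid, name = m.group(1), m.group(2).lower()
        body = re.sub(r"'[^']*'", "''", value)                # ignore quoted DESC text
        if key.lower() == "attributetypes":
            attrs[name] = oid
        elif key.lower() == "objectclasses":
            kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", body)
            classes[name] = {"oid": oid, "kind": kind.group(1) if kind else "STRUCTURAL",
                             "attrs": _names(body, "MUST") + _names(body, "MAY")}
    return attrs, classes

def preflight(ldif, wanted_class, server_attrs=()):
    """Problems to fix before adding wanted_class to ipaUserObjectClasses."""
    attrs, classes = parse_schema(ldif)
    oc = classes.get(wanted_class.lower())
    if oc is None:
        return ["objectclass %s is not defined in this LDIF" % wanted_class]
    known = set(attrs) | {a.lower() for a in server_attrs}    # server_attrs: already on server
    problems = ["attribute %s is not defined" % a for a in oc["attrs"] if a not in known]
    if oc["kind"] != "AUXILIARY":   # assumption: add-on user classes are AUXILIARY, as here
        problems.append("%s is %s, not AUXILIARY" % (wanted_class, oc["kind"]))
    return problems
```

`preflight(SCHEMA_LDIF, "ApigeeUserAttr")` returns an empty list for the LDIF as posted.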