[Freeipa-users] Adding a custom attribute to user object

Rob Crittenden rcritten at redhat.com
Mon Mar 23 15:49:19 UTC 2015


Prashant Bapat wrote:
> Ok, the command you gave me worked. But I was following the PDF and the
> command below never worked.
> 
> ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr
> 
> Is that expected?

Did you restart httpd after adding the schema? A cached copy is used and
restarting will cause it to re-read the schema.

rob

> 
> Thanks.
> --Prashant
> 
> 
> On 23 March 2015 at 17:37, Prashant Bapat <prashant at apigee.com
> <mailto:prashant at apigee.com>> wrote:
> 
>     Martin, 
> 
>     Thanks! 
> 
>     Let me double check. 
> 
>     Yes I was referring to the exact same pdf. 
> 
>     Regards.
>     --Prashant
> 
>     On 23 March 2015 at 16:49, Martin Kosek <mkosek at redhat.com
>     <mailto:mkosek at redhat.com>> wrote:
> 
>         On 03/23/2015 10:19 AM, Prashant Bapat wrote:
>         > Hi,
>         >
>         > I'm trying to add a custom attribute to the user object. Below is
>         > the LDIF I'm using.
>         >
>         > dn: cn=schema
>         > changetype: modify
>         > add: attributeTypes
>         > attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp' DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENTION' )
>         > -
>         > add: objectclasses
>         > objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY ipaSshSigTimestamp )
>         >
>         > This gets added successfully using the ldapmodify command as
>         > Directory Manager. But both the UI and the ipa config-mod command
>         > refuse to add the new attribute to ipaUserObjectClasses with the
>         > error "objectclass not found".
>         >
>         > What am I doing wrong?
> 
>         Not sure yet, the schema above looks OK (except some typos). I
>         tried it on my VM, and it just worked:
> 
>         # ldapmodify -D "cn=Directory Manager" -x -w Secret123
>         ...
>         modifying entry "cn=schema"
> 
>         # ipa config-mod --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,ApigeeUserAttr}
>         ...
>           Default user objectclasses: ipaobject, person, top, ipasshuser, inetorgperson, organizationalperson, krbticketpolicyaux, krbprincipalaux, ApigeeUserAttr, inetuser, posixaccount
> 
> 
>         # ipa user-add apigee --first Foo --last Bar --setattr ipaSshSigTimestamp=barbar
>         -------------------
>         Added user "apigee"
>         -------------------
>           User login: apigee
>           First name: Foo
>           Last name: Bar
>           Full name: Foo Bar
>           Display name: Foo Bar
>           Initials: FB
>           Home directory: /home/apigee
>           GECOS: Foo Bar
>           Login shell: /bin/sh
>           Kerberos principal: apigee at F21
>           Email address: apigee at f21.test
>           UID: 1889400080
>           GID: 1889400080
>           Password: False
>           Member of groups: ipausers
>           Kerberos keys available: False
> 
> 
>         # ldapsearch -Y GSSAPI -b 'uid=apigee,cn=users,cn=accounts,dc=f21' uid ipaSshSigTimestamp
>         SASL/GSSAPI authentication started
>         SASL username: admin at F21
>         SASL SSF: 56
>         SASL data security layer installed.
>         # extended LDIF
>         #
>         # LDAPv3
>         # base <uid=apigee,cn=users,cn=accounts,dc=f21> with scope subtree
>         # filter: (objectclass=*)
>         # requesting: uid ipaSshSigTimestamp
>         #
> 
>         # apigee, users, accounts, f21
>         dn: uid=apigee,cn=users,cn=accounts,dc=f21
>         uid: apigee
>         ipaSshSigTimestamp: barbar
> 
>         # search result
>         search: 4
>         result: 0 Success
> 
>         # numResponses: 2
>         # numEntries: 1
> 
> 
> 
>         BTW, did you read one of the very relevant upstream guides on how
>         to add custom attributes to LDAP? It pretty much covers the
>         procedure you are working on:
> 
>         http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
> 
>         Martin
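The failure in this thread ("objectclass not found" from ipa config-mod while ldapmodify succeeded) has two usual causes: the IPA framework is still using its cached copy of the schema (Rob's httpd restart), or the LDIF that was loaded does not actually define what the config change refers to, for instance because a mail client or editor re-wrapped the long attributeTypes/objectClasses values and broke the LDIF folding. The script below is an added example, not code from the thread or from FreeIPA: an offline pre-flight check that unfolds a schema LDIF per RFC 2849, parses its attributeTypes and objectClasses definitions, and reports anything that would make the later config-mod or user-add fail (a class missing from the LDIF, a MAY/MUST attribute that is not defined, a duplicate OID). The sample LDIF is constructed from the definitions Prashant posted (with the DESC typo corrected), and the default user objectclass list is the one ipa config-mod printed above; the server's own schema is not read, so those builtin classes are simply treated as known. The function and variable names are this example's own.

```python
"""Offline pre-flight check for a FreeIPA custom schema LDIF (added example).

Unfolds the LDIF, parses attributeTypes / objectClasses definitions, and
checks that every class you intend to put into ipaUserObjectClasses is
defined and that every attribute those classes reference exists.  Nothing
here talks to a server; it only catches mistakes in the file before
ldapmodify and "ipa config-mod" are run.
"""
import re

# Constructed sample modelled on the thread's LDIF, written as it must look
# in a file.  RFC 2849 folding: a continuation line starts with one space
# that is removed when unfolding, so two spaces are used here to keep one
# space between tokens after the join.
SCHEMA_LDIF = """\
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp'
  DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENSION' )
-
add: objectClasses
objectClasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP top
  AUXILIARY DESC 'CUSTOM FREEIPA EXTENSION' MAY ipaSshSigTimestamp )
"""

# Default user objectclasses as printed by "ipa config-mod" in the thread.
# They come from the server's schema, which this offline check does not
# read, so they are treated as already known (assumption of the example).
DEFAULT_USER_OBJECTCLASSES = [
    "ipaobject", "person", "top", "ipasshuser", "inetorgperson",
    "organizationalperson", "krbticketpolicyaux", "krbprincipalaux",
    "inetuser", "posixaccount",
]


def unfold_ldif(text):
    """Join RFC 2849 continuation lines (exactly one leading space removed)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _tokens(rest, keyword):
    """Values after KEYWORD: a ( a $ b ) list, a quoted name, or one token."""
    m = re.search(r"\b%s\s+(?:\(\s*([^)]*)\)|'([^']*)'|(\S+))" % keyword, rest)
    if not m:
        return []
    items = next(g for g in m.groups() if g is not None)
    return [t.strip("')") for t in re.split(r"[\s$]+", items) if t]


def parse_definition(value):
    """Parse one attributeTypes/objectClasses value into a small dict."""
    m = re.match(r"\s*\(\s*(\S+)\s+(.*)\)\s*$", value, re.S)
    if not m:
        raise ValueError("malformed schema definition: %r" % value)
    oid, rest = m.group(1), m.group(2)
    # Drop free-text fields so a word such as MAY inside a DESC cannot match.
    rest = re.sub(r"\b(?:DESC|X-ORIGIN)\s+'[^']*'", "", rest)
    names = _tokens(rest, "NAME")
    if not names:
        raise ValueError("schema definition without NAME: %r" % value)
    kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", rest)
    return {"oid": oid, "names": names, "sup": _tokens(rest, "SUP"),
            "must": _tokens(rest, "MUST"), "may": _tokens(rest, "MAY"),
            "kind": kind.group(1) if kind else None}


def parse_schema(ldif_text):
    """Return (attrs, classes): dicts keyed by lowercase name (LDAP names
    are case-insensitive), each value the parsed definition."""
    attrs, classes = {}, {}
    for line in unfold_ldif(ldif_text):
        if ":" not in line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        target = {"attributetypes": attrs, "objectclasses": classes}.get(key)
        if target is None:
            continue
        d = parse_definition(value)
        for name in d["names"]:
            target[name.lower()] = d
    return attrs, classes


def check_user_objectclasses(ldif_text, wanted,
                             known_classes=DEFAULT_USER_OBJECTCLASSES,
                             known_attrs=()):
    """List the problems that would make "ipa config-mod" or a later
    user-add fail.  An empty list means the LDIF and the class list agree."""
    attrs, classes = parse_schema(ldif_text)
    known_oc = {c.lower() for c in known_classes} | set(classes)
    known_at = {a.lower() for a in known_attrs} | set(attrs)
    problems = []
    for oc in wanted:
        if oc.lower() not in known_oc:
            problems.append("objectclass not found: %s" % oc)
    oids = {}
    for d in {id(d): d for d in list(attrs.values()) + list(classes.values())}.values():
        if d["oid"] in oids:
            problems.append("duplicate OID %s: %s and %s"
                            % (d["oid"], oids[d["oid"]], d["names"][0]))
        oids.setdefault(d["oid"], d["names"][0])
    for d in classes.values():
        for sup in d["sup"]:
            if sup.lower() not in known_oc:
                problems.append("%s: superior class not found: %s" % (d["names"][0], sup))
        for attr in d["must"] + d["may"]:
            if attr.lower() not in known_at:
                problems.append("%s: attribute not defined: %s" % (d["names"][0], attr))
    return problems


if __name__ == "__main__":
    wanted = DEFAULT_USER_OBJECTCLASSES + ["ApigeeUserAttr"]
    for line in check_user_objectclasses(SCHEMA_LDIF, wanted) or ["schema and objectclass list agree"]:
        print(line)
```

A clean result from this check only says the file is internally consistent; it does not replace the order of operations in the thread. Load the LDIF with ldapmodify, restart httpd so the IPA framework re-reads the schema instead of serving its cached copy, and only then run ipa config-mod and verify with ldapsearch as Martin did.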