[Freeipa-users] Adding a custom attribute to user object

Martin Kosek mkosek at redhat.com
Mon Mar 23 16:27:59 UTC 2015


You would need to extend user-mod to add this objectclass to existing modified
users. There is an example of such plugin in the PDF I mentioned.

On 03/23/2015 05:22 PM, Prashant Bapat wrote:
> Hi Rob,
> 
> Yes I did restart it.
> 
> Ok another problem. I'm not able to add this attr to existing users. Only
> the new ones. Any pointers?
> 
> Thanks.
> --Prashant
> 
> On 23 March 2015 at 21:19, Rob Crittenden <rcritten at redhat.com> wrote:
> 
>> Prashant Bapat wrote:
>>> Ok the command you gave me worked. But I was following the PDF and below
>>> command never worked.
>>>
>>> ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr
>>>
>>> Is that expected?
>>
>> Did you restart httpd after adding the schema? A cached copy is used and
>> restarting will cause it to re-read the schema.
>>
>> rob
>>
>>>
>>> Thanks.
>>> --Prashant
>>>
>>>
>>> On 23 March 2015 at 17:37, Prashant Bapat <prashant at apigee.com> wrote:
>>>
>>>     Martin,
>>>
>>>     Thanks!
>>>
>>>     Let me double check.
>>>
>>>     Yes I was referring to the exact same pdf.
>>>
>>>     Regards.
>>>     --Prashant
>>>
>>>     On 23 March 2015 at 16:49, Martin Kosek <mkosek at redhat.com> wrote:
>>>
>>>         On 03/23/2015 10:19 AM, Prashant Bapat wrote:
>>>         > Hi,
>>>         >
>>>         > I'm trying to add a custom attribute to user object. Below is the LDIF I'm using.
>>>         >
>>>         > dn: cn=schema
>>>         > changetype: modify
>>>         > add: attributeTypes
>>>         > attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp' DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENTION' )
>>>         > -
>>>         > add: objectclasses
>>>         > objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY ipaSshSigTimestamp )
>>>         >
>>>         > This gets added successfully using the ldapmodify command as directory manager. But both the UI and the ipa config-mod commands refuse to add the new attribute to ipaUserObjectClasses with error objectclass not found.
>>>         >
>>>         > What am I doing wrong?
>>>
>>>         Not sure yet, the schema above looks OK (except some typos). I tried it on my VM, and it just worked:
>>>
>>>         # ldapmodify -D "cn=Directory Manager" -x -w Secret123
>>>         ...
>>>         modifying entry "cn=schema"
>>>
>>>         # ipa config-mod --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,ApigeeUserAttr}
>>>         ...
>>>           Default user objectclasses: ipaobject, person, top, ipasshuser, inetorgperson, organizationalperson, krbticketpolicyaux, krbprincipalaux, ApigeeUserAttr, inetuser, posixaccount
>>>
>>>
>>>         # ipa user-add apigee --first Foo --last Bar --setattr ipaSshSigTimestamp=barbar
>>>         -------------------
>>>         Added user "apigee"
>>>         -------------------
>>>           User login: apigee
>>>           First name: Foo
>>>           Last name: Bar
>>>           Full name: Foo Bar
>>>           Display name: Foo Bar
>>>           Initials: FB
>>>           Home directory: /home/apigee
>>>           GECOS: Foo Bar
>>>           Login shell: /bin/sh
>>>           Kerberos principal: apigee at F21
>>>           Email address: apigee at f21.test
>>>           UID: 1889400080
>>>           GID: 1889400080
>>>           Password: False
>>>           Member of groups: ipausers
>>>           Kerberos keys available: False
>>>
>>>
>>>         # ldapsearch -Y GSSAPI -b 'uid=apigee,cn=users,cn=accounts,dc=f21' uid ipaSshSigTimestamp
>>>         SASL/GSSAPI authentication started
>>>         SASL username: admin at F21
>>>         SASL SSF: 56
>>>         SASL data security layer installed.
>>>         # extended LDIF
>>>         #
>>>         # LDAPv3
>>>         # base <uid=apigee,cn=users,cn=accounts,dc=f21> with scope subtree
>>>         # filter: (objectclass=*)
>>>         # requesting: uid ipaSshSigTimestamp
>>>         #
>>>
>>>         # apigee, users, accounts, f21
>>>         dn: uid=apigee,cn=users,cn=accounts,dc=f21
>>>         uid: apigee
>>>         ipaSshSigTimestamp: barbar
>>>
>>>         # search result
>>>         search: 4
>>>         result: 0 Success
>>>
>>>         # numResponses: 2
>>>         # numEntries: 1
>>>
>>>
>>>
>>>         BTW, did you read one of the very relevant upstream guides on how to add custom attributes to LDAP? It pretty much covers the procedure you are working on:
>>>
>>>         http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
>>>
>>>         Martin
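As an added illustration of the user-mod extension Martin describes (this is not code from the thread, from the linked PDF or from FreeIPA itself): an offline model of a pre-callback that adds the ApigeeUserAttr objectclass to an existing user whenever a modification sets ipaSshSigTimestamp, and renders the result as LDIF. `fetch_entry`, `fake_get_entry`, `SAMPLE_DIR` and `to_ldif` are assumed stand-ins for the plugin's ldap.get_entry and for the real directory.

```python
CUSTOM_OC = "ApigeeUserAttr"        # auxiliary objectclass from the thread's LDIF
CUSTOM_ATTR = "ipaSshSigTimestamp"  # attribute that objectclass allows

def has_objectclass(objectclasses, oc):
    # objectclass names are case-insensitive in LDAP, so compare lower-cased
    return oc.lower() in {o.lower() for o in objectclasses}

def usermod_pre_callback(fetch_entry, dn, entry):
    """Model of a user-mod pre-callback: `entry` holds the attributes the
    modification will write; `fetch_entry(dn, attrs)` reads the stored entry
    (assumed stand-in for ldap.get_entry in a real FreeIPA plugin). If the mod
    sets the custom attribute and the user lacks the objectclass, add it too."""
    if not any(k.lower() == CUSTOM_ATTR.lower() for k in entry):
        return entry                      # unrelated change: leave untouched
    current = entry.get("objectclass")    # objectclass already part of this mod?
    if current is None:
        current = fetch_entry(dn, ["objectclass"])["objectclass"]
    if not has_objectclass(current, CUSTOM_OC):
        entry["objectclass"] = list(current) + [CUSTOM_OC]
    return entry

def to_ldif(dn, entry):
    """Render the modification as LDIF that ldapmodify would accept."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, values in entry.items():
        lines.append(f"replace: {attr}")
        lines.extend(f"{attr}: {v}" for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"

# Constructed sample directory: one user created before ApigeeUserAttr
# was added to ipaUserObjectClasses, so it still lacks the objectclass.
SAMPLE_DIR = {
    "uid=apigee,cn=users,cn=accounts,dc=f21": {
        "objectclass": ["top", "person", "inetorgperson", "posixaccount", "ipaobject"],
        "uid": ["apigee"],
    },
}

def fake_get_entry(dn, attrs):
    # assumed stand-in for the directory lookup a real plugin does via ldap
    return {a: list(SAMPLE_DIR[dn][a]) for a in attrs}

if __name__ == "__main__":
    dn = "uid=apigee,cn=users,cn=accounts,dc=f21"
    print(to_ldif(dn, usermod_pre_callback(fake_get_entry, dn, {CUSTOM_ATTR: ["barbar"]})))
```

In a real plugin the same logic sits in a function registered with user_mod's pre-callback hook, as the PDF Martin points to shows; the case-insensitive check keeps it idempotent for users that already carry the objectclass.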