[Freeipa-users] Adding a custom attribute to user object
Martin Kosek
mkosek at redhat.com
Mon Mar 23 16:27:59 UTC 2015
You would need to extend user-mod to add this objectclass to existing modified
users. There is an example of such plugin in the PDF I mentioned.
On 03/23/2015 05:22 PM, Prashant Bapat wrote:
> Hi Rob,
>
> Yes I did restart it.
>
> Ok another problem. I'm not able to add this attr to existing users. Only
> the new ones. Any pointers?
>
> Thanks.
> --Prashant
>
> On 23 March 2015 at 21:19, Rob Crittenden <rcritten at redhat.com> wrote:
>
>> Prashant Bapat wrote:
>>> Ok the command you gave me worked. But I was following the PDF and below
>>> command never worked.
>>>
>>> ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr
>>>
>>> Is that expected?
>>
>> Did you restart httpd after adding the schema? A cached copy is used and
>> restarting will cause it to re-read the schema.
>>
>> rob
>>
>>>
>>> Thanks.
>>> --Prashant
>>>
>>>
>>> On 23 March 2015 at 17:37, Prashant Bapat <prashant at apigee.com> wrote:
>>>
>>> Martin,
>>>
>>> Thanks!
>>>
>>> Let me double check.
>>>
>>> Yes I was referring to the exact same pdf.
>>>
>>> Regards.
>>> --Prashant
>>>
>>> On 23 March 2015 at 16:49, Martin Kosek <mkosek at redhat.com> wrote:
>>>
>>> On 03/23/2015 10:19 AM, Prashant Bapat wrote:
>>> > Hi,
>>> >
>>> > I'm trying to add a custom attribute to the user object. Below is the LDIF I'm using.
>>> >
>>> > dn: cn=schema
>>> > changetype: modify
>>> > add: attributeTypes
>>> > attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp' DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENTION' )
>>> > -
>>> > add: objectclasses
>>> > objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY ipaSshSigTimestamp )
>>> >
>>> > This gets added successfully using the ldapmodify command as directory manager. But both the UI and the ipa config-mod command refuse to add the new attribute to ipaUserObjectClasses with the error "objectclass not found".
>>> >
>>> > What am I doing wrong?
>>>
>>> Not sure yet, the schema above looks OK (except some typos). I tried it on my VM, and it just worked:
>>>
>>> # ldapmodify -D "cn=Directory Manager" -x -w Secret123
>>> ...
>>> modifying entry "cn=schema"
>>>
>>> # ipa config-mod --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,ApigeeUserAttr}
>>> ...
>>> Default user objectclasses: ipaobject, person, top, ipasshuser, inetorgperson, organizationalperson, krbticketpolicyaux, krbprincipalaux, ApigeeUserAttr, inetuser, posixaccount
>>>
>>>
>>> # ipa user-add apigee --first Foo --last Bar --setattr ipaSshSigTimestamp=barbar
>>> -------------------
>>> Added user "apigee"
>>> -------------------
>>> User login: apigee
>>> First name: Foo
>>> Last name: Bar
>>> Full name: Foo Bar
>>> Display name: Foo Bar
>>> Initials: FB
>>> Home directory: /home/apigee
>>> GECOS: Foo Bar
>>> Login shell: /bin/sh
>>> Kerberos principal: apigee at F21
>>> Email address: apigee at f21.test
>>> UID: 1889400080
>>> GID: 1889400080
>>> Password: False
>>> Member of groups: ipausers
>>> Kerberos keys available: False
>>>
>>>
>>> # ldapsearch -Y GSSAPI -b 'uid=apigee,cn=users,cn=accounts,dc=f21' uid ipaSshSigTimestamp
>>> SASL/GSSAPI authentication started
>>> SASL username: admin at F21
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <uid=apigee,cn=users,cn=accounts,dc=f21> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: uid ipaSshSigTimestamp
>>> #
>>>
>>> # apigee, users, accounts, f21
>>> dn: uid=apigee,cn=users,cn=accounts,dc=f21
>>> uid: apigee
>>> ipaSshSigTimestamp: barbar
>>>
>>> # search result
>>> search: 4
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>>
>>>
>>> BTW, did you read one of the very relevant upstream guides on how to add custom attributes to LDAP? It pretty much covers the procedure you are working on:
>>>
>>> http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
>>>
>>> Martin
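Backfilling the objectclass onto users that already exist, as an added example (not code from this thread, from FreeIPA, or from the PDF Martin references): adding ApigeeUserAttr to ipaUserObjectClasses only affects users created afterwards, so for existing entries the auxiliary objectClass has to be added to each entry before ipaSshSigTimestamp can be set on it. Martin's suggestion is to extend user-mod with a plugin; the one-off alternative below instead generates an LDIF modify record per existing uid for ldapmodify. The base DN and the uid values are constructed to match the thread.

```shell
#!/bin/sh
# Added example: generate LDIF that adds an auxiliary objectClass to
# existing user entries. Nothing here talks to the directory; the
# generated LDIF is piped to ldapmodify in the usage shown at the bottom.

# Constructed defaults matching the thread's test realm; override as needed.
USERS_BASE="cn=users,cn=accounts,dc=f21"
OBJECTCLASS="ApigeeUserAttr"

# gen_objectclass_ldif BASE OBJECTCLASS
# Reads one uid per line on stdin and emits one LDIF modify record per uid.
# Blank lines are skipped. 'add: objectClass' is rejected by the server with
# "Type or value exists" if the entry already carries the class, so the
# ldapsearch filter below excludes such entries instead of relying on -c.
gen_objectclass_ldif() {
  base="${1:-$USERS_BASE}"
  oc="${2:-$OBJECTCLASS}"
  while IFS= read -r uid; do
    [ -n "$uid" ] || continue
    printf 'dn: uid=%s,%s\nchangetype: modify\nadd: objectClass\nobjectClass: %s\n\n' \
      "$uid" "$base" "$oc"
  done
}

# Usage (not executed here): select only users still lacking the class,
# extract the uids, generate the LDIF and apply it as Directory Manager.
# Note: ldapsearch base64-encodes non-ASCII values as "uid:: ..." lines,
# which the sed expression deliberately leaves alone for manual review.
#   ldapsearch -Y GSSAPI -LLL -b "$USERS_BASE" \
#     "(&(objectClass=posixaccount)(!(objectClass=$OBJECTCLASS)))" uid \
#     | sed -n 's/^uid: //p' \
#     | gen_objectclass_ldif "$USERS_BASE" "$OBJECTCLASS" \
#     | ldapmodify -D "cn=Directory Manager" -W
```

After the backfill, the attribute can be set on those users with ipa user-mod --setattr just as Martin did at user-add time.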