[Freeipa-users] Adding a custom attribute to user object
Rob Crittenden
rcritten at redhat.com
Mon Mar 23 17:21:36 UTC 2015
Prashant Bapat wrote:
> Thanks. I will take a look. However will using this attr only on new
> users from the time it was added have any issues?
Shouldn't cause any problems with IPA.
> Also, will replication include this new attr ?
Yes. Schema is replicated as well.
rob
>
> On 23 March 2015 at 21:57, Martin Kosek <mkosek at redhat.com
> <mailto:mkosek at redhat.com>> wrote:
>
> You would need to extend user-mod to add this objectclass to existing modified
> users. There is an example of such a plugin in the PDF I mentioned.
>
> On 03/23/2015 05:22 PM, Prashant Bapat wrote:
> > Hi Rob,
> >
> > Yes I did restart it.
> >
> > Ok another problem. I'm not able to add this attr to existing users. Only
> > the new ones. Any pointers?
> >
> > Thanks.
> > --Prashant
> >
> > On 23 March 2015 at 21:19, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
> >
> >> Prashant Bapat wrote:
> >>> Ok the command you gave me worked. But I was following the PDF and the below
> >>> command never worked.
> >>>
> >>> ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr
> >>>
> >>> Is that expected?
> >>
> >> Did you restart httpd after adding the schema? A cached copy is used and
> >> restarting will cause it to re-read the schema.
> >>
> >> rob
> >>
> >>>
> >>> Thanks.
> >>> --Prashant
> >>>
> >>>
> >>> On 23 March 2015 at 17:37, Prashant Bapat <prashant at apigee.com
> <mailto:prashant at apigee.com>
> >>> <mailto:prashant at apigee.com <mailto:prashant at apigee.com>>> wrote:
> >>>
> >>> Martin,
> >>>
> >>> Thanks!
> >>>
> >>> Let me double check.
> >>>
> >>> Yes I was referring to the exact same pdf.
> >>>
> >>> Regards.
> >>> --Prashant
> >>>
> >>> On 23 March 2015 at 16:49, Martin Kosek <mkosek at redhat.com
> <mailto:mkosek at redhat.com>
> >>> <mailto:mkosek at redhat.com <mailto:mkosek at redhat.com>>> wrote:
> >>>
> >>> On 03/23/2015 10:19 AM, Prashant Bapat wrote:
> >>> > Hi,
> >>> >
> >>> > I'm trying to add a custom attribute to the user object. Below is the LDIF I'm
> >>> > using.
> >>> >
> >>> > dn: cn=schema
> >>> > changetype: modify
> >>> > add: attributeTypes
> >>> > attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp' DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENTION' )
> >>> > -
> >>> > add: objectclasses
> >>> > objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY ipaSshSigTimestamp )
> >>> >
> >>> > This gets added successfully using the ldapmodify command as directory
> >>> > manager. But both the UI and the ipa config-mod commands refuse to add the
> >>> > new attribute to ipaUserObjectClasses with error objectclass not found.
> >>> >
> >>> > What am I doing wrong?
> >>>
> >>> Not sure yet, the schema above looks OK (except some typos). I tried it on my
> >>> VM, and it just worked:
> >>>
> >>> # ldapmodify -D "cn=Directory Manager" -x -w Secret123
> >>> ...
> >>> modifying entry "cn=schema"
> >>>
> >>> # ipa config-mod --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,ApigeeUserAttr}
> >>> ...
> >>> Default user objectclasses: ipaobject, person, top, ipasshuser, inetorgperson, organizationalperson, krbticketpolicyaux, krbprincipalaux, ApigeeUserAttr, inetuser, posixaccount
> >>>
> >>>
> >>> # ipa user-add apigee --first Foo --last Bar --setattr ipaSshSigTimestamp=barbar
> >>> -------------------
> >>> Added user "apigee"
> >>> -------------------
> >>> User login: apigee
> >>> First name: Foo
> >>> Last name: Bar
> >>> Full name: Foo Bar
> >>> Display name: Foo Bar
> >>> Initials: FB
> >>> Home directory: /home/apigee
> >>> GECOS: Foo Bar
> >>> Login shell: /bin/sh
> >>> Kerberos principal: apigee at F21
> >>> Email address: apigee at f21.test
> >>> UID: 1889400080
> >>> GID: 1889400080
> >>> Password: False
> >>> Member of groups: ipausers
> >>> Kerberos keys available: False
> >>>
> >>>
> >>> # ldapsearch -Y GSSAPI -b 'uid=apigee,cn=users,cn=accounts,dc=f21' uid ipaSshSigTimestamp
> >>> SASL/GSSAPI authentication started
> >>> SASL username: admin at F21
> >>> SASL SSF: 56
> >>> SASL data security layer installed.
> >>> # extended LDIF
> >>> #
> >>> # LDAPv3
> >>> # base <uid=apigee,cn=users,cn=accounts,dc=f21> with scope subtree
> >>> # filter: (objectclass=*)
> >>> # requesting: uid ipaSshSigTimestamp
> >>> #
> >>>
> >>> # apigee, users, accounts, f21
> >>> dn: uid=apigee,cn=users,cn=accounts,dc=f21
> >>> uid: apigee
> >>> ipaSshSigTimestamp: barbar
> >>>
> >>> # search result
> >>> search: 4
> >>> result: 0 Success
> >>>
> >>> # numResponses: 2
> >>> # numEntries: 1
> >>>
> >>>
> >>>
> >>> BTW, did you read one of the very relevant upstream guides on how to add custom
> >>> attributes to LDAP? It pretty much covers the procedure you are working on:
> >>>
> >>> http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
> >>>
> >>> Martin
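The situation the thread ends on, as an added example (not code from the thread or from FreeIPA): a user created before the schema change carries none of the new auxiliary objectclass, so setting ipaSshSigTimestamp on it fails the directory server's schema check. The code parses the objectclass definition from the posted LDIF, works out which objectclass such an entry is missing, and emits the ldapmodify LDIF that adds the objectclass and then the attribute. The user entry and its DN are constructed from the output quoted above.

```python
import re

# Constructed copy of the objectclass definition from the LDIF posted in the thread.
SCHEMA_LDIF = ("objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' "
               "SUP top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY ipaSshSigTimestamp )")

# Constructed: a user created before the schema change, so it lacks ApigeeUserAttr.
EXISTING_USER = {
    "dn": "uid=apigee,cn=users,cn=accounts,dc=f21",
    "objectclass": ["ipaobject", "person", "top", "ipasshuser", "inetorgperson",
                    "organizationalperson", "krbticketpolicyaux", "krbprincipalaux",
                    "inetuser", "posixaccount"],
}

def parse_objectclasses(ldif):
    """Map each attribute named in MUST/MAY (lowercased) to the objectclass granting it."""
    attr_to_oc = {}
    for line in ldif.splitlines():
        if not line.lower().startswith("objectclasses:"):
            continue
        name = re.search(r"NAME\s+'([^']+)'", line).group(1)
        for kw in ("MUST", "MAY"):
            m = re.search(r"\b%s\s+(\([^)]*\)|\S+)" % kw, line)
            for attr in (re.split(r"[\s$()]+", m.group(1)) if m else []):
                if attr:
                    attr_to_oc[attr.lower()] = name
    return attr_to_oc

def missing_objectclasses(entry, changes, attr_to_oc):
    """Objectclasses the entry must gain before `changes` pass the server's schema check.
    Raises ValueError for an attribute no loaded objectclass grants (a schema violation)."""
    have = {oc.lower() for oc in entry.get("objectclass", [])}
    needed = []
    for attr in changes:
        oc = attr_to_oc.get(attr.lower())
        if oc is None:
            raise ValueError("%s: not granted by any loaded objectclass" % attr)
        if oc.lower() not in have and oc not in needed:
            needed.append(oc)
    return needed

def modify_ldif(entry, changes, attr_to_oc):
    """LDIF for ldapmodify: add the missing auxiliary objectclass first, then the attributes."""
    ops = [("objectClass", oc) for oc in missing_objectclasses(entry, changes, attr_to_oc)]
    ops += list(changes.items())
    out = ["dn: %s" % entry["dn"], "changetype: modify"]
    for attr, value in ops:
        out += ["add: %s" % attr, "%s: %s" % (attr, value), "-"]
    return "\n".join(out) + "\n"
```

The same objectclass addition is what an extended user-mod would perform for users modified through IPA; for a one-off backfill of existing users, the returned LDIF can be fed to ldapmodify as Directory Manager.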