Thanks Alexander,

It's not clear in the API or python-freeipa module that all is a keyword
argument, so all=true solves my first problem.

I added the objectclasses _before_ users were created using a python import
script, which keeps their attributes up-to-date.

I added the objectclasses using the following method:

git clone https://github.com/nesi/auEduPerson.git
cp auEduPerson/auEduPerson20170721.ldif /etc/dirsrv/slapd-MY-ORG/schema/60aueduperson.ldif
chown dirsrv:dirsrv /etc/dirsrv/slapd-MY-ORG/schema/60aueduperson.ldif
ipactl restart
kinit admin
ipa config-mod --userobjectclasses=top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,ipasshuser,employeeinfo,eduperson,aueduperson

Though, I did not do the last line using the CLI, but used the web UI to set
objectclasses so that I didn't drop any by missing them out of the list.

Regards,

Aaron Hicks
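
Added example, not part of the original message and not FreeIPA code: a way to build the full --userobjectclasses list from the current configuration so that no existing class is dropped when new ones are appended. The `ipa config-show --raw` output format (one `ipauserobjectclasses:` line per value) is an assumption, the sample text is constructed, and the function names are hypothetical.

```python
# Constructed sample of `ipa config-show --raw` output (assumed format:
# one "ipauserobjectclasses: <name>" line per configured value).
SAMPLE_CONFIG_RAW = """\
  ipamaxusernamelength: 32
  ipauserobjectclasses: top
  ipauserobjectclasses: person
  ipauserobjectclasses: organizationalperson
  ipauserobjectclasses: inetorgperson
  ipauserobjectclasses: inetuser
  ipauserobjectclasses: posixaccount
  ipauserobjectclasses: krbprincipalaux
  ipauserobjectclasses: krbticketpolicyaux
  ipauserobjectclasses: ipaobject
  ipauserobjectclasses: ipasshuser
  ipagroupobjectclasses: top
"""

def current_user_objectclasses(config_raw):
    """Return the ipauserobjectclasses values, in order, from raw config text."""
    values = []
    for line in config_raw.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key.strip().lower() == "ipauserobjectclasses" and value.strip():
            values.append(value.strip())
    return values

def merge_objectclasses(current, wanted):
    """Append missing classes; never drop or reorder an existing one.
    LDAP object class names are case-insensitive, so compare lowercased."""
    merged = list(current)
    seen = {name.lower() for name in current}
    for name in wanted:
        if name.lower() not in seen:
            merged.append(name)
            seen.add(name.lower())
    return merged

def config_mod_command(config_raw, wanted):
    """Build the command in the form used in the message above."""
    current = current_user_objectclasses(config_raw)
    if not current:
        # An empty baseline means parsing failed; do not overwrite the list.
        raise ValueError("no ipauserobjectclasses found in config output")
    merged = merge_objectclasses(current, wanted)
    return "ipa config-mod --userobjectclasses=" + ",".join(merged)
```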


-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Friday, 3 November 2017 7:10 PM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Aaron Hicks <aaron.hi...@nesi.org.nz>
Subject: Re: [Freeipa-users] Searching for user by extended attribute

On Fri, 03 Nov 2017, Aaron Hicks via FreeIPA-users wrote:
>Hi all,
>
>We've added two objectclasses to the default user in our FreeIPA instance.
>We're able to set and modify them fine, however we need two additional 
>functions.
>
>We need two additional attributes auedupersonsharedtoken and 
>edupersonprinciplename to be included in the user attributes when 
>executing user-find with the python-freeipa module. It works fine from 
>the command line by adding the --all argument, but there's no 
>equivalent to --all in the python-freeipa module.
It is all there.

$ ipa console
(Custom IPA interactive Python console)
>>> len(api.Command.user_find()['result'][0])
11
>>> len(api.Command.user_find(all=True)['result'][0])
24

>We need to be able to user-find to search for users by these 
>attributes, both from the command line and the python-freeipa module. 
>There does not seem to be an equivalent of the --setattr command on the 
>find function to search by attributes provided by additional objectclass
>schema.
This is a bit different. You need to make sure you injected those attributes
into existing object definitions if you want to see them used by the
baseldap.py machinery.

Can you show the code you use to extend IPA classes?

--
/ Alexander Bokovoy