Joshua Hoblitt via FreeIPA-users wrote:
> Hi Folks,
> 
> At the moment, I'm investigating using pwm to allow user password reset
> self service. pwm requires a schema change to add its own attributes.
> I'm afraid I've never been clear on what the correct procedure is for
> making schema changes and I've been unable to find a blurb on this in the
> RH IdM docs.
> 
> There seems to be a couple of possible ways of going about this using
> ldapmodify or dropping ldif files directly under
> /etc/dirsrv/slapd-<foo>/schema. However, that requires templating the
> ldif with server specific changes.
> 
> Seeing as the files under /usr/share/ipa appear to be templated via
> ipa-ldap-updater and the man page states:
> 
>     Additionally, ipa-ldap-updater can update the schema based on
>     LDIF files. Any missing object classes and attribute types are
>     added, and differing ones are updated to match the
>     LDIF file. To enable this behavior, use the --schema-file
>     options. Schema files should be in LDIF format, and may only
>     specify attributeTypes and objectClasses attributes of
>     cn=schema.
> 
> I attempted to template the pwm schema changes as follows:
> 
>     dn: cn=schema
>     objectclass: top
>     objectclass: ldapSubentry
>     objectclass: subschema
>     cn: schema

You don't need the objectclass and cn attributes here. cn=schema already
exists.

>     aci: (target="ldap:///cn=schema";)(targetattr !="aci")(version
>     3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn =
>     "ldap:///anyone";;)
>     aci: (targetattr="*")(version 3.0; acl "Configuration Administrators
>     Group"; allow (all)
>     groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
>     aci: (targetattr="*")(version 3.0; acl "Configuration
>     Administrator"; allow (all)
>     userdn="ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";;)
>     aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)
>     groupdn = "ldap:///fqdn=$FQDN,cn=computers,cn=accounts,$SUFFIX";;)

Don't put your acis under cn=schema. They need to live where the data
lives. I'd drop your aci read restriction too, it isn't necessary.

>     attributetypes: ( 1.3.6.1.4.1.35015.1.2.1 NAME 'pwmEventLog'  SYNTAX
>     1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' )
>     attributetypes: ( 1.3.6.1.4.1.35015.1.2.2 NAME 'pwmResponseSet' 
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' )
>     attributetypes: ( 1.3.6.1.4.1.35015.1.2.3 NAME 'pwmLastPwdUpdate' 
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'user
>     defined' )
>     attributetypes: ( 1.3.6.1.4.1.35015.1.2.4 NAME 'pwmGUID'  SYNTAX
>     1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
>     attributetypes: ( 1.3.6.1.4.1.35015.1.2.4 NAME 'pwmToken'  SYNTAX

I think this should be 1.2.5. It's a dup of the previous value.

>     1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
>     attributetypes: ( 1.3.6.1.4.1.35015.1.2.6 NAME 'pwmOtpSecret' 
>     SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' )
>     attributetypes: ( 1.3.6.1.4.1.35015.1.2.7 NAME 'pwmData'  SYNTAX
>     1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' )
>     objectclasses: ( 1.3.6.1.4.1.35015.1.1.1 NAME 'pwmUser' DESC '' SUP
>     top AUXILIARY MAY ( pwmEventLog $ pwmResponseSet $ pwmLastPwdUpdate
>     $ pwmGUID $ pwmToken $ pwmOtpSecret $ pwmData ) X-ORIGIN 'user
>     defined' )

I know nothing about pwm but it seems like some of these values
duplicate what is already in IPA.

> 
> However, trying to use `ipa-ldap-updater` in this manner suggested by
> the manpage fails:
> 
>     # ipa-ldap-updater --schema-file ./99pwm.ldif
>     Unexpected error - see /var/log/ipaupgrade.log for details:
>     IOError: [Errno socket error] [Errno -2] Name or service not known
>     The ipa-ldap-updater command failed. See /var/log/ipaupgrade.log for
>     more information
> 
> 
> The error message is complaining about the socket... which I've
> confirmed from the ipaupgrade.log is the correct path to the dirsrv
> socket (and dirsrv is otherwise functioning).
> 
> Is this an abuse of, or bug in, ipa-ldap-updater?  Is it possible to
> simply drop templated ldif files under /usr/share/ipa/ and have them be
> processed similarly to /usr/share/ipa/updates/?

Just dropping files in place will be run by ipa-ldap-updater and you
might see the same issue.

Just a raw ipa-ldap-updater run at all? Perhaps check for SELinux AVCs.
It does a ldapi bind using the socket. I've never seen that fail before.

rob

> 
> Any guidance would be greatly appreciated.
> 
> -Josh
> 
> --
> 
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue
> 
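The review points above (a duplicated OID, aci/objectclass/cn lines that do not belong in a --schema-file, and attributes that the objectclass references but the file never defines) are all things that can be caught before the LDIF is handed to ipa-ldap-updater. The following pre-flight checker is an added example written for this thread; it is not FreeIPA, 389-ds or pwm code. It assumes a single cn=schema entry in the file, the --schema-file restriction quoted from the manpage (only attributeTypes and objectClasses), and it does not consult the server's existing schema, so an attribute that is missing from the file but already present on the server (as some of the pwm ones may be in IPA) is reported as "must already exist on the server" rather than as an error. The embedded sample is a constructed, trimmed copy of the fragment from the thread with the duplicate OID and a stray aci line left in.

```python
"""Pre-flight checks for an LDIF schema fragment before running
ipa-ldap-updater --schema-file.  Added example, not FreeIPA or pwm code."""
import re
from collections import Counter, defaultdict

# Constructed sample: a trimmed copy of the thread's cn=schema fragment.
# The duplicated OID (...1.2.4 used twice) and the aci line are kept on
# purpose so the checks below have something to report.  Continuation
# lines start with a space, as in LDIF (RFC 2849).
SAMPLE_LDIF = """\
dn: cn=schema
objectclass: top
cn: schema
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all)
  userdn="ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";;)
attributetypes: ( 1.3.6.1.4.1.35015.1.2.1 NAME 'pwmEventLog' SYNTAX
  1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' )
attributetypes: ( 1.3.6.1.4.1.35015.1.2.4 NAME 'pwmGUID' SYNTAX
  1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
attributetypes: ( 1.3.6.1.4.1.35015.1.2.4 NAME 'pwmToken' SYNTAX
  1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
objectclasses: ( 1.3.6.1.4.1.35015.1.1.1 NAME 'pwmUser' SUP top AUXILIARY
  MAY ( pwmEventLog $ pwmGUID $ pwmToken $ pwmData ) X-ORIGIN 'user defined' )
"""

# Per the ipa-ldap-updater manpage, a --schema-file may only carry
# attributeTypes and objectClasses for cn=schema (plus the dn line itself).
ALLOWED_ATTRS = {"dn", "attributetypes", "objectclasses"}

DEF_RE = re.compile(r"^\(\s*([\d.]+)\s+NAME\s+'([^']+)'", re.IGNORECASE)
LIST_RE = re.compile(r"\b(MAY|MUST)\s+(\([^)]*\)|\S+)", re.IGNORECASE)


def unfold(text):
    """Join LDIF continuation lines: a line beginning with one space
    continues the previous line, with that first space removed."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_entry(text):
    """Return {attribute-name-lowercased: [values]} for one LDIF entry."""
    attrs = defaultdict(list)
    for line in unfold(text):
        name, _, value = line.partition(":")
        attrs[name.strip().lower()].append(value.strip())
    return attrs


def parse_definition(value):
    """Extract (oid, name) from an attributetypes/objectclasses value."""
    m = DEF_RE.match(value)
    return (m.group(1), m.group(2)) if m else (None, None)


def referenced_attrs(objectclass_value):
    """Attribute names listed in the MAY/MUST clauses of an objectclass."""
    names = []
    for _, body in LIST_RE.findall(objectclass_value):
        names += [n.strip() for n in body.strip("() ").split("$") if n.strip()]
    return names


def check_schema(text):
    """Return a list of findings; an empty list means the file passed."""
    entry = parse_entry(text)
    findings = []
    if entry.get("dn") != ["cn=schema"]:
        findings.append(f"dn: expected cn=schema, got {entry.get('dn')}")
    # Anything other than attributetypes/objectclasses (aci, objectclass,
    # cn, ...) is rejected; acis belong with the data, not under cn=schema.
    for attr in sorted(set(entry) - ALLOWED_ATTRS):
        findings.append(f"disallowed: '{attr}' does not belong in a schema file")
    defs = [parse_definition(v) for v in entry["attributetypes"] + entry["objectclasses"]]
    oids = Counter(oid for oid, _ in defs if oid)
    for oid, n in sorted(oids.items()):
        if n > 1:
            names = [name for o, name in defs if o == oid]
            findings.append(f"duplicate OID {oid}: {', '.join(names)}")
    # Names used in MAY/MUST but not defined here are only a warning: they
    # may already exist in the server's schema (this check does not query it).
    defined = {name for _, name in defs if name}
    for oc in entry["objectclasses"]:
        _, oc_name = parse_definition(oc)
        for ref in referenced_attrs(oc):
            if ref not in defined:
                findings.append(f"unresolved: {oc_name} references {ref}, "
                                "not defined in this file (must already exist on the server)")
    return findings


if __name__ == "__main__":
    for finding in check_schema(SAMPLE_LDIF):
        print(finding)
```

Run against a real file with `check_schema(open("99pwm.ldif").read())`; on the constructed sample it reports the three disallowed attributes (aci, cn, objectclass), the duplicated ...1.2.4 OID shared by pwmGUID and pwmToken, and pwmData as unresolved. The parser handles LDIF folding and the `MAY ( a $ b )` / `MAY a` forms but not base64 (`::`) values, which do not occur in schema definitions.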