You would need to extend user-mod to add this objectclass to existing modified users. There is an example of such a plugin in the PDF I mentioned.

On 03/23/2015 05:22 PM, Prashant Bapat wrote:
> Hi Rob,
>
> Yes I did restart it.
>
> Ok another problem. I'm not able to add this attr to existing users. Only
> the new ones. Any pointers ?
>
> Thanks.
> --Prashant
>
> On 23 March 2015 at 21:19, Rob Crittenden <rcrit...@redhat.com> wrote:
>
>> Prashant Bapat wrote:
>>> Ok the command you gave me worked. But I was following the PDF and below
>>> command never worked.
>>>
>>> ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr
>>>
>>> Is that expected ?
>>
>> Did you restart httpd after adding the schema? A cached copy is used and
>> restarting will cause it to re-read the schema.
>>
>> rob
>>
>>>
>>> Thanks.
>>> --Prashant
>>>
>>>
>>> On 23 March 2015 at 17:37, Prashant Bapat <prash...@apigee.com
>>> <mailto:prash...@apigee.com>> wrote:
>>>
>>> Martin,
>>>
>>> Thanks!
>>>
>>> Let me double check.
>>>
>>> Yes I was referring to the exact same pdf.
>>>
>>> Regards.
>>> --Prashant
>>>
>>> On 23 March 2015 at 16:49, Martin Kosek <mko...@redhat.com
>>> <mailto:mko...@redhat.com>> wrote:
>>>
>>> On 03/23/2015 10:19 AM, Prashant Bapat wrote:
>>> > Hi,
>>> >
>>> > I'm trying to add a custom attribute to user object. Below is the ldif I'm
>>> > using.
>>> >
>>> > dn: cn=schema
>>> > changetype: modify
>>> > add: attributeTypes
>>> > attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp'
>>> >  DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch
>>> >  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENTION' )
>>> > -
>>> > add: objectclasses
>>> > objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP
>>> >  top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY ipaSshSigTimestamp )
>>> >
>>> > This gets added successfully using the ldapmodify command as directory
>>> > manager. But both the UI and the ipa config-mod commands refuse to add the
>>> > new attribute to ipaUserObjectClasses with error objectclass not found.
>>> >
>>> > What am I doing wrong ?
>>>
>>> Not sure yet, the schema above looks OK (except some typos). I tried it on my
>>> VM, and it just worked:
>>>
>>> # ldapmodify -D "cn=Directory Manager" -x -w Secret123
>>> ...
>>> modifying entry "cn=schema"
>>>
>>> # ipa config-mod --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,ApigeeUserAttr}
>>> ...
>>> Default user objectclasses: ipaobject, person, top, ipasshuser, inetorgperson, organizationalperson, krbticketpolicyaux, krbprincipalaux, ApigeeUserAttr, inetuser, posixaccount
>>>
>>>
>>> # ipa user-add apigee --first Foo --last Bar --setattr ipaSshSigTimestamp=barbar
>>> -------------------
>>> Added user "apigee"
>>> -------------------
>>> User login: apigee
>>> First name: Foo
>>> Last name: Bar
>>> Full name: Foo Bar
>>> Display name: Foo Bar
>>> Initials: FB
>>> Home directory: /home/apigee
>>> GECOS: Foo Bar
>>> Login shell: /bin/sh
>>> Kerberos principal: apigee@F21
>>> Email address: api...@f21.test
>>> UID: 1889400080
>>> GID: 1889400080
>>> Password: False
>>> Member of groups: ipausers
>>> Kerberos keys available: False
>>>
>>>
>>> # ldapsearch -Y GSSAPI -b 'uid=apigee,cn=users,cn=accounts,dc=f21' uid ipaSshSigTimestamp
>>> SASL/GSSAPI authentication started
>>> SASL username: admin@F21
>>> SASL SSF: 56
>>> SASL data security layer installed.
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <uid=apigee,cn=users,cn=accounts,dc=f21> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: uid ipaSshSigTimestamp
>>> #
>>>
>>> # apigee, users, accounts, f21
>>> dn: uid=apigee,cn=users,cn=accounts,dc=f21
>>> uid: apigee
>>> ipaSshSigTimestamp: barbar
>>>
>>> # search result
>>> search: 4
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>>
>>> BTW, did you read one of the very relevant upstream guides how to add custom
>>> attributes to LDAP? It pretty much covers the procedure you are working on:
>>>
>>> http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
>>>
>>> Martin