Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Martin Kosek
On 03/23/2015 10:19 AM, Prashant Bapat wrote:
> Hi,
>
> I'm trying to add a custom attribute to the user object. Below is the LDIF I'm
> using.
>
> dn: cn=schema
> changetype: modify
> add: attributeTypes
> attributeTypes: ( 2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp'
>   DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENTION' )
> -
> add: objectclasses
> objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP
>   top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY ipaSshSigTimestamp )
>
> This gets added successfully using the ldapmodify command as Directory
> Manager. But both the UI and the ipa config-mod command refuse to add the
> new attribute to ipaUserObjectClasses with the error "objectclass not found".
>
> What am I doing wrong?

Not sure yet, the schema above looks OK (except for some typos). I tried it on my
VM, and it just worked:

# ldapmodify -D "cn=Directory Manager" -x -w Secret123
...
modifying entry "cn=schema"

# ipa config-mod --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,ApigeeUserAttr}
...
  Default user objectclasses: ipaobject, person, top, ipasshuser, inetorgperson, organizationalperson, krbticketpolicyaux, krbprincipalaux, ApigeeUserAttr, inetuser, posixaccount


# ipa user-add apigee --first Foo --last Bar --setattr ipaSshSigTimestamp=barbar
---
Added user apigee
---
  User login: apigee
  First name: Foo
  Last name: Bar
  Full name: Foo Bar
  Display name: Foo Bar
  Initials: FB
  Home directory: /home/apigee
  GECOS: Foo Bar
  Login shell: /bin/sh
  Kerberos principal: apigee@F21
  Email address: api...@f21.test
  UID: 1889400080
  GID: 1889400080
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False


# ldapsearch -Y GSSAPI -b 'uid=apigee,cn=users,cn=accounts,dc=f21' uid ipaSshSigTimestamp
SASL/GSSAPI authentication started
SASL username: admin@F21
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base uid=apigee,cn=users,cn=accounts,dc=f21 with scope subtree
# filter: (objectclass=*)
# requesting: uid ipaSshSigTimestamp
#

# apigee, users, accounts, f21
dn: uid=apigee,cn=users,cn=accounts,dc=f21
uid: apigee
ipaSshSigTimestamp: barbar

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1



BTW, did you read one of the very relevant upstream guides on how to add custom
attributes to LDAP? It pretty much covers the procedure you are working on:

http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Prashant Bapat
Martin,

Thanks!

Let me double check.

Yes, I was referring to the exact same PDF.

Regards.
--Prashant

On 23 March 2015 at 16:49, Martin Kosek <mko...@redhat.com> wrote:

 On 03/23/2015 10:19 AM, Prashant Bapat wrote:
  Hi,
 
  I'm trying to add a custom attribute to user object. Below is the ldif
 i'm
  using.
 
  dn: cn=schema
  changetype: modify
  add: attributeTypes
  attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp'
  DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENTION'
 )
  -
  add: objectclasses
  objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP
  top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY ipaSshSigTimestamp )
 
  This gets added successfully using the ldapmodify command as directory
  manager. But both the UI and the ipa config-mod commands refuse to add
 the
  new attribute to ipaUserObjectClasses with error objectclass not found.
 
  What I'm I doing wrong ?

 Not sure yet, the schema above looks OK (except some typos). I tried it on
 my
 VM, and it just worked:

 # ldapmodify -D cn=Directory Manager -x -w Secret123
 ...
 modifying entry cn=schema

 # ipa config-mod

 --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,ApigeeUserAttr}
 ...
   Default user objectclasses: ipaobject, person, top, ipasshuser,
 inetorgperson, organizationalperson,
   krbticketpolicyaux, krbprincipalaux,
 ApigeeUserAttr, inetuser,
   posixaccount


 # ipa user-add apigee --first Foo --last Bar --setattr
 ipaSshSigTimestamp=barbar
 ---
 Added user apigee
 ---
   User login: apigee
   First name: Foo
   Last name: Bar
   Full name: Foo Bar
   Display name: Foo Bar
   Initials: FB
   Home directory: /home/apigee
   GECOS: Foo Bar
   Login shell: /bin/sh
   Kerberos principal: apigee@F21
   Email address: api...@f21.test
   UID: 1889400080
   GID: 1889400080
   Password: False
   Member of groups: ipausers
   Kerberos keys available: False


 # ldapsearch -Y GSSAPI -b 'uid=apigee,cn=users,cn=accounts,dc=f21' uid
 ipaSshSigTimestamp
 SASL/GSSAPI authentication started
 SASL username: admin@F21
 SASL SSF: 56
 SASL data security layer installed.
 # extended LDIF
 #
 # LDAPv3
 # base uid=apigee,cn=users,cn=accounts,dc=f21 with scope subtree
 # filter: (objectclass=*)
 # requesting: uid ipaSshSigTimestamp
 #

 # apigee, users, accounts, f21
 dn: uid=apigee,cn=users,cn=accounts,dc=f21
 uid: apigee
 ipaSshSigTimestamp: barbar

 # search result
 search: 4
 result: 0 Success

 # numResponses: 2
 # numEntries: 1



 BTW, did you read one of the very relevant upstream guides how to add
 custom
 attributes to LDAP? It pretty much covers the procedure you are working on:

 http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf

 Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Prashant Bapat
OK, the command you gave me worked. But I was following the PDF, and the
command below never worked:

ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr

Is that expected?

Thanks.
--Prashant

On 23 March 2015 at 17:37, Prashant Bapat <prash...@apigee.com> wrote:

 Martin,

 Thanks!

 Let me double check.

 Yes I was referring to the exact same pdf.

 Regards.
 --Prashant

 On 23 March 2015 at 16:49, Martin Kosek mko...@redhat.com wrote:

 On 03/23/2015 10:19 AM, Prashant Bapat wrote:
  Hi,
 
  I'm trying to add a custom attribute to user object. Below is the ldif
 i'm
  using.
 
  dn: cn=schema
  changetype: modify
  add: attributeTypes
  attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp'
  DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA
 EXTENTION' )
  -
  add: objectclasses
  objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP
  top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY ipaSshSigTimestamp )
 
  This gets added successfully using the ldapmodify command as directory
  manager. But both the UI and the ipa config-mod commands refuse to add
 the
  new attribute to ipaUserObjectClasses with error objectclass not found.
 
  What I'm I doing wrong ?

 Not sure yet, the schema above looks OK (except some typos). I tried it
 on my
 VM, and it just worked:

 # ldapmodify -D cn=Directory Manager -x -w Secret123
 ...
 modifying entry cn=schema

 # ipa config-mod

 --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,ApigeeUserAttr}
 ...
   Default user objectclasses: ipaobject, person, top, ipasshuser,
 inetorgperson, organizationalperson,
   krbticketpolicyaux, krbprincipalaux,
 ApigeeUserAttr, inetuser,
   posixaccount


 # ipa user-add apigee --first Foo --last Bar --setattr
 ipaSshSigTimestamp=barbar
 ---
 Added user apigee
 ---
   User login: apigee
   First name: Foo
   Last name: Bar
   Full name: Foo Bar
   Display name: Foo Bar
   Initials: FB
   Home directory: /home/apigee
   GECOS: Foo Bar
   Login shell: /bin/sh
   Kerberos principal: apigee@F21
   Email address: api...@f21.test
   UID: 1889400080
   GID: 1889400080
   Password: False
   Member of groups: ipausers
   Kerberos keys available: False


 # ldapsearch -Y GSSAPI -b 'uid=apigee,cn=users,cn=accounts,dc=f21' uid
 ipaSshSigTimestamp
 SASL/GSSAPI authentication started
 SASL username: admin@F21
 SASL SSF: 56
 SASL data security layer installed.
 # extended LDIF
 #
 # LDAPv3
 # base uid=apigee,cn=users,cn=accounts,dc=f21 with scope subtree
 # filter: (objectclass=*)
 # requesting: uid ipaSshSigTimestamp
 #

 # apigee, users, accounts, f21
 dn: uid=apigee,cn=users,cn=accounts,dc=f21
 uid: apigee
 ipaSshSigTimestamp: barbar

 # search result
 search: 4
 result: 0 Success

 # numResponses: 2
 # numEntries: 1



 BTW, did you read one of the very relevant upstream guides how to add
 custom
 attributes to LDAP? It pretty much covers the procedure you are working
 on:

 http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf

 Martin



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Rob Crittenden
Prashant Bapat wrote:
> OK, the command you gave me worked. But I was following the PDF, and the
> command below never worked:
>
> ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr
>
> Is that expected?

Did you restart httpd after adding the schema? A cached copy is used and
restarting will cause it to re-read the schema.

rob

 


Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Prashant Bapat
Hi Rob,

Yes, I did restart it.

OK, another problem: I'm not able to add this attribute to existing users, only
to new ones. Any pointers?

Thanks.
--Prashant

On 23 March 2015 at 21:19, Rob Crittenden <rcrit...@redhat.com> wrote:

 Prashant Bapat wrote:
  Ok the command you gave me worked. But I was following the PDF and below
  command never worked.
 
  ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr
 
  Is that expected ?

 Did you restart httpd after adding the schema? A cached copy is used and
 restarting will cause it to re-read the schema.

 rob

 
  Thanks.
  --Prashant
 
 
  On 23 March 2015 at 17:37, Prashant Bapat prash...@apigee.com
  mailto:prash...@apigee.com wrote:
 
  Martin,
 
  Thanks!
 
  Let me double check.
 
  Yes I was referring to the exact same pdf.
 
  Regards.
  --Prashant
 
  On 23 March 2015 at 16:49, Martin Kosek mko...@redhat.com
  mailto:mko...@redhat.com wrote:
 
  On 03/23/2015 10:19 AM, Prashant Bapat wrote:
   Hi,
  
   I'm trying to add a custom attribute to user object. Below is
  the ldif i'm
   using.
  
   dn: cn=schema
   changetype: modify
   add: attributeTypes
   attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME
  'ipaSshSigTimestamp'
   DESC 'SSH public key signature and timestamp' EQUALITY
  octetStringMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA
  EXTENTION' )
   -
   add: objectclasses
   objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME
  'ApigeeUserAttr' SUP
   top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY
  ipaSshSigTimestamp )
  
   This gets added successfully using the ldapmodify command as
  directory
   manager. But both the UI and the ipa config-mod commands
  refuse to add the
   new attribute to ipaUserObjectClasses with error objectclass
  not found.
  
   What I'm I doing wrong ?
 
  Not sure yet, the schema above looks OK (except some typos). I
  tried it on my
  VM, and it just worked:
 
  # ldapmodify -D cn=Directory Manager -x -w Secret123
  ...
  modifying entry cn=schema
 
  # ipa config-mod
 
  
 --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,ApigeeUserAttr}
  ...
Default user objectclasses: ipaobject, person, top, ipasshuser,
  inetorgperson, organizationalperson,
krbticketpolicyaux,
 krbprincipalaux,
  ApigeeUserAttr, inetuser,
posixaccount
 
 
  # ipa user-add apigee --first Foo --last Bar --setattr
  ipaSshSigTimestamp=barbar
  ---
  Added user apigee
  ---
User login: apigee
First name: Foo
Last name: Bar
Full name: Foo Bar
Display name: Foo Bar
Initials: FB
Home directory: /home/apigee
GECOS: Foo Bar
Login shell: /bin/sh
Kerberos principal: apigee@F21
Email address: api...@f21.test
UID: 1889400080
GID: 1889400080
Password: False
Member of groups: ipausers
Kerberos keys available: False
 
 
  # ldapsearch -Y GSSAPI -b
  'uid=apigee,cn=users,cn=accounts,dc=f21' uid
  ipaSshSigTimestamp
  SASL/GSSAPI authentication started
  SASL username: admin@F21
  SASL SSF: 56
  SASL data security layer installed.
  # extended LDIF
  #
  # LDAPv3
  # base uid=apigee,cn=users,cn=accounts,dc=f21 with scope
 subtree
  # filter: (objectclass=*)
  # requesting: uid ipaSshSigTimestamp
  #
 
  # apigee, users, accounts, f21
  dn: uid=apigee,cn=users,cn=accounts,dc=f21
  uid: apigee
  ipaSshSigTimestamp: barbar
 
  # search result
  search: 4
  result: 0 Success
 
  # numResponses: 2
  # numEntries: 1
 
 
 
  BTW, did you read one of the very relevant upstream guides how
  to add custom
  attributes to LDAP? It pretty much covers the procedure you are
  working on:
 
 
 http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
 
  Martin
 
 
 
 
 


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Martin Kosek
You would need to extend user-mod to add this objectclass to existing users when
they are modified. There is an example of such a plugin in the PDF I mentioned.

On 03/23/2015 05:22 PM, Prashant Bapat wrote:
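
An added example (mine, not code from this thread, from the PDF, or from FreeIPA) covering two points raised in the thread: Martin's first reply, where the objectclass has to be present in the server schema before `ipa config-mod` will register it (if the directory side checks out and `ipa` still says "objectclass not found", Rob's httpd restart is the next step, because the framework serves a cached copy of the schema), and Martin's note just above that existing users do not get the objectclass. A one-off backfill of the auxiliary objectclass is an administrator-side alternative to the user-mod plugin he suggests, and it also covers accounts that are never modified afterwards. Both LDIF samples are constructed: the schema one mimics an export of `cn=schema` after the thread's LDIF has been applied, the user one a `ldapsearch -b cn=users,cn=accounts,dc=f21 objectClass` export; the `-b`, `dc=f21` and object names come from the thread, everything else is assumed.

```python
"""Check a custom objectclass against an exported cn=schema entry and build the
ldapmodify input that backfills it onto existing user entries (added example)."""
import base64
import re

# Constructed: an LDIF export of cn=schema after the thread's schema change.
SCHEMA_LDIF = """\
dn: cn=schema
attributeTypes: ( 2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp'
  DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENTION' )
objectClasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP top
  AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY ipaSshSigTimestamp )
"""

# Constructed: a trimmed users export. 'apigee' already has the objectclass (in
# another case); 'bob' has a base64 ('::') value as ldapsearch sometimes emits.
USERS_LDIF = """\
dn: uid=apigee,cn=users,cn=accounts,dc=f21
objectClass: top
objectClass: person
objectClass: apigeeuserattr

dn: uid=alice,cn=users,cn=accounts,dc=f21
objectClass: person
objectClass: posixaccount

dn: uid=bob,cn=users,cn=accounts,dc=f21
objectClass:: dG9w
objectClass: person
"""

def parse_ldif(text):
    """[(dn, {attr_lower: [values]})]: unfolds continuation lines, decodes '::'
    base64 values and skips the '#' comment lines ldapsearch emits."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:  # LDIF folding: one leading space
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):  # 'attr:: <base64>' form
                value = base64.b64decode(value[1:].strip()).decode()
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

_NAME = re.compile(r"NAME\s+(?:('[^']+')|\(((?:\s*'[^']+')+)\s*\))")

def schema_names(definition):
    """Lower-cased NAME(s) of an RFC 4512 definition: NAME 'x' or NAME ( 'x' 'y' )."""
    m = _NAME.search(definition)
    return [n.lower() for n in re.findall(r"'([^']+)'", (m.group(1) or m.group(2)) if m else "")]

def referenced_attrs(definition):
    """Attributes listed under MUST/MAY, lower-cased ('a' or '( a $ b )')."""
    found = []
    for m in re.finditer(r"\b(?:MUST|MAY)\s+(?:\(([^)]*)\)|(\S+))", definition):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        found.extend(a.strip().lower() for a in body.split("$") if a.strip())
    return found

def check_objectclass(schema_ldif, objectclass):
    """Problems that make the objectclass unusable: absent from the schema, or it
    names attributeTypes the schema does not define. Empty list: directory side OK."""
    (_dn, attrs), = parse_ldif(schema_ldif)  # cn=schema is a single entry
    defined = {n for d in attrs.get("attributetypes", []) for n in schema_names(d)}
    for definition in attrs.get("objectclasses", []):
        if objectclass.lower() in schema_names(definition):
            return [f"undefined attributeType: {a}"
                    for a in referenced_attrs(definition) if a not in defined]
    return [f"objectClass not found in schema: {objectclass}"]

def backfill_ldif(users_ldif, objectclass):
    """ldapmodify input adding `objectclass` to each exported entry that lacks it;
    objectClass values are compared case-insensitively, as the server does."""
    chunks = []
    for dn, attrs in parse_ldif(users_ldif):
        if objectclass.lower() in {v.lower() for v in attrs.get("objectclass", [])}:
            continue
        chunks.append(f"dn: {dn}\nchangetype: modify\nadd: objectClass\n"
                      f"objectClass: {objectclass}\n")
    return "\n".join(chunks)

if __name__ == "__main__":
    print("schema check:", check_objectclass(SCHEMA_LDIF, "ApigeeUserAttr") or "ok")
    print(backfill_ldif(USERS_LDIF, "ApigeeUserAttr"))
```

Review the generated LDIF, then feed it to `ldapmodify -D "cn=Directory Manager" -W -f backfill.ldif` on one server: the entry modifications replicate like any other write, and, as Rob notes later in the thread, the schema itself is replicated as well. The schema check deliberately reads an export rather than querying the server, so it can be run on a copy pulled from any replica.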


Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Prashant Bapat
Thanks. I will take a look. However, will using this attribute only on new users
from the time it was added cause any issues?

Also, will replication include this new attribute?

On 23 March 2015 at 21:57, Martin Kosek <mko...@redhat.com> wrote:

 You would need to extend user-mod to add this objectclass to existing
 modified
 users. There is an example of such plugin in the PDF I mentioned.

 On 03/23/2015 05:22 PM, Prashant Bapat wrote:
  Hi Rob,
 
  Yes I did restart it.
 
  Ok another problem. I'm not able to add this attr to existing users. Only
  the new ones. Any pointers ?
 
  Thanks.
  --Prashant
 
  On 23 March 2015 at 21:19, Rob Crittenden rcrit...@redhat.com wrote:
 
  Prashant Bapat wrote:
  Ok the command you gave me worked. But I was following the PDF and
 below
  command never worked.
 
  ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr
 
  Is that expected ?
 
  Did you restart httpd after adding the schema? A cached copy is used and
  restarting will cause it to re-read the schema.
 
  rob
 
 
  Thanks.
  --Prashant
 
 
  On 23 March 2015 at 17:37, Prashant Bapat prash...@apigee.com
  mailto:prash...@apigee.com wrote:
 
  Martin,
 
  Thanks!
 
  Let me double check.
 
  Yes I was referring to the exact same pdf.
 
  Regards.
  --Prashant
 
  On 23 March 2015 at 16:49, Martin Kosek mko...@redhat.com
  mailto:mko...@redhat.com wrote:
 
  On 03/23/2015 10:19 AM, Prashant Bapat wrote:
   Hi,
  
   I'm trying to add a custom attribute to user object. Below is
  the ldif i'm
   using.
  
   dn: cn=schema
   changetype: modify
   add: attributeTypes
   attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME
  'ipaSshSigTimestamp'
   DESC 'SSH public key signature and timestamp' EQUALITY
  octetStringMatch
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA
  EXTENTION' )
   -
   add: objectclasses
   objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME
  'ApigeeUserAttr' SUP
   top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY
  ipaSshSigTimestamp )
  
   This gets added successfully using the ldapmodify command as
  directory
   manager. But both the UI and the ipa config-mod commands
  refuse to add the
   new attribute to ipaUserObjectClasses with error objectclass
  not found.
  
   What I'm I doing wrong ?
 
  Not sure yet, the schema above looks OK (except some typos). I
  tried it on my
  VM, and it just worked:
 
  # ldapmodify -D cn=Directory Manager -x -w Secret123
  ...
  modifying entry cn=schema
 
  # ipa config-mod
 
 
 --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,ApigeeUserAttr}
  ...
Default user objectclasses: ipaobject, person, top,
 ipasshuser,
  inetorgperson, organizationalperson,
krbticketpolicyaux,
  krbprincipalaux,
  ApigeeUserAttr, inetuser,
posixaccount
 
 
  # ipa user-add apigee --first Foo --last Bar --setattr
  ipaSshSigTimestamp=barbar
  ---
  Added user apigee
  ---
User login: apigee
First name: Foo
Last name: Bar
Full name: Foo Bar
Display name: Foo Bar
Initials: FB
Home directory: /home/apigee
GECOS: Foo Bar
Login shell: /bin/sh
Kerberos principal: apigee@F21
Email address: api...@f21.test
UID: 1889400080
GID: 1889400080
Password: False
Member of groups: ipausers
Kerberos keys available: False
 
 
  # ldapsearch -Y GSSAPI -b
  'uid=apigee,cn=users,cn=accounts,dc=f21' uid
  ipaSshSigTimestamp
  SASL/GSSAPI authentication started
  SASL username: admin@F21
  SASL SSF: 56
  SASL data security layer installed.
  # extended LDIF
  #
  # LDAPv3
  # base uid=apigee,cn=users,cn=accounts,dc=f21 with scope
  subtree
  # filter: (objectclass=*)
  # requesting: uid ipaSshSigTimestamp
  #
 
  # apigee, users, accounts, f21
  dn: uid=apigee,cn=users,cn=accounts,dc=f21
  uid: apigee
  ipaSshSigTimestamp: barbar
 
  # search result
  search: 4
  result: 0 Success
 
  # numResponses: 2
  # numEntries: 1
 
 
 
  BTW, did you read one of the very relevant upstream guides how
  to add custom
  attributes to LDAP? It pretty much covers the procedure you are
 

Re: [Freeipa-users] Adding a custom attribute to user object

2015-03-23 Thread Rob Crittenden
Prashant Bapat wrote:
> Thanks. I will take a look. However, will using this attribute only on new
> users from the time it was added cause any issues?

Shouldn't cause any problems with IPA.

> Also, will replication include this new attribute?

Yes. Schema is replicated as well.

rob

 