Re: [Freeipa-users] Adding a custom attribute to user object
On 03/23/2015 10:19 AM, Prashant Bapat wrote:
> Hi,
>
> I'm trying to add a custom attribute to the user object. Below is the LDIF I'm using.
>
> dn: cn=schema
> changetype: modify
> add: attributeTypes
> attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp' DESC 'SSH public key signature and timestamp' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENTION' )
> -
> add: objectclasses
> objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY ipaSshSigTimestamp )
>
> This gets added successfully using the ldapmodify command as Directory Manager. But both the UI and the ipa config-mod command refuse to add the new attribute to ipaUserObjectClasses with the error "objectclass not found".
>
> What am I doing wrong?

Not sure yet, the schema above looks OK (except some typos). I tried it on my VM, and it just worked:

# ldapmodify -D "cn=Directory Manager" -x -w Secret123
...
modifying entry "cn=schema"

# ipa config-mod --userobjectclasses={ipaobject,person,top,ipasshuser,inetorgperson,organizationalperson,krbticketpolicyaux,krbprincipalaux,inetuser,posixaccount,ApigeeUserAttr}
...
  Default user objectclasses: ipaobject, person, top, ipasshuser, inetorgperson, organizationalperson, krbticketpolicyaux, krbprincipalaux, ApigeeUserAttr, inetuser, posixaccount

# ipa user-add apigee --first Foo --last Bar --setattr ipaSshSigTimestamp=barbar
-------------------
Added user "apigee"
-------------------
  User login: apigee
  First name: Foo
  Last name: Bar
  Full name: Foo Bar
  Display name: Foo Bar
  Initials: FB
  Home directory: /home/apigee
  GECOS: Foo Bar
  Login shell: /bin/sh
  Kerberos principal: apigee@F21
  Email address: api...@f21.test
  UID: 1889400080
  GID: 1889400080
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

# ldapsearch -Y GSSAPI -b 'uid=apigee,cn=users,cn=accounts,dc=f21' uid ipaSshSigTimestamp
SASL/GSSAPI authentication started
SASL username: admin@F21
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <uid=apigee,cn=users,cn=accounts,dc=f21> with scope subtree
# filter: (objectclass=*)
# requesting: uid ipaSshSigTimestamp
#

# apigee, users, accounts, f21
dn: uid=apigee,cn=users,cn=accounts,dc=f21
uid: apigee
ipaSshSigTimestamp: barbar

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

BTW, did you read one of the very relevant upstream guides on how to add custom attributes to LDAP? It pretty much covers the procedure you are working on:
http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
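An added offline check for an LDIF schema extension like the one quoted above. It was written for this edit and is not code from the thread, the cited guide, or FreeIPA. It parses the attributeTypes and objectClasses values the way the server reads them and reports the mistakes that a successful ldapmodify as Directory Manager does not catch: an EQUALITY rule that does not fit the SYNTAX, a MAY or MUST that names an attribute nothing defines, and a reused OID. It also warns when an OID sits under an arc that is not yours; the posted definitions hang off 2.16.840.1.113730.3.8, which is FreeIPA's own schema arc, whereas a site extension should live under the site's IANA private enterprise number so a future FreeIPA release cannot collide with it. POSTED_LDIF is a constructed copy of the thread's LDIF used as sample input; RULE_SYNTAX and BASE_ATTRS are small illustrative tables, not complete ones.

```python
"""Offline lint for an LDIF schema extension: reads the attributeTypes and
objectClasses values of an LDIF modify against cn=schema and flags what
389-ds accepts silently but which hurts later."""
import re

# Matching rule -> LDAP syntax OID it is defined for (RFC 4517, subset).
RULE_SYNTAX = {
    "octetStringMatch": "1.3.6.1.4.1.1466.115.121.1.40",
    "caseIgnoreMatch": "1.3.6.1.4.1.1466.115.121.1.15",
    "caseIgnoreIA5Match": "1.3.6.1.4.1.1466.115.121.1.26",
    "integerMatch": "1.3.6.1.4.1.1466.115.121.1.27",
}
# 2.16.840.1.113730.3.8 is FreeIPA's own schema arc; a site extension belongs
# under the site's IANA PEN (1.3.6.1.4.1.<pen>) so later releases cannot collide.
FOREIGN_ARCS = {"2.16.840.1.113730.3.8": "FreeIPA"}
OID_RE = re.compile(r"^\d+(\.\d+)+$")
# Sample of attributes a FreeIPA user already has; MAY/MUST may cite these.
BASE_ATTRS = {"cn", "sn", "uid", "mail", "objectclass", "ipasshpubkey"}

# Constructed copy of the LDIF posted in the thread, used as sample input.
POSTED_LDIF = """\
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: (2.16.840.1.113730.3.8.11.31.1 NAME 'ipaSshSigTimestamp' DESC 'SSH
  public key signature and timestamp' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'CUSTOM FREEIPA EXTENTION' )
-
add: objectclasses
objectclasses: ( 2.16.840.1.113730.3.8.11.31.2 NAME 'ApigeeUserAttr' SUP top AUXILIARY DESC 'CUSTOM FREEIPA EXTENTION' MAY ipaSshSigTimestamp )
"""


def parse_description(text):
    """Parse one RFC 4512 attributeType/objectClass description into a dict."""
    # Tokens: parens, '$', quoted strings (quotes stripped) and bare words.
    toks = [m.group(1) if m.group(1) is not None else m.group(0)
            for m in re.finditer(r"'([^']*)'|[()$]|[^\s()$']+", text)]
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("not a parenthesised description: %r" % text)
    toks, desc, i = toks[1:-1], {"oid": toks[1]}, 1
    while i < len(toks):
        key, i = toks[i].upper(), i + 1
        if key in ("NAME", "SUP", "MUST", "MAY"):          # 'x' or ( a $ b )
            if toks[i] == "(":
                end = toks.index(")", i)
                desc[key], i = [t for t in toks[i + 1:end] if t != "$"], end + 1
            else:
                desc[key], i = [toks[i]], i + 1
        elif key in ("DESC", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "X-ORIGIN"):
            desc[key], i = re.sub(r"\{\d+\}$", "", toks[i]), i + 1   # SYNTAX{len}
        elif key in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
            desc["KIND"] = key
        elif key in ("SINGLE-VALUE", "OBSOLETE", "NO-USER-MODIFICATION"):
            desc[key] = True
        else:
            raise ValueError("unknown keyword %r in %r" % (key, text))
    return desc


def schema_values(ldif_text):
    """Return (attributeTypes, objectClasses) values from an LDIF modify,
    unfolding continuation lines (leading space) first."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    found = {"attributetypes": [], "objectclasses": []}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in found:
            found[name.strip().lower()].append(value.strip())
    return found["attributetypes"], found["objectclasses"]


def lint(ldif_text, known_attrs=BASE_ATTRS):
    """Return (errors, warnings) for the schema definitions in ldif_text."""
    errors, warnings, seen = [], [], {}
    defined = {a.lower() for a in known_attrs}
    attr_text, oc_text = schema_values(ldif_text)
    descs = [(parse_description(t), "attributeType") for t in attr_text]
    descs += [(parse_description(t), "objectClass") for t in oc_text]
    for d, what in descs:                    # attributes first, so MAY/MUST resolve
        name, oid = d.get("NAME", ["?"])[0], d["oid"]
        if not OID_RE.match(oid):
            errors.append("%s %s: OID %r is not dotted numeric" % (what, name, oid))
        if oid in seen:
            errors.append("OID %s used by both %s and %s" % (oid, seen[oid], name))
        seen[oid] = name
        for arc, owner in FOREIGN_ARCS.items():
            if oid.startswith(arc + "."):
                warnings.append("%s %s: OID %s is under %s's arc %s; use your own PEN"
                                % (what, name, oid, owner, arc))
        if what == "attributeType":
            rule, syntax = d.get("EQUALITY"), d.get("SYNTAX")
            if rule and syntax and RULE_SYNTAX.get(rule, syntax) != syntax:
                errors.append("attributeType %s: EQUALITY %s is for syntax %s, not %s"
                              % (name, rule, RULE_SYNTAX[rule], syntax))
            defined.update(n.lower() for n in d.get("NAME", []))
        else:
            for key in ("MUST", "MAY"):
                for a in d.get(key, []):
                    if a.lower() not in defined:
                        errors.append("objectClass %s: %s cites undefined attribute %r"
                                      % (name, key, a))
    return errors, warnings
```

Feed it the same file you hand to ldapmodify; folded continuation lines are unfolded first. For the posted LDIF it returns no errors and two arc warnings, one per definition.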
Re: [Freeipa-users] Adding a custom attribute to user object
Martin,

Thanks! Let me double check. Yes, I was referring to the exact same PDF.

Regards.
--Prashant
Re: [Freeipa-users] Adding a custom attribute to user object
Ok, the command you gave me worked. But I was following the PDF and the below command never worked.

ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr

Is that expected?

Thanks.
--Prashant
Re: [Freeipa-users] Adding a custom attribute to user object
Prashant Bapat wrote:
> Ok, the command you gave me worked. But I was following the PDF and the below command never worked.
>
> ipa config-mod --addattr=ipaUserObjectClasses=ApigeeUserAttr
>
> Is that expected?

Did you restart httpd after adding the schema? A cached copy is used and restarting will cause it to re-read the schema.

rob
Re: [Freeipa-users] Adding a custom attribute to user object
Hi Rob,

Yes, I did restart it.

Ok, another problem. I'm not able to add this attr to existing users. Only the new ones. Any pointers?

Thanks.
--Prashant
Re: [Freeipa-users] Adding a custom attribute to user object
You would need to extend user-mod to add this objectclass to existing modified users. There is an example of such a plugin in the PDF I mentioned.
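The two ways to get the auxiliary objectclass onto users that already exist, as an added example that is not from the thread, the cited guide, or FreeIPA itself. ensure_objectclass is the logic a user-mod pre_callback needs: when a modification writes one of the gated attributes and the entry does not yet carry the objectclass, it appends the class to the same modification, so one user-mod succeeds instead of failing with an objectClass violation; it folds case because LDAP objectClass values are case-insensitive. backfill_ldif is the one-off alternative: emit an LDIF modify for every existing user lacking the class and feed it to ldapmodify. The registration at the end assumes the register_pre_callback API that the FreeIPA 3.3 extension guide uses and the FreeIPA 4.x ldap.get_entry return shape; both are assumptions, and the hook is skipped when ipalib is not importable. SAMPLE_ENTRIES is constructed data.

```python
"""Adding an auxiliary objectclass to users that already exist: the step a
user-mod extension must take before a gated attribute can be set on them."""

CUSTOM_OC = "ApigeeUserAttr"            # the objectclass from the thread
GATED_ATTRS = {"ipasshsigtimestamp"}    # attributes that need CUSTOM_OC present


def ensure_objectclass(entry_attrs, oc, gated_attrs, current_classes):
    """Append `oc` to the objectClass values of a pending modification when
    one of `gated_attrs` is being written and the entry lacks `oc`.

    entry_attrs: the modification as ipalib passes it to a pre_callback,
    lowercase attribute name -> list of values; it is changed in place.
    current_classes: callable returning the entry's stored objectClass values,
    consulted only when the modification does not already carry objectClass.
    Returns True if the objectclass was added. objectClass values are
    case-insensitive in LDAP, so the comparison folds case."""
    if not any(a.lower() in gated_attrs for a in entry_attrs):
        return False                      # nothing gated is being written
    if "objectclass" not in entry_attrs:
        entry_attrs["objectclass"] = list(current_classes())
    if oc.lower() in {c.lower() for c in entry_attrs["objectclass"]}:
        return False                      # already present
    entry_attrs["objectclass"].append(oc)
    return True


def backfill_ldif(entries, oc):
    """Build one LDIF modify per existing entry lacking `oc`, for a one-off
    backfill with ldapmodify. entries: iterable of (dn, objectClass values)."""
    changes = []
    for dn, classes in entries:
        if oc.lower() not in {c.lower() for c in classes}:
            changes.append("dn: %s\nchangetype: modify\nadd: objectClass\n"
                           "objectClass: %s\n" % (dn, oc))
    return "\n".join(changes)


# Constructed sample: what an ldapsearch for objectClass might return.
SAMPLE_ENTRIES = [
    ("uid=alice,cn=users,cn=accounts,dc=f21",
     ["top", "person", "posixaccount", "inetorgperson", "ipaobject"]),
    ("uid=bob,cn=users,cn=accounts,dc=f21",
     ["top", "person", "posixaccount", "inetorgperson", "ipaobject", "apigeeuserattr"]),
]

# Hook for FreeIPA 3.x/4.x: the register_pre_callback API used by the cited
# extension guide (assumption, not verified here). Skipped without ipalib.
try:
    from ipalib.plugins.user import user_mod

    def _user_mod_pre_callback(self, ldap, dn, entry_attrs, attrs_list,
                               *keys, **options):
        def current_classes():
            # FreeIPA 4.x LDAPEntry shape; 3.x returns (dn, attrs) (assumption)
            return ldap.get_entry(dn, ["objectclass"])["objectclass"]
        ensure_objectclass(entry_attrs, CUSTOM_OC, GATED_ATTRS, current_classes)
        return dn

    user_mod.register_pre_callback(_user_mod_pre_callback)
except ImportError:
    user_mod = None


if __name__ == "__main__":
    print(backfill_ldif(SAMPLE_ENTRIES, CUSTOM_OC))
```

The pre_callback only touches objectClass when a gated attribute is actually in the modification, so an ordinary user-mod on an old account is left exactly as it was; users never modified through the hook stay without the class, which is why the backfill path exists for a bulk migration.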
Re: [Freeipa-users] Adding a custom attribute to user object
Thanks. I will take a look. However, will using this attr only on new users from the time it was added have any issues?

Also, will replication include this new attr?
Re: [Freeipa-users] Adding a custom attribute to user object
Prashant Bapat wrote:
> Thanks. I will take a look. However, will using this attr only on new users from the time it was added have any issues?

Shouldn't cause any problems with IPA.

> Also, will replication include this new attr?

Yes. Schema is replicated as well.

rob