[Freeipa-users] Re: Extra objectClass for new IPA group

2024-04-11 Thread Winfried de Heiden via FreeIPA-users

Hi all,

Nice tip, but no: not vSphere, although it might be useful later; so thanks.

We need it for several self-built applications.

Kind regards,

Winfried de Heiden
w...@dds.nl

On 10-04-2024 at 17:13, Rob Crittenden wrote:

> Winfried de Heiden via FreeIPA-users wrote:
> > Hi all,
> >
> > Following documentation as provided on:
> >
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/adding-custom-objclasses-groups#doc-wrapper
> >
> > adding an extra objectClass (groupOfUniqueNames in this case) to newly
> > created groups turned out to be easy.
> >
> > It seems we depend on this objectClass and its attribute "uniqueMember"
> > because of existing applications. Adding the latter attribute will only
> > work from the CLI. (ipa group-mod dummy3
> > --addattr=uniqueMember=uid=someuser,cn=users,cn=accounts,dc=example,dc=com)
>
> Let me guess, vSphere?
>
> You can try https://www.freeipa.org/page/HowTo/vsphere5_integration but
> it's very old. I can't guarantee it will work.
>
> It has the benefit that rather than manually modifying your entries the
> extra attributes are calculated on the fly.
>
> rob
>
> > OK, this seems to work well, but the objectClass will be added to ALL
> > newly created groups since the objectClass is added to the defaults.
> > Now, let's say I want to add an extra objectClass to only one newly
> > created group; how would that be possible? The "ipa group-add"
> > command does not provide such an option, does it?
> >
> > FYI, I'm running/testing IPA version: 4.11.0 on RHEL 9.4 Beta :)
> >
> > The new attributes will not be visible in the webUI, only using the CLI
> > (or good-old Apache Directory Studio or ldapsearch). Correct?
> >
> > --
> > Kind regards,
> >
> > Winfried de Heiden
> > w...@dds.nl


--
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: Extra objectClass for new IPA group

2024-04-10 Thread Rob Crittenden via FreeIPA-users
Winfried de Heiden via FreeIPA-users wrote:
> Hi all,
> 
> Following documentation as provided on:
> 
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/adding-custom-objclasses-groups#doc-wrapper
>  
> 
> adding an extra objectClass (groupOfUniqueNames in this case) to newly
> created groups turned out to be easy.
> 
> It seems we depend on this objectClass and its attribute "uniqueMember"
> because of existing applications. Adding the latter attribute will only
> work from the CLI. (ipa group-mod dummy3
> --addattr=uniqueMember=uid=someuser,cn=users,cn=accounts,dc=example,dc=com)

Let me guess, vSphere?

You can try https://www.freeipa.org/page/HowTo/vsphere5_integration but
it's very old. I can't guarantee it will work.

It has the benefit that rather than manually modifying your entries the
extra attributes are calculated on the fly.

rob


> 
> OK, this seems to work well, but the objectClass will be added to ALL
> newly created groups since the objectClass is added to the defaults. 
> Now, let's say I want to add an extra objectClass to only one newly
> created group; how would that be possible? The "ipa group-add"
> command does not provide such an option, does it?
> 
> FYI, I'm running/testing IPA version: 4.11.0 on RHEL 9.4 Beta :)
> 
> The new attributes will not be visible in the webUI, only using the CLI
> (or good-old Apache Directory Studio or ldapsearch). Correct?
> 
> -- 
> Kind regards,
> 
> Winfried de Heiden
> w...@dds.nl
> 
> 
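
Rob's point about calculated versus hand-maintained attributes, as an added example (not from the thread or the FreeIPA project): a Python check that reads an LDIF export of group entries and reports every groupOfUniqueNames group whose manually set uniqueMember values no longer match member. The LDIF sample is constructed; only dummy3, someuser and the dc=example,dc=com suffix come from the thread, and the function names are made up for this example.

```python
from collections import defaultdict

# Constructed sample shaped like `ldapsearch -LLL` output for two groups.
SAMPLE_LDIF = """\
dn: cn=dummy3,cn=groups,cn=accounts,dc=example,dc=com
objectClass: ipausergroup
objectClass: groupOfUniqueNames
member: uid=someuser,cn=users,cn=accounts,dc=example,dc=com
member: uid=newhire,cn=users,cn=accounts,dc=example,dc=com
uniqueMember: uid=someuser,cn=users,cn=accounts,dc=example,dc=com
uniqueMember: uid=leaver,cn=users,cn=accounts,dc=example,
 dc=com

dn: cn=plain,cn=groups,cn=accounts,dc=example,dc=com
objectClass: ipausergroup
"""

def parse_ldif(text):
    """Parse plain LDIF into dicts of lowercased attribute -> values.
    Base64 ("attr:: ...") values are left undecoded."""
    unfolded = text.replace("\n ", "")  # undo RFC 2849 line folding
    entries = []
    for block in unfolded.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            entry[name.lower()].append(value.strip())
        if entry:
            entries.append(dict(entry))
    return entries

def norm_dn(dn):
    """Loose DN comparison key: lowercase, no spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def audit_groups(entries):
    """Map group DN -> differences between member and uniqueMember."""
    report = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "groupofuniquenames" not in classes:
            continue
        member = {norm_dn(d) for d in e.get("member", [])}
        unique = {norm_dn(d) for d in e.get("uniquemember", [])}
        if member != unique:
            report[e["dn"][0]] = {"missing": sorted(member - unique),
                                  "stale": sorted(unique - member)}
    return report
```

A "stale" entry is the one to look at first: an application that authorizes on uniqueMember would still treat that account as a group member after it was removed from member.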