[Freeipa-users] Re: OpenLdap - Freeipa - overview of all Fields?

2017-07-13 Thread hedrick--- via FreeIPA-users
First, be aware that the attributes available depend upon the type of object. 
E.g. a person can have a telephone number, but a host can't. Assuming you have 
a kerberos credential, you can do ldap queries using ldapsearch. (You may need 
to install openldap clients for that to be present.)

E.g. to look up my entry:

ldapsearch -Y GSSAPI -h krb1.cs.rutgers.edu -b dc=cs,dc=rutgers,dc=edu uid=hedrick

Obviously krb1.cs.rutgers.edu is our hostname. Use yours. And 
dc=cs,dc=rutgers,dc=edu is for our domain, which is CS.RUTGERS.EDU. You'll need 
to use yours.

If you look up your entry, you'll see that a lot of the lines are for 
"objectclass." For a person it's typically things like person and 
inetOrgPerson. Each objectclass has certain attributes that are legal. So a 
person entry can have any of the attributes associated with any of its 
objectclasses. To see all available object classes, and the attributes they 
allow, do

ldapsearch -Y GSSAPI -h krb1.cs.rutgers.edu -b cn=schema objectclass="*" objectclasses

The legal attributes are may or must, depending upon whether they're mandatory 
or optional.

If you see an attribute you'd like for your users, but the object class that 
has it isn't assigned to people, you can add it. E.g. the following commands 
add an objectclass hostObject to all users and groups. The objectclass 
hostObject has an attribute host. So this lets us associate hosts with both 
people and groups. The permission-mod commands allow people who can modify 
people and groups to be able to modify those attributes.

ipa config-mod --addattr=ipaUserObjectClasses=hostObject
ipa config-mod --addattr=ipaGroupObjectClasses=hostObject
ipa permission-mod "System: Read User Standard Attributes" --includedattrs=host
ipa permission-mod "System: Read Groups" --includedattrs=host
ipa permission-mod "System: Modify Groups" --includedattrs=host
ipa permission-mod "System: Modify Users" --includedattrs=host

You can create new objectclasses and groups, but it's a bit more complex.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
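A small parser for the objectClasses values that the cn=schema query in the post returns, added here as an illustration (it is not code from the post, from FreeIPA or from 389-ds): it unfolds the LDIF, collects the MUST and MAY attributes of each object class, and resolves which attributes an entry with a given objectClass list may carry by following SUP inheritance. The schema text is a constructed sample in the shape the server prints, not real output.

```python
import re

# Constructed sample in the LDIF shape the cn=schema query returns (not real server
# output); a line starting with one space continues the previous value.
SAMPLE_SCHEMA = """dn: cn=schema
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( us
 erPassword $ telephoneNumber $ seeAlso $ description ) X-ORIGIN 'RFC 4519' )
objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou $ l ) )
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL MAY ( mail $ uid $ jpegPhoto ) )
objectClasses: ( 1.3.6.1.1.1.2.6 NAME 'hostObject' SUP top AUXILIARY MAY host X-ORIGIN 'RFC 2307' )
"""
# One clause of an RFC 4512 object class definition: keyword and its value.
CLAUSE = re.compile(r"\b(NAME|SUP|MUST|MAY)\s+(\([^)]*\)|'[^']*'|\S+)")

def unfold_ldif(text):
    """Join LDIF continuation lines (newline + one space) back onto their value."""
    return text.replace("\n ", "").splitlines()

def _names(value):
    """Turn x, 'x', ( x $ y ) or ( 'x' 'y' ) into a plain list of names."""
    return [n.strip("'") for n in value.strip("() ").replace("$", " ").split()]

def parse_schema(text):
    """Map each object class name to its SUP, MUST and MAY attribute lists."""
    classes = {}
    for line in unfold_ldif(text):
        if not line.lower().startswith("objectclasses:"):
            continue
        entry, names = {"sup": [], "must": [], "may": []}, []
        for key, value in CLAUSE.findall(line):
            if key == "NAME":
                names = _names(value)
            else:
                entry[key.lower()].extend(_names(value))
        for name in names:  # one definition may carry several NAMEs (aliases)
            classes[name] = entry
    return classes

def effective_attributes(classes, object_classes):
    """Sorted (MUST, MAY) for an entry with these objectClass values, following SUP."""
    must, may, seen, todo = set(), set(), set(), list(object_classes)
    while todo:
        name = todo.pop()
        if name in seen or name not in classes:  # 'top' is not in the sample
            continue
        seen.add(name)
        must.update(classes[name]["must"])
        may.update(classes[name]["may"])
        todo.extend(classes[name]["sup"])
    return sorted(must), sorted(may)
```

Feeding it the real output of the schema query (saved to a file) gives, per object class, exactly the set of attributes a user or group entry can legally carry, which is what you need to know before widening a permission with --includedattrs.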


[Freeipa-users] Re: OpenLdap - Freeipa - overview of all Fields?

2017-07-13 Thread Martin Bašti via FreeIPA-users
On 13.07.2017 11:50, Tobi Berninger via FreeIPA-users wrote:

Hey,

I am pretty new to this whole OpenLdap / Freeipa business.

Is there any overview of all fields that openldap offers?
Can anyone recommend a good introduction to this topic?

thank you all
j.




Hi,

FreeIPA uses 389 Directory Server, not OpenLDAP server.

Can you be more specific about what you mean by all fields?

LDAP attributes and objectclasses are introduced here 
http://www.zytrax.com/books/ldap/


Martin

--
Martin Bašti
Software Engineer
Red Hat Czech
