Hi,
I am going to migrate an existing environment to FreeIPA 4.5. The current LDAP has a few site-specific attributes and I have been trying to figure out how I add these in an easy way that also keeps them when upgrading etc.
I was thinking that making them optional would allow us to add them without expanding the IPA web-interface. But which is the best way to place the additional LDIF file for extending the schema? I have read different locations and some documentation points to using ldapmodify directly, and most of the stuff I find regarding this is from 2014 or earlier so I'm unsure if it's still relevant.
I would like to add something like this to all users:
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( OurUserType-oid NAME 'OurUserType' DESC 'Specifies account type: user / sys' SYNTAX IA5String SINGLE-VALUE )
attributeTypes: ( OurSysOwner-oid NAME 'OurSysOwner' DESC 'Owner of Sys account / Roles' SYNTAX IA5String SINGLE-VALUE )
-
add: objectclasses
objectclasses: ( ourUserSpec-oid NAME 'ourUserSpec' SUP top AUXILIARY DESC 'Holds user-specific attr' MAY ( ourUserType $ OurSysOwner ) )
Should this be located under /usr/share/ipa/updates, /usr/share/ipa/schema.d or should it be added in some other place?
I want to be able to set the attributes while creating users, user-add … --setattr ourUserType="usertype1" ….
Regards
Henrik
Henrik Johansson via FreeIPA-users wrote:
> Hi,
> I am going to migrate an existing environment to FreeIPA 4.5. The current LDAP has a few site-specific attributes and I have been trying to figure out how I add these in an easy way that also keeps them when upgrading etc.
> I was thinking that making them optional would allow us to add them without expanding the IPA web-interface. But which is the best way to place the additional LDIF file for extending the schema? I have read different locations and some documentation points to using ldapmodify directly, and most of the stuff I find regarding this is from 2014 or earlier so I'm unsure if it's still relevant.
> I would like to add something like this to all users:
> dn: cn=schema
> changetype: modify
> add: attributetypes
> attributeTypes: ( OurUserType-oid NAME 'OurUserType' DESC 'Specifies account type: user / sys' SYNTAX IA5String SINGLE-VALUE )
> attributeTypes: ( OurSysOwner-oid NAME 'OurSysOwner' DESC 'Owner of Sys account / Roles' SYNTAX IA5String SINGLE-VALUE )
> -
> add: objectclasses
> objectclasses: ( ourUserSpec-oid NAME 'ourUserSpec' SUP top AUXILIARY DESC 'Holds user-specific attr' MAY ( ourUserType $ OurSysOwner ) )
> Should this be located under /usr/share/ipa/updates, /usr/share/ipa/schema.d or should it be added in some other place?
> I want to be able to set the attributes while creating users, user-add … --setattr ourUserType="usertype1" ….
You don't need to drop the file anywhere. 389-ds supports online schema updates so if you add this schema binding as Directory Manager then it will add the new schema and replicate it to all other (and future) masters.
rob
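A pre-flight check for the schema LDIF in this thread, run before the change is sent with ldapmodify as Directory Manager; this is an added example, not code from the thread or from FreeIPA. It flags object identifier and SYNTAX fields that are not in the numeric-OID form RFC 4512 specifies and MAY/MUST attributes that the file does not define; the names `parse_definitions` and `lint` are hypothetical, the sample is constructed from the question's LDIF, and nothing contacts a server.

```python
import re

# Constructed sample: the schema change from the question, one value per line.
SAMPLE_LDIF = """\
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: ( OurUserType-oid NAME 'OurUserType' DESC 'Specifies account type: user / sys' SYNTAX IA5String SINGLE-VALUE )
attributeTypes: ( OurSysOwner-oid NAME 'OurSysOwner' DESC 'Owner of Sys account / Roles' SYNTAX IA5String SINGLE-VALUE )
-
add: objectclasses
objectclasses: ( ourUserSpec-oid NAME 'ourUserSpec' SUP top AUXILIARY DESC 'Holds user-specific attr' MAY ( ourUserType $ OurSysOwner ) )
"""
NUMERIC_OID = re.compile(r"\d+(\.\d+)+")
SYNTAX_OIDS = {"ia5string": "1.3.6.1.4.1.1466.115.121.1.26"}  # RFC 4517 IA5 String
VALUE = re.compile(r"(attributetypes|objectclasses):\s*\(\s*(\S+)\s+(.*)\)\s*$", re.I)


def parse_definitions(ldif):
    """Yield (kind, oid, name, body) for each schema value in the LDIF."""
    for line in ldif.replace("\n ", "").splitlines():  # unfold continuation lines
        if m := VALUE.match(line):
            name = re.search(r"NAME\s+'([^']+)'", m[3])
            yield m[1].lower(), m[2], name[1] if name else m[2], m[3]


def lint(ldif):
    """Return findings as strings; an empty list means nothing was flagged."""
    defs = list(parse_definitions(ldif))
    defined = {name.lower() for kind, _, name, _ in defs if kind == "attributetypes"}
    findings = []
    for kind, oid, name, body in defs:
        bare = re.sub(r"'[^']*'", "", body)  # ignore quoted strings such as DESC
        if not NUMERIC_OID.fullmatch(oid):
            findings.append(f"{name}: OID '{oid}' is not a numeric OID")
        syn = re.search(r"\bSYNTAX\s+(\S+)", bare)
        if syn and not NUMERIC_OID.fullmatch(syn.group(1).split("{")[0]):
            hint = SYNTAX_OIDS.get(syn.group(1).lower(), "a numeric syntax OID")
            findings.append(f"{name}: SYNTAX '{syn.group(1)}' should be {hint}")
        for members in re.findall(r"\b(?:MAY|MUST)\s+\(([^)]*)\)", bare):
            for attr in (a.strip() for a in members.split("$")):
                if attr.lower() not in defined:  # attribute names are case-insensitive
                    findings.append(f"{name}: '{attr}' is not defined in this LDIF")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_LDIF)))
```

An attribute reported as not defined in the LDIF may already exist in the server's schema, so that finding is a prompt to check rather than an error.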
On Thu, 13 Sep 2018, Henrik Johansson via FreeIPA-users wrote:
> Hi,
> I am going to migrate an existing environment to FreeIPA 4.5. The current LDAP has a few site-specific attributes and I have been trying to figure out how I add these in an easy way that also keeps them when upgrading etc.
> I was thinking that making them optional would allow us to add them without expanding the IPA web-interface. But which is the best way to place the additional LDIF file for extending the schema? I have read different locations and some documentation points to using ldapmodify directly, and most of the stuff I find regarding this is from 2014 or earlier so I'm unsure if it's still relevant.
https://github.com/abbra/freeipa-userstatus-plugin is kind of a canonical example I made to demonstrate how to extend a schema, a CLI, and a web UI, in addition to packaging this properly for an RPM-based distribution. It is a fully-working plugin.
freeipa-users@lists.fedorahosted.org