
I'm trying to add new attributes to FreeIPA. I added the custom attribute and object class to LDAP using 'ldapmodify':

#color.ldif
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.2
  NAME 'favoriteColorName'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'Extending FreeIPA' )

dn: cn=schema
changetype: modify
add: objectclasses
objectclasses: ( 2.25.28639311321113238241701611583088740684.14.2.1
  NAME 'customPerson' SUP person
  STRUCTURAL
  MAY ( favoriteColorName )
  X-ORIGIN 'Extending FreeIPA' )

then restarted the server and used

ipa config-mod --addattr=ipaUserObjectClasses=customPerson

as instructed in Extending the FreeIPA Server, and it all went fine. Finally I added the plugin to FreeIPA:

#color.py
from ipalib.plugins import user
from ipalib.parameters import Str
from ipalib import _

# Expose favoriteColorName as an optional ('?') user parameter, --color on the CLI
user.user.takes_params = user.user.takes_params + (
    Str('favoritecolorname?',
        cli_name='color',
        label=_('Favorite color'),
    ),
)
# Retrieve the attribute by default so user-show/user-find display it
user.user.default_attributes.append('favoritecolorname')

when I try to run the command:

ipa user-mod admin --color=red

I get the error:

ipa: ERROR: attribute "favoriteColorName" not allowed

Muhmmad Aziz

1 Answer

I found the cause of my problem. It looks like the user 'admin' doesn't have the newly created class 'customPerson' included in it.

[root@domain ~]# ipa user-show admin --all
  dn: uid=admin,cn=users,cn=accounts,dc=sample,dc=com
  User login: admin
  Last name: Administrator
  Full name: Administrator
  Home directory: /home/admin
  GECOS: Administrator
  Login shell: /bin/bash
  Kerberos principal: admin@sample.com
  UID: 1236600000
  GID: 1236600000
  Account disabled: False
  Password: True
  Member of groups: admins, trust admins
  Kerberos keys available: True
  objectclass: top, person, posixaccount, krbprincipalaux, krbticketpolicyaux,
               inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys

So any attempt to use attributes that are not included in those object classes is not allowed, but modifying the color value for other users is allowed:

[root@domain ~]# ipa user-mod test --color=blue
--------------------
Modified user "test"
--------------------
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/bash
  Email address: test@sample.com
  UID: 1236600007
  GID: 1236600007
  Account disabled: False
  Favorite color: blue
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
    Yes, existing objects are not modified 'automagically' when new object classes become available (there is no logic for slapping a specific object class into a specific entry). So you need to change your callback in such a way that it would modify the object classes at the time of adding a new attribute if the object classes don't have this class. – abbra May 11 '15 at 17:07
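The logic behind the answer and abbra's comment, as an added example that is not code from the question or from FreeIPA itself: given the attributes a modify is about to write and the entry's current object classes, decide which object class is missing, add it to the same modify (what a plugin pre-callback should do), and generate the LDIF a one-off backfill of pre-existing entries such as 'admin' would feed to ldapmodify. 'customPerson', 'favoriteColorName' and the sample DN and object classes come from the question and answer; `ATTRIBUTE_CLASS`, `missing_objectclasses`, `ensure_objectclass` and `backfill_ldif` are this example's own names, and plain dicts and lists stand in for FreeIPA's LDAP entry objects.

```python
# Added example; not code from the question or from FreeIPA.  It shows the
# two pieces a practitioner needs once they hit 'attribute not allowed':
#   1. the check/fix a plugin pre-callback should perform (abbra's comment),
#   2. the LDIF to backfill entries created before the schema change (admin).
# 'customPerson', 'favoriteColorName' and the sample DN come from the question;
# ATTRIBUTE_CLASS, missing_objectclasses, ensure_objectclass and backfill_ldif
# are this example's own names.  Plain dicts/lists stand in for LDAP entries.

ATTRIBUTE_CLASS = {
    'favoritecolorname': 'customPerson',   # attribute -> object class that MAYs it
}

# Object classes of 'admin' as printed by `ipa user-show admin --all` in the
# answer above (constructed from that output, not fetched from a server).
ADMIN_OBJECTCLASSES = [
    'top', 'person', 'posixaccount', 'krbprincipalaux', 'krbticketpolicyaux',
    'inetuser', 'ipaobject', 'ipasshuser', 'ipaSshGroupOfPubKeys',
]
ADMIN_DN = 'uid=admin,cn=users,cn=accounts,dc=sample,dc=com'


def _lower_set(values):
    # LDAP compares attribute and object class names case-insensitively.
    return set(v.lower() for v in values)


def missing_objectclasses(entry_attrs, current_objectclasses):
    """Object classes that must be added before entry_attrs can be written.

    entry_attrs: the attributes a modify is about to write (name -> list of
    values), as a pre-callback sees them.  current_objectclasses: the entry's
    existing objectClass values (a real callback reads them from the server).
    Attributes being cleared (empty value list) need no object class.
    """
    have = _lower_set(current_objectclasses)
    needed = []
    for attr, values in entry_attrs.items():
        cls = ATTRIBUTE_CLASS.get(attr.lower())
        if cls and values and cls.lower() not in have:
            have.add(cls.lower())
            needed.append(cls)
    return needed


def ensure_objectclass(entry_attrs, current_objectclasses):
    """Mutate entry_attrs the way a pre-callback would: if a custom attribute
    is being set on an entry whose object classes do not permit it, add the
    required class to the same modify so the server accepts the write.
    Returns the classes added (an empty list means nothing had to change)."""
    needed = missing_objectclasses(entry_attrs, current_objectclasses)
    if needed:
        # Carry the full objectClass value list in the modify (a replace).
        entry_attrs['objectclass'] = list(current_objectclasses) + needed
    return needed


def backfill_ldif(dn, current_objectclasses, objectclass):
    """LDIF for a one-off repair of an existing entry (ldapmodify input).
    Returns '' when the entry already carries the class, so a loop over many
    users only emits the changes that are actually required."""
    if objectclass.lower() in _lower_set(current_objectclasses):
        return ''
    return ('dn: {dn}\n'
            'changetype: modify\n'
            'add: objectClass\n'
            'objectClass: {oc}\n').format(dn=dn, oc=objectclass)


if __name__ == '__main__':
    # Reproduce the question: 'admin' lacks customPerson, so the bare modify
    # behind 'ipa user-mod admin --color=red' is rejected; with the callback
    # fix the modify carries the object class as well.
    mod = {'favoritecolorname': ['red']}
    print(missing_objectclasses(mod, ADMIN_OBJECTCLASSES))   # ['customPerson']
    print(ensure_objectclass(mod, ADMIN_OBJECTCLASSES))      # ['customPerson']
    print(backfill_ldif(ADMIN_DN, ADMIN_OBJECTCLASSES, 'customPerson'))
```

In a real plugin the `ensure_objectclass` step would live in a pre-callback registered on `user.user_mod` (and `user.user_add`), which fetches the entry's current objectClass values from the directory before calling it; as I recall, FreeIPA's baseldap module provides `register_pre_callback` for that and already ships an `add_missing_object_class` helper that does this job, but check both against the FreeIPA version in use. The backfill LDIF is the repair for entries that predate the `ipa config-mod` change, since `ipaUserObjectClasses` only affects users created afterwards.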