Hi, so what can I do?
Regards
Per

> On 16 Mar 2018, at 09:43, Florence Blanc-Renaud <f...@redhat.com> wrote:
>
> On 03/16/2018 09:46 AM, Per Qvindesland via FreeIPA-users wrote:
>> Hi
>> Ok so how would I go about creating it?
>> Regards
>> Per
> Hi,
>
> it seems we don't have the same 389-ds-base version. In my version, the
> schema for eduPerson was updated (see ticket
> https://pagure.io/389-ds-base/issue/49248). I am using 389-ds-base.x86_64
> 1.3.7.9-1.fc27
>
> Flo
>>> On 15 Mar 2018, at 22:06, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>
>>> Per Qvindesland via FreeIPA-users wrote:
>>>> Hi Florence
>>>>
>>>> ipa user-show perq --all gives:
>>>> objectclass: top, person, organizationalperson, inetorgperson,
>>>> inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux,
>>>> ipaobject, ipasshuser, ipaSshGroupOfPubKeys,
>>>> mepOriginEntry, eduPerson
>>>>
>>>> And ldapsearch -x -b cn=schema -LLL -s base -o ldif-wrap=no
>>>> objectclasses | grep -i eduPerson gives:
>>>> objectclasses: ( 1.3.6.1.4.1.5923.1.1.2 NAME 'eduPerson' AUXILIARY MAY (
>>>> eduPersonAffiliation $ eduPersonNickName $ eduPersonOrgDN $
>>>> eduPersonOrgUnitDN $ eduPersonPrimaryAffiliation $
>>>> eduPersonPrincipalName $ eduPersonEntitlement $
>>>> eduPersonPrimaryOrgUnitDN $ eduPersonScopedAffiliation ) X-ORIGIN
>>>> 'http://middleware.internet2.edu/eduperson/' )
>>>
>>> edupersontargetedid is not an attribute in the objectclass. I don't have
>>> it defined in the schema on my server at all (though I have a similar if
>>> not the same eduPerson).
>>>
>>> rob
>>>
>>>>
>>>> So eduperson is listed, seems a bit odd that it then doesn't work.
>>>>
>>>> Regards
>>>> Per
>>>>
>>>>> On 15 Mar 2018, at 16:22, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>>>>
>>>>> On 03/15/2018 02:35 PM, Per Qvindesland via FreeIPA-users wrote:
>>>>>> Hi Florence
>>>>>> I did that, added ipa user-mod perq --addattr objectclass=eduPerson,
>>>>>> which went fine, then ipa user-mod perq --addattr
>>>>>> "edupersontargetedid=value", but it still gives me the error ipa:
>>>>>> ERROR: attribute "edupersontargetedid" not allowed.
>>>>>> Looking into the logs, there is not much to go on, the same
>>>>>> error: ERR - oc_check_allowed_sv - Entry
>>>>>> "uid=perq,cn=users,cn=accounts,dc=domain,dc=ac,dc=uk" -- attribute
>>>>>> "edupersontargetedid" not allowed, but nothing else.
>>>>> Hi,
>>>>>
>>>>> I'm not able to reproduce your issue. Can you provide the output of
>>>>> $ ipa user-show perq --all
>>>>>
>>>>> At the end of the output you should find something like:
>>>>> objectclass: top, person, posixaccount, krbprincipalaux,
>>>>> krbticketpolicyaux,
>>>>> inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys,
>>>>> eduPerson
>>>>>
>>>>> We need to make sure that eduPerson is listed in the objectclasses.
>>>>>
>>>>> Then check that the schema definition for eduPerson properly includes
>>>>> edupersontargetedid:
>>>>> $ ldapsearch -x -b cn=schema -LLL -s base -o ldif-wrap=no
>>>>> objectclasses | grep -i eduPerson
>>>>> objectclasses: ( 1.3.6.1.4.1.5923.1.1.2 NAME 'eduPerson' AUXILIARY MAY
>>>>> ( eduPersonAffiliation $ eduPersonNickName $ eduPersonOrgDN $
>>>>> eduPersonOrgUnitDN $ eduPersonPrimaryAffiliation $
>>>>> eduPersonPrincipalName $ eduPersonEntitlement $
>>>>> eduPersonPrimaryOrgUnitDN $ eduPersonScopedAffiliation $
>>>>> eduPersonTargetedID $ eduPersonAssurance $ eduPersonPrincipalNamePrior
>>>>> $ eduPersonUniqueId $ eduPersonOrcid ) X-ORIGIN
>>>>> 'http://middleware.internet2.edu/eduperson/' )
>>>>>
>>>>> Flo
>>>>>
>>>>>> Regards
>>>>>> Per
>>>>>>> On 03/15/2018 12:16 PM, Per Qvindesland via FreeIPA-users wrote:
>>>>>>>> Hi Florence
>>>>>>>> First of all, many thanks for responding to me and the information.
>>>>>>>> Step 1, adding eduPerson, was not a problem, but when I tried to run
>>>>>>>> ipa user-mod perq --addattr "edupersontargetedid=value" it fails
>>>>>>>> with the error ipa: ERROR: attribute "edupersontargetedid" not allowed
>>>>>>>> When I look in /var/log/messages the only entry is - ERR -
>>>>>>>> oc_check_allowed_sv - Entry
>>>>>>>> "uid=perq,cn=users,cn=accounts,dc=domain,dc=ac,dc=uk" -- attribute
>>>>>>>> "edupersontargetedid" not allowed
>>>>>>>> Any suggestions on how to resolve this?
>>>>>>> Hi,
>>>>>>>
>>>>>>> the default object classes are applied to *new* user entries only
>>>>>>> (i.e. users created after the default object classes modification).
>>>>>>> So when you added eduPerson to the set of default object classes,
>>>>>>> the objectclasses for already existing user entries were not
>>>>>>> modified, hence the error.
>>>>>>>
>>>>>>> You will need to add the eduPerson objectclass to the existing user entries:
>>>>>>> ipa user-mod username --addattr objectclass=eduPerson
>>>>>>>
>>>>>>> After this step you should be able to add the edupersontargetedid
>>>>>>> attribute.
>>>>>>>
>>>>>>> Hope this clarifies,
>>>>>>> Flo
>>>>>>>
>>>>>>>> Regards
>>>>>>>> Per
>>>>>>>>> On 15 Mar 2018, at 10:31, Florence Blanc-Renaud via FreeIPA-users
>>>>>>>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>>>>>>>
>>>>>>>>> On 03/15/2018 10:40 AM, Per Qvindesland via FreeIPA-users wrote:
>>>>>>>>>> Hi List
>>>>>>>>>> We are currently busy implementing freeipa with a saml idP but we
>>>>>>>>>> noticed that we are missing the following attributes:
>>>>>>>>>> edupersontargetedid, edupersonaffiliation, displayname, and mail.
>>>>>>>>>> How can we add these attributes into the freeipa server?
>>>>>>>>>> Regards
>>>>>>>>>> Per
>>>>>>>>>> _______________________________________________
>>>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>>>>>>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> the attributes edupersontargetedid, edupersonaffiliation,
>>>>>>>>> displayname, and mail are already defined in the LDAP schema, so
>>>>>>>>> you won't need to add them to the schema.
>>>>>>>>>
>>>>>>>>> The edupersontargetedid and edupersonaffiliation attributes are
>>>>>>>>> part of the objectclass eduPerson.
>>>>>>>>> The displayName and mail attributes are part of the objectclass
>>>>>>>>> inetorgperson.
>>>>>>>>>
>>>>>>>>> If you want to add these attributes to a user entry, the user
>>>>>>>>> entry needs to contain the relevant objectclasses (by default,
>>>>>>>>> FreeIPA users already contain the inetorgperson objectclass). You
>>>>>>>>> will need to add the eduPerson objectclass to the default user
>>>>>>>>> object classes, by following the instructions provided here: [1]
>>>>>>>>>
>>>>>>>>> Then you will be able to add the attributes to the new users by doing:
>>>>>>>>> ipa user-mod username --addattr "edupersontargetedid=value"
>>>>>>>>>
>>>>>>>>> You may be interested in a description of the LDAP schema,
>>>>>>>>> available in the 389-ds guide [2], in order to understand what
>>>>>>>>> objectclasses and attribute types are.
>>>>>>>>>
>>>>>>>>> HTH,
>>>>>>>>> Flo
>>>>>>>>>
>>>>>>>>> [1]
>>>>>>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/adding-custom-objclasses
>>>>>>>>> [2]
>>>>>>>>> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/extending_the_directory_schema#Overview_of_Extending_Schema
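The check Flo asks for in the thread, as an added example that is not part of the original mails: parse the objectclass line that `ldapsearch -b cn=schema` prints and test whether an attribute appears in its MUST or MAY list, which is exactly what 389-ds's `oc_check_allowed_sv` enforces. The two eduPerson definitions are copied from the thread (Per's older schema and Flo's 389-ds-base 1.3.7.9 schema); the function names are my own.

```python
"""Check whether an LDAP objectclass definition (RFC 4512 syntax, as printed
by `ldapsearch -b cn=schema -o ldif-wrap=no objectclasses`) allows an
attribute. 389-ds rejects an add with "attribute ... not allowed" when no
objectclass on the entry lists the attribute under MUST or MAY."""
import re

# Definitions copied from the thread: Per's older schema and Flo's newer one.
OLD_EDUPERSON = ("( 1.3.6.1.4.1.5923.1.1.2 NAME 'eduPerson' AUXILIARY MAY ( "
    "eduPersonAffiliation $ eduPersonNickName $ eduPersonOrgDN $ "
    "eduPersonOrgUnitDN $ eduPersonPrimaryAffiliation $ "
    "eduPersonPrincipalName $ eduPersonEntitlement $ "
    "eduPersonPrimaryOrgUnitDN $ eduPersonScopedAffiliation ) X-ORIGIN "
    "'http://middleware.internet2.edu/eduperson/' )")
NEW_EDUPERSON = ("( 1.3.6.1.4.1.5923.1.1.2 NAME 'eduPerson' AUXILIARY MAY "
    "( eduPersonAffiliation $ eduPersonNickName $ eduPersonOrgDN $ "
    "eduPersonOrgUnitDN $ eduPersonPrimaryAffiliation $ "
    "eduPersonPrincipalName $ eduPersonEntitlement $ "
    "eduPersonPrimaryOrgUnitDN $ eduPersonScopedAffiliation $ "
    "eduPersonTargetedID $ eduPersonAssurance $ eduPersonPrincipalNamePrior "
    "$ eduPersonUniqueId $ eduPersonOrcid ) X-ORIGIN "
    "'http://middleware.internet2.edu/eduperson/' )")


def _attr_list(defn, keyword):
    """Attribute names after MUST or MAY: either one bare name or a
    $-separated list in parentheses."""
    m = re.search(r"\b%s\s+(?:\(\s*([^)]*)\)|([\w;-]+))" % keyword, defn)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [a.strip() for a in body.split("$") if a.strip()]


def parse_objectclass(defn):
    """Extract NAME, MUST and MAY from one objectclass definition line."""
    name = re.search(r"\bNAME\s+'([^']+)'", defn)
    return {"name": name.group(1) if name else None,
            "must": _attr_list(defn, "MUST"),
            "may": _attr_list(defn, "MAY")}


def attribute_allowed(attr, objectclass_defns):
    """True if any given objectclass lists `attr`; LDAP attribute names
    are case-insensitive, so edupersontargetedid == eduPersonTargetedID."""
    wanted = attr.lower()
    for defn in objectclass_defns:
        oc = parse_objectclass(defn)
        if wanted in (a.lower() for a in oc["must"] + oc["may"]):
            return True
    return False
```

Running `attribute_allowed("edupersontargetedid", [OLD_EDUPERSON])` returns False and the same call with `NEW_EDUPERSON` returns True, which is the version difference Flo identified.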