Per Qvindesland via FreeIPA-users wrote:
> Hi
>
> So what can I do?

Flo is right, it is there in 389-ds-base-1.3.7.9-1.fc27. I was looking in
the old schema directory. The attribute should be there.

rob

> Regards
> Per
>
>
>> On 16 Mar 2018, at 09:43, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>
>> On 03/16/2018 09:46 AM, Per Qvindesland via FreeIPA-users wrote:
>>> Hi
>>> Ok so how would I go about creating it?
>>> Regards
>>> Per
>> Hi,
>>
>> it seems we don't have the same 389-ds-base version. In my version, the
>> schema for eduPerson was updated (see ticket
>> https://pagure.io/389-ds-base/issue/49248). I am using 389-ds-base.x86_64
>> 1.3.7.9-1.fc27
>>
>> Flo
>>
>>>> On 15 Mar 2018, at 22:06, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>
>>>> Per Qvindesland via FreeIPA-users wrote:
>>>>> Hi Florence
>>>>>
>>>>> ipa user-show perq --all gives:
>>>>> objectclass: top, person, organizationalperson, inetorgperson,
>>>>> inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux,
>>>>> ipaobject, ipasshuser, ipaSshGroupOfPubKeys,
>>>>> mepOriginEntry, eduPerson
>>>>>
>>>>> And ldapsearch -x -b cn=schema -LLL -s base -o ldif-wrap=no
>>>>> objectclasses | grep -i eduPerson gives:
>>>>> objectclasses: ( 1.3.6.1.4.1.5923.1.1.2 NAME 'eduPerson' AUXILIARY MAY (
>>>>> eduPersonAffiliation $ eduPersonNickName $ eduPersonOrgDN $
>>>>> eduPersonOrgUnitDN $ eduPersonPrimaryAffiliation $
>>>>> eduPersonPrincipalName $ eduPersonEntitlement $
>>>>> eduPersonPrimaryOrgUnitDN $ eduPersonScopedAffiliation ) X-ORIGIN
>>>>> 'http://middleware.internet2.edu/eduperson/‘ )
>>>>
>>>> edupersontargetedid is not an attribute in the objectclass. I don't have
>>>> it defined in the schema on my server at all (though I have a similar if
>>>> not the same eduPerson).
>>>>
>>>> rob
>>>>
>>>>> So eduperson is listed, seems a bit odd that it then doesn't work.
>>>>>
>>>>> Regards
>>>>> Per
>>>>>
>>>>>> On 15 Mar 2018, at 16:22, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>>>>>
>>>>>> On 03/15/2018 02:35 PM, Per Qvindesland via FreeIPA-users wrote:
>>>>>>> Hi Florence
>>>>>>> I did that added ipa user-mod perq --addattr objectclass=eduPerson
>>>>>>> which went fine then ipa user-mod perq --addattr
>>>>>>> "edupersontargetedid=value" but it still gives me the error ipa:
>>>>>>> ERROR: attribute "edupersontargetedid" not allowed.
>>>>>>> Looking into the logs and there is not much to go on, the same
>>>>>>> error: ERR - oc_check_allowed_sv - Entry
>>>>>>> "uid=perq,cn=users,cn=accounts,dc=domain,dc=ac,dc=uk" -- attribute
>>>>>>> "edupersontargetedid" not allowed but nothing else.
>>>>>> Hi,
>>>>>>
>>>>>> I'm not able to reproduce your issue. Can you provide the output of
>>>>>> $ ipa user-show perq --all
>>>>>>
>>>>>> At the end of the output you should find something like:
>>>>>> objectclass: top, person, posixaccount, krbprincipalaux,
>>>>>> krbticketpolicyaux,
>>>>>> inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys,
>>>>>> eduPerson
>>>>>>
>>>>>> We need to make sure that eduPerson is listed in the objectclasses.
>>>>>>
>>>>>> Then check that the schema definition for eduPerson properly includes
>>>>>> edupersontargetedid:
>>>>>> $ ldapsearch -x -b cn=schema -LLL -s base -o ldif-wrap=no
>>>>>> objectclasses | grep -i eduPerson
>>>>>> objectclasses: ( 1.3.6.1.4.1.5923.1.1.2 NAME 'eduPerson' AUXILIARY MAY
>>>>>> ( eduPersonAffiliation $ eduPersonNickName $ eduPersonOrgDN $
>>>>>> eduPersonOrgUnitDN $ eduPersonPrimaryAffiliation $
>>>>>> eduPersonPrincipalName $ eduPersonEntitlement $
>>>>>> eduPersonPrimaryOrgUnitDN $ eduPersonScopedAffiliation $
>>>>>> eduPersonTargetedID $ eduPersonAssurance $ eduPersonPrincipalNamePrior
>>>>>> $ eduPersonUniqueId $ eduPersonOrcid ) X-ORIGIN
>>>>>> 'http://middleware.internet2.edu/eduperson/' )
>>>>>>
>>>>>> Flo
>>>>>>
>>>>>>> Regards
>>>>>>> Per
>>>>>>>> On 03/15/2018 12:16 PM, Per Qvindesland via FreeIPA-users wrote:
>>>>>>>>> Hi Florence
>>>>>>>>> First of all many thanks for responding to me and the information.
>>>>>>>>> Step 1 adding eduPerson was not a problem but when I tried to run
>>>>>>>>> ipa user-mod perq --addattr "edupersontargetedid=value" it fails
>>>>>>>>> with the error ipa: ERROR: attribute "edupersontargetedid" not allowed
>>>>>>>>> When I look in /var/log/messages the only entry is - ERR -
>>>>>>>>> oc_check_allowed_sv - Entry
>>>>>>>>> "uid=perq,cn=users,cn=accounts,dc=domain,dc=ac,dc=uk" -- attribute
>>>>>>>>> "edupersontargetedid" not allowed
>>>>>>>>> Any suggestions on how to resolve this?
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> the default object classes are applied to *new* user entries only
>>>>>>>> (i.e users created after the default object classes modification).
>>>>>>>> So when you added eduPerson to the set of default object classes,
>>>>>>>> the objectclasses for already existing user entries were not
>>>>>>>> modified, hence the error.
>>>>>>>>
>>>>>>>> You will need to add eduPerson objectclass to the existing user
>>>>>>>> entries:
>>>>>>>> ipa user-mod username --addattr objectclass=eduPerson
>>>>>>>>
>>>>>>>> After this step you should be able to add the edupersontargetedid
>>>>>>>> attribute.
>>>>>>>>
>>>>>>>> Hope this clarifies,
>>>>>>>> Flo
>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Per
>>>>>>>>>> On 15 Mar 2018, at 10:31, Florence Blanc-Renaud via FreeIPA-users
>>>>>>>>>> <freeipa-users@lists.fedorahosted.org> wrote:
>>>>>>>>>>
>>>>>>>>>> On 03/15/2018 10:40 AM, Per Qvindesland via FreeIPA-users wrote:
>>>>>>>>>>> Hi List
>>>>>>>>>>> We are currently busy implementing freeipa with a saml idP but we
>>>>>>>>>>> noticed that we are missing the following attributes:
>>>>>>>>>>> edupersontargetedid, edupersonaffiliation, displayname, and mail.
>>>>>>>>>>> How can we add these attributes into the freeipa server?
>>>>>>>>>>> Regards
>>>>>>>>>>> Per
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>>>>>>>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> the attributes edupersontargetedid, edupersonaffiliation,
>>>>>>>>>> displayname, and mail are already defined in the LDAP schema, so
>>>>>>>>>> you won't need to add them to the schema.
>>>>>>>>>>
>>>>>>>>>> The edupersontargetedid and edupersonaffiliation attributes are
>>>>>>>>>> part of the objectclass eduPerson.
>>>>>>>>>> The displayName and mail attributes are part of the objectclass
>>>>>>>>>> inetorgperson.
>>>>>>>>>>
>>>>>>>>>> If you want to add these attributes to a user entry, the user
>>>>>>>>>> entry needs to contain the relevant objectclasses (by default,
>>>>>>>>>> FreeIPA users already contain the inetorgperson objectclass). You
>>>>>>>>>> will need to add the eduPerson objectclass to the default user
>>>>>>>>>> object classes, by following the instructions provided here: [1]
>>>>>>>>>>
>>>>>>>>>> Then you will be able to add the attributes to the new users by
>>>>>>>>>> doing:
>>>>>>>>>> ipa user-mod username --addattr "edupersontargetedid=value"
>>>>>>>>>>
>>>>>>>>>> You may be interested in a description of the LDAP schema,
>>>>>>>>>> available in 389-ds guide [2], in order to understand what are
>>>>>>>>>> objectclasses and attribute types.
>>>>>>>>>>
>>>>>>>>>> HTH,
>>>>>>>>>> Flo
>>>>>>>>>>
>>>>>>>>>> [1]
>>>>>>>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/adding-custom-objclasses
>>>>>>>>>> [2]
>>>>>>>>>> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/extending_the_directory_schema#Overview_of_Extending_Schema
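The thread shows two distinct causes for the same "attribute not allowed" error: the entry lacked the eduPerson objectclass, and then the server's eduPerson definition lacked eduPersonTargetedID. The script below is an added example, not code from the thread or from 389-ds; it parses the two eduPerson definitions quoted above and reproduces, in simplified form, the schema check that 389-ds applies before accepting an attribute. Its parser only reads direct MUST/MAY lists and does not follow SUP inheritance, which is an assumption sufficient for the eduPerson case.

```python
import re

# Constructed from the two ldapsearch outputs in the thread: eduPerson before
# (Rob's server) and after (Flo's 389-ds-base 1.3.7.9-1.fc27) the update in
# https://pagure.io/389-ds-base/issue/49248.
OLD_EDUPERSON = (
    "( 1.3.6.1.4.1.5923.1.1.2 NAME 'eduPerson' AUXILIARY MAY ( eduPersonAffiliation $ "
    "eduPersonNickName $ eduPersonOrgDN $ eduPersonOrgUnitDN $ eduPersonPrimaryAffiliation $ "
    "eduPersonPrincipalName $ eduPersonEntitlement $ eduPersonPrimaryOrgUnitDN $ "
    "eduPersonScopedAffiliation ) X-ORIGIN 'http://middleware.internet2.edu/eduperson/' )")
NEW_EDUPERSON = OLD_EDUPERSON.replace(
    "eduPersonScopedAffiliation )",
    "eduPersonScopedAffiliation $ eduPersonTargetedID $ eduPersonAssurance $ "
    "eduPersonPrincipalNamePrior $ eduPersonUniqueId $ eduPersonOrcid )")

# Objectclasses of uid=perq as 'ipa user-show perq --all' listed them in the thread.
PERQ_OBJECTCLASSES = ["top", "person", "organizationalperson", "inetorgperson", "inetuser",
                      "posixaccount", "krbprincipalaux", "krbticketpolicyaux", "ipaobject",
                      "ipasshuser", "ipaSshGroupOfPubKeys", "mepOriginEntry", "eduPerson"]

_NAME_RE = re.compile(r"\bNAME\s+'([^']+)'")
# MUST/MAY take either a parenthesised '$'-separated list or a single bare name.
_LIST_RE = {kw: re.compile(r"\b" + kw + r"\s+(?:\(\s*([^)]*?)\s*\)|(\S+))")
            for kw in ("MUST", "MAY")}

def parse_objectclass(definition):
    """Return (name, must, may) from an RFC 4512 objectClass definition,
    lowercased because LDAP names match case-insensitively."""
    name = _NAME_RE.search(definition).group(1).lower()
    lists = {}
    for kw, rx in _LIST_RE.items():
        m = rx.search(definition)
        raw = (m.group(1) or m.group(2) or "") if m else ""
        lists[kw] = {a.strip().lower() for a in raw.split("$") if a.strip()}
    return name, lists["MUST"], lists["MAY"]

def attribute_allowed(schema_definitions, entry_objectclasses, attribute):
    """Simplified form of the check behind 'oc_check_allowed_sv ... attribute
    not allowed': the attribute must be MUST or MAY of an objectClass the entry
    carries. SUP inheritance is not followed (assumption); unknown classes add nothing."""
    allowed = {}
    for d in schema_definitions:
        name, must, may = parse_objectclass(d)
        allowed[name] = must | may
    present = set()
    for oc in entry_objectclasses:
        present |= allowed.get(oc.lower(), set())
    return attribute.lower() in present
```

With the old definition the check fails even though eduPerson is on the entry; with the updated definition it passes, and it fails again if eduPerson is dropped from the entry's objectclasses, which is the first situation Flo diagnosed.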