Hi, I'm on CentOS 7 and I just did a yum update and I see:

389-ds-base       x86_64  1.3.6.1-26.el7_4  updates  1.7 M
389-ds-base-libs  x86_64  1.3.6.1-26.el7_4  updates  681 k

I updated and tried ipa user-mod perq --addattr "edupersontargetedid=value" again but with the same results, so it looks like I need the same version. Any idea when it will be released for CentOS 7?

Regards
Per

> On 16 Mar 2018, at 18:10, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> Per Qvindesland via FreeIPA-users wrote:
>> Hi
>>
>> So what can I do?
>
> Flo is right, it is there in 389-ds-base-1.3.7.9-1.fc27. I was looking in the old schema directory. The attribute should be there.
>
> rob
>
>> Regards
>> Per
>>
>>> On 16 Mar 2018, at 09:43, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>>
>>> On 03/16/2018 09:46 AM, Per Qvindesland via FreeIPA-users wrote:
>>>> Hi
>>>> Ok, so how would I go about creating it?
>>>> Regards
>>>> Per
>>> Hi,
>>>
>>> it seems we don't have the same 389-ds-base version. In my version, the schema for eduPerson was updated (see ticket https://pagure.io/389-ds-base/issue/49248). I am using 389-ds-base.x86_64 1.3.7.9-1.fc27
>>>
>>> Flo
>>>
>>>>> On 15 Mar 2018, at 22:06, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>
>>>>> Per Qvindesland via FreeIPA-users wrote:
>>>>>> Hi Florence
>>>>>>
>>>>>> ipa user-show perq --all gives:
>>>>>> objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry, eduPerson
>>>>>>
>>>>>> And ldapsearch -x -b cn=schema -LLL -s base -o ldif-wrap=no objectclasses | grep -i eduPerson gives:
>>>>>> objectclasses: ( 1.3.6.1.4.1.5923.1.1.2 NAME 'eduPerson' AUXILIARY MAY ( eduPersonAffiliation $ eduPersonNickName $ eduPersonOrgDN $ eduPersonOrgUnitDN $ eduPersonPrimaryAffiliation $ eduPersonPrincipalName $ eduPersonEntitlement $ eduPersonPrimaryOrgUnitDN $ eduPersonScopedAffiliation ) X-ORIGIN 'http://middleware.internet2.edu/eduperson/' )
>>>>>
>>>>> edupersontargetedid is not an attribute in the objectclass. I don't have it defined in the schema on my server at all (though I have a similar if not the same eduPerson).
>>>>>
>>>>> rob
>>>>>
>>>>>> So eduperson is listed; seems a bit odd that it then doesn't work.
>>>>>>
>>>>>> Regards
>>>>>> Per
>>>>>>
>>>>>>> On 15 Mar 2018, at 16:22, Florence Blanc-Renaud <f...@redhat.com> wrote:
>>>>>>>
>>>>>>> On 03/15/2018 02:35 PM, Per Qvindesland via FreeIPA-users wrote:
>>>>>>>> Hi Florence
>>>>>>>> I did that: added ipa user-mod perq --addattr objectclass=eduPerson, which went fine, then ipa user-mod perq --addattr "edupersontargetedid=value", but it still gives me the error ipa: ERROR: attribute "edupersontargetedid" not allowed.
>>>>>>>> Looking into the logs, there is not much to go on, the same error: ERR - oc_check_allowed_sv - Entry "uid=perq,cn=users,cn=accounts,dc=domain,dc=ac,dc=uk" -- attribute "edupersontargetedid" not allowed, but nothing else.
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm not able to reproduce your issue. Can you provide the output of
>>>>>>> $ ipa user-show perq --all
>>>>>>>
>>>>>>> At the end of the output you should find something like:
>>>>>>> objectclass: top, person, posixaccount, krbprincipalaux, krbticketpolicyaux, inetuser, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, eduPerson
>>>>>>>
>>>>>>> We need to make sure that eduPerson is listed in the objectclasses.
>>>>>>>
>>>>>>> Then check that the schema definition for eduPerson properly includes edupersontargetedid:
>>>>>>> $ ldapsearch -x -b cn=schema -LLL -s base -o ldif-wrap=no objectclasses | grep -i eduPerson
>>>>>>> objectclasses: ( 1.3.6.1.4.1.5923.1.1.2 NAME 'eduPerson' AUXILIARY MAY ( eduPersonAffiliation $ eduPersonNickName $ eduPersonOrgDN $ eduPersonOrgUnitDN $ eduPersonPrimaryAffiliation $ eduPersonPrincipalName $ eduPersonEntitlement $ eduPersonPrimaryOrgUnitDN $ eduPersonScopedAffiliation $ eduPersonTargetedID $ eduPersonAssurance $ eduPersonPrincipalNamePrior $ eduPersonUniqueId $ eduPersonOrcid ) X-ORIGIN 'http://middleware.internet2.edu/eduperson/' )
>>>>>>>
>>>>>>> Flo
>>>>>>>
>>>>>>>> Regards
>>>>>>>> Per
>>>>>>>>
>>>>>>>>> On 03/15/2018 12:16 PM, Per Qvindesland via FreeIPA-users wrote:
>>>>>>>>>> Hi Florence
>>>>>>>>>> First of all, many thanks for responding to me and for the information.
>>>>>>>>>> Step 1, adding eduPerson, was not a problem, but when I tried to run ipa user-mod perq --addattr "edupersontargetedid=value" it fails with the error ipa: ERROR: attribute "edupersontargetedid" not allowed
>>>>>>>>>> When I look in /var/log/messages the only entry is - ERR - oc_check_allowed_sv - Entry "uid=perq,cn=users,cn=accounts,dc=domain,dc=ac,dc=uk" -- attribute "edupersontargetedid" not allowed
>>>>>>>>>> Any suggestions on how to resolve this?
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> the default object classes are applied to *new* user entries only (i.e. users created after the default object classes modification). So when you added eduPerson to the set of default object classes, the objectclasses for already existing user entries were not modified, hence the error.
>>>>>>>>>
>>>>>>>>> You will need to add the eduPerson objectclass to the existing user entries:
>>>>>>>>> ipa user-mod username --addattr objectclass=eduPerson
>>>>>>>>>
>>>>>>>>> After this step you should be able to add the edupersontargetedid attribute.
>>>>>>>>>
>>>>>>>>> Hope this clarifies,
>>>>>>>>> Flo
>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Per
>>>>>>>>>>
>>>>>>>>>>> On 15 Mar 2018, at 10:31, Florence Blanc-Renaud via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>> On 03/15/2018 10:40 AM, Per Qvindesland via FreeIPA-users wrote:
>>>>>>>>>>>> Hi List
>>>>>>>>>>>> We are currently busy implementing FreeIPA with a SAML IdP, but we noticed that we are missing the following attributes: edupersontargetedid, edupersonaffiliation, displayname, and mail.
>>>>>>>>>>>> How can we add these attributes into the FreeIPA server?
>>>>>>>>>>>> Regards
>>>>>>>>>>>> Per
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> the attributes edupersontargetedid, edupersonaffiliation, displayname, and mail are already defined in the LDAP schema, so you won't need to add them to the schema.
>>>>>>>>>>>
>>>>>>>>>>> The edupersontargetedid and edupersonaffiliation attributes are part of the objectclass eduPerson.
>>>>>>>>>>> The displayName and mail attributes are part of the objectclass inetorgperson.
>>>>>>>>>>>
>>>>>>>>>>> If you want to add these attributes to a user entry, the user entry needs to contain the relevant objectclasses (by default, FreeIPA users already contain the inetorgperson objectclass). You will need to add the eduPerson objectclass to the default user object classes, by following the instructions provided here: [1]
>>>>>>>>>>>
>>>>>>>>>>> Then you will be able to add the attributes to the new users by doing:
>>>>>>>>>>> ipa user-mod username --addattr "edupersontargetedid=value"
>>>>>>>>>>>
>>>>>>>>>>> You may be interested in a description of the LDAP schema, available in the 389-ds guide [2], in order to understand what objectclasses and attribute types are.
>>>>>>>>>>>
>>>>>>>>>>> HTH,
>>>>>>>>>>> Flo
>>>>>>>>>>>
>>>>>>>>>>> [1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/adding-custom-objclasses
>>>>>>>>>>> [2] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/extending_the_directory_schema#Overview_of_Extending_Schema

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
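The thread turns on two distinct reasons 389-ds can reject an attribute with "oc_check_allowed_sv ... attribute not allowed": the entry is missing the objectclass that carries the attribute (Flo's first answer), or no objectclass in the server's schema carries it at all (Rob's finding with the older eduPerson definition). The following checker is an added example, not code from the thread or from FreeIPA or 389-ds: it parses objectclass descriptions in the format printed by `ldapsearch -b cn=schema ... objectclasses`, computes the attributes an entry's objectclass set allows (following SUP chains the loaded schema knows about), and tells the two failure modes apart. The schema it loads is constructed: the two eduPerson definitions are the ones quoted in the thread, inetOrgPerson is cut down to four of its RFC 2798 MAY attributes, and its parent classes are deliberately omitted.

```python
import re

# Constructed sample schema (labelled as such). OLD_EDUPERSON is the definition Per's
# 389-ds-base 1.3.6.1 server returned, NEW_EDUPERSON the one from Flo's 1.3.7.9 server;
# INETORGPERSON is an abbreviated stand-in for the RFC 2798 class (real one has many more MAYs).
OLD_EDUPERSON = (
    "( 1.3.6.1.4.1.5923.1.1.2 NAME 'eduPerson' AUXILIARY MAY ( eduPersonAffiliation $ "
    "eduPersonNickName $ eduPersonOrgDN $ eduPersonOrgUnitDN $ eduPersonPrimaryAffiliation $ "
    "eduPersonPrincipalName $ eduPersonEntitlement $ eduPersonPrimaryOrgUnitDN $ "
    "eduPersonScopedAffiliation ) X-ORIGIN 'http://middleware.internet2.edu/eduperson/' )"
)
NEW_EDUPERSON = (
    "( 1.3.6.1.4.1.5923.1.1.2 NAME 'eduPerson' AUXILIARY MAY ( eduPersonAffiliation $ "
    "eduPersonNickName $ eduPersonOrgDN $ eduPersonOrgUnitDN $ eduPersonPrimaryAffiliation $ "
    "eduPersonPrincipalName $ eduPersonEntitlement $ eduPersonPrimaryOrgUnitDN $ "
    "eduPersonScopedAffiliation $ eduPersonTargetedID $ eduPersonAssurance $ "
    "eduPersonPrincipalNamePrior $ eduPersonUniqueId $ eduPersonOrcid ) "
    "X-ORIGIN 'http://middleware.internet2.edu/eduperson/' )"
)
INETORGPERSON = (
    "( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL "
    "MAY ( displayName $ mail $ employeeNumber $ mobile ) )"
)

# Constructed stand-in for the output of
#   ldapsearch -x -b cn=schema -LLL -s base -o ldif-wrap=no objectclasses
SAMPLE_LDIF = ("dn: cn=schema\nobjectclasses: " + INETORGPERSON +
               "\nobjectclasses: " + NEW_EDUPERSON + "\n")


def _oid_list(definition, keyword):
    """Lower-cased names after KEYWORD, written as 'KEYWORD x' or 'KEYWORD ( x $ y )'."""
    m = re.search(r"\b%s\s+(?:\(\s*([^)]*)\)|(\S+))" % keyword, definition)
    if not m:
        return set()
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return {item.strip().lower() for item in body.split("$") if item.strip()}


def parse_objectclass(definition):
    """Pull NAME, SUP, kind, MUST and MAY out of an RFC 4512 objectclass description."""
    name_match = re.search(r"\bNAME\s+(\([^)]*\)|'[^']*')", definition)
    names = re.findall(r"'([^']+)'", name_match.group(1)) if name_match else []
    kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", definition)
    return {"names": names, "kind": kind.group(1) if kind else None,
            "sup": _oid_list(definition, "SUP"),
            "must": _oid_list(definition, "MUST"), "may": _oid_list(definition, "MAY")}


class Schema:
    def __init__(self, definitions):
        self.classes = {}
        for definition in definitions:
            oc = parse_objectclass(definition)
            for name in oc["names"]:
                self.classes[name.lower()] = oc

    @classmethod
    def from_ldif(cls, text):
        """Build a schema from the 'objectclasses: ...' lines ldapsearch prints with ldif-wrap=no."""
        prefix = "objectclasses: "
        return cls([line[len(prefix):] for line in text.splitlines() if line.startswith(prefix)])

    def allowed_attributes(self, entry_objectclasses):
        """Union of MUST and MAY over the entry's objectclasses and every SUP ancestor the schema
        knows; ancestors missing from this cut-down schema are skipped rather than treated as an error."""
        allowed, seen = set(), set()
        todo = [name.lower() for name in entry_objectclasses]
        while todo:
            name = todo.pop()
            if name in seen:
                continue
            seen.add(name)
            oc = self.classes.get(name)
            if oc:
                allowed |= oc["must"] | oc["may"]
                todo.extend(oc["sup"])
        return allowed

    def check_attribute(self, entry_objectclasses, attribute):
        """Mirror the server's decision: ("allowed", None), ("missing-objectclass", [carriers])
        when some loaded class carries the attribute, or ("not-in-schema", None) when none does."""
        attr = attribute.lower()
        if attr in self.allowed_attributes(entry_objectclasses):
            return "allowed", None
        carriers = sorted({oc["names"][0] for oc in self.classes.values()
                           if attr in oc["must"] | oc["may"]})
        return ("missing-objectclass", carriers) if carriers else ("not-in-schema", None)


# Objectclass list as shown by 'ipa user-show perq --all' in the thread, with and without eduPerson.
ENTRY_WITH_EDUPERSON = ["top", "person", "organizationalperson", "inetorgperson", "inetuser",
                        "posixaccount", "krbprincipalaux", "krbticketpolicyaux", "ipaobject",
                        "ipasshuser", "ipaSshGroupOfPubKeys", "mepOriginEntry", "eduPerson"]
ENTRY_WITHOUT_EDUPERSON = ENTRY_WITH_EDUPERSON[:-1]

OLD_SCHEMA = Schema([INETORGPERSON, OLD_EDUPERSON])
NEW_SCHEMA = Schema.from_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for label, schema, entry in [("old schema, eduPerson present", OLD_SCHEMA, ENTRY_WITH_EDUPERSON),
                                 ("new schema, eduPerson missing", NEW_SCHEMA, ENTRY_WITHOUT_EDUPERSON),
                                 ("new schema, eduPerson present", NEW_SCHEMA, ENTRY_WITH_EDUPERSON)]:
        print(label, "->", schema.check_attribute(entry, "edupersontargetedid"))
```

Against a real server you would feed `Schema.from_ldif` the full `objectclasses` output rather than the constructed sample, and the `missing-objectclass` result names the class to add with `ipa user-mod ... --addattr objectclass=...`, while `not-in-schema` means the server's schema files are the thing to update.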