Hi Folks, I'm new here so please kindly let me know if I go wrong...

I'm hoping someone can help me with diagnosing this problem. I recently installed FreeIPA on a CentOS 8 LXC container. Everything was working quite well, I had a few users set up and my first objective was to set up Postfix/Dovecot for virtual user/mailbox support using LDAP against FreeIPA.

Background:
Following the excellent instructions here

https://www.vennedey.net/resources/2-LDAP-managed-mail-server-with-Postfix-and-Dovecot-for-multiple-domains

 was mostly straight forward. I'm fairly familiar with Postfix but the instructions called for extending the LDAP schema to add a new class with two attributes (At least i think that's how it's correctly described) for maildrop and mailacceptinggeneralid. The article doesn't specifically relate to FreeIPA or 389Dir so to work out how to extend the schema I had to cross reference other material and this may be where I have gone wrong - it took a couple of goes.

However I eventually added an ldif file to /etc/dirsrv/slapd-PILLARAMA-NET/schema/ and restarted FreeIPA without error.
I also wrote and installed a js plugin for the webUI to /usr/share/ipa/ui/js/plugins/ which was based closely on a NextCloud Quota plugin found here https://github.com/radiorabe/freeipa-extending-ldap-schema-and-ui/issues/2

Here is the content of my LDIF:

dn: cn=schema
cn: postfix
attributetypes: (1.3.6.1.4.1.4203.666.1.200 NAME 'mailacceptinggeneralid'
       DESC 'Postfix mail local address alias attribute'
       EQUALITY caseIgnoreMatch
       SUBSTR caseIgnoreSubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024})
attributetypes: (1.3.6.1.4.1.4203.666.1.201 NAME 'maildrop'
       DESC 'Postfix mail final destination attribute'
       EQUALITY caseIgnoreMatch
       SUBSTR caseIgnoreSubstringsMatch
       SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024})
objectclasses: (1.3.6.1.4.1.4203.666.1.100 NAME 'postfixuser'
       DESC 'Postfix mail user class'
       SUP top AUXILIARY MAY(mailacceptinggeneralid $ maildrop))

I can supply the web UI plugin code as well if anyone thinks it's related but it's probably a bit long to paste in here.

This mostly seems to work (I have one issue where only the Directory Admin can read those attributes not the new PostFix bind user I created, but that's not what concerned about fixing yet unless it's somehow related).

The Problem:
After successfully getting Postfix and Dovecot up and running with virtual user accounts I momentarily celebrated... until I tried to create another new user in FreeIPA to discover that every single user account I try to create complains that it's a duplicate user - no matter what random and definitely unique username I choose. Here is the error in the webinterface:

IPA Error 4002: DuplicateEntry

user with name "newuserthatsdefinitelyunique" already exists


I have looked for logs but not found much that was helpful. The most relevant I found was actually /var/log/httpd/error_log which says:

[Tue Mar 08 12:08:19.420195 2022] [wsgi:error] [pid 28301:tid 139989980104448] [remote 192.168.100.26:49712] ipa: INFO: [jsonserver_session] admi
n@PILLARAMA.NET: user_add('newuserthatsdefinitelyunique', givenname='New', sn='User', version='2.245'): DuplicateEntry

But again - not much to go on.

I have tried to remove the schema extension but when I remove the class from IPAServer->Configuration>Default user objectclasses in the web interface I get this error:


IPA Error 3009: ValidationError

invalid 'ipauserobjectclasses': user default attribute postfixmailacceptinggeneralid would not be allowed!


Which I could guess what that means - I suppose because those attributes are now in use the class can't be safely removed? Either way I don't know how to proceed and don't even know if the schema extension is the problem or not trying hard to removine it straight after I got it working doesn't seem that appealing.

I really don't know where to look from here - I've been Googling for days but being new to the whole LDAP/FreeIPA stack I may not be searching well.

I don't know if this is a FreeIPA issue or a 389Dir issue nor if I created the problem with the schema extension or something else I did trying to install that extension, or if it's unrelated. Please can someone give me some direction about where to look? I would rather try to learn from my mistakes and fix this install than scrap it and just blindly start from scratch, possibly repeating the same mistake again.

Thanks in advance!

Pillarama