4:51 a.m.
Dear FreeIPA team,
We have been trying to add a new attribute to our FreeIPA ldap configuration from the
command line, but seemed not to work as expected.
I provide the steps below:
cd /usr/share/ipa
ipa-ldap-updater --schema-file 01auhkey.ldif
******************File content: The content is quite generic and nothing in particular is
customised on the template below. **********************
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.1.1
NAME 'authKey'
EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
X-ORIGIN 'Extending FreeIPA' )
-
add: objectClasses
objectClasses: ( 2.25.28639311321113238241701611583088740684.14.2.2.1
NAME '*****Account'
SUP top
AUXILIARY
MAY (authKey)
X-ORIGIN 'Extending FreeIPA' )
*****************Logs after executing the command: *************************
2021-10-20T09:43:19Z DEBUG importing plugin module
ipaserver.install.plugins.update_uniqueness
2021-10-20T09:43:19Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2021-10-20T09:43:20Z DEBUG Created connection context.ldap2_139992050688208
2021-10-20T09:43:20Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-HOOYU-COM.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f526fe1f3f8>
2021-10-20T09:43:21Z DEBUG Processing schema LDIF file 01authkey.ldif
2021-10-20T09:43:21Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py",
line 143, in run
ldapi=True) or modified
File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py",
line 129, in update_schema
_dn, new_schema = ldap.schema.subentry.urlfetch(url)
File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 480,
in urlfetch
ldif_file = urllib.urlopen(uri)
File "/usr/lib64/python2.7/urllib.py", line 87, in urlopen
return opener.open(url)
File "/usr/lib64/python2.7/urllib.py", line 210, in open
return getattr(self, name)(url)
File "/usr/lib64/python2.7/urllib.py", line 463, in open_file
return self.open_ftp(url)
File "/usr/lib64/python2.7/urllib.py", line 522, in open_ftp
host = socket.gethostbyname(host)
2021-10-20T09:43:21Z DEBUG The ipa-ldap-updater command failed, exception: IOError: [Errno
socket error] [Errno -2] Name or service not known
2021-10-20T09:43:21Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
IOError: [Errno socket error] [Errno -2] Name or service not known
2021-10-20T09:43:21Z ERROR The ipa-ldap-updater command failed. See
/var/log/ipaupgrade.log for more information
All the best,
gcol
5:10 a.m.
Hello,
Also thinking if perhaps there is a missing field in the file created below:
customised on the template below. **********************
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.1.1
NAME 'authKey'
EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
X-ORIGIN 'Extending FreeIPA' )
-
add: objectClasses
objectClasses: ( 2.25.28639311321113238241701611583088740684.14.2.2.1
NAME '*****Account'
SUP top
AUXILIARY
MAY (authKey)
X-ORIGIN 'Extending FreeIPA' )
Thank you for your help
gcol
5:21 a.m.
On ke, 20 loka 2021, G Col via FreeIPA-users wrote:
Dear FreeIPA team,
We have been trying to add a new attribute to our FreeIPA ldap configuration from the
command line, but seemed not to work as expected.
I provide the steps below:
cd /usr/share/ipa
ipa-ldap-updater --schema-file 01auhkey.ldif
******************File content: The content is quite generic and nothing in particular is
customised on the template below. **********************
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.1.1
NAME 'authKey'
EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
X-ORIGIN 'Extending FreeIPA' )
-
add: objectClasses
objectClasses: ( 2.25.28639311321113238241701611583088740684.14.2.2.1
NAME '*****Account'
SUP top
AUXILIARY
MAY (authKey)
X-ORIGIN 'Extending FreeIPA' )
*****************Logs after executing the command: *************************
2021-10-20T09:43:19Z DEBUG importing plugin module
ipaserver.install.plugins.update_uniqueness
2021-10-20T09:43:19Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2021-10-20T09:43:20Z DEBUG Created connection context.ldap2_139992050688208
2021-10-20T09:43:20Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-HOOYU-COM.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f526fe1f3f8>
2021-10-20T09:43:21Z DEBUG Processing schema LDIF file 01authkey.ldif
2021-10-20T09:43:21Z DEBUG File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py",
line 143, in run
ldapi=True) or modified
File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py",
line 129, in update_schema
_dn, new_schema = ldap.schema.subentry.urlfetch(url)
File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 480,
in urlfetch
ldif_file = urllib.urlopen(uri)
File "/usr/lib64/python2.7/urllib.py", line 87, in urlopen
return opener.open(url)
File "/usr/lib64/python2.7/urllib.py", line 210, in open
return getattr(self, name)(url)
File "/usr/lib64/python2.7/urllib.py", line 463, in open_file
return self.open_ftp(url)
File "/usr/lib64/python2.7/urllib.py", line 522, in open_ftp
host = socket.gethostbyname(host)
2021-10-20T09:43:21Z DEBUG The ipa-ldap-updater command failed, exception: IOError: [Errno
socket error] [Errno -2] Name or service not known
2021-10-20T09:43:21Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details:
IOError: [Errno socket error] [Errno -2] Name or service not known
2021-10-20T09:43:21Z ERROR The ipa-ldap-updater command failed. See
/var/log/ipaupgrade.log for more information
You are using wrong syntax for schema file for ipa-ldap-updater and you
are also not passing ipa-ldap-update a full path to the file.
Your 01authkey.ldif file uses LDAP update file format as accepted by
ldapadd/ldapmodify but misses this requirement stated in the man page
for ipa-ldap-updater:
-------------
Schema files should be in LDIF format, and may only specify
attributeTypes and objectClasses attributes of cn=schema.
-------------
You can look for examples in /usr/share/ipa, for example
/usr/share/ipa/60basev4.ldif.
Since ipa-ldap-updater uses Python ldap library, it needs to follow the
logic of urllib which basically tries to guess the name as a URI. If
that one starts with / or ./, it will be interpreted as a file and not
tried to open an URL with other protocols. In the stack trace above it
decided that the url '01authkey.ldif' looks like an FTP URL.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
5:31 a.m.
Hello Alexander,
Thank you for your comments, they are really helpful :)
The command would be: ipa-ldap-updater --schema-file ./01authkey.ldif ?
About the format what would be wrong or what would be the correct format for our file.
We were following an freeipa user guide, but perhaps there was something I didn't
apply correctly based on the notes:
https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
Kiitos
Kind regards,
gcol
5:36 a.m.
Just thinking about this topic, is this wrong approach to test a new schema change and
there is a better command and sintax to do it via freeipa?
Kind regards,
gcol
5:39 a.m.
On ke, 20 loka 2021, G Col via FreeIPA-users wrote:
Hello Alexander,
Thank you for your comments, they are really helpful :)
The command would be: ipa-ldap-updater --schema-file ./01authkey.ldif ?
yes.
About the format what would be wrong or what would be the correct
format for our file.
We were following an freeipa user guide, but perhaps there was something I didn't
apply correctly based on the notes:
https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
Just make sure you opened 01authkey.ldif and, say, 60basev4.ldif
side-by-side and see the difference yourself.
If you are interested in extending IPA, I'd suggest to follow sample
plugins I have in my github tree like https://github.com/abbra/freeipa-desktop-profile
They cover all required details, for schema to updates and UI changes.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
6:06 a.m.
Apparently just to let you know, the approach we followed worked out in the end, we made
it work with the same file just not having intro spaces in the file. And now the change is
in place.
Thank you for your comments,
Terveisin,
gcol
919
days inactive
919
days old
freeipa-users@lists.fedorahosted.org
6 comments
2 participants
participants (2)
-
Alexander Bokovoy -
G Col