On Wed, 20 Oct 2021, G Col via FreeIPA-users wrote:
Dear FreeIPA team,
We have been trying to add a new attribute to our FreeIPA LDAP configuration from the
command line, but it seemed not to work as expected.
I provide the steps below:
cd /usr/share/ipa
ipa-ldap-updater --schema-file 01authkey.ldif
****************** File content (the content is quite generic; nothing in particular is
customised in the template below) **********************
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.1.1
  NAME 'authKey'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'Extending FreeIPA' )
-
add: objectClasses
objectClasses: ( 2.25.28639311321113238241701611583088740684.14.2.2.1
  NAME '*****Account'
  SUP top
  AUXILIARY
  MAY (authKey)
  X-ORIGIN 'Extending FreeIPA' )
***************** Logs after executing the command *************************
2021-10-20T09:43:19Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness
2021-10-20T09:43:19Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2021-10-20T09:43:20Z DEBUG Created connection context.ldap2_139992050688208
2021-10-20T09:43:20Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-HOOYU-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f526fe1f3f8>
2021-10-20T09:43:21Z DEBUG Processing schema LDIF file 01authkey.ldif
2021-10-20T09:43:21Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 143, in run
    ldapi=True) or modified
  File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 129, in update_schema
    _dn, new_schema = ldap.schema.subentry.urlfetch(url)
  File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 480, in urlfetch
    ldif_file = urllib.urlopen(uri)
  File "/usr/lib64/python2.7/urllib.py", line 87, in urlopen
    return opener.open(url)
  File "/usr/lib64/python2.7/urllib.py", line 210, in open
    return getattr(self, name)(url)
  File "/usr/lib64/python2.7/urllib.py", line 463, in open_file
    return self.open_ftp(url)
  File "/usr/lib64/python2.7/urllib.py", line 522, in open_ftp
    host = socket.gethostbyname(host)
2021-10-20T09:43:21Z DEBUG The ipa-ldap-updater command failed, exception: IOError: [Errno socket error] [Errno -2] Name or service not known
2021-10-20T09:43:21Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: IOError: [Errno socket error] [Errno -2] Name or service not known
2021-10-20T09:43:21Z ERROR The ipa-ldap-updater command failed. See /var/log/ipaupgrade.log for more information
You are using the wrong syntax for a schema file for ipa-ldap-updater, and you
are also not passing ipa-ldap-updater a full path to the file.
Your 01authkey.ldif file uses the LDAP update file format as accepted by
ldapadd/ldapmodify but misses this requirement stated in the man page
for ipa-ldap-updater:
-------------
Schema files should be in LDIF format, and may only specify
attributeTypes and objectClasses attributes of cn=schema.
-------------
You can look for examples in /usr/share/ipa, for example
/usr/share/ipa/60basev4.ldif.
Since ipa-ldap-updater uses the Python ldap library, it needs to follow the
logic of urllib, which basically tries to guess the name as a URI. If
that one starts with / or ./, it will be interpreted as a file and it will
not try to open a URL with other protocols. In the stack trace above it
decided that the URL '01authkey.ldif' looks like an FTP URL.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
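The two points in the reply above (a bare file name being read as a URL host, and the plain-LDIF format that --schema-file expects) as an added example; this is not FreeIPA's or python-ldap's own code. It assumes that the updater prefixes the argument with "file://" before handing it to urllib, which is what the stack trace (urlopen walking into open_ftp) suggests but which the page does not state, and it uses 'exampleAccount' as a placeholder for the redacted objectClass name. The LDIF samples are constructed from the post.

```python
"""Preflight checks for an ipa-ldap-updater --schema-file argument (added example).

Assumption: the updater builds "file://" + argument and passes it to urllib;
that prefix is assumed from the stack trace, not taken from FreeIPA docs.
"""
import os
from urllib.parse import urlsplit


def classify_schema_url(arg):
    """Return (url, kind, netloc) for a --schema-file argument.

    In a URL, everything between '//' and the next '/' is the authority (host).
    A bare relative name therefore lands in netloc and looks like a remote
    host (the FTP/DNS path in the trace); an absolute path leaves netloc empty.
    """
    url = "file://" + arg  # assumed construction, see module docstring
    parts = urlsplit(url)
    kind = "remote-host" if parts.netloc else "local-file"
    return url, kind, parts.netloc


def absolute_schema_url(arg):
    """The safe form: an absolute path always yields an empty netloc."""
    return "file://" + os.path.abspath(arg)


SCHEMA_DN = "cn=schema"
ALLOWED_ATTRS = {"attributetypes", "objectclasses"}
CHANGE_DIRECTIVES = {"changetype", "add", "delete", "replace"}


def unfold(lines):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def check_schema_ldif(text):
    """List problems with text meant for --schema-file.

    The man page wants plain LDIF that only carries attributeTypes and
    objectClasses under cn=schema; ldapmodify change records (changetype:,
    add:, '-' separators) are a different format.
    """
    problems = []
    for record in text.split("\n\n"):
        lines = unfold(l for l in record.splitlines() if l and not l.startswith("#"))
        if not lines:
            continue
        if not lines[0].lower().startswith("dn:"):
            problems.append("record does not start with dn:")
            continue
        dn = lines[0][3:].strip()
        if dn.lower() != SCHEMA_DN:
            problems.append("dn is %r, expected %s" % (dn, SCHEMA_DN))
        for line in lines[1:]:
            if line == "-":
                problems.append("ldapmodify separator '-' is not allowed")
                continue
            name, sep, _value = line.partition(":")
            name = name.strip().lower()
            if not sep:
                problems.append("not an attribute line: %r" % line)
            elif name in CHANGE_DIRECTIVES:
                problems.append("ldapmodify directive not allowed: %r" % line)
            elif name not in ALLOWED_ATTRS:
                problems.append("attribute %r not allowed here" % name)
    return problems


# Constructed sample: the change-record (ldapmodify) form from the post.
POSTED_LDIF = """\
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.1.1
  NAME 'authKey' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' )
-
add: objectClasses
objectClasses: ( 2.25.28639311321113238241701611583088740684.14.2.2.1
  NAME 'exampleAccount' SUP top AUXILIARY MAY ( authKey )
  X-ORIGIN 'Extending FreeIPA' )
"""

# Constructed sample: the same schema in the plain form the man page asks for.
PLAIN_LDIF = """\
dn: cn=schema
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.1.1
  NAME 'authKey' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' )
objectClasses: ( 2.25.28639311321113238241701611583088740684.14.2.2.1
  NAME 'exampleAccount' SUP top AUXILIARY MAY ( authKey )
  X-ORIGIN 'Extending FreeIPA' )
"""

if __name__ == "__main__":
    for arg in ("01authkey.ldif", "/usr/share/ipa/01authkey.ldif"):
        print(arg, "->", classify_schema_url(arg))
    print("safe form:", absolute_schema_url("01authkey.ldif"))
    print("posted file:", check_schema_ldif(POSTED_LDIF) or "OK")
    print("plain file:", check_schema_ldif(PLAIN_LDIF) or "OK")
```

Running it shows the bare name classified as a remote host with netloc '01authkey.ldif' and the absolute path as a local file, and flags the changetype:/add: lines and the '-' separator in the posted file while the plain form passes. The checker only validates the file's shape, not the schema syntax itself; the directory server still does that when the updater applies the file.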