First, be aware that the attributes available depend upon the type of object. E.g. a
person can have a telephone number, but a host can't. Assuming you have a Kerberos
credential, you can do LDAP queries using ldapsearch. (You may need to install the
OpenLDAP clients for that to be present.)
E.g. to look up my entry:
ldapsearch -Y GSSAPI -h krb1.cs.rutgers.edu -b dc=cs,dc=rutgers,dc=edu uid=hedrick
Obviously krb1.cs.rutgers.edu is our hostname. Use yours. And dc=cs,dc=rutgers,dc=edu is
for our domain, which is CS.RUTGERS.EDU. You'll need to use yours.
If you look up your entry, you'll see that a lot of the lines are for
"objectclass." For a person it's typically things like person and
inetOrgPerson. Each objectclass has certain attributes that are legal. So a person entry
can have any of the attributes associated with any of its objectclasses. To see all
available object classes, and the attributes they allow, do
ldapsearch -Y GSSAPI -h krb1.cs.rutgers.edu -b cn=schema objectclass="*" objectclasses
The legal attributes are listed as MUST or MAY, depending upon whether they're mandatory
or optional.
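To work out which attributes a given entry may carry from that schema output, the following added example (not part of the original page) parses objectclasses definitions and unions MUST and MAY over an entry's classes and their superclasses. The sample schema text is constructed, the hostObject OID in it is a placeholder, and the function names are this example's own.

```python
import re

# Constructed sample of `objectclasses` values as ldapsearch prints them: LDIF,
# with long values folded onto continuation lines that start with one space.
# The hostObject OID below is a placeholder, not the real one.
SAMPLE_LDIF = """\
dn: cn=schema
objectclasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY
  ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectclasses: ( 1.3.6.1.4.1.99999.1 NAME 'hostObject' SUP top AUXILIARY M
 AY host )
"""

def _names(defn, keyword):
    """Return the names after NAME/SUP/MUST/MAY: a single name or ( a $ b )."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|(\S+))" % keyword, defn)
    if not m:
        return []
    raw = m.group(1) if m.group(1) is not None else m.group(2)
    return [n.strip("'") for n in re.split(r"[\s$]+", raw.strip()) if n]

def parse_schema(ldif):
    """Map lowercase class name -> {'sup': [...], 'must': set, 'may': set}."""
    classes = {}
    for line in re.sub(r"\n ", "", ldif).splitlines():  # undo LDIF folding
        key, _, value = line.partition(":")
        if key.lower() != "objectclasses":
            continue
        # Drop the free-text description so its words are not read as keywords.
        defn = re.sub(r"DESC\s+'[^']*'", "", value)
        info = {"sup": [s.lower() for s in _names(defn, "SUP")],
                "must": set(_names(defn, "MUST")), "may": set(_names(defn, "MAY"))}
        for name in _names(defn, "NAME"):
            classes[name.lower()] = info
    return classes

def allowed_attributes(classes, entry_classes):
    """Union MUST and MAY over the entry's classes and their superclasses."""
    must, may, seen = set(), set(), set()
    todo = [c.lower() for c in entry_classes]
    while todo:
        name = todo.pop()
        if name in seen or name not in classes:
            continue
        seen.add(name)
        must |= classes[name]["must"]
        may |= classes[name]["may"]
        todo.extend(classes[name]["sup"])
    return must, may - must
```

Feed parse_schema the saved output of the schema query, then call allowed_attributes with the objectclass values from an entry to see what it must and may contain.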
If you see an attribute you'd like for your users, but the object class that has it
isn't assigned to people, you can add it. E.g. the following commands add an
objectclass hostObject to all users and groups. The objectclass hostObject has an
attribute host. So this lets us associate hosts with both people and groups. The
permission-mod commands add host to the existing read and modify permissions, so people
who can already read or modify people and groups can do the same with that attribute.
ipa config-mod --addattr=ipaUserObjectClasses=hostObject
ipa config-mod --addattr=ipaGroupObjectClasses=hostObject
ipa permission-mod "System: Read User Standard Attributes" --includedattrs=host
ipa permission-mod "System: Read Groups" --includedattrs=host
ipa permission-mod "System: Modify Groups" --includedattrs=host
ipa permission-mod "System: Modify Users" --includedattrs=host
You can create new objectclasses and groups, but it's a bit more complex.