Dear FreeIPA team,
We have been trying to add a new attribute to our FreeIPA LDAP configuration from the command line, but it does not seem to work as expected. I provide the steps below:
cd /usr/share/ipa
ipa-ldap-updater --schema-file 01authkey.ldif
****************** File content: The content is quite generic and nothing in particular is customised on the template below. **********************
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.1.1 NAME 'authKey' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' )
-
add: objectClasses
objectClasses: ( 2.25.28639311321113238241701611583088740684.14.2.2.1 NAME '*****Account' SUP top AUXILIARY MAY (authKey) X-ORIGIN 'Extending FreeIPA' )
***************** Logs after executing the command: *************************
2021-10-20T09:43:19Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness
2021-10-20T09:43:19Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2021-10-20T09:43:20Z DEBUG Created connection context.ldap2_139992050688208
2021-10-20T09:43:20Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-HOOYU-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f526fe1f3f8>
2021-10-20T09:43:21Z DEBUG Processing schema LDIF file 01authkey.ldif
2021-10-20T09:43:21Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 143, in run
    ldapi=True) or modified
  File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 129, in update_schema
    _dn, new_schema = ldap.schema.subentry.urlfetch(url)
  File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 480, in urlfetch
    ldif_file = urllib.urlopen(uri)
  File "/usr/lib64/python2.7/urllib.py", line 87, in urlopen
    return opener.open(url)
  File "/usr/lib64/python2.7/urllib.py", line 210, in open
    return getattr(self, name)(url)
  File "/usr/lib64/python2.7/urllib.py", line 463, in open_file
    return self.open_ftp(url)
  File "/usr/lib64/python2.7/urllib.py", line 522, in open_ftp
    host = socket.gethostbyname(host)

2021-10-20T09:43:21Z DEBUG The ipa-ldap-updater command failed, exception: IOError: [Errno socket error] [Errno -2] Name or service not known
2021-10-20T09:43:21Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: IOError: [Errno socket error] [Errno -2] Name or service not known
2021-10-20T09:43:21Z ERROR The ipa-ldap-updater command failed. See /var/log/ipaupgrade.log for more information
All the best, gcol
Hello,
I am also wondering whether perhaps there is a missing field in the file shown below:
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.1.1 NAME 'authKey' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' )
-
add: objectClasses
objectClasses: ( 2.25.28639311321113238241701611583088740684.14.2.2.1 NAME '*****Account' SUP top AUXILIARY MAY (authKey) X-ORIGIN 'Extending FreeIPA' )
Thank you for your help, gcol
On Wed, 20 Oct 2021, G Col via FreeIPA-users wrote:
Dear FreeIPA team,
We have been trying to add a new attribute to our FreeIPA LDAP configuration from the command line, but it does not seem to work as expected. I provide the steps below:
cd /usr/share/ipa
ipa-ldap-updater --schema-file 01authkey.ldif
****************** File content: The content is quite generic and nothing in particular is customised on the template below. **********************
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.1.1 NAME 'authKey' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' )
-
add: objectClasses
objectClasses: ( 2.25.28639311321113238241701611583088740684.14.2.2.1 NAME '*****Account' SUP top AUXILIARY MAY (authKey) X-ORIGIN 'Extending FreeIPA' )
***************** Logs after executing the command: *************************
2021-10-20T09:43:19Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness
2021-10-20T09:43:19Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2021-10-20T09:43:20Z DEBUG Created connection context.ldap2_139992050688208
2021-10-20T09:43:20Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-HOOYU-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f526fe1f3f8>
2021-10-20T09:43:21Z DEBUG Processing schema LDIF file 01authkey.ldif
2021-10-20T09:43:21Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 143, in run
    ldapi=True) or modified
  File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 129, in update_schema
    _dn, new_schema = ldap.schema.subentry.urlfetch(url)
  File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 480, in urlfetch
    ldif_file = urllib.urlopen(uri)
  File "/usr/lib64/python2.7/urllib.py", line 87, in urlopen
    return opener.open(url)
  File "/usr/lib64/python2.7/urllib.py", line 210, in open
    return getattr(self, name)(url)
  File "/usr/lib64/python2.7/urllib.py", line 463, in open_file
    return self.open_ftp(url)
  File "/usr/lib64/python2.7/urllib.py", line 522, in open_ftp
    host = socket.gethostbyname(host)

2021-10-20T09:43:21Z DEBUG The ipa-ldap-updater command failed, exception: IOError: [Errno socket error] [Errno -2] Name or service not known
2021-10-20T09:43:21Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: IOError: [Errno socket error] [Errno -2] Name or service not known
2021-10-20T09:43:21Z ERROR The ipa-ldap-updater command failed. See /var/log/ipaupgrade.log for more information
You are using the wrong syntax for the schema file for ipa-ldap-updater, and you are also not passing ipa-ldap-updater a full path to the file.
Your 01authkey.ldif file uses the LDAP update file format as accepted by ldapadd/ldapmodify, but it misses this requirement stated in the man page for ipa-ldap-updater:
-------------
Schema files should be in LDIF format, and may only specify attributeTypes and objectClasses attributes of cn=schema.
-------------
You can look for examples in /usr/share/ipa, for example /usr/share/ipa/60basev4.ldif.
Since ipa-ldap-updater uses the Python ldap library, it needs to follow the logic of urllib, which basically tries to guess the name as a URI. If the name starts with / or ./, it will be interpreted as a file and no attempt will be made to open it as a URL with other protocols. In the stack trace above it decided that the URL '01authkey.ldif' looks like an FTP URL.
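The two failure modes in this reply (the ldapmodify-style file and the bare filename that urllib guessed as an FTP host) can be caught before running ipa-ldap-updater. The checker below is an added example, not FreeIPA's own validator; it assumes single-record schema files, uses the thread's authKey definition and a placeholder objectClass name, and encodes the man-page rule, the / or ./ path advice, and the LDIF continuation-line rule (a leading space continues the previous line) that bites files with indented lines.

```python
# Added pre-flight check for an ipa-ldap-updater schema file (not FreeIPA's code):
# man-page rule quoted above, the '/' or './' path advice, leading-space pitfall.
ALLOWED = {"attributetypes", "objectclasses"}
MODIFY_DIRECTIVES = {"changetype", "add", "delete", "replace"}

def unfold(text):
    """Join LDIF continuation lines (RFC 2849) and drop blank lines."""
    out = []
    for ln in text.splitlines():
        if ln.startswith(" ") and out:
            out[-1] += ln[1:]
        elif ln.strip():
            out.append(ln.rstrip())
    return out

def check_schema_ldif(text, path):
    """Return a list of problems; an empty list means the file looks acceptable."""
    problems = []
    if not (path.startswith("/") or path.startswith("./")):
        problems.append("path %r does not start with / or ./; urllib may guess a URL" % path)
    if text.startswith(" "):
        problems.append("file starts with a space, which LDIF treats as a continuation")
    lines = unfold(text)
    if not lines or lines[0].strip().lower() != "dn: cn=schema":
        problems.append("first line must be 'dn: cn=schema'")
    for ln in lines[1:]:
        if ln == "-":
            problems.append("'-' separator is ldapmodify syntax")
            continue
        name, sep, value = ln.partition(":")
        name = name.strip().lower()
        if not sep:
            problems.append("not an attribute line: %r" % ln)
        elif name in MODIFY_DIRECTIVES:
            problems.append("ldapmodify directive %r is not allowed" % name)
        elif name not in ALLOWED:
            problems.append("attribute %r is not attributeTypes/objectClasses" % name)
        elif not value.strip().startswith("("):
            problems.append("%s value must be a parenthesised definition" % name)
    return problems
# Constructed samples: the thread's attribute, a placeholder objectClass name,
# the file as posted (ldapmodify form) and the form ipa-ldap-updater expects.
AUTHKEY = ("( 2.25.28639311321113238241701611583088740684.14.2.1.1 NAME 'authKey'"
           " EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch"
           " SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' )")
ACCOUNT = ("( 2.25.28639311321113238241701611583088740684.14.2.2.1 NAME 'exampleAccount'"
           " SUP top AUXILIARY MAY ( authKey ) X-ORIGIN 'Extending FreeIPA' )")
BROKEN = ("dn: cn=schema\nchangetype: modify\nadd: attributeTypes\nattributeTypes: %s\n"
          "-\nadd: objectClasses\nobjectClasses: %s\n" % (AUTHKEY, ACCOUNT))
FIXED = "dn: cn=schema\nattributeTypes: %s\nobjectClasses: %s\n" % (AUTHKEY, ACCOUNT)
```

Running check_schema_ldif(BROKEN, "01authkey.ldif") reports the path plus the four ldapmodify lines, while FIXED with an absolute path under /usr/share/ipa reports nothing.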
Hello Alexander,
Thank you for your comments, they are really helpful :)
The command would be: ipa-ldap-updater --schema-file ./01authkey.ldif ?
About the format, what would be wrong, or what would be the correct format for our file? We were following a FreeIPA user guide, but perhaps there was something I didn't apply correctly based on the notes: https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
Thank you, kind regards, gcol
Just thinking about this topic, is this the wrong approach to test a new schema change, and is there a better command and syntax to do it via FreeIPA?
Kind regards, gcol
On Wed, 20 Oct 2021, G Col via FreeIPA-users wrote:
Hello Alexander,
Thank you for your comments, they are really helpful :)
The command would be: ipa-ldap-updater --schema-file ./01authkey.ldif ?
yes.
About the format, what would be wrong, or what would be the correct format for our file? We were following a FreeIPA user guide, but perhaps there was something I didn't apply correctly based on the notes: https://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
Just make sure you opened 01authkey.ldif and, say, 60basev4.ldif side-by-side and see the difference yourself.
If you are interested in extending IPA, I'd suggest following the sample plugins I have in my GitHub tree, like https://github.com/abbra/freeipa-desktop-profile
They cover all required details, from schema to updates and UI changes.
Just to let you know, the approach we followed worked out in the end; we made it work with the same file, just without the leading spaces in the file. And now the change is in place.
Thank you for your comments. Regards, gcol
freeipa-users@lists.fedorahosted.org