On Mon, 10 Mar 2025, Данила Скачедубов via FreeIPA-users wrote:
> Thank you for your response. I would like to clarify my approach. My goal
> is to extend the organizationalUnit class by adding custom attributes,
> such as customAttribute and a few others, as follows:
>
> objectclasses: ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou MAY ( businessCategory $ description $ destinationIndicator $ facsimileTelephoneNumber $ internationalISDNNumber $ l $ physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $ preferredDeliveryMethod $ registeredAddress $ searchGuide $ seeAlso $ st $ street $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ userPassword $ x121Address $ customAttribute ) X-ORIGIN ( 'Custom Modification' 'user defined' ) )
>
> I am not expecting FreeIPA to interact with or recognize these
> modifications. Instead, I am developing a separate application that will
> work directly with this structure in the LDAP database.
>
> However, my main concern is whether FreeIPA might, under certain
> circumstances, reset the schema to its defaults, potentially removing my
> custom attributes. Additionally, I am wondering if the organizationalUnit
> class is used in critical FreeIPA operations, such as trust relationships
> with Active Directory (AD) or other built-in functions.
>
> Given these concerns, would it be more architecturally sound to:
>
>    1. Extend the existing organizationalUnit class as I have done above, or
>    2. Create a new object class with SUP organizationalUnit to avoid
>       interfering with the standard schema?

organizationalUnit is part of RFC 4519 (section 3.11).

You should never modify existing object classes, especially if they
are part of the LDAP specification and created well before your
solution. So the approach (2) is what should be used, in my opinion.

If FreeIPA ever starts using organizationalUnit itself, we definitely
will not be modifying its object class either.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
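
Approach (2) from the exchange above, written out as LDIF. This is an added example, not part of the original thread and not FreeIPA's own schema. Assumptions: the object class name customOrganizationalUnit, the OIDs under the 2.999 documentation-only arc (replace them with OIDs from your own registered arc), the Directory String syntax for customAttribute, the suffix dc=example,dc=test, and a directory server that accepts schema updates through cn=schema.

```ldif
# Added example. All names, OIDs and the suffix below are constructed.
# The RFC 4519 definition of organizationalUnit (2.5.6.5) is left untouched;
# the custom attribute lives in a new class derived from it.

# 1. Define the custom attribute and the derived object class.
#    2.999 is the example-only OID arc; use your own arc in production.
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.999.1.1 NAME 'customAttribute'
  DESC 'Application-specific attribute (constructed example)'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( 2.999.2.1 NAME 'customOrganizationalUnit'
  DESC 'organizationalUnit plus application attributes (constructed example)'
  SUP organizationalUnit
  STRUCTURAL
  MAY ( customAttribute )
  X-ORIGIN 'user defined' )
-

# 2. Create an entry that uses the derived class.
#    It inherits MUST ou and every MAY attribute of organizationalUnit,
#    so clients that only know organizationalUnit still read it correctly.
dn: ou=engineering,dc=example,dc=test
changetype: add
objectClass: top
objectClass: organizationalUnit
objectClass: customOrganizationalUnit
ou: engineering
description: Constructed sample entry
customAttribute: constructed-value
```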
