Thank you very much for your recommendations!
/Skachedubov Danila
----------------
To: FreeIPA users list ([email protected]);
Cc: Sam Morris ([email protected]);
Subject: [Freeipa-users] Re: Proper Approach to Extending LDAP Schema for GPC Storage in FreeIPA;
10.03.2025, 15:04, "Alexander Bokovoy" <[email protected]>:
On Mon, 10 Mar 2025, Данила Скачедубов via FreeIPA-users wrote:
Thank you for your response. I would like to clarify my approach. My goal
is to extend the organizationalUnit class by adding custom attributes,
such as customAttribute and a few others, as follows:
objectclasses: ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST
ou MAY ( businessCategory $ description $ destinationIndicator $
facsimileTelephoneNumber $ internationalISDNNumber $ l $
physicalDeliveryOfficeName $ postalAddress $ postalCode $ postOfficeBox $
preferredDeliveryMethod $ registeredAddress $ searchGuide $ seeAlso $ st $
street $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $
userPassword $ x121Address $ customAttribute ) X-ORIGIN ( 'Custom
Modification' 'user defined' ) )
I am not expecting FreeIPA to interact with or recognize these
modifications. Instead, I am developing a separate application that will
work directly with this structure in the LDAP database.
However, my main concern is whether FreeIPA might, under certain
circumstances, reset the schema to its defaults, potentially removing my
custom attributes. Additionally, I am wondering if the organizationalUnit
class is used in critical FreeIPA operations, such as trust relationships
with Active Directory (AD) or other built-in functions.
Given these concerns, would it be more architecturally sound to:
1. Extend the existing organizationalUnit class as I have done above,
or
2. Create a new object class with SUP organizationalUnit to avoid
interfering with the standard schema?

organizationalUnit is part of RFC 4519 (section 3.11).
You should never modify existing object classes, especially if they
are part of the LDAP specification and created well before your
solution. So the approach (2) is what should be used, in my opinion.
If FreeIPA ever starts using organizationalUnit itself, we definitely
will not be modifying its object class as well.
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
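The approach (2) recommended above, carried through as a concrete schema change. This is an added example and not code from the thread or from the FreeIPA project: it defines the attribute type for customAttribute and a new structural class that inherits from organizationalUnit (SUP organizationalUnit), so the RFC 4519 definition itself is left untouched. The class name exampleOrgUnit and the OID arc 1.3.6.1.4.1.99999.1 are assumptions; the OIDs are placeholders that must be replaced with an arc you actually control before use.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): extend organizationalUnit by
# subclassing it instead of editing the RFC 4519 object class in place.
# PLACEHOLDER OID arc, assumed for illustration; replace with an arc you own.
OID_BASE="${OID_BASE:-1.3.6.1.4.1.99999.1}"

# Print the LDIF that adds one attribute type and one object class to cn=schema.
# The 389-ds server behind FreeIPA persists such changes in the instance's
# user-defined schema file (99user.ldif), separate from the schema files that
# FreeIPA itself ships.
make_schema_ldif() {
  cat <<EOF
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( ${OID_BASE}.1.1 NAME 'customAttribute' DESC 'Example application attribute' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( ${OID_BASE}.2.1 NAME 'exampleOrgUnit' DESC 'organizationalUnit with application-specific attributes' SUP organizationalUnit STRUCTURAL MAY ( customAttribute ) X-ORIGIN 'user defined' )
EOF
}

# Apply the schema change over the given LDAP URI (use ldaps:// in practice).
# Directory Manager is assumed; a delegated account with write access to
# cn=schema works as well.
apply_schema() {
  ldap_uri="$1"
  make_schema_ldif | ldapmodify -x -H "$ldap_uri" -D 'cn=Directory Manager' -W
}

# Read the class back from cn=schema to confirm the definition is live.
verify_schema() {
  ldap_uri="$1"
  ldapsearch -x -H "$ldap_uri" -b cn=schema -s base '(objectClass=*)' objectClasses \
    | grep -i "NAME 'exampleOrgUnit'"
}

# Usage: ./extend-ou-schema.sh [ldif|apply URI|verify URI]; default prints the LDIF.
case "${1:-ldif}" in
  apply)  apply_schema "$2" ;;
  verify) verify_schema "$2" ;;
  ldif)   make_schema_ldif ;;
esac
```

Entries that need the extra attribute then get objectClass: exampleOrgUnit in addition to top, and FreeIPA's own organizationalUnit handling, present or future, is never affected because the standard class definition is not changed.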
