On 03/18/2012 01:00 PM, Marco Pizzoli wrote:
> Hi Dmitri,
>
> On Sun, Mar 18, 2012 at 5:41 PM, Dmitri Pal <[email protected]
> <mailto:[email protected]>> wrote:
>
>     On 03/18/2012 08:59 AM, Marco Pizzoli wrote:
>>     Hi Simo,
>>
>>     On Sat, Mar 17, 2012 at 7:16 PM, Simo Sorce <[email protected]
>>     <mailto:[email protected]>> wrote:
>>
>>         On Sat, 2012-03-17 at 11:12 +0100, Marco Pizzoli wrote:
>>         > Hi guys,
>>         >
>>         > I extended my set of LDAP objectClasses associated to users
>>         > by adding my new objectClass to my cn=ipaConfig LDAP entry,
>>         > the ipaUserObjectClasses attribute.
>>         > Then, I created a new user with the web ui and I see the new
>>         > objectClass associated with that user, but as structural
>>         > instead of auxiliary. I don't know why, could you help me?
>>         >
>>         > Same thing happened for my groups. I added 3 objectClasses
>>         > and now I see all of them as structural. I would understand
>>         > an answer: all objectClasses eventually result as structural,
>>         > but so why, for example, the ipaObject is still an auxiliary
>>         > objectClass?
>>
>>         The objectClass type depends on the schema. It is not
>>         something that changes after you assign it to an object.
>>
>>
>>     Yes, your answer surely does make sense.
>>
>>     My question was triggered by the fact that, AFAICS, not all
>>     objectClasses are structural as well.
>>     In fact I can see that, for my group object, the objectClass
>>     "ipaobject" has been defined as auxiliary, while others structural.
>>     For users, I see that *only my objectClass* is defined as
>>     structural. All others as auxiliary.
>>
>>     In attachment you can see 2 images that immediately represent
>>     what I'm trying to explain.
>>
>>     If this was the intended behaviour, I would be really interested
>>     in knowing what is the rationale behind this.
>>     Only curiosity, as usual :-)
>>
>>     Thanks again for your patience!
>
>     AFAIU the object classes that are added to users and groups need
>     to be first defined in the schema.
>     I assume you have done so otherwise all sorts of errors would have
>     shown up. Am I correct?
>
>
> Exact. I followed the instructions on extending the schema on 389-ds,
> by inserting a file in my /etc/dirsrv/<instance>/schema dir.
> Everything went ok, and I can see from phpldapadmin that the DSA
> correctly presents my objectClasses as available to use for extending
> objects.
>
>
>     I do not recognize the object classes as standard object classes.
>     But my knowledge might be limited.
>
>
> Exact, they are "mine" objects, under a reserved OID number.
>
>
>     Can you show how you defined these new object classes in
>     schema? You might have not specified the type and it defaulted to
>     structural.
>
>
> This was a schema file created for OpenLDAP and which is currently in
> production.
> I used the script posted on the 389-ds HowTo for the migration from
> OpenLDAP schema files to 389-ds format.
> Here you can find it. A little camouflaged, of course.
>
> [root@freeipa01 ~]# cat
> /etc/dirsrv/slapd-UNIX-MYDOMAIN-IT/schema/98myfile.ldif
> dn: cn=schema
> attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.4 NAME 'xxxUfficio' DESC
> 'Ufficio di appartenenza degli utenti XXX' EQUALITY caseIgnoreMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
> objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.2 NAME 'xxxPeopleAttributes'
> SUP top AUXILIARY DESC 'Definizione di attributi specifici per gli
> utenti XXX' MAY ( xxxUfficio ))
> attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.1 NAME 'xxxProgetto' DESC
> 'Nome del macro-progetto associato a questo gruppo LDAP' EQUALITY
> caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE
> userApplications )
> attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.2 NAME 'xxxAmbiente' DESC
> 'Nome di ambiente SVIL-TEST-VALID-PROD associato al progetto' EQUALITY
> caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE
> userApplications )
> attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.5 NAME 'xxxTipoGruppo' DESC
> 'Tipologia di gruppo' EQUALITY caseIgnoreMatch SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
> objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.3 NAME 'xxxGroupsAttributes'
> SUP top AUXILIARY DESC 'Definizione di attributi specifici per i
> gruppi XXX' MAY ( xxxProgetto $ xxxAmbiente $ xxxTipoGruppo ))
> attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.6 NAME 'xxxWebminAmbiente'
> DESC 'Ufficio di appartenenza degli utenti XXX' EQUALITY
> caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE
> userApplications )
> objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.4 NAME 'xxxWebminAttributes'
> SUP top AUXILIARY DESC 'Definizione di attributi specifici per gli
> oggetti Webmin' MAY ( xxxWebminAmbiente ))
> attributetypes: ( 1.3.6.1.4.1.36005.0.2.4.3 NAME
> 'xxxDB2GruppiPrivilegi' DESC 'Tipologia di gruppo creato per accesso
> al DB2' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
> USAGE userApplications )
> objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.5 NAME
> 'xxxDB2GroupsAttributes' SUP top AUXILIARY DESC 'Definizione di
> attributi specifici per i gruppi DB2' MAY ( xxxDB2GruppiPrivilegi ))
> objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.1 NAME 'xxxAttributes' SUP
> top AUXILIARY DESC 'Definizione di attributi specifici per utilizzo
> interno' MAY ( xxxProgetto $ xxxAmbiente $ xxxTipoGruppo $
> xxxDB2GruppiPrivilegi ))
>
> As you can see, they are explicitly declared as AUXILIARY.
>

OK. Then it seems like a bug on our side ;-)
Please file a ticket and attach the info provided here.

Thanks for your efforts. They really help us to make the project better.

> Thanks again
> Marco
>
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
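
Added example, not part of the original thread: a small Python check for the hypothesis raised above, that a class defined without a kind is treated as STRUCTURAL (the default in RFC 4512). It reads objectclasses values from a 389-ds schema LDIF and reports each class's kind; the sample embeds two definitions from the posted 98myfile.ldif plus one constructed entry, exampleNoKind with placeholder OID 9.9.9.1, that omits the kind.

```python
import re

KINDS = ("ABSTRACT", "STRUCTURAL", "AUXILIARY")

# Two definitions copied from the thread's 98myfile.ldif, then one
# constructed entry (placeholder OID 9.9.9.1) that declares no kind.
# Continuation lines start with one fold space plus one real space.
SAMPLE_LDIF = """\
dn: cn=schema
objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.2 NAME 'xxxPeopleAttributes'
  SUP top AUXILIARY DESC 'Definizione di attributi specifici per gli
  utenti XXX' MAY ( xxxUfficio ))
objectclasses: ( 1.3.6.1.4.1.36005.0.2.6.3 NAME 'xxxGroupsAttributes'
  SUP top AUXILIARY DESC 'Definizione di attributi specifici per i
  gruppi XXX' MAY ( xxxProgetto $ xxxAmbiente $ xxxTipoGruppo ))
objectclasses: ( 9.9.9.1 NAME 'exampleNoKind' SUP top
  DESC 'AUXILIARY data holder' MAY ( xxxUfficio ) )
"""

def unfold(ldif_text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def objectclass_kinds(ldif_text):
    """Return {NAME: (kind, declared_explicitly)} for each objectclasses value."""
    result = {}
    for line in unfold(ldif_text):
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "objectclasses":
            continue
        m = re.search(r"\bNAME\s+(?:'([^']+)'|\(\s*'([^']+)')", value)
        if not m:
            continue
        # Blank out quoted strings so a keyword inside DESC is not read as the kind.
        bare = re.sub(r"'[^']*'", "''", value)
        found = [k for k in KINDS if re.search(r"\b%s\b" % k, bare)]
        # RFC 4512: an object class with no kind keyword is STRUCTURAL.
        result[m.group(1) or m.group(2)] = (found[0], True) if found else ("STRUCTURAL", False)
    return result

if __name__ == "__main__":
    for name, (kind, explicit) in objectclass_kinds(SAMPLE_LDIF).items():
        print(f"{name}: {kind}" + ("" if explicit else " (defaulted, no kind in schema)"))
```

Run against the real file under /etc/dirsrv/<instance>/schema, a class reported as defaulted is one whose definition lost its kind during conversion; a class reported as AUXILIARY but displayed as structural points at the display layer rather than the schema file.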
