I am going to migrate an existing environment to FreeIPA 4.5. The current LDAP has a few site-specific attributes and I have been trying to figure out how I add these in an easy way that also keeps them when upgrading etc.

I was thinking that making them optional would allow us to add them without expanding the IPA web interface. But which is the best way to place the additional LDIF file for extending the schema? I have read about different locations, and some documentation points to using ldapmodify directly, but most of the material I find regarding this is from 2014 or earlier, so I'm unsure if it's still relevant.

I would like to add something like this to all users:

dn: cn=schema
changetype: modify
add: attributeTypes
# SYNTAX must be a syntax OID; 1.3.6.1.4.1.1466.115.121.1.26 is IA5String (RFC 4517).
# "name-oid" is the 389-DS placeholder OID; a registered OID is better for anything long-lived.
attributeTypes: ( ourUserType-oid NAME 'ourUserType' DESC 'Specifies account type: user / sys' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributeTypes: ( ourSysOwner-oid NAME 'ourSysOwner' DESC 'Owner of Sys account / Roles' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-
# A "-" line separates the two modify operations in one LDIF change record.
add: objectClasses
objectClasses: ( ourUserSpec-oid NAME 'ourUserSpec' DESC 'Holds user-specific attr' SUP top AUXILIARY MAY ( ourUserType $ ourSysOwner ) )
-

Should this be located under /usr/share/ipa/updates, /usr/share/ipa/schema.d or should it be added in some other place?

I want to be able to set the attributes while creating users, e.g. ipa user-add … --setattr ourUserType="usertype1" ….
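The two things that most often break a hand-written schema LDIF like the one above are a SYNTAX given as a name instead of an OID, and a missing "-" separator between the attributeTypes and objectClasses operations. The following is an added example, not code from the original post or from FreeIPA: a small Python generator that emits a cn=schema modify LDIF in the 389-DS form and sanity-checks it (unique names, every MAY/MUST reference defined). It assumes the standard RFC 4517 syntax OIDs listed in SYNTAX, that 389-DS accepts the "name-oid" placeholder, and a hypothetical X-ORIGIN value of 'our site'; the KNOWN_ATTRS set is a constructed stand-in for the base schema, not a full list.

```python
"""Generate and sanity-check a 389-DS / FreeIPA custom schema LDIF.

Added example, not from the original post or from FreeIPA. Assumes the
RFC 4517 syntax OIDs below and that 389-DS accepts 'name-oid' placeholder
OIDs (it does, but register a real OID for anything long-lived).
"""
import re

# RFC 4517 attribute syntax OIDs (standard values).
SYNTAX = {
    "IA5String": "1.3.6.1.4.1.1466.115.121.1.26",
    "DirectoryString": "1.3.6.1.4.1.1466.115.121.1.15",
    "Boolean": "1.3.6.1.4.1.1466.115.121.1.7",
    "DN": "1.3.6.1.4.1.1466.115.121.1.12",
}

# Constructed stand-in for attributes already present in the base schema.
KNOWN_ATTRS = {"cn", "uid", "sn", "mail", "description"}


def attribute_type(name, desc, syntax, oid=None, single_value=True, origin="our site"):
    """Return one attributeTypes definition in RFC 4512 form."""
    if syntax not in SYNTAX:
        raise ValueError(f"unknown syntax {syntax!r}; add its OID to SYNTAX")
    oid = oid or f"{name}-oid"  # 389-DS placeholder OID
    parts = [oid, f"NAME '{name}'", f"DESC '{desc}'", f"SYNTAX {SYNTAX[syntax]}"]
    if single_value:
        parts.append("SINGLE-VALUE")
    parts.append(f"X-ORIGIN '{origin}'")
    return "( " + " ".join(parts) + " )"


def object_class(name, desc, may=(), must=(), oid=None, kind="AUXILIARY",
                 sup="top", origin="our site"):
    """Return one objectClasses definition; element order follows RFC 4512."""
    oid = oid or f"{name}-oid"
    parts = [oid, f"NAME '{name}'", f"DESC '{desc}'", f"SUP {sup}", kind]
    if must:
        parts.append("MUST ( " + " $ ".join(must) + " )")
    if may:
        parts.append("MAY ( " + " $ ".join(may) + " )")
    parts.append(f"X-ORIGIN '{origin}'")
    return "( " + " ".join(parts) + " )"


def schema_ldif(attrs, classes):
    """Emit a cn=schema modify record; '-' separates the two add operations."""
    lines = ["dn: cn=schema", "changetype: modify", "add: attributeTypes"]
    lines += [f"attributeTypes: {a}" for a in attrs]
    lines += ["-", "add: objectClasses"]
    lines += [f"objectClasses: {c}" for c in classes]
    lines += ["-", ""]
    return "\n".join(lines)


NAME_RE = re.compile(r"NAME '([^']+)'")
MAYMUST_RE = re.compile(r"(?:MAY|MUST) \( ([^)]*) \)")


def check_schema(attrs, classes, known=KNOWN_ATTRS):
    """Return a list of problems found; an empty list means the schema is consistent.

    LDAP names are case-insensitive, so all comparisons are done in lower case.
    """
    problems = []
    defined = {a.lower() for a in known}
    seen = set()
    for a in attrs:
        name = NAME_RE.search(a).group(1).lower()
        if name in seen or name in defined:
            problems.append(f"duplicate attribute name: {name}")
        seen.add(name)
    defined |= seen
    for c in classes:
        for group in MAYMUST_RE.findall(c):
            for ref in group.split("$"):
                ref = ref.strip().lower()
                if ref and ref not in defined:
                    problems.append(f"objectClass references undefined attribute: {ref}")
    return problems


# The definitions from the post, expressed through the helpers above.
ATTRS = [
    attribute_type("ourUserType", "Specifies account type: user / sys", "IA5String"),
    attribute_type("ourSysOwner", "Owner of Sys account / Roles", "IA5String"),
]
CLASSES = [
    object_class("ourUserSpec", "Holds user-specific attr", may=("ourUserType", "ourSysOwner")),
]

if __name__ == "__main__":
    assert check_schema(ATTRS, CLASSES) == []
    print(schema_ldif(ATTRS, CLASSES))
```

Whatever location turns out to be right for your version, the record this emits is what the server has to accept; check `ipa-ldap-updater --help` on your 4.5 install for a schema-file option before assuming an unattended path is picked up on upgrade. Also note that ourUserSpec is AUXILIARY, so a user entry must carry that objectClass before the new attributes can be set on it, which is the generic LDAP rule rather than anything FreeIPA-specific.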