On Wed, 20 Oct 2021, G Col via FreeIPA-users wrote:
Dear FreeIPA team,
We have been trying to add a new attribute to our FreeIPA LDAP configuration from the command line, but it did not seem to work as expected. I provide the steps below:
cd /usr/share/ipa
ipa-ldap-updater --schema-file 01authkey.ldif
File content (the content is quite generic and nothing in particular is customised on the template below):

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.1.1 NAME 'authKey' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' )
add: objectClasses
objectClasses: ( 2.25.28639311321113238241701611583088740684.14.2.2.1 NAME '*****Account' SUP top AUXILIARY MAY (authKey) X-ORIGIN 'Extending FreeIPA' )
Logs after executing the command:

2021-10-20T09:43:19Z DEBUG importing plugin module ipaserver.install.plugins.update_uniqueness
2021-10-20T09:43:19Z DEBUG importing plugin module ipaserver.install.plugins.upload_cacrt
2021-10-20T09:43:20Z DEBUG Created connection context.ldap2_139992050688208
2021-10-20T09:43:20Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-HOOYU-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f526fe1f3f8>
2021-10-20T09:43:21Z DEBUG Processing schema LDIF file 01authkey.ldif
2021-10-20T09:43:21Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_ldap_updater.py", line 143, in run
    ldapi=True) or modified
  File "/usr/lib/python2.7/site-packages/ipaserver/install/schemaupdate.py", line 129, in update_schema
    _dn, new_schema = ldap.schema.subentry.urlfetch(url)
  File "/usr/lib64/python2.7/site-packages/ldap/schema/subentry.py", line 480, in urlfetch
    ldif_file = urllib.urlopen(uri)
  File "/usr/lib64/python2.7/urllib.py", line 87, in urlopen
    return opener.open(url)
  File "/usr/lib64/python2.7/urllib.py", line 210, in open
    return getattr(self, name)(url)
  File "/usr/lib64/python2.7/urllib.py", line 463, in open_file
    return self.open_ftp(url)
  File "/usr/lib64/python2.7/urllib.py", line 522, in open_ftp
    host = socket.gethostbyname(host)

2021-10-20T09:43:21Z DEBUG The ipa-ldap-updater command failed, exception: IOError: [Errno socket error] [Errno -2] Name or service not known
2021-10-20T09:43:21Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: IOError: [Errno socket error] [Errno -2] Name or service not known
2021-10-20T09:43:21Z ERROR The ipa-ldap-updater command failed. See /var/log/ipaupgrade.log for more information
You are using the wrong syntax for the ipa-ldap-updater schema file, and you are also not passing ipa-ldap-updater a full path to the file.

Your 01authkey.ldif file uses the LDAP update file format accepted by ldapadd/ldapmodify, but it misses this requirement stated in the man page for ipa-ldap-updater:
-------------
Schema files should be in LDIF format, and may only specify attributeTypes and objectClasses attributes of cn=schema.
-------------
You can look for examples in /usr/share/ipa, for example /usr/share/ipa/60basev4.ldif.
Since ipa-ldap-updater uses the Python ldap library, it has to follow the logic of urllib, which basically tries to guess the name as a URI. If that name starts with / or ./, it is interpreted as a file rather than opened as a URL with some other protocol. In the stack trace above it decided that the URL '01authkey.ldif' looks like an FTP URL.
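The two points made in the reply (the schema-file format and the full path), as an added example that is not part of this thread and not FreeIPA's own code: a small Python 3 script that checks a candidate file against the rule quoted from the man page and shows why a relative file name ends up being treated as a host. The "schema style" LDIF is modelled on the layout of /usr/share/ipa/60basev4.ldif (the cn=schema entry carrying only attributeTypes and objectClasses values); the OIDs are the ones from the post, the object class name exampleAccount stands in for the redacted one, and the assumption that the updater builds its URL as 'file://' followed by the path you gave it is drawn from the traceback, not verified against the source.

```python
"""Sanity-check a schema LDIF before passing it to ipa-ldap-updater --schema-file."""
import os
from urllib.parse import urlsplit

# Constructed sample modelled on the file from the post: ldapmodify-style
# syntax (changetype/add/-), which the updater's schema loader does not take.
MODIFY_STYLE_LDIF = """\
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.1.1 NAME 'authKey' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' )
-
add: objectClasses
objectClasses: ( 2.25.28639311321113238241701611583088740684.14.2.2.1 NAME 'exampleAccount' SUP top AUXILIARY MAY ( authKey ) X-ORIGIN 'Extending FreeIPA' )
"""

# The same definitions in the form the man page describes: the cn=schema
# entry itself, with only attributeTypes and objectClasses values
# (layout modelled on /usr/share/ipa/60basev4.ldif, not copied from it).
SCHEMA_STYLE_LDIF = """\
dn: cn=schema
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.1.1 NAME 'authKey' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' )
objectClasses: ( 2.25.28639311321113238241701611583088740684.14.2.2.1 NAME 'exampleAccount' SUP top AUXILIARY MAY ( authKey ) X-ORIGIN 'Extending FreeIPA' )
"""

ALLOWED_ATTRIBUTES = {"attributetypes", "objectclasses"}


def unfold(ldif_text):
    """Join LDIF continuation lines (leading space) back onto their logical line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def schema_file_problems(ldif_text):
    """Return the reasons a file is not a valid ipa-ldap-updater schema file ([] if it is)."""
    problems = []
    lines = [ln for ln in unfold(ldif_text) if ln and not ln.startswith("#")]
    if not lines or lines[0].strip().lower() != "dn: cn=schema":
        problems.append("first line must be 'dn: cn=schema'")
    for line in lines[1:]:
        if line == "-":
            problems.append("'-' change separators are ldapmodify syntax")
            continue
        name, sep, _ = line.partition(":")
        if not sep:
            problems.append("line without an attribute name: %r" % line)
        elif name.strip().lower() not in ALLOWED_ATTRIBUTES:
            problems.append("attribute %r not allowed (only attributeTypes/objectClasses)" % name)
    return problems


def file_url_host(path):
    """Host part urllib sees if the updater forms 'file://' + path (assumption from the traceback).

    A bare relative name lands in the authority slot of the URL, which is why
    Python 2's urllib tried to resolve '01authkey.ldif' as an FTP host.
    """
    return urlsplit("file://" + path).netloc


def updater_path(path):
    """Absolute path to hand to --schema-file; an absolute path yields an empty host part."""
    return os.path.abspath(path)


if __name__ == "__main__":
    for label, text in (("modify-style", MODIFY_STYLE_LDIF), ("schema-style", SCHEMA_STYLE_LDIF)):
        print(label, schema_file_problems(text) or "OK")
    for p in ("01authkey.ldif", "/usr/share/ipa/01authkey.ldif"):
        print("%-32s host part: %r" % (p, file_url_host(p)))
```

Run it in the directory holding your schema file; the modify-style sample reports four problems (changetype, two add lines and the separator), the schema-style one reports none, and only the absolute path gives an empty host part.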