Good day! I set up an integration of FreeIPA with Jamf. I mapped the default user attributes from Identity Settings, like: Job Title, First name, Last name, Email.
In Jamf I have more user attributes (Department, Building). My question is: how can I map user attributes from Employee Information to attributes in Jamf, or do I maybe need to create a new field in Identity Settings?
On 3/24/20 11:24 AM, dmitriys via FreeIPA-users wrote:
> Good day! I set up an integration of FreeIPA with Jamf. I mapped the default user attributes from Identity Settings, like: Job Title, First name, Last name, Email.
> In Jamf I have more user attributes (Department, Building). My question is: how can I map user attributes from Employee Information to attributes in Jamf, or do I maybe need to create a new field in Identity Settings?
Hi,
LDAP schema already defines a lot of attributes that can be re-used. The difficulty is to find one that suits your needs and is allowed by the schema.
You need first to check which objectclasses represent your user entries (by default IPA uses person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser). This can be found with
$ ipa config-show --all | grep "Default user objectclass"
Then you can have a look at the LDAP schema and find the attribute types included in each of these objectclasses. This will give you a list of potential attributes. For instance:
$ ldapsearch -x -LLL -o ldif-wrap=no -b cn=schema -s base objectclasses | grep -i inetorgperson
objectclasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500UniqueIdentifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) X-ORIGIN 'RFC 2798' )
The inetorgperson defines departmentNumber which may be of interest. You need to check what type of content is allowed in this attribute:
$ ldapsearch -x -LLL -o ldif-wrap=no -b cn=schema -s base attributetypes | grep -i departmentnumber
attributetypes: ( 2.16.840.1.113730.3.1.2 NAME 'departmentNumber' DESC 'identifies a department within an organization' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2798' )
The SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 means it's a DirectoryString. If you intend to store the "department" info as a string you may use this specific attribute.
If you are familiar with ApacheDirectoryStudio, you can use the LDAP browser and schema browser to help you find all this information.
HTH, flo
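The lookup described in the reply above, automated as an added example that is not part of the original thread or of FreeIPA: it parses the objectclasses and attributetypes lines quoted in the reply and lists each candidate attribute with its syntax. The function names and the small SYNTAX_NAMES table (OIDs from RFC 4517) are this example's own.

```python
import re

# Schema lines copied from the ldapsearch output quoted in the reply above.
OBJECTCLASSES = [
    "objectclasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson "
    "STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName $ "
    "employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials $ "
    "jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber $ "
    "secretary $ uid $ userCertificate $ x500UniqueIdentifier $ preferredLanguage $ "
    "userSMIMECertificate $ userPKCS12 ) X-ORIGIN 'RFC 2798' )",
]
ATTRIBUTETYPES = [
    "attributetypes: ( 2.16.840.1.113730.3.1.2 NAME 'departmentNumber' "
    "DESC 'identifies a department within an organization' EQUALITY caseIgnoreMatch "
    "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2798' )",
]
# A few syntax OIDs from RFC 4517 (table added for this example; extend as needed).
SYNTAX_NAMES = {"1.3.6.1.4.1.1466.115.121.1.12": "DN",
                "1.3.6.1.4.1.1466.115.121.1.15": "DirectoryString",
                "1.3.6.1.4.1.1466.115.121.1.26": "IA5String",
                "1.3.6.1.4.1.1466.115.121.1.27": "Integer"}

def names(defn):
    """All NAME values of a definition, lowercased ('x' or ( 'x' 'y' ))."""
    m = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", defn)
    return [n.lower() for n in re.findall(r"[\w;-]+", m.group(1) or m.group(2))] if m else []

def field(defn, keyword):
    """Values after MUST, MAY or SYNTAX; quoted strings are dropped first so DESC text cannot match."""
    bare = re.sub(r"'[^']*'", "", defn)
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([\w.;-]+))" % keyword, bare)
    raw = (m.group(1) if m.group(1) is not None else m.group(2)) if m else ""
    return [v.strip() for v in raw.split("$") if v.strip()]

def candidate_attributes(user_classes, objectclasses, attributetypes):
    """Map each MUST/MAY attribute of the given objectclasses to its syntax (None if not defined in input)."""
    wanted = {c.lower() for c in user_classes}
    syntax = {n: (field(d, "SYNTAX") or [None])[0] for d in attributetypes for n in names(d)}
    found = {}
    for d in objectclasses:
        if wanted & set(names(d)):
            for attr in field(d, "MUST") + field(d, "MAY"):
                oid = syntax.get(attr.lower())
                found[attr] = SYNTAX_NAMES.get(oid, oid)
    return found

if __name__ == "__main__":
    result = candidate_attributes(["inetorgperson"], OBJECTCLASSES, ATTRIBUTETYPES)
    for attr, syn in sorted(result.items()):
        print(f"{attr:24} {syn or '(definition not in sample)'}")
```

To run it against a live server, feed it the unfiltered output of the two ldapsearch commands above instead of the embedded lines.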