ldap, freeipa

LDAP - adding new attribute schema using ldapmodify


I am trying to add a new schema to FreeIPA. I am following the tutorial "Extending the FreeIPA Server"; in order to add a new schema I have to use the 'ldapmodify' command, but I get this result:

[root@rnddomain schema]# ldapmodify -D "cn=admin" -W -f favorateColorName.ldif
Enter LDAP Password: 
ldap_bind: No such object (32)

I know many have already asked about this topic but none of their answers solved my problem.

This is the schema I'm trying to add:

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.2
  NAME 'favoriteColorName'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'Extending FreeIPA' )

Solution

  • I'll start from afar.

    When binding to LDAP, one needs to specify a bind DN. While Active Directory allows specifying an RDN instead of the full DN (e.g. cn=Administrator), other LDAP servers don't necessarily allow that. In addition, the RDN might be something other than cn. In FreeIPA the uid attribute is used -- instead of cn=admin you need to specify the full DN, which should be uid=admin,cn=users,cn=accounts,dc=example,dc=com. You can always get the DN of a user with ipa user-find --raw --all --pkey-only <user>:

    $ ipa user-find --raw --all --pkey-only admin
    --------------
    1 user matched
    --------------
      dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
      uid: admin
    ----------------------------
    Number of entries returned 1
    ----------------------------
    

    However, knowing admin's full DN is not going to help you with schema updates. FreeIPA's LDAP server internally uses access controls that prevent schema modification by anyone other than the Directory Manager. The Directory Manager is a special account with the full DN cn=Directory Manager, so you should use it to import schema updates.

    But I would recommend against using ldapmodify directly for schema distribution. FreeIPA has a tool called ipa-ldap-updater which gives a nice way to distribute such updates -- not only schema but also adding new entries and modifying existing ones. You can see details on how to add new entries or modify configuration in my blog article here.

    For schema files, create a file named NNname.ldif, where NN is a number between 00 and 90, and place it somewhere. FreeIPA uses /usr/share/ipa/ for schema files and /usr/share/ipa/updates for stock update files, and you can learn how things look there too. Then run ipa-ldap-updater --schema-file NNname.ldif and it will install your schema. See the manual page for ipa-ldap-updater for other details.

    ipa-ldap-updater syntax for schema follows 389-ds schema files, so your schema definition would look like this:

    dn: cn=schema
    attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.2
     NAME 'favoriteColorName'
     EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
     X-ORIGIN 'Extending FreeIPA' )
    

    attributeTypes or objectClasses values should follow standard LDIF syntax -- if you want to split a single value across multiple lines, continuation lines must be prepended with a space (like above).
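The two rules the answer relies on can be checked before a file is ever handed to ipa-ldap-updater or ldapmodify: continuation lines must begin with a space, and the unfolded value must still be a well-formed attribute type description. The following script is an added example, not code from the original answer or from FreeIPA; it unfolds the LDIF per RFC 2849, confirms the entry targets cn=schema, and parses each attributeTypes value. The sample inputs are constructed from the schema shown in the question, and only the single-NAME form of a description is handled.

```python
"""Check a FreeIPA schema LDIF before handing it to ipa-ldap-updater.

Added example, not code from the original answer or from FreeIPA itself.
It unfolds the LDIF per RFC 2849 (a line starting with one space continues
the previous value; that space is dropped), confirms the entry targets
cn=schema, and parses each attributeTypes value as an RFC 4512 attribute
type description. The sample inputs are constructed from the schema shown
in the question; only the single-NAME form is handled.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: continuation lines carry TWO leading spaces, so one
# space survives unfolding and keeps the keywords separated.
GOOD_LDIF = """dn: cn=schema
attributeTypes: ( 2.25.28639311321113238241701611583088740684.14.2.2
  NAME 'favoriteColorName'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'Extending FreeIPA' )
"""

# Constructed sample: one leading space only. Unfolding glues "...14.2.2"
# to "NAME" and "caseIgnoreSubstringsMatch" to "SYNTAX".
GLUED_LDIF = GOOD_LDIF.replace("\n  ", "\n ")

# Constructed sample: no leading space at all, so the continuation is read
# as a new attribute line that lacks the ':' separator.
BAD_LDIF = GOOD_LDIF.replace("\n  NAME", "\nNAME")

SCHEMA_TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")
NUMERIC_OID = re.compile(r"\d+(\.\d+)+")
KEYWORDS = {"NAME", "DESC", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX",
            "SUP", "USAGE", "X-ORIGIN"}
FLAGS = {"SINGLE-VALUE", "OBSOLETE", "COLLECTIVE", "NO-USER-MODIFICATION"}


def unfold_ldif(text: str) -> List[Tuple[str, str]]:
    """Return (attribute, value) pairs with continuation lines joined."""
    records: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue  # blank lines and comments carry nothing
        if raw.startswith(" "):
            if not records:
                raise ValueError("continuation line before any attribute")
            attr, value = records[-1]
            records[-1] = (attr, value + raw[1:])  # drop exactly one space
            continue
        if ":" not in raw:
            raise ValueError(f"line without attribute separator: {raw!r}")
        attr, _, value = raw.partition(":")
        records.append((attr.strip(), value.strip()))
    return records


def parse_attribute_type(value: str) -> Dict[str, str]:
    """Parse an attribute type description into {keyword: value}.

    Every token must be the OID, a known keyword with its argument, or a
    known flag, so a keyword fused to the previous token is reported.
    """
    tokens = SCHEMA_TOKEN.findall(value)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("description must be enclosed in parentheses")
    body = tokens[1:-1]
    if not NUMERIC_OID.fullmatch(body[0]):
        raise ValueError(f"numeric OID expected, got {body[0]!r}")
    parsed = {"OID": body[0]}
    i = 1
    while i < len(body):
        tok = body[i]
        if tok in FLAGS:
            parsed[tok] = "TRUE"
            i += 1
        elif tok in KEYWORDS and i + 1 < len(body):
            parsed[tok] = body[i + 1].strip("'")
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return parsed


def check_schema_ldif(text: str) -> List[Dict[str, str]]:
    """Validate a schema update file and return its parsed attribute types."""
    records = unfold_ldif(text)
    if not records or records[0] != ("dn", "cn=schema"):
        raise ValueError("schema updates must start with 'dn: cn=schema'")
    parsed = [parse_attribute_type(v) for a, v in records if a == "attributeTypes"]
    if not parsed:
        raise ValueError("no attributeTypes values found")
    return parsed


def ldif_problem(text: str) -> str:
    """Return '' when the file parses cleanly, otherwise the first error."""
    try:
        check_schema_ldif(text)
    except ValueError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    for label, sample in (("good", GOOD_LDIF), ("glued", GLUED_LDIF), ("bad", BAD_LDIF)):
        print(label, ldif_problem(sample) or check_schema_ldif(sample))
```

The point the glued sample makes is worth remembering when folding long schema values by hand: RFC 2849 unfolding removes exactly one leading space from a continuation line, and standard LDIF parsers (OpenLDAP's ldapmodify included) do just that, so a continuation that begins with a keyword needs a second space, or the preceding line needs a trailing space, for the tokens to stay apart once the value is reassembled.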